{"id":5947,"date":"2025-11-26T01:00:37","date_gmt":"2025-11-26T01:00:37","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5947"},"modified":"2025-11-26T01:00:37","modified_gmt":"2025-11-26T01:00:37","slug":"new-clickfix-attacks-use-fake-windows-update-screens-to-fool-employees","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5947","title":{"rendered":"New ClickFix attacks use fake Windows Update screens to fool employees"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>CSOs and Windows admins should disable the ability of personal computers to automatically run commands to block the latest version of the ClickFix social engineering attacks.<\/p>\n<p>This advice comes from researchers at Huntress, <a href=\"https:\/\/www.huntress.com\/blog\/clickfix-malware-buried-in-images\" target=\"_blank\" rel=\"noopener\">who this week warned<\/a> that a new version of ClickFix-based attacks, where employees are tricked into running malicious commands, is circulating.<\/p>\n<p>The latest tactics of this campaign include steganography \u2014 hiding malware in the pixels of an image \u2014 and a \u201chighly convincing\u201d fake Windows Update screen that asks the user to open a Run prompt, then paste in and run a malicious command.<\/p>\n<p>That command delivers the <a href=\"https:\/\/www.csoonline.com\/article\/3993289\/feds-and-microsoft-crush-lumma-stealer-that-stole-millions-of-passwords.html\" target=\"_blank\" rel=\"noopener\">LummaC2<\/a> and Rhadamanthys infostealers.<\/p>\n<p>Huntress notes that its report comes after the November 13 <a href=\"https:\/\/www.europol.europa.eu\/media-press\/newsroom\/news\/end-of-game-for-cybercrime-infrastructure-1025-servers-taken-down\" target=\"_blank\" rel=\"noopener\">Operation Endgame law enforcement 
takedowns<\/a> targeting the Rhadamanthys infrastructure. As of November 19, multiple active domains continued to host the Windows Update Lure page associated with the Rhadamanthys campaign. All of these lures point to the same hex-encoded URL structure previously linked to the deployment of Rhadamanthys, although it appears this payload is no longer being hosted.\u00a0<\/p>\n<p>The first step defenders should take is to stop the ability of this malware to run, says the report. \u201cThe most effective way to mitigate ClickFix is by disabling the Windows Run box,\u201d says Huntress, either by modifying the Windows Registry or deploying GPO (group policy object) rules to block interaction with the Windows Run box.<\/p>\n<p>After that, the report recommends the standard response for fighting all social engineering attacks: Effective employee security awareness training. \u201cEnsure users are trained on the ClickFix methodology,\u201d says the report, \u201cemphasizing that legitimate CAPTCHA or Windows Update processes will never require pasting and running commands.\u201d<\/p>\n<h2 class=\"wp-block-heading\">ClickFix warnings<\/h2>\n<p>Experts <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/08\/21\/think-before-you-clickfix-analyzing-the-clickfix-social-engineering-technique\/\" target=\"_blank\" rel=\"noopener\">have been warning about ClickFix attacks<\/a> (sometimes called pastejacking) since at least early 2024. They often start with a phishing lure that pulls the victim to a realistic fake landing page that purports to be a Windows Update page or a government department website. 
The heart of the attack is in giving users instructions that involve clicking on prompts and copying, pasting, and running commands directly in the Windows <em>Run<\/em> dialog box, Windows Terminal, or Windows PowerShell. This leads to the downloading of scripts that launch malware.<\/p>\n<p>Two new tactics are used in the latest ClickFix campaign, says Huntress:<\/p>\n<ul>\n<li>The use since early October of a fake blue Windows Update splash page in full-screen, displaying realistic \u201cWorking on updates\u201d animations that eventually conclude by prompting the user to follow the standard ClickFix pattern: open the Run prompt (Win+R), then paste and run the malicious command.<br \/>Why would an employee do this? Because the request is part of an alleged test to prove the victim is human. A screen saying \u201cHuman Verification. Follow 3 quick steps to verify you\u2019re not a robot.\u201d is displayed. It\u2019s like a CAPTCHA request, which is familiar to employees these days. In this case, the three steps are: press the Windows button + R (which opens the Run box); press CTRL + V (which pastes in a command that was automatically copied to the clipboard); and then press Enter to \u201cverify\u201d (which actually runs the command that triggers downloading of scripts).<\/li>\n<li>Steganography, which conceals the final malware stages within an image. Rather than simply appending malicious data to a file, the malicious code is encoded directly within the pixel data of PNG images, relying on specific colour channels to reconstruct and decrypt the payload in memory.<\/li>\n<\/ul>\n<p>In an email, report co-author Ana Pham said steganography is not new to malware operations. \u201cWhat stands out here is the implementation: rather than simply appending malicious data to an image file, this campaign encodes the payload directly into the RGB pixel values of PNG images, extracting shellcode by reading specific color channels and applying XOR decryption. 
It\u2019s a more involved approach than basic file-appending techniques, designed to evade signature-based detection.\u201d<\/p>\n<p>The Windows Update-themed tactic is particularly effective because it mimics something users expect to see: a full-screen Windows Update splash page with realistic animations, she said.<\/p>\n<p>\u201cGiven how convincing this lure is compared to standard \u2018robot verification\u2019 pages, it\u2019s reasonable to expect other threat actors will adopt similar approaches,\u201d she added. \u201cThe source code for these lures contains Russian-language comments and isn\u2019t heavily obfuscated, meaning it could be shared or copied by other groups relatively easily.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Attacks are now \u2018rampant\u2019<\/h2>\n<p>ClickFix has become rampant among Huntress\u2019 customers, she said, and is one of the most prevalent threats seen this year. In the past six months, the company has seen a 313% increase in ClickFix-related incidents.<\/p>\n<p>Huntress responded to 76 separate incidents tied to this specific campaign over a one month period from late September through October, with attacks targeting organizations across multiple regions, including the United States, Europe\/Middle East\/Africa, and Asia-Pacific.<\/p>\n<p>What ties the incidents together is a specific indicator, Pham said: the initial payload, which ultimately delivers the steganographic loader, always contains a URL where the second octet is encoded in hexadecimal format.<\/p>\n<p>Researchers at Palo Alto Networks Unit 42 threat intelligence division have also reported seeing more ClickFix attacks. <a href=\"https:\/\/unit42.paloaltonetworks.com\/preventing-clickfix-attack-vector\/\" target=\"_blank\" rel=\"noopener\">In a July report<\/a>, they said attackers lure victims into copying and pasting commands to apply quick fixes to common computer issues such as performance problems, missing drivers, or pop-up errors. 
Fake tech support forums are one way these attacks start. Threat actors have also been known, in other campaigns, to use fake DocuSign and Okta single-sign-on pages to trick users. Payloads include infostealers, remote access trojans (RATs), or tools that disable security.<\/p>\n<p>\u201cThis delivery method bypasses many standard detection and prevention controls,\u201d says the Palo Alto report. \u201cThere is no exploit, phishing attachment, or malicious link. Instead, potential victims unknowingly run the command themselves, through a trusted system shell. This method makes infections from ClickFix more complicated to detect than drive-by downloads or traditional malware droppers.\u201d<\/p>\n<p>In yet another instance, researchers at NCC Group today <a href=\"https:\/\/www.nccgroup.com\/research-blog\/fake-captcha-led-to-lumma\/\" target=\"_blank\" rel=\"noopener\">issued this report<\/a> on a ClickFix attack they discovered in May that involved a drive-by compromise and the use of a fake CAPTCHA popup, with the goal of installing the Lumma C2 Stealer.<\/p>\n<h2 class=\"wp-block-heading\">What CSOs should do<\/h2>\n<p>But CSOs aren\u2019t without defenses. One is disabling the Windows Run dialog through registry modifications or Group Policy. As well, they should audit the RunMRU registry key (which keeps a copy of the most recently executed commands from the Run window) during investigations to check if users have executed suspicious commands through the Run dialog. 
Palo Alto Networks notes some key indicators for suspicious RunMRU contents could be obfuscated content, keywords related to the download and execution of payloads from unknown or suspicious domains, and keywords indicating calls to administrative interfaces.<\/p>\n<p>Pham also said leaders should deploy endpoint monitoring for suspicious process chains, particularly watching for <em>explorer.exe<\/em> spawning <em>mshta.exe<\/em>, or PowerShell with unusual command-line arguments.<\/p>\n<p>Palo Alto Networks also warned that some attackers aim to avoid exposing their activity in the RunMRU registry key by presenting instructions to launch a terminal for PowerShell (Windows 11) or Command Prompt (Windows 10). EDR telemetry or Windows Event Logs will show signs of this tactic.<\/p>\n<p>While security awareness training is important, it shouldn\u2019t be the only line of defense, said Pham.<\/p>\n<p>\u201cClickFix succeeds because it exploits user trust and habitual behavior,\u201d she said. \u201cUsers instinctively trust CAPTCHA checks and Windows update screens as routine parts of their day. Even well-trained users can be caught off guard by a convincing full-screen Windows Update animation. The most effective [mitigation] approach combines user education with technical controls: disabling the Run dialog, monitoring for suspicious process behavior, and maintaining robust endpoint detection. 
Defense in depth matters here, training reduces the likelihood someone falls for the lure, but technical controls provide a safety net when they do.\u201d<\/p>\n<p>At this time Huntress doesn\u2019t have enough evidence to determine whether this specific campaign was run by a particular threat actor or multiple groups of threat actors, Pham noted.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>CSOs and Windows admins should disable the ability of personal computers to automatically run commands to block the latest version of the ClickFix social engineering attacks. This advice comes from researchers at Huntress, who this week warned that a new version of ClickFix-based attacks, where employees are tricked into running malicious commands, is circulating. The [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5948,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5947","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5947"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5947"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5947\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5948"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5947"}],"wp:term":[{"taxonomy":"categ
ory","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5947"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5947"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}