
Hackers have taken a familiar social engineering trick to a whole new level, luring users in with a fake update and hiding the payload in pixels
A ClickFix attack tricks users into manually executing malicious commands on their own computers.
However, new research from Huntress reveals that what used to appear as basic ‘Human Verification’ pop-ups has now evolved into full-screen fake Windows Update pages that look almost identical to the real thing.
First spotted in October, the latest ClickFix campaigns force the browser into full-screen mode and display what appears to be a standard blue Windows Update page — complete with progress messages and the familiar “Working on updates” animation.
Once the fake update finishes, users are told to press Win + R and paste in a command, which kicks off the hidden malware chain.
Getting crafty with the pixels
In their blog, Huntress researchers Ben Folland and Anna Pham observe that what sets this campaign apart is the way the malware is concealed. Instead of storing the code in a conventional location, attackers are hiding it inside the pixel data of a PNG image.
Specific colour channels within the picture carry fragments of the code, which are reconstructed and decrypted in memory when the attack script runs.
In this investigation, Huntress discovered that the malware extracts the shellcode from the byte data within the red channel of the image, ignoring the data in the other channels. From this point the image delivers the malware, often infostealers such as LummaC2 or Rhadamanthys.
Folland points out that because the malicious components operate in memory, they are much harder for traditional antivirus tools to detect.
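A defender-side triage check for this hiding technique, added here as an example (it is not Huntress's tooling or the campaign's own code): it decodes a PNG using only the standard library and compares the Shannon entropy of each colour channel, because a channel that carries an encrypted blob looks far more random than the channels that still hold picture data. It generalises slightly beyond the article by flagging whichever single channel stands out, not only red; the 8-bit non-interlaced RGB/RGBA assumption, the 2-bit gap threshold and the constructed sample image are all assumptions.

```python
import math, random, struct, zlib
from collections import Counter

def _paeth(a, b, c):  # PNG filter type 4 predictor
    p = a + b - c
    pa, pb, pc = abs(p - a), abs(p - b), abs(p - c)
    return a if pa <= pb and pa <= pc else (b if pb <= pc else c)

def png_channels(png: bytes) -> dict:  # 8-bit RGB/RGBA PNG -> one byte string per channel
    assert png[:8] == b"\x89PNG\r\n\x1a\n", "not a PNG"
    pos, idat = 8, b""
    while pos < len(png):  # walk the chunk list, keeping IHDR and the IDAT stream
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        body = png[pos + 8:pos + 8 + length]
        if ctype == b"IHDR":
            w, h, depth, color, _, _, interlace = struct.unpack(">IIBBBBB", body[:13])
            assert depth == 8 and color in (2, 6) and interlace == 0, "unsupported PNG layout"
            bpp = 3 if color == 2 else 4
        elif ctype == b"IDAT":
            idat += body
        pos += 12 + length
    raw, stride = zlib.decompress(idat), w * bpp
    prev, pixels = bytearray(stride), bytearray()
    for row in range(h):  # undo the per-scanline filter (types 0-4) to get raw samples
        off = row * (stride + 1)
        ftype, line = raw[off], bytearray(raw[off + 1:off + 1 + stride])
        for i in range(stride):
            a, b, c = (line[i - bpp] if i >= bpp else 0), prev[i], (prev[i - bpp] if i >= bpp else 0)
            line[i] = (line[i] + (0, a, b, (a + b) // 2, _paeth(a, b, c))[ftype]) & 0xFF
        pixels += line
        prev = line
    return {n: bytes(pixels[i::bpp]) for i, n in enumerate("RGBA"[:bpp])}
def entropy(data: bytes) -> float:  # Shannon entropy in bits per byte (0..8)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def suspicious_channel(png: bytes, gap: float = 2.0):  # channel >= gap bits more random than the rest, else None
    ent = {k: entropy(v) for k, v in png_channels(png).items()}
    top = max(ent, key=ent.get)
    return top if ent[top] - max(v for k, v in ent.items() if k != top) >= gap else None

def make_png(w: int, h: int, rgb: bytes) -> bytes:  # constructed-sample encoder: RGB, filter 0
    chunk = lambda t, b: struct.pack(">I", len(b)) + t + b + struct.pack(">I", zlib.crc32(t + b))
    rows = b"".join(b"\x00" + rgb[r * w * 3:(r + 1) * w * 3] for r in range(h))
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", struct.pack(">IIBBBBB", w, h, 8, 2, 0, 0, 0))
            + chunk(b"IDAT", zlib.compress(rows)) + chunk(b"IEND", b""))
# Constructed sample: flat grey 64x64 image whose red channel alone holds random-looking bytes
rng = random.Random(7)
STEGO = make_png(64, 64, b"".join(bytes([rng.randrange(256), 120, 120]) for _ in range(4096)))
```

Run `suspicious_channel(STEGO)` to see the red channel flagged; a real photo usually has similar entropy across channels, so a large gap is a signal worth a closer look rather than proof on its own.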
“This convincing full-screen Windows Update with realistic animations and framing the malicious instruction as a necessary technical fix suggests that attackers are refining both their technical methods and their psychological manipulation,” says Folland.
Once the bogus update process “completes”, users are instructed to hit Win+R and paste the malicious command, triggering the hidden execution chain.
ClickFix relies on users trusting what they see rather than on software vulnerabilities. Attackers have moved beyond simple "Fake CAPTCHA" lures, and this highly realistic bogus update page may trick many everyday users.
ClickFix attacks have got smarter
As Folland puts it: “ClickFix campaigns exploit a significant gap in cybersecurity awareness.”
“While users are routinely trained to spot suspicious emails and avoid clicking unknown links, fewer are taught that using their own keyboard shortcuts - specifically the "Win+R" and paste commands - can pose a serious threat,” he adds.
Huntress stresses that genuine Windows updates will never ask users to open the Run box or paste in commands, and any prompt that does should be treated as suspicious. Another red flag is unusual behaviour such as Explorer launching PowerShell.
The cybersecurity company also advises organisations to restrict use of the ‘Win + R’ shortcut in environments where it isn’t needed.