Top Highlights
- Threat actors are now using a sophisticated fake Windows Update screen to deploy malware, making the scam more convincing with realistic animations and prompts, leading victims to manually execute malicious commands via the Run prompt.
- The campaign utilizes steganography to hide payloads like LummaC2 and Rhadamanthys within image pixels, aiming to trick users into running commands that install infostealers and other malware.
- These ClickFix attacks have skyrocketed by over 500% in H1 2025, becoming the second most common attack vector after phishing, with threats expanding to ransomware, Trojans, cryptominers, and nation-state malware.
- Law enforcement actions have disrupted some campaigns, notably stopping the delivery of Rhadamanthys malware, but these delivery mechanisms and attack methods remain active and evolving.
The Core Issue
Threat actors are increasingly employing a sophisticated version of the ClickFix attack, which disguises malicious software as a convincing Windows Update screen. This new tactic leverages a full-screen, realistic update prompt that mimics legitimate Windows notifications, complete with animations and instructions, compelling users to follow a familiar pattern: opening the Run prompt and pasting a malicious command. Once executed, this command initiates a sequence involving PowerShell and reflective .NET assemblies, ultimately leading to the installation of the LummaC2 and Rhadamanthys malware—both designed to steal sensitive information. Researchers from Huntress have observed this campaign since October, noting that the malware is concealed within steganographic images to evade detection.
The reason behind these attacks is clear: by mimicking legitimate system updates, cybercriminals exploit user trust to facilitate malware deployment, bypassing traditional security measures. This campaign has targeted many individuals and organizations globally, resulting in widespread infections. Importantly, law enforcement efforts in Europe recently disrupted the infrastructure behind Rhadamanthys, temporarily halting its distribution. Nonetheless, these threats continue to evolve, with the attack method relying mainly on victims’ manual actions—such as copying commands into the Run box—which makes user vigilance crucial. Overall, this case exemplifies the increasing complexity and danger of social engineering scams that adapt quickly to security defenses.
Critical Concerns
The issue “Attackers are Using Fake Windows Updates in ClickFix Scams” poses a serious threat to your business because hackers deceive employees into clicking malicious links disguised as genuine updates. Consequently, this can lead to malware infections, data breaches, and operational disruptions. As a result, sensitive customer and company information may be compromised, causing legal and financial repercussions. Furthermore, such attacks erode trust with clients and damage your company’s reputation. In addition, recovery efforts require time and resources, diverting focus from core business activities. Ultimately, if not stopped, this scam can result in severe financial losses and long-term damage to your brand integrity.
Possible Remediation Steps
Prompted by the increasing sophistication of cyber threats, timely remediation is crucial in defending against evolving attack methods such as fake Windows updates used in ClickFix scams. Delays can allow malicious actors to harvest sensitive data, escalate access, or spread malware, thereby compounding damage and complicating recovery efforts.
Mitigation & Remediation
-
User Education
Inform users about recognizing legitimate Windows update prompts and the risks of clicking unknown links. -
Update Management
Ensure all systems automatically receive and install official updates directly from Microsoft. -
Endpoint Security
Deploy comprehensive anti-malware tools with real-time scanning to detect and block fake update sites and downloads. -
Network Defense
Implement URL filtering and DNS filtering to prevent access to known malicious domains associated with fake update scams. -
Incident Response
Establish a protocol for rapid investigation of suspicious update alerts, including isolating affected systems and analyzing malware. -
Vulnerability Patching
Regularly patch software vulnerabilities that could be exploited through fake update vectors. -
Monitoring & Alerts
Use security information and event management (SIEM) systems to monitor for signs of fake update activity and respond promptly.
Continue Your Cyber Journey
Stay informed on the latest Threat Intelligence and Cyberattacks.
Learn more about global cybersecurity standards through the NIST Cybersecurity Framework.
Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.
Cyberattacks-V1cyberattack-v1-multisource
