A widespread malware campaign, identified as ClickFix, is actively compromising user systems through a dual-vector attack. The operators behind ClickFix are leveraging both steganography (here, concealing malicious code inside otherwise ordinary image files) and deceptive fake Windows update prompts to distribute their payload.
Analysis of the campaign reveals that victims are initially exposed to the threat through compromised websites hosting images that carry the payload. These images render normally to the user, but the ClickFix dropper is embedded within their data. In the second vector, users encounter pop-ups or dedicated web pages designed to mimic legitimate Microsoft Windows update notifications. These prompts urge users to download and run a "critical update", which is in fact the ClickFix installer.
Infection Vectors and Execution
The ClickFix campaign's success relies on its two distinct methods of delivery. The first method uses images with hidden malicious payloads. When a user visits a webpage containing one of these images, a script on the page decodes the hidden payload from the image data and launches it. Because the file is still a structurally valid image, filters that key on file type or magic bytes let it through; what remains detectable is the decoding script itself, and any data sitting where image data should not be.
The second method involves social engineering through fake Windows update alerts. These alerts are designed to create a sense of urgency, tricking users into manually downloading and executing the malware installer. The installer file is often disguised with a legitimate-looking name, such as `WindowsUpdate.exe` or `CriticalUpdateKB502113.exe`, to further deceive the user. Genuine Windows updates are delivered by the operating system's own update client, never as a browser download launched from a web page, which is the simplest tell for users and the most reliable signal for defenders: an executable with an update-style name running from a Downloads or Temp folder is not Windows Update.
ClickFix Payload and Observed Actions
Once executed on a system, the ClickFix malware establishes persistence to ensure it runs each time the computer is started. Its primary function is to perform ad fraud by silently clicking on online advertisements in the background. The malware operates by launching hidden browser instances to visit specific websites and generate fraudulent ad revenue for the campaign operators.
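Detection logic for the two host-side signals described in the delivery and payload sections above, update-lookalike installers launched from user-writable folders and browsers started without a visible window, as an added Python example run over constructed process-creation events (not code or telemetry from the page). The event fields, paths and heuristics are assumptions; the hidden-window switches listed are the ones worth checking first, not an exhaustive list.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # full path of the executable that started
    command_line: str
    parent_image: str   # full path of the parent process


# Names the fake-update lures use ("WindowsUpdate.exe", "CriticalUpdateKB502113.exe").
# The real update client (wuauclt.exe, usoclient.exe) lives in System32 and is never
# named this way, so name plus location is the discriminator, not name alone.
UPDATE_LOOKALIKE = re.compile(r"windows.?update|kb\d{4,}", re.I)
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\(downloads|desktop|appdata)\\", re.I)
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
# Switches that start a Chromium/Firefox window the user cannot see (assumed shortlist).
HIDDEN_FLAGS = ("--headless", "--window-position=-")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return (rule, image) pairs for events matching either heuristic."""
    hits = []
    for ev in events:
        name = basename(ev.image)
        if UPDATE_LOOKALIKE.search(name) and USER_WRITABLE.match(ev.image):
            hits.append(("fake-update-installer", ev.image))
        if name in BROWSERS:
            hidden = any(flag in ev.command_line.lower() for flag in HIDDEN_FLAGS)
            # A browser whose parent runs out of a profile folder was not started by the user.
            odd_parent = bool(USER_WRITABLE.match(ev.parent_image))
            if hidden or odd_parent:
                hits.append(("hidden-browser-launch", ev.image))
    return hits


# Constructed sample events, modelled on Sysmon-style process-creation records;
# none of these paths or parents come from a real incident.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Users\alice\Downloads\WindowsUpdate.exe",
                 r'"C:\Users\alice\Downloads\WindowsUpdate.exe"',
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Users\alice\AppData\Local\Temp\CriticalUpdateKB502113.exe",
                 r'"C:\Users\alice\AppData\Local\Temp\CriticalUpdateKB502113.exe" /silent',
                 r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    ProcessEvent(r"C:\Windows\System32\wuauclt.exe",           # the genuine client
                 r"C:\Windows\System32\wuauclt.exe",
                 r"C:\Windows\System32\svchost.exe"),
    ProcessEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless=new '
                 r"--disable-gpu https://ads.example.invalid/",
                 r"C:\Users\alice\AppData\Roaming\svchost.exe"),   # masquerading parent
    ProcessEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r'"C:\Program Files\Google\Chrome\Application\chrome.exe"',
                 r"C:\Windows\explorer.exe"),                      # ordinary user launch
]

if __name__ == "__main__":
    for rule, image in triage(SAMPLE_EVENTS):
        print(f"{rule:24} {image}")
```

Tuning notes: the browser rule deliberately ignores parent-is-browser chains (Chromium's own renderer and GPU children are spawned by chrome.exe from Program Files and never match USER_WRITABLE), and legitimate headless use by developer tooling will need an allow-list keyed on the parent, not on the switch.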
The malware also includes components to monitor user activity and inject additional ads into web browsing sessions. It has been observed modifying browser settings and redirecting search queries to ad-laden pages. All of these actions are performed without the user’s knowledge or consent, consuming system resources and compromising user privacy.