Do Not Download These Windows Security Updates, Experts Warn

Updated November 27 with another Windows update warning, along with threat intelligence from the Acronis Threat Research Unit on the use of fake Windows security updates in ClickFix attacks, in addition to the original Huntress report detailed previously.

It’s hard being a Windows user sometimes, with a constant flow of security alerts covering everything from hackers abusing ancient protocols to brand new vulnerabilities being exploited in attacks. The good news is that Microsoft issues security updates for all users, even those on the now unsupported Windows 10 operating system, if you know how to sign up for them. The bad news is that security updates can cause problems as well as solve them. The even worse news is that hackers have been using fake Windows security update screens as part of a ClickFix cyberattack campaign. Here’s what you need to know.


Experts Sound Alert Over Fake Windows Security Updates

Security experts at Huntress have confirmed that attackers using the ClickFix social engineering technique have been deploying fake Windows security update screens in their attacks.

ClickFix is a social engineering technique that tricks users into running malicious commands on their own machines, typically by presenting a fake error fix or an I-am-not-a-robot prompt and instructing the victim to copy a command and paste it into the Windows Run dialog. These attacks have surged over the past year, with both state-sponsored espionage groups and cybercriminal gangs using the technique to deliver malware. The irony is that Microsoft itself has already warned that ClickFix is the most commonly used method of gaining initial access, “accounting for 47 percent of attacks” observed in Microsoft Defender notifications.

The November 24 report revealed a new wave of ClickFix attacks, this time using what can only be described as extremely realistic and believable Windows Security Update screens to deploy credential-stealing malware. “A notable discovery during analysis was the campaign’s use of steganography to conceal the final malware stages within an image,” Huntress security analysts Ben Folland and Anna Pham said. “Rather than simply appending malicious data to a file, the malicious code is encoded directly within the pixel data of PNG images, relying on specific colour channels to reconstruct and decrypt the payload in memory.”
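To make the colour-channel technique Huntress describes concrete, here is an added example. It is not Huntress’s code and not the campaign’s actual encoding, which the report excerpt above does not publish. It assumes a simple container format invented for illustration: a 4-byte marker and a 4-byte big-endian length followed by the payload, written one byte per pixel into a single channel of the raw RGBA samples a PNG decoder hands back (no PNG parsing is done). The embedInChannel helper only constructs test input; locatePayload is the analyst-side scan that tries each channel in turn. No decryption step is shown because the report gives no detail on it.

```javascript
'use strict';

// Channel index within an RGBA sample (4 bytes per pixel).
const CHANNELS = { R: 0, G: 1, B: 2, A: 3 };

// Assumed container format (illustration only): a 4-byte marker, a 4-byte
// big-endian length, then the payload, one byte per pixel in one channel.
const MARKER = Buffer.from('STEG', 'ascii');

// Constructed-input helper: writes `payload` into `channel` of a width*height
// RGBA buffer whose other bytes hold deterministic filler, so the carrier
// channel is the only one with a recognisable container.
function embedInChannel(payload, width, height, channel) {
  const pixelCount = width * height;
  const pixels = Buffer.alloc(pixelCount * 4);
  for (let i = 0; i < pixels.length; i++) pixels[i] = (i * 37 + 11) & 0xff;
  const len = Buffer.alloc(4);
  len.writeUInt32BE(payload.length, 0);
  const container = Buffer.concat([MARKER, len, payload]);
  if (container.length > pixelCount) throw new Error('image too small for payload');
  for (let i = 0; i < container.length; i++) pixels[i * 4 + channel] = container[i];
  return pixels;
}

// Pull one channel out of the interleaved RGBA samples.
function channelBytes(pixels, channel) {
  const pixelCount = Math.floor(pixels.length / 4);
  const out = Buffer.alloc(pixelCount);
  for (let i = 0; i < pixelCount; i++) out[i] = pixels[i * 4 + channel];
  return out;
}

// Reconstruct a payload from one channel; null if no valid container is there.
function extractFromChannel(pixels, channel) {
  const bytes = channelBytes(pixels, channel);
  if (bytes.length < 8 || !bytes.subarray(0, 4).equals(MARKER)) return null;
  const len = bytes.readUInt32BE(4);
  if (len > bytes.length - 8) return null;
  return bytes.subarray(8, 8 + len);
}

// Analyst-side scan: which channel, if any, carries a container?
function locatePayload(pixels) {
  for (const [name, idx] of Object.entries(CHANNELS)) {
    const payload = extractFromChannel(pixels, idx);
    if (payload !== null) return { channel: name, payload };
  }
  return null;
}

// Stand-alone demo on constructed input.
const demoImage = embedInChannel(Buffer.from('constructed payload bytes', 'utf8'), 16, 16, CHANNELS.B);
const demoHit = locatePayload(demoImage);
console.log(demoHit.channel, demoHit.payload.toString('utf8'));
```

The point for defenders is that a file like this is a byte-for-byte valid PNG: signature checks, image viewers and simple “appended data after IEND” heuristics all pass, so detection has to happen where the payload is reconstructed and executed, not at the file level.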


Acronis Threat Research Unit Adds To Windows Security Update ClickFix Concerns

Security researchers at the Acronis Threat Research Unit have also confirmed what they are calling a “novel JackFix attack,” which combines a realistic “full-screen Windows Update of Critical Windows Security Updates” with a number of screen hijacking techniques. The psychological tricks employed by the attackers are in plain view, with fake porn sites used to spring the ClickFix Windows Update trap. “The adult theme, and possible connection to shady websites,” Eliad Kimhy from the Acronis TRU said, “adds to the victim’s psychological pressure, making victims more likely to comply with sudden security update installation instructions.”

The campaign, Kimhy warned, obfuscates both the commands used to carry out the attack and the payload itself, thereby evading current ClickFix prevention and detection methods and making it all the more dangerous.


This Windows 11 Security Update’s Bark is Worse than Its Bite

Just when you thought it might be safe to go back into the Windows security update water, there’s more unsettling news. That said, keeping the Jaws analogy going, this time it’s less of a Great White shark and more of an angry dolphin. By which I mean that its bite is nothing to be feared, even though it seems quite scary at first.

The issue is that, after installing Windows 11 updates released on or after the September 2025 preview update, some users report being asked to enter a PIN when signing in with a security key.

While this could easily be misread as yet another Windows update gone wrong, it is actually the opposite. If the relying party or identity provider requests user verification during authentication with a FIDO2 security key, the PIN prompt appears, and that is a good thing. Why? Because, as Microsoft has now explained, this is “intended behavior, implemented to remain compliant with WebAuthn specifications.”

The change began rolling out gradually to Windows 11 devices, according to Microsoft, after installation of the KB5065789 update on September 29. “The rollout was completed on Windows 11 clients after installing the Windows security update, November 11, 2025, KB5068861 (OS Builds 26200.7171 and 26100.7171), or later updates,” Microsoft has confirmed.

Support for the PIN prompt in the authentication flow was added so that behavior is consistent between registration and authentication. Microsoft has also provided a get-out for admins who do not want user verification, and so do not want users to create or enter a PIN for their security keys: set “userVerification” to “discouraged” in PublicKeyCredentialRequestOptions. Bear in mind that this also tells the authenticator not to verify who is holding the key, so the security key then proves possession only.
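The option Microsoft points to is a member of the publicKey request passed to navigator.credentials.get. The following added example (not Microsoft’s code, nor any identity provider’s) shows where it sits and what the relying party must check on the other side: the function names, the rpId login.example.com and the constructed authenticatorData buffer are assumptions for illustration.

```javascript
'use strict';

// Build the publicKey member of navigator.credentials.get({ publicKey }).
// requireUV=true  -> "required": the FIDO2 key must perform user
//                    verification; on updated Windows 11 clients that is
//                    the PIN prompt the article describes.
// requireUV=false -> "discouraged": possession only, no PIN prompt.
function buildAssertionRequest(challenge, credentialIds, requireUV) {
  return {
    challenge,                    // fresh random bytes issued by the server
    rpId: 'login.example.com',    // assumed relying party ID
    allowCredentials: credentialIds.map(id => ({ type: 'public-key', id })),
    userVerification: requireUV ? 'required' : 'discouraged',
    timeout: 60000,
  };
}

// Parse the flags byte of authenticatorData: it sits at offset 32, right
// after the 32-byte rpIdHash. Bit 0 = UP (user present), bit 2 = UV (user
// verified). A minimal assertion authenticatorData is 37 bytes
// (rpIdHash + flags + 4-byte signature counter).
function parseAuthenticatorFlags(authData) {
  if (authData.length < 37) throw new Error('authenticatorData too short');
  const flags = authData[32];
  return { up: (flags & 0x01) !== 0, uv: (flags & 0x04) !== 0 };
}

// Relying-party check. If the policy was "required", refuse assertions whose
// UV bit is clear; with "discouraged", user presence alone is accepted.
function assertionSatisfiesPolicy(authData, requireUV) {
  const f = parseAuthenticatorFlags(authData);
  if (!f.up) return false;
  return requireUV ? f.uv : true;
}

// Constructed sample authenticatorData with the given flags byte (no real
// rpIdHash or counter; enough for the flag check above).
function sampleAuthData(flags) {
  const buf = new Uint8Array(37);
  buf[32] = flags;
  return buf;
}

// Stand-alone demo.
const demoChallenge = new Uint8Array(32);
console.log(buildAssertionRequest(demoChallenge, [new Uint8Array(16)], false).userVerification);
console.log(assertionSatisfiesPolicy(sampleAuthData(0x05), true));
```

Setting userVerification to “discouraged” stops the PIN prompt on updated Windows 11 clients, but the relying party then gets no UV guarantee and must not treat the security key as anything more than proof of possession. Leaving the option at its WebAuthn default, “preferred”, or setting “required”, keeps the prompt. Whatever the policy, verify the UV flag in the returned authenticatorData rather than trusting the request options alone, since the options are only a request to the client.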


Windows User Recommendations To Mitigate The Latest ClickFix Attacks

All Windows users are advised to be alert to the latest ClickFix attacks. Mitigation is actually rather simple and, as with all the previous campaigns, it relies on understanding that a genuine Windows security update, just like the fake CAPTCHA screens used before, will never require you to copy commands from a web page and paste them into the Windows Run prompt, PowerShell or a terminal. It just doesn’t happen. If a page asks you to do that, close it. Stay safe out there, and heed this advice.
