
New ClickFix Attack Tricks Users with ‘Fake OS Update’ to Execute Malicious Commands

A new ClickFix campaign is tricking users with a fake Windows update that runs in their browser. Called “Fake OS Update,” this scam takes advantage of people’s trust in the familiar blue screen of death (BSOD) from Microsoft.

It delivers malware and shows how social engineering can be more effective than technical tricks.

Cybersecurity researcher Daniel B., who works at the UK’s National Health Service, first spotted the attack last month while probing malicious online threats.

As detailed in his LinkedIn post, the scam operates primarily on the domain groupewadesecurity[.]com. Simply visiting the site, often via malvertising or spam links, triggers a full-screen overlay mimicking a Windows OS crash or update prompt.

The fake BSOD, complete with error codes and progress bars, appears on both PCs and smartphones, creating panic and urgency.

What sets this apart from earlier ClickFix variants is its multi-step deception. After the initial screen, victims are instructed to perform three “manual fixes” using keyboard shortcuts: pressing Ctrl+Alt+Del to “restart services,” entering a bogus command in a simulated command prompt, and finally downloading a “recovery tool” from a linked malicious site.

In reality, these actions grant attackers remote access or install infostealers and ransomware loaders. The campaign’s sophistication lies in its cross-device compatibility and avoidance of immediate redirects, making it harder for browser protections to flag.

ClickFix attacks, which trick users into “fixing” non-existent issues via clicks, have plagued browsers since 2020. But as attackers refine their tactics, employing hyper-realistic graphics, localized languages, and timely lures tied to real events like Patch Tuesday, this variant proves especially insidious.

Experts warn that such campaigns highlight a critical gap: while endpoint detection tools catch many automated threats, human error remains the weakest link.

“User vigilance and regular cybersecurity training are as vital as firewalls,” notes a spokesperson for the UK’s National Cyber Security Centre (NCSC).

Organizations should prioritize awareness programs that simulate these scenarios, alongside browser extensions such as uBlock Origin to block suspicious domains.
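Alongside blocking, defenders can check whether any client has already reached the domain named above by searching web proxy logs for it. The following is an added example, not part of the original article; the log layout (timestamp, client, URL, status), the sample lines, client addresses and the `cdn.` subdomain are constructed for illustration.

```python
from urllib.parse import urlsplit

# Indicator exactly as published in the article (defanged form).
DEFANGED_IOCS = ["groupewadesecurity[.]com"]

def refang(indicator):
    """Turn a defanged indicator into a plain lowercase hostname."""
    return indicator.replace("[.]", ".").strip().lower()

def host_of(value):
    """Extract the hostname from a URL or a bare host[:port] string."""
    if "://" not in value:
        value = "//" + value           # make urlsplit treat it as a netloc
    host = urlsplit(value).hostname or ""
    return host.rstrip(".").lower()    # drop a trailing root dot

def matches(host, domains):
    """True for an IoC domain or its subdomains; the leading dot keeps
    look-alikes such as 'not<domain>' from matching."""
    return any(host == d or host.endswith("." + d) for d in domains)

def hunt(log_lines, iocs=DEFANGED_IOCS, url_field=2):
    """Return (timestamp, client, url) for every line that hit an IoC."""
    domains = {refang(i) for i in iocs}
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) <= url_field:
            continue                   # malformed or truncated line
        try:
            host = host_of(fields[url_field])
        except ValueError:
            continue                   # unparsable URL field
        if matches(host, domains):
            hits.append((fields[0], fields[1], fields[url_field]))
    return hits

D = refang(DEFANGED_IOCS[0])
SAMPLE_LOG = [  # constructed log lines, assumed layout: time client url status
    f"2025-01-01T09:00:01Z 10.0.0.15 https://{D}/ 200",
    f"2025-01-01T09:00:05Z 10.0.0.22 https://cdn.{D.upper()}:443/update 200",
    f"2025-01-01T09:01:10Z 10.0.0.31 https://not{D}/ 200",
    f"2025-01-01T09:02:00Z 10.0.0.31 https://example.org/?ref={D} 200",
    f"2025-01-01T09:03:00Z 10.0.0.40 {D}.:443 200",
    "malformed",
]

if __name__ == "__main__":
    for ts, client, url in hunt(SAMPLE_LOG):
        print(ts, client, url)
```

Matching on the parsed hostname rather than a substring of the line avoids false positives from look-alike domains and from the indicator appearing in a query string.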


The post New ClickFix Attack Tricks Users with ‘Fake OS Update’ to Execute Malicious Commands appeared first on Cyber Security News.
