This Windows Update Screen Is Actually a Hacker’s Trap

Don’t miss out on our latest stories. Add PCMag as a preferred source on Google.

A new attack is mimicking a Windows update to try and trick users into executing malicious commands, likely to install malware. 

A cybersecurity researcher at the UK’s National Health Service, Daniel B., spotted the attack while investigating malicious online threats. It’s been running at the groupewadesecurity[.]com domain for the last month. Visiting the site seemingly triggers a PC or even a smartphone to display a full-blown blue screen dressed up like a Windows update, which urges the user to complete three more manual steps from their keyboard.  

In reality, the blue screen is a trap from a hacker. The fake Windows update is merely being displayed from the internet domain, and abusing the Fullscreen application programming interface (API) in browsers to take over the entire screen space. 

The fake update screen then encourages the user to press the Windows button together with the R key—a little-known function to open the run dialog box, a way to launch programs on a Windows PC. All the while it’ll copy malicious instructions to the user’s clipboard. 

The fake update screen then instructs the user to press “CTRL + V”—the paste function—and then press enter. If a victim falls for the trick, they’ll unknowingly run a command, causing their Windows PC to execute computer code from the hacker’s malicious domain. 

Other variations of ClickFix (Credit: KnowBe4)

The threat builds on the “ClickFix” technique that’s been targeting Windows PCs for the last year. The tactic tries to trick the user into running the same commands to install malware. In the past, hackers have used the ClickFix technique in fake pages posing as CAPTCHA tests, Chrome browser errors, or government websites. But it looks like the attackers are coming up with more innovative ways to dupe potential victims. 

“The more recent ClickFix campaigns like these fake Windows update pages are a powerful reminder that user vigilance and cybersecurity awareness training are just as critical as technical defenses,” Daniel B. added. 

Fortunately, the attack is easy to foil and spot. That’s because no legitimate site or service will ask you to perform such commands on your computer. The attack is also essentially scareware coming through the browser that can be easily shut down by closing the browser tab or window. Google’s Chrome will also advise you to press “ESC” to return to the normal view when the browser goes into full-screen mode. 

Still, cybersecurity vendors are reporting a surge in ClickFix-related attacks, which can overcome traditional antivirus software since the user is unwittingly orchestrating the malware infection. “The list of threats that ClickFix attacks lead to is growing by the day, including infostealers, ransomware, remote access trojans, cryptominers, post-exploitation tools, and even custom malware from nation-state-aligned threat actors,” ESET said in June.

Get Our Best Stories!

Stay Safe With the Latest Security News and Updates

Sign up for our SecurityWatch newsletter for our most important privacy and security stories delivered right to your inbox.

Sign up for our SecurityWatch newsletter for our most important privacy and security stories delivered right to your inbox.

By clicking Sign Me Up, you confirm you are 16+ and agree to our Terms of Use and Privacy Policy.

Thanks for signing up!

Your subscription has been confirmed. Keep an eye on your inbox!

About Our Expert

Michael Kan

Senior Reporter

---

Experience

I’ve been a journalist for over 15 years. I got my start as a schools and cities reporter in Kansas City and joined PCMag in 2017, where I cover satellite internet services, cybersecurity, PC hardware, and more. I’m currently based in San Francisco, but previously spent over five years in China, covering the country’s technology sector.

Since 2020, I’ve covered the launch and explosive growth of SpaceX’s Starlink satellite internet service, writing 600+ stories on availability and feature launches, but also the regulatory battles over the expansion of satellite constellations, fights with rival providers like AST SpaceMobile and Amazon, and the effort to expand into satellite-based mobile service. I’ve combed through FCC filings for the latest news and driven to remote corners of California to test Starlink’s cellular service.

I also cover cyber threats, from ransomware gangs to the emergence of AI-based malware. Earlier this year, the FTC forced Avast to pay consumers $16.5 million for secretly harvesting and selling their personal information to third-party clients, as revealed in my joint investigation with Motherboard.

I also cover the PC graphics card market. Pandemic-era shortages led me to camp out in front of a Best Buy to get an RTX 3000. I’m now following how President Trump’s tariffs will affect the industry. I’m always eager to learn more, so please jump in the comments with feedback and send me tips.

Read Full Bio