Two years ago, the company sold about 5,000 units of the Playground. Last year, that number was roughly 150,000. This year, it’s on track for 600,000. Before its pivot, Nex did about $3 million of annual revenue and wasn’t profitable. This year, the company is projecting more than $150 million of sales and says it’s on pace to finally break even.

Cybercriminals keep getting better at blending into the software you use every day. 

Over the past few years, we’ve seen phishing pages that copy banking portals, fake browser alerts that claim your device is infected and “human verification” screens that push you to run commands you should never touch. The latest twist comes from the ongoing ClickFix campaign.

Instead of asking you to prove you are human, attackers now disguise themselves as a Windows update. It looks convincing enough that you might follow the instructions without thinking, which is exactly what they want.

Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide — free when you join my CYBERGUY.COM newsletter.

NEW SCAM SENDS FAKE MICROSOFT 365 LOGIN PAGES

How the fake update works

Researchers noticed that ClickFix has upgraded its old trick. The campaign used to rely on human verification pages, but now you get a full-screen Windows update screen that looks almost identical to the real thing. Joe Security showed how the page displays fake progress bars, familiar update messages and a prompt that tells you to complete a critical security update.

If you are on Windows, the site tells you to open the Run box, copy something from your clipboard and paste it in. That “something” is a command that silently downloads a malware dropper. The final payload is usually an infostealer, which steals passwords, cookies and other data from your machine.

NEW EMAIL SCAM USES HIDDEN CHARACTERS TO SLIP PAST FILTERS

The moment you paste the command, the infection chain begins. First, a file called mshta.exe reaches out to a remote server and grabs a script. To avoid detection, these URLs often use hex encoding for parts of the address and rotate their paths. The script then runs obfuscated PowerShell code filled with junk instructions to throw researchers off. Once PowerShell does its work, it decrypts a hidden .NET assembly that functions as the loader.

Why is this attack so hard to detect?

The loader hides its next stage inside what looks like a regular PNG file. ClickFix uses custom steganography, which is a technique that hides secret data inside normal-looking content. In this case, the malware sits inside the image’s pixel data. The attackers tweak color values in certain pixels, especially in the red channel, to embed pieces of shellcode. When you view the image, everything appears normal.

The script knows exactly where the hidden data sits. It extracts the pixel values, decrypts them and rebuilds the malware directly in memory. That means nothing obvious is written to disk. Security tools that rely on file scanning miss it, since the shellcode never appears as a standalone file.

Once rebuilt, the shellcode is injected into a trusted Windows process like explorer.exe. The attack uses familiar in-memory techniques such as VirtualAllocEx, WriteProcessMemory and CreateRemoteThread. Recent ClickFix activity has delivered infostealers like LummaC2 and updated versions of Rhadamanthys. These tools are built to harvest credentials and send them back to the attacker with very little noise.

7 steps you can take to protect yourself from the ClickFix campaign

The best way to stay protected is to slow down for a moment and follow a few steps that cut off these attacks before they start.

1) Never run commands you didn’t ask for

If any site tells you to paste a command into Run, PowerShell or Terminal, treat it as an immediate warning sign. Real operating system updates never require you to run commands from a webpage. When you run that command, you hand full control to the attacker. If something feels off, close the page and don’t interact further.

2) Keep Windows updates inside Windows

Updates should only come from the Windows Settings app or through official system notifications. A browser tab or pop-up pretending to be a Windows update is always fake. If you see anything outside the normal update flow asking for your action, ignore it and check the real Windows Update page yourself.

3) Use a reputable antivirus

Choose a security suite that can detect both file-based and in-memory threats. Stealthy attacks like ClickFix avoid leaving obvious files for scanners to pick up. Tools with behavioral detection, sandboxing and script monitoring give you a much better chance of spotting unusual activity early.

The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have strong antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.

Get my picks for the best 2025 antivirus protection winners for your Windows, Mac, Android and iOS devices at Cyberguy.com.

4) Use a password manager

Password managers create strong, unique passwords for every account you use. They also autofill only on legitimate websites, which helps you catch fake login pages. If a manager refuses to fill out your credentials, take a second look at the URL before entering anything manually.

Next, see if your email has been exposed in past breaches. Our No. 1 password manager pick includes a built-in breach scanner that checks whether your email address or passwords have appeared in known leaks. If you discover a match, immediately change any reused passwords and secure those accounts with new, unique credentials.

Check out the best expert-reviewed password managers of 2025 at Cyberguy.com.

5) Use a personal data removal service

Many attacks start by targeting emails and personal details already exposed online. Data removal services help shrink your digital footprint by requesting takedowns from data broker sites that collect and sell your information. They can’t erase everything, but reducing your exposure means fewer attackers have easy access to your details.

While no service can guarantee the complete removal of your data from the internet, a data removal service is really a smart choice. They aren’t cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet. By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you.

Check out my top picks for data removal services and get a free scan to find out if your personal information is already out on the web by visiting Cyberguy.com.

Get a free scan to find out if your personal information is already out on the web: Cyberguy.com.

6) Check URLs before trusting anything

A convincing layout doesn’t mean it is legitimate. Always look at the domain name first. If it doesn’t match the official site or uses odd spelling or extra characters, close it. Attackers rely on the fact that people recognize a page’s design but ignore the address bar.

7) Close suspicious full-screen pages

Fake update pages often run in full-screen mode to hide the browser interface and make the page look like part of your computer. If a site suddenly goes full screen without your permission, exit with Esc or Alt+Tab. Once you’re out, scan your system and don’t return to that page.

Kurt’s key takeaway

ClickFix works because it leans on user interaction. Nothing happens unless you follow the instructions on the screen. That makes the fake Windows update page especially dangerous, because it taps into something most people trust. If you are used to Windows updates freezing your screen, you may not question a prompt that appears during the process. Cybercriminals know this. They copy trusted interfaces to lower your guard and then rely on you to run the final command. The technical tricks that follow are complex, but the starting point is simple. They need you to help them.

Do you ever copy commands from a website without thinking twice about what they do? Let us know by writing to us at Cyberguy.com.

CLICK HERE TO DOWNLOAD THE FOX NEWS APP

Sign up for my FREE CyberGuy Report 

Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide — free when you join my CYBERGUY.COM newsletter. 

Copyright 2025 CyberGuy.com.  All rights reserved.

A group of more than 150 parents sent a letter on Friday to New York governor Kathy Hochul, urging her to sign the Responsible AI Safety and Education (RAISE) Act without changes. The RAISE Act is a buzzy bill that would require developers of large AI models — like Meta, OpenAI, Deepseek, and Google — to create safety plans and follow transparency rules about reporting safety incidents.

The bill passed in both the New York State Senate and the Assembly in June. But this week, Hochul reportedly proposed a near-total rewrite of the RAISE Act that would make it more favorable to tech companies, akin to some of the changes made to California’s SB 53 after large AI companies weighed in on it.

Many AI companies, unsurprisingly, are squarely against the legislation. The AI Alliance, which counts
Meta, IBM, Intel, Oracle, Snowflake, Uber, AMD, Databricks, and Hugging Face among its members, sent a letter in June to New York lawmakers detailing their “deep concern” about the RAISE Act, calling it “unworkable.” And Leading the Future, the pro-AI super PAC backed by Perplexity AI, Andreessen Horowitz (a16z), OpenAI president Greg Brockman, and Palantir co-founder Joe Lonsdale, has been targeting New York State Assemblymember Alex Bores, who co-sponsored the RAISE Act, with recent ads.

Two organizations, ParentsTogether Action and the Tech Oversight Project, put together Friday’s letter to Hochul, which states that some of the signees had “lost children to the harms of AI chatbots and social media.” The signatories called the RAISE Act as it stands now “minimalist guardrails” that should be made law.

They also highlighted that the bill, as passed by the New York State Legislature, “does not regulate all AI developers – only the very largest companies, the ones spending hundreds of millions of dollars a year.” They would be required to disclose large-scale safety incidents to the attorney general and publish safety plans. The developers would also be prohibited from releasing a frontier model “if doing so would create an unreasonable risk of critical harm,” which is defined as the death or serious injury of 100 people or more, or $1 billion or more in damages to rights in money or property stemming from the creation of a chemical, biological, radiological, or nuclear weapon; or an AI model that “acts with no meaningful human intervention” and “would, if committed by a human,” fall under certain crimes.

“Big Tech’s deep-pocketed opposition to these basic protections looks familiar because we have
seen this pattern of avoidance and evasion before,” the letter states. “Widespread damage to young people —
including to their mental health, emotional stability, and ability to function in school — has been
widely documented ever since the biggest technology companies decided to push algorithmic
social media platforms without transparency, oversight, or responsibility.”