Windows Security Update Archives

Winsage

January 16, 2026

‘Fail To Shut Down’—Microsoft Issues Windows Update Warning

Microsoft has raised concerns about the shutdown process of Windows PCs, indicating complications following the January 13, 2026, security update. PCs with Secure Launch may fail to shut down or hibernate, instead restarting unexpectedly. A temporary solution is to use the Command Prompt with the command shutdown /s /t 0 for shutting down, but there is no workaround for the hibernation issue. Microsoft recommends saving work and shutting down devices to avoid power loss. Additionally, some users are facing credential prompt failures during Remote Desktop connections, affecting services like Azure Virtual Desktop and Windows 365. Alternatives include using the Remote Desktop client for Windows or the Windows App Web Client. An emergency update is expected to resolve these issues.

Winsage

December 5, 2025

Microsoft Silently Activates Critical Windows Security Update

Microsoft has enhanced its Windows security measures by addressing the CVE-2025-9491 vulnerability, which has existed for nearly eight years and was exploited by state-sponsored groups for cyber espionage and data theft. The vulnerability was previously identified as ZDI-CAN-25373 and ZDI-25-148 by Trend Micro. The November Patch Tuesday updates have fixed this issue, which was described as having been demoted from a vulnerability to a functional bug. The update modifies the Properties dialog of a .lnk file to display the entire Target command in a single line. Microsoft has not officially acknowledged the update but stated that it is continuously rolling out enhancements for security and user experience.

Winsage

November 25, 2025

JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers

Cybersecurity experts have identified a new campaign that combines ClickFix tactics with counterfeit adult websites to trick users into executing harmful commands under the guise of a "critical" Windows security update. This campaign uses fake adult sites, including clones of popular platforms, as phishing mechanisms, increasing psychological pressure on victims. ClickFix-style attacks have risen significantly, accounting for 47% of all attacks, according to Microsoft data. The campaign features convincing fake Windows update screens that take over the user's screen and instruct them to execute commands that initiate malware infections. The attack begins when users are redirected to a fake adult site, where they encounter an "urgent security update." The counterfeit Windows Update screen is created using HTML and JavaScript, and it attempts to prevent users from escaping the alert. The initial command executed is an MSHTA payload that retrieves a PowerShell script from a remote server, which is designed to deliver multiple payloads, including various types of malware. The downloaded PowerShell script employs obfuscation techniques and seeks to elevate privileges, potentially allowing attackers to deploy remote access trojans (RATs) that connect to command-and-control servers. The campaign has been linked to other malware execution chains that also utilize ClickFix lures. Security researchers recommend enhancing defenses through employee training and disabling the Windows Run box to mitigate risks associated with these attacks.

Winsage

November 25, 2025

Do Not Download These Windows Security Updates, Experts Warn

Security experts at Huntress have confirmed that hackers are using ClickFix malware to distribute fake Windows security updates, deceiving users into executing harmful commands. Over the past year, these attacks have increased, with both state-sponsored actors and cybercriminal organizations employing this tactic. Microsoft has indicated that ClickFix is the most frequently used method for gaining initial access, representing 47 percent of attacks noted in Microsoft Defender notifications. A report released on November 24 revealed a new wave of ClickFix attacks utilizing realistic Windows Security Update screens to deploy credential-stealing malware. The campaign employs steganography to conceal malware within PNG images, embedding harmful code directly within the pixel data. Windows users are advised to remain vigilant and recognize that legitimate updates will never request users to cut and paste commands into the Windows run prompt from a web page.

Winsage

November 25, 2025

ClickFix attack uses fake Windows Update screen to push malware

Recent observations have identified ClickFix attack variants where cybercriminals use deceptive Windows Update animations on full-screen browser pages to hide malicious code within images. Victims are misled into executing harmful commands through specific key sequences that copy and execute commands via JavaScript. Security researchers have documented these attacks since October, noting the use of LummaC2 and Rhadamanthys information stealers. Attackers utilize steganography to embed malware payloads within PNG images, reconstructing and decrypting them in memory using PowerShell and a .NET assembly called the Stego Loader. A dynamic evasion tactic known as ctrampoline complicates detection by initiating calls to numerous empty functions. The shellcode extracted from the encrypted image can execute various file types directly in memory. Following a law enforcement operation on November 13, the Rhadamanthys variant's payload delivery through fake Windows Update domains ceased, although the domains remain active. Researchers recommend disabling the Windows Run box and monitoring suspicious process chains to mitigate risks.

Winsage

November 25, 2025

ClickFix Attack Uses Steganography to Hide Malicious Code in Fake Windows Security Update Screen

A new wave of ClickFix attacks has emerged, using fake Windows Update screens and PNG image steganography to deploy infostealing malware like LummaC2 and Rhadamanthys. The attacks trick users into executing a command by pressing Win+R and pasting a command copied to their clipboard. Attackers have shifted from using “Human Verification” lures to more convincing full-screen fake Windows Update screens. The fake update prompts users to run a command that initiates mshta.exe with a URL containing a hex-encoded IP address, leading to the download of obfuscated PowerShell and .NET loaders. A notable feature of the campaign is the use of a .NET steganographic loader that hides shellcode within the pixel data of a PNG image, which is decrypted and reconstructed in memory. The shellcode is Donut-packed and injected into processes like explorer.exe using standard Windows APIs. Huntress has been monitoring these ClickFix clusters since early October, noting the use of the IP address 141.98.80[.]175 and various paths for the initial mshta.exe stage, with subsequent PowerShell stages hosted on domains linked to the same infrastructure. Despite the disruption of Rhadamanthys’ infrastructure in mid-November, active domains continue to serve the ClickFix lure, although the Rhadamanthys payload appears to be unavailable. To mitigate the attack, disabling the Windows Run box through Group Policy or registry settings is recommended, along with monitoring for suspicious activity involving explorer.exe. User education is critical, emphasizing that legitimate processes will not require pasting commands into the Run prompt. Analysts can check the RunMRU registry key to investigate potential ClickFix abuse.

Winsage

November 6, 2025

Windows security update triggers BitLocker recovery in some systems — bug mostly impacts Intel PCs with Modern Standby support

Microsoft has issued a service alert regarding the October 2025 Windows security update, warning that it may trigger BitLocker recovery on certain systems, specifically those running Windows 11 versions 24H2 and 25H2, as well as Windows 10 version 22H2. Affected devices may boot into the BitLocker recovery screen after installing updates released on or after October 14, 2025, requiring users to enter their recovery key. Similar issues have occurred in previous updates in May 2023, 2024, and 2022. Users should verify if BitLocker is enabled and retrieve their recovery key from their Microsoft account if needed. BitLocker is a security feature that protects data but can complicate access to local accounts if activated unexpectedly.

Winsage

October 24, 2025

Windows Server emergency patches fix WSUS bug with PoC exploit

Microsoft has released out-of-band security updates to address a critical-severity vulnerability in its Windows Server Update Service (WSUS), tracked as CVE-2025-59287. This remote code execution flaw affects Windows servers with the WSUS Server Role enabled, allowing low-complexity remote attacks without user interaction. If the WSUS server role is enabled and the fix is not installed, the server becomes vulnerable. Microsoft recommends that customers install the updates immediately and provided alternative measures, such as disabling the WSUS Server Role or blocking inbound traffic to Ports 8530 and 8531. The update is cumulative and supersedes all previous updates for affected versions. After installation, WSUS will no longer display synchronization error details as a temporary risk mitigation measure.

Winsage

October 24, 2025

Microsoft releases urgent fix for actively exploited WSUS vulnerability (CVE-2025-59287)

Microsoft has released an out-of-band security update to address the critical CVE-2025-59287 vulnerability, which affects Windows Server Update Services (WSUS) and is currently being exploited. This vulnerability allows unauthorized attackers to execute code on vulnerable machines without user interaction by sending specially crafted events to the WSUS server. It specifically impacts Windows Server machines with the WSUS Server role enabled. The initial fix provided in October 2025 was insufficient, leading to the release of this additional update. The German Federal Office for Information Security has raised concerns about potential exploitation if network configurations are not properly managed. Compromised WSUS servers could distribute malicious updates to client devices. The update is available for all supported Windows Server versions and requires a reboot. Administrators can temporarily disable the WSUS server role or block inbound traffic to specific ports if immediate implementation is not possible. This cumulative update supersedes all prior updates for affected versions.

Winsage

October 22, 2025

Windows update breaks USB support in recovery mode

Microsoft's security update KB5066835, released on October 14, 2025, has rendered USB mice and keyboards inoperable within the Windows Recovery Environment (WinRE). This issue affects users of Windows 11 24H2, 25H2, and Windows Server 2025. Bluetooth devices are also unsupported in WinRE due to its minimal driver set. Users can restore USB functionality by booting from a previously created USB recovery drive or by uninstalling the update if their system is still functioning. Microsoft has acknowledged the issue but has not provided a timeline for a fix.