pixel data Archives

AppWizard

January 20, 2026

A fan managed to run Windows 95 and classic Minecraft inside Hytale

Hytale launched in Early Access on January 13, 2026, and quickly gained popularity, achieving over 2 million mod downloads within 72 hours. A 15-year-old developer, @iamcxv711, successfully ran a fully functioning instance of Windows 95 and classic Minecraft (version 0.30) within Hytale, showcasing the game's modding capabilities. This was accomplished through map pixel data manipulation without external assets. The game's developers have emphasized its mod-friendly nature, supported by partnerships like CurseForge to facilitate user-generated content integration.

Winsage

December 4, 2025

This Windows Update Pop-Up Is a Scam

Hackers have exploited Windows update screens to deliver malware disguised as a "critical security update," a tactic known as the ClickFix attack. This attack uses social engineering techniques, including fake error messages and CAPTCHA forms, to trick users into executing harmful commands. The scam appears as a pop-up mimicking the standard Windows blue screen but originates from a malicious domain. Users are prompted to paste and execute harmful commands, leading to malware installation. Researchers from Huntress have detailed this attack, noting that malicious code can be embedded within PNG images. Although recent law enforcement actions have reduced the presence of malware payloads on these domains, the threat remains. Users should be cautious of any update screens that do not show a progress indicator or require manual command input, as these are signs of a ClickFix attack. Microsoft releases security updates on the second Tuesday of each month, and users are advised to enable automatic updates and consider disabling the Windows Run box for added security.

Winsage

November 25, 2025

Do Not Download These Windows Security Updates, Experts Warn

Security experts at Huntress have confirmed that hackers are using ClickFix malware to distribute fake Windows security updates, deceiving users into executing harmful commands. Over the past year, these attacks have increased, with both state-sponsored actors and cybercriminal organizations employing this tactic. Microsoft has indicated that ClickFix is the most frequently used method for gaining initial access, representing 47 percent of attacks noted in Microsoft Defender notifications. A report released on November 24 revealed a new wave of ClickFix attacks utilizing realistic Windows Security Update screens to deploy credential-stealing malware. The campaign employs steganography to conceal malware within PNG images, embedding harmful code directly within the pixel data. Windows users are advised to remain vigilant and recognize that legitimate updates will never request users to cut and paste commands into the Windows run prompt from a web page.

Winsage

November 25, 2025

ClickFix attack uses fake Windows Update screen to push malware

Recent observations have identified ClickFix attack variants where cybercriminals use deceptive Windows Update animations on full-screen browser pages to hide malicious code within images. Victims are misled into executing harmful commands through specific key sequences that copy and execute commands via JavaScript. Security researchers have documented these attacks since October, noting the use of LummaC2 and Rhadamanthys information stealers. Attackers utilize steganography to embed malware payloads within PNG images, reconstructing and decrypting them in memory using PowerShell and a .NET assembly called the Stego Loader. A dynamic evasion tactic known as ctrampoline complicates detection by initiating calls to numerous empty functions. The shellcode extracted from the encrypted image can execute various file types directly in memory. Following a law enforcement operation on November 13, the Rhadamanthys variant's payload delivery through fake Windows Update domains ceased, although the domains remain active. Researchers recommend disabling the Windows Run box and monitoring suspicious process chains to mitigate risks.

Winsage

November 25, 2025

Attackers are Using Fake Windows Updates in ClickFix Scams

Threat actors have adapted the ClickFix attack model, using a fraudulent Windows Update screen to disguise malicious code. This screen mimics the legitimate Windows Update interface and prompts users to execute harmful commands. The execution of these commands leads to the installation of LummaC2 and Rhadamanthys info-stealing malware. A report from ESET noted a 500% increase in ClickFix attacks, which now account for nearly 8% of all blocked attacks in early 2025. Huntress researchers tracked ClickFix lures that used steganography to deliver LummaC2 and Rhadamanthys malware, concealing malicious software within image files. The attacks involve a full-screen display that instructs users not to turn off their computers, ultimately prompting them to paste a malicious command. The execution process includes using mshta.exe and PowerShell to load and inject malicious assemblies. European law enforcement recently dismantled infrastructure used by threat actors, but Rhadamanthys is no longer distributed through the fraudulent Windows Update campaign. The use of steganography helps these payloads evade detection while relying on victims to manually execute commands.

Winsage

November 25, 2025

ClickFix Attack Uses Steganography to Hide Malicious Code in Fake Windows Security Update Screen

A new wave of ClickFix attacks has emerged, using fake Windows Update screens and PNG image steganography to deploy infostealing malware like LummaC2 and Rhadamanthys. The attacks trick users into executing a command by pressing Win+R and pasting a command copied to their clipboard. Attackers have shifted from using “Human Verification” lures to more convincing full-screen fake Windows Update screens. The fake update prompts users to run a command that initiates mshta.exe with a URL containing a hex-encoded IP address, leading to the download of obfuscated PowerShell and .NET loaders. A notable feature of the campaign is the use of a .NET steganographic loader that hides shellcode within the pixel data of a PNG image, which is decrypted and reconstructed in memory. The shellcode is Donut-packed and injected into processes like explorer.exe using standard Windows APIs. Huntress has been monitoring these ClickFix clusters since early October, noting the use of the IP address 141.98.80[.]175 and various paths for the initial mshta.exe stage, with subsequent PowerShell stages hosted on domains linked to the same infrastructure. Despite the disruption of Rhadamanthys’ infrastructure in mid-November, active domains continue to serve the ClickFix lure, although the Rhadamanthys payload appears to be unavailable. To mitigate the attack, disabling the Windows Run box through Group Policy or registry settings is recommended, along with monitoring for suspicious activity involving explorer.exe. User education is critical, emphasizing that legitimate processes will not require pasting commands into the Run prompt. Analysts can check the RunMRU registry key to investigate potential ClickFix abuse.

Winsage

November 25, 2025

New ClickFix attacks use fake Windows Updates to swipe creds

A surge in ClickFix attacks is occurring, where attackers use deceptive Windows update screens to trick users into downloading infostealer malware. This method has become the primary means of initial access for cybercriminals, as reported by Microsoft. State-sponsored actors and organized crime groups are increasingly using this tactic. Huntress security experts have noted a shift from traditional prompts to convincing fake Windows update screens, showcasing the attackers' adaptability. Cyber adversaries are utilizing a steganographic loader to deliver infostealing malware like Rhadamanthys, encoding malicious code within PNG images to evade detection. Between September 29 and October 30, 2025, Huntress investigated 76 incidents linked to this campaign across various regions, with one incident involving the IP address 141.98.80[.]175. Victims typically visit a malicious site that triggers a full-screen blue Windows Update screen, leading them to install a “critical security update” through a series of commands. This process involves executing a command that runs PowerShell code to deploy a steganographic loader, ultimately leading to the installation of Rhadamanthys, which captures login credentials. Comments in the lure site's source code are in Russian, suggesting the attackers' identity remains unknown. As of November 19, multiple domains continue to host the lure page, although the payload is no longer actively hosted. Organizations can defend against these attacks by blocking access to the Windows Run box and educating employees about the ClickFix technique.

AppWizard

October 15, 2025

Think You’re Safe? Hackers Can Now Peek at Every Password You Type on Android

Android smartphones are being targeted by malware named "Pixnapping," which uses pixel-stealing technology to extract information directly from the screen without requiring elevated permissions. This malware captures repeated background screenshots to read pixels, allowing it to surveil sensitive information such as messages, passwords, and two-factor authentication (2FA) codes. The extracted data is transmitted to a remote server controlled by attackers, enabling them to infiltrate accounts and perform actions like altering settings or making purchases. The malware's effectiveness varies by device, with a recovery rate of 53% for 2FA codes on the Pixel 9 and 73% on the Pixel 6. A vulnerability in Android APIs, designated as CVE-2025-48561, is exploited by this malware. Google was notified of the vulnerability in February and issued a partial fix in September, but the issue remains unresolved. Users are advised to keep their devices updated, enable built-in protections, avoid unverified apps, and consider hardware-based two-factor authentication for enhanced security.

AppWizard

October 15, 2025

Researchers expose critical Android flaw allowing apps to steal sensitive data

Security researchers have identified a data theft technique called Pixnapping that exploits vulnerabilities in Android devices, specifically targeting sensitive information from various applications without needing special permissions. This method allows malicious apps to capture data from other apps or websites, including sensitive information from platforms like Google Maps, Gmail, Signal, Venmo, and two-factor authentication codes from Google Authenticator. The technique utilizes a hardware side channel known as GPU.zip to read screen pixel data by measuring rendering times. The data leak rate is between 0.6 to 2.1 pixels per second, sufficient to reconstruct sensitive information. The vulnerability is designated as CVE-2025-48561 and affects Android versions 13 through 16, including devices like the Pixel 6 to 9 and Galaxy S25. A partial patch was released in September 2025, with a comprehensive solution expected in December. The attack allows benign applications from the Google Play Store to potentially spy on sensitive on-screen data, highlighting broader concerns regarding side-channel vulnerabilities that arise from hardware data processing rather than software bugs. While Google has stated there is no evidence of exploitation currently, the existence of this attack suggests that malware could bypass traditional security measures. Google is working on additional fixes to limit misuse of the blur API and improve detection capabilities, but the underlying GPU.zip vulnerability remains unresolved. Users are advised to avoid untrusted apps and keep their devices updated, as more side-channel attacks similar to Pixnapping may emerge in the future.

AppWizard

October 14, 2025

Pixnapping revives a 12-year-old browser trick to steal Android pixels

Security researchers have revived a 12-year-old browser attack, now adapted for Android devices, called "Pixnapping," which allows malicious applications to extract pixel data from other apps or websites. The attack involves a malicious app opening a target application, such as Google Authenticator, and using timing tricks to infer displayed content by measuring rendering times based on specific pixels. This attack has been successfully demonstrated on devices including Google Pixel 6, 7, 8, and 9, and Samsung Galaxy S25, all running Android versions 13 to 16. Pixnapping does not require special manifest permissions, complicating detection. It can extract sensitive information from apps like Google Maps, Signal, and Venmo, and capture two-factor authentication codes from Google Authenticator. The mechanism enabling this attack is likely present across a broader range of devices, but the research does not provide specific defenses against it.