steganography Archives

AppWizard

November 26, 2025

Android users told to delete apps immediately after cyber attack infestation

Hundreds of Android applications have been compromised by SlopAds ad fraud malware, leading to their removal from the Google Play Store. A total of 224 apps were identified, collectively downloaded over 38 million times. The malware employs techniques like steganography to hide its activities and redirect users to malicious sites. Google has removed all identified malicious apps and will alert users to uninstall them. Android users are advised to activate Google Play Protect for enhanced security. The ad fraud undermines the integrity of legitimate advertisers and developers.

Winsage

November 25, 2025

JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers

Cybersecurity experts have identified a new campaign that combines ClickFix tactics with counterfeit adult websites to trick users into executing harmful commands under the guise of a "critical" Windows security update. This campaign uses fake adult sites, including clones of popular platforms, as phishing mechanisms, increasing psychological pressure on victims. ClickFix-style attacks have risen significantly, accounting for 47% of all attacks, according to Microsoft data. The campaign features convincing fake Windows update screens that take over the user's screen and instruct them to execute commands that initiate malware infections. The attack begins when users are redirected to a fake adult site, where they encounter an "urgent security update." The counterfeit Windows Update screen is created using HTML and JavaScript, and it attempts to prevent users from escaping the alert. The initial command executed is an MSHTA payload that retrieves a PowerShell script from a remote server, which is designed to deliver multiple payloads, including various types of malware. The downloaded PowerShell script employs obfuscation techniques and seeks to elevate privileges, potentially allowing attackers to deploy remote access trojans (RATs) that connect to command-and-control servers. The campaign has been linked to other malware execution chains that also utilize ClickFix lures. Security researchers recommend enhancing defenses through employee training and disabling the Windows Run box to mitigate risks associated with these attacks.

Winsage

November 25, 2025

Do Not Download These Windows Security Updates, Experts Warn

Security experts at Huntress have confirmed that hackers are using ClickFix malware to distribute fake Windows security updates, deceiving users into executing harmful commands. Over the past year, these attacks have increased, with both state-sponsored actors and cybercriminal organizations employing this tactic. Microsoft has indicated that ClickFix is the most frequently used method for gaining initial access, representing 47 percent of attacks noted in Microsoft Defender notifications. A report released on November 24 revealed a new wave of ClickFix attacks utilizing realistic Windows Security Update screens to deploy credential-stealing malware. The campaign employs steganography to conceal malware within PNG images, embedding harmful code directly within the pixel data. Windows users are advised to remain vigilant and recognize that legitimate updates will never request users to cut and paste commands into the Windows run prompt from a web page.

Winsage

November 25, 2025

ClickFix attack uses fake Windows Update screen to push malware

Recent observations have identified ClickFix attack variants where cybercriminals use deceptive Windows Update animations on full-screen browser pages to hide malicious code within images. Victims are misled into executing harmful commands through specific key sequences that copy and execute commands via JavaScript. Security researchers have documented these attacks since October, noting the use of LummaC2 and Rhadamanthys information stealers. Attackers utilize steganography to embed malware payloads within PNG images, reconstructing and decrypting them in memory using PowerShell and a .NET assembly called the Stego Loader. A dynamic evasion tactic known as ctrampoline complicates detection by initiating calls to numerous empty functions. The shellcode extracted from the encrypted image can execute various file types directly in memory. Following a law enforcement operation on November 13, the Rhadamanthys variant's payload delivery through fake Windows Update domains ceased, although the domains remain active. Researchers recommend disabling the Windows Run box and monitoring suspicious process chains to mitigate risks.

Winsage

November 25, 2025

Attackers are Using Fake Windows Updates in ClickFix Scams

Threat actors have adapted the ClickFix attack model, using a fraudulent Windows Update screen to disguise malicious code. This screen mimics the legitimate Windows Update interface and prompts users to execute harmful commands. The execution of these commands leads to the installation of LummaC2 and Rhadamanthys info-stealing malware. A report from ESET noted a 500% increase in ClickFix attacks, which now account for nearly 8% of all blocked attacks in early 2025. Huntress researchers tracked ClickFix lures that used steganography to deliver LummaC2 and Rhadamanthys malware, concealing malicious software within image files. The attacks involve a full-screen display that instructs users not to turn off their computers, ultimately prompting them to paste a malicious command. The execution process includes using mshta.exe and PowerShell to load and inject malicious assemblies. European law enforcement recently dismantled infrastructure used by threat actors, but Rhadamanthys is no longer distributed through the fraudulent Windows Update campaign. The use of steganography helps these payloads evade detection while relying on victims to manually execute commands.

Winsage

November 25, 2025

ClickFix Attack Uses Steganography to Hide Malicious Code in Fake Windows Security Update Screen

A new wave of ClickFix attacks has emerged, using fake Windows Update screens and PNG image steganography to deploy infostealing malware like LummaC2 and Rhadamanthys. The attacks trick users into executing a command by pressing Win+R and pasting a command copied to their clipboard. Attackers have shifted from using “Human Verification” lures to more convincing full-screen fake Windows Update screens. The fake update prompts users to run a command that initiates mshta.exe with a URL containing a hex-encoded IP address, leading to the download of obfuscated PowerShell and .NET loaders. A notable feature of the campaign is the use of a .NET steganographic loader that hides shellcode within the pixel data of a PNG image, which is decrypted and reconstructed in memory. The shellcode is Donut-packed and injected into processes like explorer.exe using standard Windows APIs. Huntress has been monitoring these ClickFix clusters since early October, noting the use of the IP address 141.98.80[.]175 and various paths for the initial mshta.exe stage, with subsequent PowerShell stages hosted on domains linked to the same infrastructure. Despite the disruption of Rhadamanthys’ infrastructure in mid-November, active domains continue to serve the ClickFix lure, although the Rhadamanthys payload appears to be unavailable. To mitigate the attack, disabling the Windows Run box through Group Policy or registry settings is recommended, along with monitoring for suspicious activity involving explorer.exe. User education is critical, emphasizing that legitimate processes will not require pasting commands into the Run prompt. Analysts can check the RunMRU registry key to investigate potential ClickFix abuse.

AppWizard

November 3, 2025

Android users urged to delete hundreds of apps immediately in cyber attack warning

A new wave of cyber attacks targeting Android users has been identified, involving 224 compromised applications that have collectively amassed over 38 million downloads from the Google Play Store. This threat, named SlopAds by the Satori Threat Intelligence and Research Team, involves sophisticated advertising fraud techniques, including steganography, to generate illicit revenue through harmful ads embedded in apps. Google has removed all compromised applications from the Play Store and will notify users to uninstall them. Users are advised to enable Google’s Play Protect feature to safeguard against malicious applications. Ad fraud not only affects individual users but also undermines trust in the advertising ecosystem.

AppWizard

November 3, 2025

Hack alert as Android users warned to uninstall these risky apps

HUMAN's Satori Threat Intelligence and Research Team has identified and dismantled an ad fraud scheme called SlopAds, linked to 224 applications that have over 38 million downloads from Google Play across 228 countries. The perpetrators used techniques like steganography to embed fraudulent payloads in apps, creating hidden WebViews that redirected users to cashout sites for generating illegitimate ad impressions and clicks. Google has removed all identified malicious applications and will notify affected users to uninstall them. Users are encouraged to enable Google's Play Protect feature to prevent future threats. Ad fraud poses risks to advertisers and developers by tricking ad networks into accepting fraudulent ads. Invalid traffic can arise from developers using prohibited ad practices, undermining trust in the mobile advertising ecosystem. Users are advised to uninstall flagged applications to protect their devices.

AppWizard

November 3, 2025

Android warning as hundreds of apps should be deleted after cyber attack

A cyber attack known as SlopAds has compromised 224 Android applications, which have been downloaded over 38 million times from the Google Play Store. The attack involves malicious advertisements that deceive users into providing personal and financial information. The Satori Threat Intelligence and Research Team reported that the threat actors use techniques like steganography and hidden WebViews to direct users to fraudulent cashout sites. Google has removed all identified problematic apps from the Play Store and will alert users who downloaded them to uninstall them. Android users are advised to activate the Google Play Protect feature to prevent future threats. Ad fraud not only affects individual users but also undermines the integrity of reputable advertisers and developers.

BetaBeacon

October 29, 2025

These Apps for Android and iPhone Are Free For a Short Time

The deals for the free apps and games were live as of the publishing date. It is recommended to check the details of the apps before downloading them to be aware of any special features or disadvantages. Users should be cautious of hidden in-app purchases and advertisements, especially when downloading games for children. It is important to read the app permissions to protect personal information from unauthorized access.