

Ethical Hacking News

The ClickFix Attack: A Sophisticated Social-Engineering Campaign Targeting Windows Users



In a recent security incident, researchers at managed security services provider Huntress reported the emergence of a sophisticated social-engineering attack known as ClickFix. The attack uses fake Windows Update screens to trick users into executing malicious code, which ultimately leads to the installation of information-stealing malware on their systems.

  • The ClickFix attack is a sophisticated social-engineering attack that uses fake Windows Update screens to trick users into executing malicious code.
  • The attack has been widely adopted by cybercriminals due to its high effectiveness and has continually evolved with increasingly advanced lures.
  • The threat actors use steganography to encode the final malware payload inside an image, relying on specific colour channels to reconstruct and decrypt it in memory.
  • The entire process involves multiple stages using PowerShell code and a .NET assembly responsible for reconstructing the final payload.
  • Users can protect themselves from this attack by disabling the Windows Run box and monitoring for suspicious process chains, as well as checking the RunMRU registry key.



According to Huntress, the attack has been widely adopted by cybercriminals across all tiers due to its high effectiveness and has continually evolved, with increasingly advanced and deceptive lures. The new ClickFix variants have been observed since October 1st; in them the pretext for executing dangerous commands was completing the installation of a critical Windows security update, or the "human verification" lure.

The fake update page instructs victims to press specific keys in a certain sequence, which pastes and executes attacker-supplied commands that were automatically copied to the clipboard by JavaScript running on the site. In one variant, the attackers use a human verification page; in another, they rely on the fake Windows Update screen.

In both cases, the threat actors used steganography to encode the final malware payload inside an image. "Rather than simply appending malicious data to a file, the malicious code is encoded directly within the pixel data of PNG images, relying on specific colour channels to reconstruct and decrypt the payload in memory," Huntress researchers explain.

Delivering the final payload starts with using the mshta Windows-native binary to execute malicious JavaScript code. The entire process involves multiple stages that use PowerShell code and a .NET assembly (the Stego Loader) responsible for reconstructing the final payload, which is embedded inside a PNG file in an encrypted state.

Inside Stego Loader's manifest resources there is an AES-encrypted blob that is actually a steganographic PNG file containing shellcode, which is reconstructed using custom C# code. Huntress researchers noticed that the threat actor used a dynamic evasion tactic, commonly referred to as ctrampoline, in which the entry point function starts by calling 10,000 empty functions.

The shellcode holding the infostealer samples is extracted from the encrypted image and is packed using the Donut tool, which allows VBScript, JScript, EXE and DLL files, and .NET assemblies to be executed in memory. After unpacking, Huntress researchers were able to retrieve the malware, which in the analyzed attacks was LummaC2 and Rhadamanthys.

To stay safe from this type of ClickFix attack, the researchers recommend disabling the Windows Run box and monitoring for suspicious process chains, such as explorer.exe spawning mshta.exe or PowerShell. Additionally, when investigating an incident, analysts can check the RunMRU registry key to see whether the user entered commands in the Windows Run box.
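The three checks above (Run box history in RunMRU, explorer.exe spawning mshta.exe or PowerShell, and whether the Run box is disabled) can be scripted for host triage. The following is an added example written for this article, not code from Huntress or from the original report. It assumes Sysmon is installed and logging process creation (Event ID 1) to the Microsoft-Windows-Sysmon/Operational channel, and the keyword pattern used to flag Run box entries is this example's own choice, not an indicator published by the researchers.

```powershell
# Added example: ClickFix-style host triage (not from the Huntress report).
# Assumes Sysmon Event ID 1 logging; registry paths are the standard Explorer keys.

# 1. Run box history. Explorer stores each entry as a single-letter value ending in "\1",
#    and MRUList lists those letters most-recent-first.
function Get-RunMruHistory {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    if (-not (Test-Path $key)) { return @() }
    $props = Get-ItemProperty -Path $key
    $order = [string]$props.MRUList
    if (-not $order) { return @() }
    foreach ($letter in $order.ToCharArray()) {
        $slot = [string]$letter
        $raw  = $props.$slot
        if ($null -ne $raw) {
            [pscustomobject]@{
                Slot    = $slot
                Command = ($raw -replace '\\1$', '')   # strip the trailing "\1" marker
            }
        }
    }
}

# Keywords this example treats as worth a look in a Run box entry (assumption, not an IoC list).
$suspiciousPattern = 'mshta|powershell|pwsh|\bcmd\b|curl|bitsadmin|certutil|http'

function Find-SuspiciousRunMru {
    Get-RunMruHistory | Where-Object { $_.Command -match $suspiciousPattern }
}

# 2. Process chains: explorer.exe as the parent of mshta.exe or PowerShell in Sysmon events.
function Find-SuspiciousProcessChains {
    param([int]$HoursBack = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1
        StartTime = (Get-Date).AddHours(-$HoursBack)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data.ParentImage -match '\\explorer\.exe$' -and
            $data.Image -match '\\(mshta|powershell|pwsh)\.exe$') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Parent      = $data.ParentImage
                Child       = $data.Image
                CommandLine = $data.CommandLine
            }
        }
    }
}

# 3. Is the Run box disabled for this user? The "Remove Run menu from Start Menu" policy
#    sets NoRun = 1 under the Explorer policies key.
function Test-RunBoxDisabled {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $key)) { return $false }
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).NoRun
    return ($val -eq 1)
}

"Run box disabled: $(Test-RunBoxDisabled)"
"--- Suspicious Run box history ---"
Find-SuspiciousRunMru | Format-Table -AutoSize
"--- explorer.exe -> mshta/PowerShell (last 24h, Sysmon) ---"
Find-SuspiciousProcessChains | Format-Table -AutoSize
```

RunMRU is per-user, so run the script in the context of the account being investigated (or load that user's NTUSER.DAT hive). A hit in RunMRU is evidence that a command was typed or pasted into the Run box; a matching Sysmon chain shortly afterwards ties it to actual execution.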

The Rhadamanthys variant that used the Windows Update lure was first spotted by researchers back in October, before Operation Endgame took down parts of its infrastructure on November 13. Huntress reports that the law enforcement operation resulted in the payload no longer being delivered on the fake Windows Update domains, which are still active.

The ClickFix attack is a significant threat to Windows users, as it relies on social engineering tactics to trick users into executing malicious code. By understanding how the attack works and taking preventative measures, users can protect themselves from this sophisticated campaign.



Related Information:
  • https://www.ethicalhackingnews.com/articles/The-ClickFix-Attack-A-Sophisticated-Social-Engineering-Campaign-Targeting-Windows-Users-ehn.shtml
  • https://www.bleepingcomputer.com/news/security/clickfix-attack-uses-fake-windows-update-screen-to-push-malware/

  • Published: Mon Nov 24 14:50:14 2025 by llama3.2 3B Q4_K_M