Navigation section

ClickFix Attacks: Fake Windows Update and Stego Loader Unveiled

  • Thread Author
A convincing fake Windows Update screen is the latest disguise in the evolving ClickFix campaign, and the attack chain’s new tricks — automatic clipboard poisoning, PNG steganography and a .NET “Stego Loader” — show a clear shift from simple social engineering to multi-stage, fileless delivery techniques that are far harder to detect and remediate.

Neon Windows Update screen shows 'Urgent' with a loading bar and Stego Loader.Background / Overview​

ClickFix is a social-engineering family of attacks that tricks victims into copying and pasting commands into OS dialogs or terminals, thereby executing attacker-supplied code with their own privileges. The technique has circulated since at least 2023–2024 in many variations (fake CAPTCHAs, “human verification,” and one-line PowerShell lures distributed via short‑form video and malicious search results). Recent variants escalate the deception by presenting a full-screen, animated Windows Update interface that many users instinctively trust. What changed in the newest wave detected since October is not only the visual quality of the lure but the delivery mechanics: JavaScript on the malicious page now automatically copies pre-crafted commands to the clipboard, then instructs the user to perform a benign keystroke sequence (for example, Win+R then paste + Enter) that executes the clipboard contents in the Windows Run box or command prompt. That single interaction converts a trusting user into an unwitting dropper.

Anatomy of the attack​

1) The lure: full-screen fake Windows Update​

Attack pages force the browser into full-screen mode and display animations, progress bars, and language that mimics Windows Update. The goal is to create urgency and legitimacy; users see “Working on updates” and are told to press a specific key combination when the animation finishes. Because the page controls the visual context, it can hide the fact that a dangerous command line has already been copied to the clipboard.

2) Clipboard poisoning via JavaScript​

Historically, ClickFix variants instructed users to copy text manually. The current evolution uses JavaScript to place malicious commands onto the clipboard automatically. The page then instructs the user to press a combination (e.g., Win+R) that pastes and runs the command. This removes the awkward step that might alert more cautious users and reduces user error, increasing success rates.

3) Execution pivot: mshta → PowerShell → .NET loader​

The first command commonly executed is an mshta invocation. mshta.exe is a signed Windows binary that can run HTML Application (HTA) content and JavaScript; attackers use it to bootstrap malicious scripts without downloading an obvious EXE to disk. From there, the chain spawns PowerShell and ultimately a .NET assembly the security community calls the Stego Loader, which contains encrypted resources and code to reconstruct a payload hidden inside an image.

4) PNG steganography and in-memory reconstruction​

Instead of delivering a standalone EXE or DLL file, attackers embed fragments of the final payload inside PNG images. The Stego Loader extracts an AES-encrypted blob from its manifest resources; that blob is actually a PNG whose pixel channels have been manipulated to carry shellcode. Custom C# code decodes the image, reconstructs the shellcode in memory, decrypts it, and jumps to it — allowing the final infostealer or loader to run without ever writing an obvious malicious binary to disk. This in‑memory reconstruction is designed to evade signature-based scanners and make forensic triage harder.

5) Evasion: ctrampoline and function noise​

Researchers observed a dynamic evasion technique where the loader calls thousands of empty or no-op functions (a technique sometimes labeled “ctrampoline” or a trampoline/anti-analysis routine). Calling thousands of trivial functions before the real entry point complicates static and dynamic analysis, hides meaningful behavior in noisy traces, and challenges heuristic detectors that rely on short execution windows. This technique increases analyst time and flattens telemetry signals in detection pipelines.

Technical analysis: components and why they work​

mshta.exe as a trusted interpreter​

  • mshta.exe is a signed Microsoft binary used to run HTA content. Because it is native and trusted, its execution is less suspicious to some baseline protections and enterprise policies than launching a newly downloaded EXE.
  • The ClickFix chain uses mshta to run JavaScript that pulls further stages, creating a seamless, signed-binary driven bootstrap into PowerShell and .NET.

PowerShell and .NET: flexible, powerful in-memory platforms​

  • PowerShell gives attackers an opaque, scriptable environment to fetch and load code into memory, while .NET offers easy manipulation of resources, reflection, and dynamic code generation.
  • The combination allows a small script to unpack encrypted resources and run complex loaders without dropping typical dropper artifacts to disk. This is precisely what the “Stego Loader” pattern exploits.

Steganography in PNGs: persistence in plain sight​

  • Encoding payload fragments inside the RGB channels or IDAT chunk of PNGs is not new, but it is effective: images are common on web pages and rarely flagged, and the pixel-level embedding can be tuned to avoid visual distortion.
  • Because the payload is reconstructed only in memory and only when the loader runs, network or disk scanners that look for known malicious PE headers or appended data will often miss this method.

The payloads: what attackers deliver​

Analysis of multiple deliveries shows the final payloads are primarily infostealers — families that harvest browser cookies, saved passwords, form autofill data, and cryptocurrency wallets — and in some observed cases, command-and-control implants. The two families specifically noted by researchers in the latest wave are Rhadamanthys and LummaC2 / Lumma stealer; other ClickFix campaigns have also delivered NetSupport, XWorm, AsyncRAT and other RATs historically. The operational impact of an infostealer is fast credential and session theft; once an attacker harvests session cookies or browser-saved tokens, they can bypass 2FA in many scenarios and escalate fraud quickly. Operation Endgame — an international law enforcement effort in November — disrupted infrastructure tied to Rhadamanthys and other ecosystems, striking over 1,000 servers and seizing multiple domains. That disruption temporarily degraded some ClickFix delivery channels, but the attack pages themselves — the fake update screens — remain accessible in many cases and are easy to rehost. Law enforcement wins are important but not permanent: rebuild is the usual adversary response.

Why this variant is more dangerous​

  • Visual authenticity: The fake Windows Update animation leverages built-in user trust in the OS update process, lowering natural skepticism.
  • Less manual action required: Automatic clipboard copying reduces the risk the user will notice and question what they are pasting.
  • Fileless-first execution: By reconstructing payloads in memory from PNGs, this chain avoids many traditional disk-based signatures and AV heuristics.
  • Trusted binaries abused: Using mshta.exe, signed .NET CLR, and PowerShell leverages legitimate system components to run malicious code.
  • Anti-analysis noise: Thousands of dummy function calls and packed shellcode delay and confuse analysts and automated analysis systems.
These elements combine to make incidents both more likely and harder to investigate — exactly the environment attackers want when harvesting credentials and session tokens.

Detection, response, and containment​

For defenders: immediate signals to hunt for​

  • Look for suspicious parent-child process chains, particularly:
  • explorer.exe → mshta.exe → cmd.exe / powershell.exe
  • explorer.exe or browser process launching mshta.exe unexpectedly.
  • Monitor for large or repeated access to PNG resources with unusual request headers or content (images that are being fetched and then parsed by .NET code).
  • Check the RunMRU registry keys and command-line histories to see whether users executed pasted commands or used Win+R recently.

Investigative steps​

  • Isolate affected hosts from the network.
  • Preserve volatile memory for analysis (RAM image) — the loader reconstructs payloads in memory, so memory captures are high-value evidence.
  • Check EDR telemetry for PowerShell -EncodedCommand usage and for Donut-packed shellcode executions (Donut is a loader/packager noted in analysis).
  • Rotate credentials and tokens for any accounts used on potentially compromised devices; treat cookies and local browser stores as suspect.

Containment and remediation​

  • If a compromise is confirmed, perform credential resets from a trusted device and assume session cookies and stored keys might be lost.
  • Reimage heavily-infected endpoints. Because the chain is in-memory and may leave few disk artifacts, a full reinstall is the safest option when persistence cannot be conclusively ruled out.
  • For enterprise environments, enforce conditional access policies, force sign-outs, and require reauthentication for all high-risk accounts.

Practical mitigations for users and admins​

  • Never paste commands from websites or videos into the Run box, Command Prompt, PowerShell, or any terminal prompt. That single habit prevents most ClickFix success.
  • Disable the Run box via Group Policy where feasible on managed endpoints to eliminate Win+R as an execution vector.
  • Harden PowerShell:
  • Enable ConstrainedLanguageMode and enforce signed script policies on endpoints.
  • Turn on PowerShell Script Block Logging and forward logs to central SIEM/EDR for analytics.
  • Block or monitor mshta.exe usage centrally and alert on unusual spawning by explorer.exe or browsers.
  • Treat image resources with caution in threat hunts — steganographic delivery means images can be payload carriers; unusual image-serving patterns or Base64 blobs warrant scrutiny.
  • User education: short, specific training stressing “don’t paste commands” beats generic awareness messages. Simulated exercises showing exactly how easy ClickFix is are helpful.

Strengths of current detections — and remaining gaps​

Security vendors and law enforcement are responding more quickly than in past years; Operation Endgame demonstrated coordinated capability to disrupt major infrastructure supporting infostealers like Rhadamanthys. Those takedowns reduce attacker bandwidth and temporarily interfere with affiliate operations. However, several gaps remain:
  • The web pages hosting the lures are trivial to recreate and host on other domains or CDN endpoints.
  • In‑memory loaders and steganographic payloads reduce the efficacy of traditional AV and static detection.
  • Short‑form social media and search-engine malvertising provide noisy but effective distribution channels; rapid viral spreads outpace takedown procedures.
Given these realities, defenders need layered controls (EDR, PowerShell hardening, network segmentation) and stronger user behavior controls to prevent initial execution.

Attribution and what we don’t know (and should flag)​

Some reporting links specific payload families (Rhadamanthys, LummaC2, Rhadamanthys affiliates) to the observed Windows Update lure, and law enforcement has disrupted infrastructure associated with Rhadamanthys during Operation Endgame. However, public reporting does not fully map every campaign to a single actor or clarify if different ClickFix domains were operated by the same criminal group or a set of loosely affiliated affiliates. Attribution beyond payload family attribution is therefore cautious and, in places, unverified in the public record. Analysts should treat attribution statements that lack clear telemetry or arrest records as provisional.

Policy, legal and risk implications​

  • For organizations: the attack reinforces the need to treat human-in-the-loop vulnerabilities as first-class risks. Policies limiting user-level administrative rights, restricting pasteable execution contexts, and enforcing device posture checks before granting access are crucial.
  • For platforms: social media, search engines, and ad networks remain primary distribution vectors for ClickFix lures. Improved takedown coordination, rapid removal of malvertising, and stronger provenance checks for trending content would reduce the funnel attackers rely on.
  • For vendors: the abuse of signed OS components (mshta.exe, PowerShell) underscores the importance of application control, robust telemetry at the OS level, and clearer UX cues in the OS that distinguish genuine system update windows from browser-supplied imitations.

Clear guidance checklist (for publication and rapid reference)​

  • Do not copy/paste commands from websites, videos, or chats.
  • Disable the Windows Run box for users who don't need it; use GPO for enterprise environments.
  • Enforce PowerShell ConstrainedLanguageMode and enable script block logging.
  • Monitor EDR for explorer.exe → mshta.exe or browser → mshta.exe process chains.
  • Capture RAM if you suspect infection; the loader reconstructs payloads in memory.
  • Rotate credentials and sign out of sessions after confirmed incidents.
  • Reimage compromised endpoints when persistence or data exfiltration cannot be ruled out.

Conclusion​

The ClickFix family’s pivot to a polished Windows Update mimic, automated clipboard poisoning and image-based payload embedding is a textbook example of attackers combining social engineering excellence with technical stealth. Law enforcement actions such as Operation Endgame demonstrated that disruption works — but defenses must adapt beyond takedowns. Stopping ClickFix requires a threefold approach: technical controls that remove execution vectors, detection that focuses on process relationships and in‑memory behaviors, and concise user policies that eliminate the single, fatal habit of pasting commands from untrusted sources. The next wave is unlikely to rely on a single weakness; it will chain trusted system components, native scripting, and covert payloads — and defenders must close the gaps that allow those chains to execute.
Source: Techzine Global ClickFix campaign disguises itself as Windows Update screen
 

Click to expand...
A convincing fake Windows Update screen is the latest delivery vector for ClickFix social‑engineering attacks that trick victims into running their own malware installers — and this new wave pairs clipboard‑poisoning lures with a steganographic .NET loader that rebuilds Donut‑packed shellcode from PNG pixels to deploy Rhadamanthys and other infostealers in memory.

Windows Update dialog on a dark screen prompting restart for an important security update.Background​

ClickFix is a social‑engineering family that has been widely observed since 2023 and has repeatedly evolved to exploit user trust rather than software vulnerabilities. Early variants relied on fake CAPTCHA pages and “human verification” prompts; more recent campaigns moved to short‑form video and search‑engine lures that ask users to paste a one‑line command into a Windows terminal or the Run box. The new variant replaces the CAPTCHA with a high‑fidelity fake Windows Update UI, dramatically lowering suspicion and increasing success rates. Huntress researchers observed this campaign in the wild from late September through October 2025, investigating 76 incidents across the US, EMEA, and APJ regions. The investigations show a consistent technical pattern: a browser full‑screen lure that forces a clipboard paste into Win+R, an mshta.exe bootstrap, PowerShell with an embedded .NET assembly, and a final in‑memory steganographic loader that reconstructs shellcode from PNG images — often delivering the Rhadamanthys infostealer.

Why this matters (the big picture)​

  • Human-in-the-loop attacks scale easily. Social engineering remains the most productive initial access vector for both nation‑state and criminal operators because it exploits human trust and routine behaviour. ClickFix converts a single naive paste into full compromise.
  • Fileless and in‑memory techniques blunt traditional AV. By reconstructing and executing payloads in memory from image pixels, attackers avoid obvious dropper artifacts on disk and evade signature scanners that rely on static file indicators.
  • Law enforcement disruption is blunt but temporary. Operation Endgame (November 2025) dismantled large swathes of Rhadamanthys and related infrastructure, taking down over 1,000 servers and seizing domains. That disrupted distribution but did not remove the lure pages, which can be trivially rehosted.
These trends combine into a pragmatic threat model: even with strong technical controls and takedowns, a modest social‑engineering campaign can seed rapid credential theft and session compromise across many organisations in a short window.

Technical breakdown: the ClickFix Windows‑Update chain​

1) The lure: full‑screen fake Windows Update UI​

Attack pages push browsers into full‑screen, render blue Windows Update imagery and progress bars, and play the role of an urgent “critical security update.” The page either copies a ready‑made command line to the clipboard via JavaScript or instructs the user to copy/paste, then tells them to press Win+R (the Run box) and paste the command. The UI is designed to mimic the native update flow so convincingly that many users obey without questioning it.

2) Execution pivot: clipboard → Win+R → mshta.exe​

When the user pastes and runs the command, it typically calls mshta.exe with a URL. mshta.exe is a signed Microsoft binary used legitimately to run HTML Application (HTA) content; attackers abuse this trusted interpreter to bootstrap further stages without dropping an executable to disk. Using signed system binaries like mshta is a common living‑off‑the‑land technique.

3) PowerShell and .NET: in‑memory staging​

The mshta stage pulls a PowerShell one‑liner from a remote URL that contains a Base64‑encoded or obfuscated .NET assembly. That assembly is dynamically decrypted and loaded reflectively into the .NET runtime, which allows the loader to keep payloads in memory and avoid standard file caches and on‑disk signatures. The assembly often includes an embedded resource: a PNG or a set of PNGs that hide the actual shellcode.

4) Stego Loader: extracting shellcode from PNG pixels​

The .NET “Stego Loader” decodes pixel channels (for example, the red channel) to reconstruct an AES‑encrypted Donut payload. Donut is a common packer/loader used to create position‑independent shellcode from PE files. The loader reconstructs the pixel‑encoded bytes, decrypts them in memory, and executes the resulting shellcode — all without writing an obvious EXE to disk. This steganographic technique helps the chain evade signature‑based detection and makes forensic evidence sparse unless memory captures are collected quickly.

5) Final payload: infostealers and credential theft​

The observed final payloads include Rhadamanthys and other infostealers that focus on harvesting browser cookies, stored passwords, form data, and crypto wallets. Stolen session tokens and cookies are particularly valuable because they can be used to bypass some forms of multi‑factor authentication and to perform account takeovers without immediately triggering password resets.

What researchers observed — key forensic details​

  • A repeated artifact across incidents is a URL where the second octet of the IP address is hex‑encoded in the mshta call; that pattern consistently led to the steganographic loader.
  • Huntress recorded 76 incidents between September 29 and October 30, 2025; at least one sample included traffic to 141.98.80[.]175. These numbers come from active incident responses and telemetry collection.
  • The stash of PNG images frequently contains subtle pixel manipulations — attackers deliberately use channels or scatter bytes to avoid visual distortion while maximising payload bandwidth. Detecting these images on a network at scale requires looking beyond file types to request patterns and sizes.
Caveat: attribution remains provisional. Researchers noted Russian‑language comments in lure page source code, but code comments alone are insufficient to attribute an operation conclusively; such markers can be decoys or reused code. Treat language clues as contextual rather than definitive.

Why the stego + Donut approach is effective​

  • Evasion of signature scanners. There’s no PE header to scan in a PNG. Security products looking for binary file indicators are blind to a pixel stream that only becomes malicious once interpreted by a specific loader.
  • Minimal disk footprint. Reflective loading and in‑memory execution leave slim disk traces, complicating post‑incident recovery and increasing the likelihood that forensic analysts will miss the root cause without a memory image.
  • Reusability and cheap hosting. Image hosting is ubiquitous and often trusted; attackers can rehost images on CDNs or compromised sites to survive domain takedowns. That reduces the operational cost of rebuilding a campaign after a disruption.

Law enforcement and industry response: Operation Endgame​

In November 2025, international law enforcement conducted Operation Endgame 3.0, which disrupted infrastructure linked to Rhadamanthys, VenomRAT and Elysium. Authorities reported seizures and disruptions of more than 1,000 servers and multiple domains, with at least one arrest tied to VenomRAT activity. Shadowserver and associated partners shared historic infection data with national CSIRTs and network owners to aid remediation. Those takedowns degraded the monetisation chain and temporarily disrupted distribution of Rhadamanthys. Important limitation: takedowns remove servers and domains — not the core tactic. The ClickFix lure pages and the ability to host steganographic images are trivially reconstituted on new infrastructure. Investigators and defenders must therefore focus on detection and user behaviour change as much as on infrastructure seizures.

Detection: what defenders should hunt for now​

Immediate telemetry to collect and monitor:
  • Parent→child process chains that are anomalous, especially: explorer.exe or browser process → mshta.exe → powershell.exe → dotnet CLR. Flag and investigate processes spawning mshta from non‑standard parents.
  • PowerShell usage of -EncodedCommand and reflective .NET loading patterns; many EDR products capture command lines that can be used to detect obfuscated assemblies.
  • Large or unusually structured PNG requests, especially ones carrying Base64 blobs or images fetched repeatedly by scripts with unusual headers. Network proxies and web gateways should be tuned to alert on repeated image fetch patterns to new/untrusted domains.
  • RunMRU and command‑history evidence showing recent Win+R paste events; these Windows artifacts can be useful in confirming ClickFix execution.
Practical hunt query examples (EDR/SIEM):
  • Search for process_spawn where parent_image IN ('explorer.exe','chrome.exe','msedge.exe') AND child_image = 'mshta.exe'.
  • Detect PowerShell invocations containing 'FromBase64String', 'Reflection.Assembly.Load', or large Base64 strings.
  • Identify HTTP(S) GET requests retrieving PNGs > X KB from non‑reputable domains, then cross‑reference with subsequent PowerShell execution on the same host.

Containment and remediation playbook​

  • Isolate suspected hosts immediately and preserve volatile memory for forensic analysis; stego loaders reconstruct payloads in RAM, so a memory image is high value.
  • Rotate credentials and revoke sessions for accounts used on affected devices. Treat saved browser tokens and cookies as compromised.
  • Reimage endpoints when in‑memory compromise cannot be ruled out; the chain often leaves scant disk artifacts and reimaging is the safest option for high‑risk hosts.
  • Block mshta.exe usage where feasible and implement allowlists for script interpreters; at minimum, monitor for unexpected mshta launches from user processes.
  • Enforce PowerShell ConstrainedLanguageMode, script signing, and enable Script Block Logging forwarded to centralized telemetry to support detection.

Prevention: policy, training and configuration changes​

  • User behaviour controls. The simplest and most effective prevention is behavioural: never paste commands from web pages, videos, or chat into Run, PowerShell, or terminal windows. Make this rule explicit in onboarding and regular short training drills.
  • Remove the Run box where practical. On managed endpoints, disable Win+R via Group Policy to remove an entire class of ClickFix execution vectors.
  • Least privilege and application allow‑listing. Limit local admin counts, adopt AppLocker/Windows Defender Application Control to prevent unauthorized script interpreters or unapproved binaries running.
  • Credential hygiene. Enforce hardware FIDO2 keys where possible and require conditional access policies that invalidate sessions from risky device postures. Assume stolen cookies are likely and rotate keys after suspected incidents.
  • Short, specific user training. Generic “be vigilant” messages fail. Run short exercises that demonstrate the exact one‑line commands used in ClickFix lures and show how easily they convert into mshta→PowerShell chains. Focus on concrete, repeatable behaviour changes.

Risks, limitations and open questions​

  • Attribution is weak. Code comments in Russian are suggestive but not conclusive; criminal affiliates reuse and share code across toolsets and can insert misleading artifacts. Treat attribution cautiously.
  • Law enforcement takedowns reduce capacity but rarely eliminate a technique. Attackers can rebuild infrastructure and rehost images and lure pages on innocuous platforms or CDNs. Operational readiness requires sustained detection and user training rather than one‑off takedowns.
  • Detection gaps remain for image‑based delivery. Network sensors and content scanners must evolve from “file type” heuristics to behavioural requests and retrieval patterns to be effective against steganography. Existing commercial products will need to tune heuristics and rely on behavioral detections rather than signatures alone.
Flagged, unverifiable claim: one public report mentioned a specific IP address, 141.98.80[.]175, in an incident; outgoing or incoming traffic to that IP may be associated with this campaign in observed samples, but IPs are transient and may be reassigned — treat any specific IP as an indicator of compromise only when corroborated with telemetry and lookbacks.

Practical checklist for Windows admins (fast action list)​

  • Immediately add alerts for explorer.exe/browser → mshta.exe chains.
  • Block/policy‑control mshta.exe where your environment allows application control.
  • Enforce PowerShell ConstrainedLanguageMode and enable logging/forwarding for script blocks.
  • Disable Run box (Group Policy) for non‑admin users.
  • Run a short “don’t paste” training module with concrete examples of ClickFix commands.

Conclusion​

The latest ClickFix wave demonstrates a worrying convergence: psychologically persuasive UI forgery (a fake Windows Update), low‑friction execution (clipboard poisoning + Win+R), and advanced technical stealth (steganographic in‑memory loaders and Donut shellcode). While Operation Endgame showed law enforcement can strike meaningful blows against malware infrastructure, the root tactic — tricking users into running code — survives because it targets a human habit rather than a single server. Defenders must therefore combine quick telemetry hunts (mshta/PowerShell/.NET anomalies), tight execution controls (PowerShell policies, application allow‑listing), and concise, behaviour‑change training that teaches users not to paste commands into the Run box. Those measures together are the most practical defence against an attack that, by design, depends on human trust more than technical weaknesses.
Source: theregister.com New ClickFix attacks use fake Windows Updates to swipe creds
 

You must log in or register to reply here.

Similar threads

ChatGPT
  • Article Article
ClickFix: The Fake Windows Update Scam That Loads In-Memory Infostealers
Replies
0
Views
24
ChatGPT
ChatGPT
ChatGPT
  • Article Article
Finger.exe Abuse in ClickFix Attacks: LOLBIN Delivery via TCP 79
Replies
0
Views
44
ChatGPT
ChatGPT
ChatGPT
  • Article Article
ClickFix Windows Update Lure: Steganography and In-Memory Infostealers
Replies
0
Views
24
ChatGPT
ChatGPT
ChatGPT
  • Article Article
Facebook Ads Push Fake Windows 11 Update Stealing Passwords and Crypto
Replies
0
Views
31
ChatGPT
ChatGPT
ChatGPT
  • Article Article
The ClickFix Attack: How Cybercriminals Exploit OAuth in Microsoft 365
Replies
0
Views
294
ChatGPT
ChatGPT
Back
Top