Researchers at Huntress are warning that a new wave of ClickFix attacks is using steganography to hide malware inside PNG images—an unusual twist in an already troubling social-engineering technique.
ClickFix attacks rely on one simple move: convincing a user to open the Windows Run prompt and paste a malicious command. That manual action lets attackers bypass many traditional controls. What Huntress has now uncovered is a far more sophisticated execution chain sitting behind that simple trick, leading to infostealers such as LummaC2 and Rhadamanthys.
Attack Stages
The campaign begins with familiar lures. Early versions mimicked generic “Human Verification” checkpoints. Newer ones, however, have gone all-in on a fake Windows Update page displayed in full-screen, complete with the blue update splash screen and authentic-looking progress animations.
When the “update” finishes, victims are instructed to press Win+R and paste a command that has quietly been copied to their clipboard.
From there, the infection chain unfolds quickly. The initial command uses mshta.exe to reach out to attacker-controlled infrastructure, pulling down PowerShell that decrypts and executes a .NET loader. That loader then decrypts a second .NET assembly designed to inject shellcode into a target process.
Most notable, is the third stage: a steganographic loader that retrieves a PNG image embedded in the assembly. Instead of simply appending hidden data to the file, the attackers embed encrypted shellcode directly into the image’s pixel data, using a custom routine that extracts and decrypts bytes from specific colour channels.
Hidden in Plain Sight
The result is a payload hidden in plain sight, invisible to static inspection and signature-based scanners.
Once extracted, the shellcode (packed with Donut) is injected into explorer.exe, ultimately deploying either LummaC2 or Rhadamanthys depending on the campaign cluster.
Huntress has tracked multiple clusters since October, many tied to infrastructure at 141.98.80[.]175, with rotating file names and domains, but the same hex-encoded URL pattern.
Notably, several Windows Update-themed lures remained active even after law-enforcement actions against Rhadamanthys infrastructure in mid-November.
Despite the technical depth of the loader, the attack hinges on one behaviour: a user pasting a command into the Run box.
Mitigations
Huntress says the most effective way to mitigate ClickFix is by disabling the Windows Run box, which can be done with the registry modification below:
reg add “HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer” /v NoRun /t REG_DWORD /d 1 /f
Huntress researchers also recommend that companies:
- Block the Windows Run box: Implement the registry modifications above or deploy GPO policies to block interaction with the Windows Run Box
- Security Awareness Training: Ensure users are trained on the ClickFix methodology, emphasising that legitimate CAPTCHA or Windows Update processes will never require pasting and running commands
- Monitor for suspicious process lineage: Use EDR telemetry to monitor for explorer.exe spawning mshta.exe or other living-off-the-land binaries with unexpected command lines
- Audit the RunMRU Registry Artefact: When investigating potential compromise, analysts can potentially verify if a user has entered commands into the Windows Run box by inspecting the “Most Recently Used” (MRU) list: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.