Warning Issued as ClickFix Attacks Re-emerge Using Fake Windows Update Screens and Steganography-Based Malware Delivery


489/68 Wednesday, November 26, 2025

A new and more sophisticated wave of ClickFix cyberattacks has been detected, leveraging highly convincing full-screen browser windows that mimic authentic Windows Update animations or authentication prompts. These fake screens are used to socially engineer victims into following instructions that ultimately execute malicious commands silently copied into the clipboard and automatically run via Windows Run or Command Prompt, leading to immediate malware installation.

One of the most concerning elements of this attack is its use of advanced steganography to hide malicious code. According to Huntress, attackers no longer append data to the end of image files as seen in past campaigns. Instead, they encrypt and embed malicious code directly inside the pixel data of .PNG image files, making detection significantly more difficult.
Once the victim follows the on-screen prompts, Windows components such as mshta and PowerShell extract the hidden code in memory, reconstruct it, and execute it, ultimately installing the LummaC2 and Rhadamanthys credential-stealing malware.

Although the international cybercrime takedown Operation Endgame in mid-November successfully disrupted part of the Rhadamanthys infrastructure, the domains hosting these fake update screens remain active. Experts therefore recommend the following defensive actions:

  • Disable the Windows Run box if not required.
  • Monitor for suspicious system behavior, such as explorer.exe launching mshta.exe or PowerShell without user initiation.
  • If an attack is suspected, administrators should inspect historical command execution via the RunMRU registry key to assess impact.
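The three recommendations above can be carried out from an administrative PowerShell session. The script below is an added example written for this advisory and is not code from the advisory's source or from any vendor. It audits the current user's RunMRU history for commands that fit the pattern described (mshta, PowerShell, download utilities, encoded arguments), lists recent process creations where explorer.exe spawned mshta.exe or PowerShell, and sets the NoRun Explorer policy to hide the Run box. The keyword list is a constructed heuristic, not a signature; the process-creation query assumes Sysmon is installed with Event ID 1 logging enabled; and the NoRun policy takes effect after the user signs out or Explorer restarts.

```powershell
# Added example for this advisory (not the source's own code).
# Assumes Windows PowerShell 5.1 or later, run as the affected user (RunMRU is
# per-user) with local administrator rights for the Sysmon log query.

$RunMruPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
$PolicyPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Constructed heuristic: substrings commonly seen in clipboard-pasted ClickFix
# commands. Tune to your environment; it is not a vendor signature.
$Suspicious = @('mshta', 'powershell', 'pwsh', 'cmd /c', 'curl', 'certutil',
                'bitsadmin', '-enc', 'http', 'iex', 'invoke-expression')

function Get-RunMruHistory {
    # Returns each RunMRU entry, most recent first, flagged if it matches a keyword.
    if (-not (Test-Path $RunMruPath)) { return @() }
    $key = Get-ItemProperty -Path $RunMruPath
    # MRUList holds the value names in most-recent-first order, e.g. "cba".
    $order = if ($key.MRUList) { $key.MRUList.ToCharArray() } else { @() }
    $results = foreach ($c in $order) {
        $name = [string]$c
        $raw  = $key.$name
        if (-not $raw) { continue }
        # Each entry is stored as "<command>\1"; drop the trailing marker.
        $cmd  = $raw -replace '\\1$', ''
        $hits = @($Suspicious | Where-Object { $cmd -match [regex]::Escape($_) })
        [pscustomobject]@{
            Slot       = $name
            Command    = $cmd
            Suspicious = ($hits.Count -gt 0)
            Matched    = ($hits -join ',')
        }
    }
    return $results
}

function Find-ExplorerSpawnedScriptHosts {
    # Lists Sysmon process-creation events (Event ID 1) in the last $Hours where
    # explorer.exe is the parent and mshta.exe or PowerShell is the child.
    # Assumption: Sysmon is installed and logging to its Operational channel.
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.ParentImage -match '\\explorer\.exe$' -and
            $d.Image -match '\\(mshta|powershell|pwsh)\.exe$') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Parent      = $d.ParentImage
                Image       = $d.Image
                CommandLine = $d.CommandLine
            }
        }
    }
}

function Disable-RunBox {
    # Sets the Explorer NoRun policy (DWORD 1) for the current user, which removes
    # the Run item and blocks Win+R. Effective after sign-out or Explorer restart.
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    New-ItemProperty -Path $PolicyPath -Name 'NoRun' -PropertyType DWord -Value 1 -Force | Out-Null
}

# Usage: audit first, then decide whether to apply the policy.
Write-Host '== RunMRU history (most recent first) =='
Get-RunMruHistory | Format-Table -AutoSize

Write-Host '== explorer.exe -> mshta/PowerShell in the last 24h (Sysmon) =='
Find-ExplorerSpawnedScriptHosts -Hours 24 | Format-List

# Uncomment to apply the hardening step from the advisory:
# Disable-RunBox
```

Run the audit under the account that used the browser, since RunMRU and the Explorer policy are per-user keys; on a shared or domain-joined machine the same NoRun value can be deployed under HKLM or through Group Policy instead of per user. An empty RunMRU is not proof of a clean host, because the key can be cleared, so treat the Sysmon process-lineage check as the stronger of the two signals.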

The resurgence of ClickFix demonstrates continued evolution in social engineering and malware delivery techniques, emphasizing the need for heightened vigilance and proactive endpoint monitoring.

Source https://www.bleepingcomputer.com/news/security/clickfix-attack-uses-fake-windows-update-screen-to-push-malware/