{“lastseen”:”2025-11-25T18:05:09″,”description”:”Several researchers have flagged a new development in the ongoing ClickFix campaign: Attackers are now mimicking a Windows update screen to trick people into running malware. \\n\\nClickFix campaigns use convincing lures, historically \u201cHuman Verification\u201d screens, and now a fake \u201cWindows Update\u201d splash page that exactly mimics the real Windows update interface. Both require the user to paste a command from the clipboard, making the attack depend heavily on user interaction.\\n\\nAs shown by Joe Security, ClickFix now displays its deceptive instructions on a page designed to look exactly like a Windows update.\\n\\nIn full-screen mode, visitors running Windows see instructions telling them to copy and paste a malicious command into the Run box.\\n\\n\\n\\n\\u003e \u201cWorking on updates. Please do not turn off your computer. \\n\\u003e Part 3 of 3: Check security \\n\\u003e 95% complete\\n\\u003e \\n\\u003e Attention! \\n\\u003e To complete the update, install \\n\\u003e the critical Security Update \\n\\u003e \\n\\u003e [\u2026 followed by the steps to open the Run box, paste \u201csomething\u201d from your clipboard, and press OK to run it]\\n\\nThe \u201csomething\u201d the attackers want you to run is an `mshta` command that downloads and runs a malware dropper. Usually, the final payload is the Rhadamanthys infostealer.\\n\\n## Technical details\\n\\nIf the user follows the displayed instructions this launches a chain of infection steps:\\n\\n * **Stage 1:** `mshta.exe` downloads a script (usually JScript). URLs consistently use hex-encoding for the second octet and often rotate URI paths to evade signature-based blocklists\\n * **Stage 2:** The script runs PowerShell code, which is obfuscated with junk code to confuse analysis.\\n * **Stage 3:** PowerShell decrypts and loads a .NET assembly acting as a loader.\\n * **Stage 4:** The loader extracts the next stage (malicious shellcode) hidden within a resource image using custom steganography. In essence, we use the name steganography for every technique that conceals secret messages in something that doesn\u2019t immediately cause suspicion. In this case, the malware is embedded in specific pixel color data within PNG files, making detection difficult.\\n * **Stage 5:** The shellcode is injected into a trusted Windows process (like `explorer.exe`), using classic in-memory techniques like `VirtualAllocEx`, `WriteProcessMemory`, and `CreateRemoteThread`.\\n * **Final payload:** Recent attacks delivered info-stealing malware like LummaC2 (with configuration extractors provided by Huntress) and the Rhadamanthys information stealer.\\n\\n\\n\\n### Details about the steganography used by ClickFix:\\n\\nMalicious payloads are encoded directly into PNG pixel color channels (especially the red channel). A custom steganographic algorithm is used to extract the shellcode from the raw PNG file.\\n\\n * The attackers secretly insert parts of the malware into the image\u2019s pixels, especially by carefully changing the color values in the red channel (which controls how red each pixel is).\\n * To anyone viewing the picture, it still looks totally normal. No clues that it\u2019s something more than just an image.\\n * But when the malware script runs, it knows exactly where to \u201clook\u201d inside the image to find those hidden bits.\\n * The script extracts and decrypts this pixel data, stitches the pieces together, and reconstructs the malware directly in your computer\u2019s memory.\\n * Since the malware is never stored as an obvious file on disk and is hidden inside an innocent-looking picture, it\u2019s much harder for anti-malware or security programs to catch.\\n\\n\\n\\n## How to stay safe\\n\\nWith ClickFix running rampant\u2014and it doesn\u2019t look like it\u2019s going away anytime soon\u2014it\u2019s important to be aware, careful, and protected.\\n\\n * **Slow down. **Don\u2019t rush to follow instructions on a webpage or prompt, especially if it asks you to run commands on your device or copy-paste code. Attackers rely on urgency to bypass your critical thinking, so be cautious of pages urging immediate action. Sophisticated ClickFix pages add countdowns, user counters, or other pressure tactics to make you act quickly.\\n * **Avoid running commands or scripts from untrusted sources. **Never run code or commands copied from websites, emails, or messages unless you trust the source and understand the action\u2019s purpose. Verify instructions independently. If a website tells you to execute a command or perform a technical action, check through official documentation or contact support before proceeding.\\n * **Limit the use of copy-paste for commands. **Manually typing commands instead of copy-pasting can reduce the risk of unknowingly running malicious payloads hidden in copied text.\\n * **Secure your devices. **Use an up-to-date real-time anti-malware solution with a web protection component.\\n * **Educate yourself on evolving attack techniques.** Understanding that attacks may come from unexpected vectors and evolve helps maintain vigilance. Keep reading our blog!\\n\\n\\n\\n**Pro tip:** Did you know that the free Malwarebytes Browser Guard extension warns you when a website tries to copy something to your clipboard?\\n\\n* * *\\n\\n**We don ‘t just report on scams\u2014we help detect them**\\n\\nCybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we\u2019ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!”,”published”:”2025-11-25T16:08:03″,”modified”:”2025-11-25T16:08:03″,”type”:”malwarebytes”,”title”:”New ClickFix wave infects users with hidden malware in images and fake Windows updates”,”source”:””,”references”:””,”id”:”MALWAREBYTES:057026927D586A202F7019C8266745EB”,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.malwarebytes.com\/blog\/news\/2025\/11\/new-clickfix-wave-infects-users-with-hidden-malware-in-images-and-fake-windows-updates”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-11-25T18:05:09″,”description”:”Several researchers have flagged a new development in the ongoing ClickFix campaign: Attackers are now mimicking a Windows update screen to trick people into running…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,115,13,33,7,11,5],"class_list":["post-27577","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-malwarebytes","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n