RenderShock 0-Click Exploit Executes Payloads Silently via Background Process
A new class of cyberattack called RenderShock has been identified that can compromise enterprise systems without requiring any user interaction, exploiting the very productivity features designed to help workers preview and process files automatically.
Unlike traditional malware that requires users to click on malicious attachments or links, RenderShock leverages passive execution surfaces that operate silently in the background.
These include file preview panes, document indexing services, antivirus scanners, and cloud synchronization tools that automatically process files without explicit user action.
The attack methodology exploits trusted system components that parse untrusted files, turning routine operations like hovering over a document in Windows Explorer or having files automatically indexed by search services into potential compromise vectors.
Modern operating systems and enterprise tools are built under the assumption that previewing or indexing files is inherently safe, but RenderShock demonstrates how this trust can be weaponized.
Five-Stage Attack Framework
According to the researchers, RenderShock operates through a structured five-stage process beginning with payload design. Attackers craft malicious documents, images, or shortcuts that trigger when processed by preview handlers, metadata extractors, or security scanning engines.

These payloads range from foundational formats like PDFs with external references and macro-enabled Office documents to advanced techniques involving polyglot files and font exploitation.
The delivery mechanism bypasses traditional user interaction by placing files where systems will automatically process them – through helpdesk portals, shared mailboxes, USB drops, or cloud collaboration platforms.

The attack activates when systems interact with these files through preview panes, antivirus scans, or indexing services.
Once triggered, RenderShock can achieve multiple objectives without detection.
The framework enables passive reconnaissance through DNS beacons and SMB authentication attempts, credential theft via NTLMv2 hash harvesting, and even remote code execution through preview-based macro execution or malicious shortcut triggers.
The attack’s stealth comes from its abuse of legitimate system behaviors.
For example, a crafted LNK file embedded in a ZIP archive can trigger Windows Explorer to silently attempt loading a remote icon over SMB, leaking authentication credentials without any user clicks or file execution.

Security teams face significant challenges detecting RenderShock attacks because they operate through trusted system processes like explorer.exe, searchindexer.exe, or Office preview handlers.
Traditional security tools often lack visibility into these passive execution surfaces, treating them as benign productivity features rather than potential attack vectors.
The framework demonstrates how modern enterprise convenience features create an expanded attack surface that remains largely unmonitored.
Organizations must now consider treating internal previews, synchronization, and indexing operations as potential execution surfaces requiring the same security scrutiny as traditional user-initiated file operations.
Security experts recommend disabling preview features, restricting outbound SMB traffic, hardening Office configurations, and implementing behavioral monitoring for preview-related processes making unexpected network calls.
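The behavioral-monitoring recommendation above can be illustrated with a small detection check. The following Python script is an added example, not code from the article or from the RenderShock researchers. It scans constructed, simplified key=value renderings of Sysmon-style network-connection events (not real Sysmon output) and flags the preview and indexing processes the article names (explorer.exe, searchindexer.exe) when they open outbound SMB connections to addresses outside a configured set of internal ranges. The process list, the internal ranges, and the sample events are all assumptions for the example; the TEST-NET documentation addresses stand in for external hosts.

```python
"""
Added example (not from the article or the RenderShock researchers):
flag preview/indexing processes making outbound SMB connections to
hosts outside the organization's internal address ranges, which is the
credential-leak pattern the article describes.
"""
import ipaddress

# Processes the article names as passive execution surfaces. Assumption:
# extend this with the preview-handler hosts present in your estate.
PREVIEW_PROCESSES = {"explorer.exe", "searchindexer.exe"}

# SMB ports an authentication attempt would use.
SMB_PORTS = {445, 139}

# Assumption: the address ranges considered "internal" for this check.
# Real deployments would load the organization's own ranges here.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
]

# Constructed sample events in a simplified key=value format (not real
# Sysmon output). EventID 3 is a network connection; EventID 1 a process
# start. Paths deliberately contain no spaces so whitespace splitting works.
SAMPLE_EVENTS = [
    "EventID=3 Image=C:\\Windows\\explorer.exe DestinationIp=10.0.0.5 DestinationPort=445",
    "EventID=3 Image=C:\\Windows\\explorer.exe DestinationIp=203.0.113.7 DestinationPort=445",
    "EventID=3 Image=C:\\Windows\\System32\\SearchIndexer.exe DestinationIp=198.51.100.9 DestinationPort=445",
    "EventID=3 Image=C:\\Tools\\browser.exe DestinationIp=203.0.113.7 DestinationPort=443",
    "EventID=1 Image=C:\\Windows\\explorer.exe CommandLine=explorer.exe",
]


def parse_event(line):
    """Split a key=value event line into a dict of string fields."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def is_internal(ip_str):
    """True if the address falls inside one of the configured internal ranges."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def flag_event(fields):
    """Return a reason string if the event matches the pattern, else None."""
    if fields.get("EventID") != "3":
        return None
    # Compare on the executable name only, case-insensitively.
    image = fields.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image not in PREVIEW_PROCESSES:
        return None
    dest = fields.get("DestinationIp", "")
    try:
        port = int(fields.get("DestinationPort", "0"))
    except ValueError:
        return None
    if port in SMB_PORTS and not is_internal(dest):
        return f"{image} opened outbound SMB to external host {dest}:{port}"
    return None


def scan(lines):
    """Run flag_event over each line and collect the alert reasons."""
    alerts = []
    for line in lines:
        reason = flag_event(parse_event(line))
        if reason:
            alerts.append(reason)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

On the sample data the check raises two alerts (explorer.exe and SearchIndexer.exe reaching external SMB hosts) and ignores the browser's HTTPS connection and the internal file-server access. In production the same logic would sit on a SIEM feed of real network-connection events, and the internal ranges would come from the organization's own address plan rather than the assumed RFC 1918 list.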
The emergence of RenderShock highlights the need to redefine trust boundaries in enterprise environments where productivity and security must be carefully balanced.