ClickFix Gets Creative: Malware Buried in Images
Essential information
- Published
- 24/11/2025 21:10
- Modified
- 21/12/2025 18:01
- Tags
- 2025-11-24 clickfix infostealer lummac2 multi-stage rhadamanthys social engineering steganography windows update
- Related entities
- 12 observables, 10 techniques (mitre), 2 malware, 20 others
Description
A multi-stage malware execution chain originating from a ClickFix lure has been identified; it ends with the delivery of infostealers such as LummaC2 and Rhadamanthys. The campaign uses steganography to hide malicious code inside PNG images. Two distinct ClickFix lures were observed: a standard 'Human Verification' prompt and a convincing fake Windows Update screen. The execution chain passes through mshta.exe, PowerShell and .NET assemblies, and ultimately extracts shellcode and injects it into target processes. The steganographic technique encodes the malicious data directly into the image's pixel data; specific color channels are read back to reconstruct the payload, which is then decrypted in memory. Because the image carries no recognizable executable until the channel data is reassembled and decrypted at runtime, the approach helps the payload evade signature-based detection and complicates analysis.
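To make the pixel-channel carrier concrete, the following is an added example written for this page; it is not the campaign's code and the page does not disclose the campaign's actual channel layout, length encoding or cipher. The scheme below is a hypothetical stand-in chosen for illustration: one payload byte per pixel in the red channel, a 4-byte big-endian length prefix, and a repeating-key XOR as the "decryption". The PNG writer and reader are minimal standard-library implementations (8-bit RGB, filter type 0 only) so the example runs offline without Pillow, and the "shellcode" is a constructed dummy byte string, not real shellcode. The extractor shows the checks an analyst would want when pulling such a payload out of a suspect image: chunk CRCs are verified and the embedded length is bounded by the image's capacity.

```python
import struct
import zlib

# Hypothetical key for the illustrative XOR "encryption"; the real campaign's
# cipher and key handling are not described on the page.
KEY = b"k3y!"
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype, body):
    """Build one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def write_png(pixels, width, height):
    """Encode a list of (r, g, b) tuples as an 8-bit truecolor PNG (filter type 0)."""
    raw = bytearray()
    for y in range(height):
        raw.append(0)  # per-scanline filter byte: 0 = no filtering
        for x in range(width):
            raw.extend(pixels[y * width + x])
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # depth 8, color type 2 (RGB)
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(bytes(raw))) + _chunk(b"IEND", b""))


def read_png(data):
    """Decode an 8-bit RGB, filter-type-0 PNG. Returns (width, height, pixels)."""
    if data[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG file")
    pos, idat, width, height = 8, bytearray(), None, None
    while pos < len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError("bad CRC in chunk %r" % ctype)  # corrupted or tampered chunk
        if ctype == b"IHDR":
            width, height, depth, color_type, _, _, _ = struct.unpack(">IIBBBBB", body)
            if depth != 8 or color_type != 2:
                raise ValueError("only 8-bit RGB images are supported by this reader")
        elif ctype == b"IDAT":
            idat.extend(body)
        elif ctype == b"IEND":
            break
        pos += 12 + length
    raw = zlib.decompress(bytes(idat))
    stride = 1 + width * 3
    pixels = []
    for y in range(height):
        row = raw[y * stride:(y + 1) * stride]
        if row[0] != 0:
            raise ValueError("unsupported scanline filter type %d" % row[0])
        pixels.extend(tuple(row[1 + 3 * x:4 + 3 * x]) for x in range(width))
    return width, height, pixels


def xor(data, key=KEY):
    """Repeating-key XOR; symmetric, so it serves as both encrypt and decrypt."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def embed_payload(pixels, payload, key=KEY):
    """Overwrite the red channel of the first pixels with length-prefixed, XORed payload."""
    blob = struct.pack(">I", len(payload)) + xor(payload, key)
    if len(blob) > len(pixels):
        raise ValueError("payload does not fit in the image")
    out = list(pixels)
    for i, b in enumerate(blob):
        _, g, bl = out[i]
        out[i] = (b, g, bl)  # green and blue keep the cover image's values
    return out


def extract_payload(pixels, key=KEY):
    """Analyst-side reconstruction: read the red channel, bound the length, decrypt."""
    red = bytes(p[0] for p in pixels)
    (n,) = struct.unpack(">I", red[:4])
    if n > len(red) - 4:
        raise ValueError("length prefix exceeds image capacity; not this scheme or corrupted")
    return xor(red[4:4 + n], key)


# Constructed dummy payload standing in for shellcode (three NOP/INT3 bytes plus a marker);
# it is not executable code and is never run.
DUMMY_PAYLOAD = b"\x90\x90\xcc" + b"CONSTRUCTED-PAYLOAD"


def demo():
    """Round trip: cover image -> embed -> PNG bytes -> parse -> extract. Returns the payload."""
    width, height = 16, 8
    cover = [((x * 7) & 0xFF, (y * 31) & 0xFF, ((x + y) * 3) & 0xFF)
             for y in range(height) for x in range(width)]
    png_bytes = write_png(embed_payload(cover, DUMMY_PAYLOAD), width, height)
    _, _, pixels = read_png(png_bytes)
    return extract_payload(pixels)


if __name__ == "__main__":
    print(demo())
```

The reader deliberately refuses anything other than 8-bit RGB with unfiltered scanlines; a real triage script would handle the other filter types and color types, but keeping the parser small makes the carrier mechanism visible. Note that the embedding is not bit-level LSB hiding: it replaces whole channel bytes, which is visually obvious in a small image, so the point is the reconstruction path (channel read, length, decrypt), not stealth of the cover image.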