ClickFix Gets Creative: Malware Buried in Images

Nov. 25, 2025, 9:15 a.m.

Description

A multi-stage malware execution chain originating from a ClickFix lure has been discovered, leading to the delivery of infostealing malware such as LummaC2 and Rhadamanthys. The campaign uses steganography to hide malicious code inside PNG images. Two distinct ClickFix lures were observed: a standard 'Human Verification' prompt and a convincing fake Windows Update screen. The execution chain involves mshta.exe, PowerShell, and .NET assemblies, and ultimately extracts shellcode and injects it into target processes. The steganographic technique encodes the malicious data directly into the image's pixel data; the loader reads specific color channels to reconstruct the payload and decrypts it in memory, so the image file on disk never contains a recognizable executable. This approach helps evade signature-based detection and complicates analysis.
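The following is an added, self-contained model of the pixel-channel technique described above, not code from the report or from the campaign's loader. Because the page does not specify the campaign's exact encoding, it assumes one payload byte per pixel in a single color channel, a 4-byte big-endian length prefix, and repeating-key XOR as the in-memory "decryption". It writes and reads a real PNG file (8-bit RGB, filter type 0) using only the standard library, recovers the payload the way a loader would, and adds a per-channel entropy check an analyst can run over a suspect image. The carrier image, key and payload bytes are all constructed for the demo.

```python
# Added example (not from the original page). Assumptions: one byte per pixel in
# one channel, 4-byte length prefix, repeating-key XOR; carrier and payload are
# constructed. Stand-alone: stdlib only.
import hashlib
import math
import struct
import zlib
from collections import Counter

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(tag: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(tag + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)


def encode_png(pixels: bytes, width: int, height: int) -> bytes:
    """Minimal writer: 8-bit RGB (color type 2), filter type 0 on every scanline."""
    stride = width * 3
    raw = b"".join(b"\x00" + pixels[y * stride:(y + 1) * stride] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def decode_png(data: bytes) -> tuple[bytes, int, int]:
    """Minimal reader for what encode_png writes. Returns (RGB bytes, width, height)."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, b"", 0, 0
    while pos + 8 <= len(data):
        length, tag = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", body[:10])
            if (depth, ctype) != (8, 2):
                raise ValueError("demo reader supports 8-bit RGB only")
        elif tag == b"IDAT":
            idat += body
        pos += 12 + length  # length + tag + body + crc
    raw = zlib.decompress(idat)
    stride = width * 3 + 1  # one filter byte per scanline
    rows = [raw[i * stride:(i + 1) * stride] for i in range(height)]
    if any(r[0] != 0 for r in rows):
        raise ValueError("demo reader supports filter type 0 only")
    return b"".join(r[1:] for r in rows), width, height


def xor_stream(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def embed(pixels: bytes, channel: int, payload: bytes, key: bytes) -> bytes:
    """Attacker side: length prefix + XOR(payload) into one channel, one byte per pixel."""
    body = struct.pack(">I", len(payload)) + xor_stream(payload, key)
    if len(body) > len(pixels) // 3:
        raise ValueError("payload does not fit in the carrier")
    out = bytearray(pixels)
    for i, b in enumerate(body):
        out[i * 3 + channel] = b
    return bytes(out)


def extract(pixels: bytes, channel: int, key: bytes) -> bytes:
    """Loader side: read the channel, parse the length, decrypt in memory."""
    chan = pixels[channel::3]
    (n,) = struct.unpack(">I", chan[:4])
    if n > len(chan) - 4:
        raise ValueError("length prefix exceeds channel capacity")
    return xor_stream(chan[4:4 + n], key)


def entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def max_window_entropy(pixels: bytes, channel: int, window: int = 256) -> float:
    """Highest Shannon entropy (bits/byte) over fixed windows of one channel.
    Ciphertext sits near 8 bits; smooth image regions stay well below."""
    chan = pixels[channel::3]
    return max(entropy(chan[i:i + window]) for i in range(0, len(chan) - window + 1, window))


def suspicious_channels(pixels: bytes, threshold: float = 6.5) -> list[int]:
    """Heuristic only: heavily textured photos also produce high-entropy windows."""
    return [c for c in range(3) if max_window_entropy(pixels, c) >= threshold]


def gradient_carrier(width: int, height: int) -> bytes:
    """Constructed smooth RGB gradient standing in for the lure image."""
    px = bytearray()
    for y in range(height):
        for x in range(width):
            px += bytes((x * 4 & 0xFF, y * 4 & 0xFF, (x + y) * 2 & 0xFF))
    return bytes(px)


def demo() -> tuple[bytes, bytes, list[int]]:
    """Hide a constructed pseudo-random blob in the blue channel, round-trip it
    through a real PNG and run the check. Returns (payload, recovered, flagged)."""
    width = height = 64
    key = b"demo-key"  # constructed
    payload = b"".join(hashlib.sha256(b"constructed-shellcode-%d" % i).digest() for i in range(10))
    png = encode_png(embed(gradient_carrier(width, height), 2, payload, key), width, height)
    pixels, _, _ = decode_png(png)
    return payload, extract(pixels, 2, key), suspicious_channels(pixels)
```

The round trip shows why file-based signatures miss this: the PNG is structurally valid and decodes to a plausible image, and the payload only exists as a byte string after the loader has selected the channel and decrypted it. The entropy check is a triage aid, not a detector; it flags the channel holding the 320-byte blob here because the carrier is smooth, but a real lure image with fine texture can score just as high, so treat a hit as a reason to look at the decoding code (the mshta/PowerShell/.NET stages) rather than as proof on its own.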

Date

  • Created: Nov. 24, 2025, 9:10 p.m.
  • Published: Nov. 24, 2025, 9:10 p.m.
  • Modified: Nov. 25, 2025, 9:15 a.m.

Indicators

  • 94.74.164.136
  • 81.90.29.64
  • 192.124.176.103
  • http://vicareu.su/bcdf
  • http://squeaue.su/qwe
  • http://squatje.su/asdasd
  • http://ozonelf.su/asd
  • http://narroxp.su/rewd
  • http://exposqw.su/casc
  • http://conxmsw.su/vcsf
  • http://corezea.com/ebc
  • http://bendavo.su/asdsa
  • xpoalswwkjddsljsy.com
  • xoiiasdpsdoasdpojas.com
  • xmcniiadpwqw.site
  • xcvcxoipoeww.site
  • squeaue.su
  • vicareu.su
  • virhtechgmbh.com
  • squatje.su
  • securitysettings.live
  • sportsstories.gr
  • ozonelf.su
  • narroxp.su
  • hypudyk.shop
  • groupewadesecurity.com
  • galaxyswapper.pro
  • exposqw.su
  • corezea.com
  • conxmsw.su
  • cmevents.live
  • bendavo.su

Attack Patterns