Threat actors have evolved their attack strategies by combining the deceptive ClickFix social engineering lure with advanced steganography techniques to conceal malicious payloads within PNG image files.<\/p>\n
This sophisticated approach, discovered by Huntress analysts, represents a significant shift in how cybercriminals deliver information-stealing malware to unsuspecting users.<\/p>\n
ClickFix operates as a multi-stage attack<\/a> chain that tricks users into manually executing commands via the Windows Run prompt.<\/p>\n The campaign begins when victims encounter convincing lures, including fake robot verification screens and realistic Windows Update notifications.<\/p>\n These pages instruct users to press Win+R to open the Run box, then paste a command that has been automatically copied to their clipboard.<\/p>\n Once executed, this initial command initiates a dangerous chain of events that ultimately delivers malware to the target system.<\/p>\n Huntress analysts and researchers identified<\/a> the malware emerging in October 2025, with campaigns evolving across two distinct variants.<\/p>\n The initial \u201cHuman Verification\u201d lures have been overshadowed by newer, more convincing fake Windows Update screens that mimic legitimate Microsoft updates in full-screen mode, complete with realistic \u201cWorking on updates\u201d animations before prompting the ClickFix command execution.<\/p>\n The most notable aspect of this campaign is how threat actors conceal their final malware stages. Rather than appending malicious data to images, the attackers use a custom steganographic algorithm to encode shellcode directly within the pixel data of PNG images.<\/p>\n This technique relies on specific color channels\u2014particularly the red channel\u2014to reconstruct and decrypt the payload entirely in memory.<\/p>\n The infection mechanism begins with an mshta.exe command containing a hex-encoded IP address in its second octet.<\/p>\n This triggers a PowerShell<\/a> loader that dynamically decrypts and reflectively loads a .NET assembly. This assembly acts as a steganographic loader, extracting shellcode hidden within an encrypted PNG image embedded as a manifest resource.<\/p>\n The extraction process uses the bitmap\u2019s raw pixel data, calculating offsets for each row and column, then XORs the red channel value with 114 to recover the encrypted shellcode bytes.<\/p>\n The extracted shellcode is packed using Donut, a shellcode packer that enables in-memory .NET assembly execution.<\/p>\n Huntress researchers documented that the final payloads delivered through this mechanism include information-stealing malware such as LummaC2 and Rhadamanthys, designed to harvest sensitive user credentials and financial information.<\/p>\n This campaign<\/a> demonstrates how threat actors continue to innovate their detection evasion capabilities. By hiding payloads within image pixel data rather than traditional file structures, attackers complicate analysis and evade signature-based detection systems.<\/p>\n However, the attack still relies on the fundamental weakness of social engineering<\/a>\u2014convincing users to manually execute commands.<\/p>\n Organizations should prioritize user awareness training and consider disabling the Windows Run box through registry modifications or Group Policy to prevent this attack vector from succeeding.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post Hackers Using ClickFix Technique to Hide Images within the Image Files<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"Human](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjOz501Mb7vbJbrvKRyg0244TmgdssES4jjAb7NbED3y7lgfXFlumfBKvo_sPNDGgsVFhnonmTcT1Wcc4tk4spJOnQeCXGoxV4-3SlO7_m56TvC5XOaPsopYFqb0k6js5TpYPHae16TSfowjP4JzFSgMKd9rsNecmmYZn0oNvfUo7K0bWykcwGnfIA_tlA\/s16000\/Human%2520Verification%2520Lure%2520%28Source%2520-%2520Huntress%29.webp?ssl=1\")
![\"Snippet](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgU_KBi5f73fUc7cGQ3e_SvQnhRbXKWvTCmRgZuRpv9-sRWr4rTqUWmRuoJ1EZte_l_nfQD7e8a5Vcdb11vumLFs1gpbIEuWVn4oBlyDUycWlMVOe_pqRQ2TjoZ2mYm9s0UBz5NY4bSZJRN_vuEbY5_2F_2LyMQ8AcVtLBrPl-zn58kBKu33k_3a5S4Trk\/s16000\/Snippet%2520of%2520ClickFix%2520Lure%2520Source%2520%28Source%2520-%2520Huntress%29.webp?ssl=1\")
Steganographic Payload Concealment<\/strong><\/h2>\n
![\"Execution](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiZK4FZ7q1BN9-fqVtXAoXcEaCHneP-un6iha8KKUeUnmkVMBB1li8l8SYCrG4pOTMdXaBvQe4NZ6Rytc4UmmMGXSmwU-D0qZ3aP0uxGewkVtt12UHtY0i2RSDdYvEYUH5iDA2nrpLPEBiSVfPIyu1O9Zw0DpOj6GuCedmpXXUqplsEjgKDGtRuGwRyIE4\/s16000\/Execution%2520chain%2520leading%2520to%2520LummaC2%2520%28Source%2520-%2520Huntress%29.webp?ssl=1\")
![\"dnSpy](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiXJp8a92CbKeCSFI5qo7aUqlxOpajYk1J8XUNjHB14KBbUIAzbsB6fR3tP5z_RYPE2jFCEZZcyDFC9MQUskN0ZGzkefxoQryk-aJz8LelSeZNVslyLIxQxqz8tUWRWvldkw35B6KQpWrz5dOyCZFiFFAa0eQhYXZ8V1Ri94HCsPYEH7E0D7lLk7jaM0Xk\/s16000\/dnSpy%2520output%2520displaying%2520manifest%2520resource%2520%28Source%2520-%2520Huntress%29.webp?ssl=1\")