New ClickFix attacks use fake Windows Update screens to fool employees

CSOs and Windows admins should disable the ability of personal computers to automatically run commands to block the latest version of the ClickFix social engineering attacks.

This advice comes from researchers at Huntress, who this week warned that a new version of ClickFix-based attacks, where employees are tricked into running malicious commands, is circulating.

The latest tactics of this campaign include steganography — hiding malware in the pixels of an image — and a “highly convincing” fake Windows Update screen that asks the user to open a Run prompt, then paste in and run a malicious command.

That command delivers the LummaC2 and Rhadamanthys infostealers.

Huntress notes that its report comes after the November 13 Operation Endgame law enforcement takedowns targeting the Rhadamanthys infrastructure. As of November 19, multiple active domains continued to host the Windows Update Lure page associated with the Rhadamanthys campaign. All of these lures point to the same hex-encoded URL structure previously linked to the deployment of Rhadamanthys, although it appears this payload is no longer being hosted.

The first step defenders should take is to stop the ability of this malware to run, says the report. “The most effective way to mitigate ClickFix is by disabling the Windows Run box,” says Huntress, either by modifying the Windows Registry or deploying GPO (group policy object) rules to block interaction with the Windows Run box.
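The registry route Huntress describes corresponds to the "Remove Run menu from Start Menu" policy, which is stored as the NoRun value under the Explorer policies key (the same setting Group Policy writes from User Configuration > Administrative Templates > Start Menu and Taskbar). The following PowerShell is an added example, not code from the Huntress report, and it assumes it is run in the affected user's session or, for other profiles, with rights to write to their loaded hives under HKEY_USERS:

```powershell
# Added example: apply and verify the NoRun policy that removes the Run box (Start menu entry,
# Win+R, and Task Manager's "Run new task"). Takes effect at next logon or after explorer.exe restarts.
$DefaultPolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Disable-RunDialog {
    param(
        # Registry path to the Explorer policies key; HKCU targets the current user. To cover
        # another loaded profile, pass Registry::HKEY_USERS\<SID>\Software\...\Policies\Explorer.
        [string]$PolicyKey = $DefaultPolicyKey
    )
    if (-not (Test-Path -Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    # NoRun = 1 (REG_DWORD) is the value the GPO "Remove Run menu from Start Menu" sets.
    New-ItemProperty -Path $PolicyKey -Name 'NoRun' -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-RunDialogDisabled {
    param([string]$PolicyKey = $DefaultPolicyKey)
    $item = Get-ItemProperty -Path $PolicyKey -Name 'NoRun' -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.NoRun -eq 1)
}

function Get-RunDialogPolicyStatus {
    # Report the NoRun state for every user hive currently loaded under HKEY_USERS, which is
    # what an admin would check after pushing the setting by script or GPO. Offline profiles are
    # not loaded and therefore not listed here.
    foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
        $key = "Registry::HKEY_USERS\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        [pscustomobject]@{
            Sid      = $hive.PSChildName
            NoRunSet = Test-RunDialogDisabled -PolicyKey $key
        }
    }
}

# Usage: apply for the current user, then confirm.
Disable-RunDialog
Test-RunDialogDisabled          # expected: True once the value is written
Get-RunDialogPolicyStatus | Format-Table -AutoSize
```

Deploying the equivalent GPO is preferable to per-machine scripts in a domain, because Group Policy re-applies the value if a user or malware removes it; the script is useful for verifying that the policy actually landed on a given host.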

After that, the report recommends the standard response for fighting all social engineering attacks: Effective employee security awareness training. “Ensure users are trained on the ClickFix methodology,” says the report, “emphasizing that legitimate CAPTCHA or Windows Update processes will never require pasting and running commands.”

ClickFix warnings

Experts have been warning about ClickFix attacks (sometimes called pastejacking) since at least early 2024. They often start with a phishing lure that pulls the victim to a realistic fake landing page that purports to be a Windows Update page or a government department website. The heart of the attack is in giving users instructions that involve clicking on prompts and copying, pasting, and running commands directly in the Windows Run dialog box, Windows Terminal, or Windows PowerShell. This leads to the downloading of scripts that launch malware.

Two new tactics are used in the latest ClickFix campaign, says Huntress:

The first is the use since early October of a fake blue Windows Update splash page in full-screen, displaying realistic “Working on updates” animations that eventually conclude by prompting the user to follow the standard ClickFix pattern: open the Run prompt (Win+R), then paste and run the malicious command.

Why would an employee do this? Because the request is part of an alleged test to prove the victim is human. A screen saying “Human Verification. Follow 3 quick steps to verify you’re not a robot.” is displayed. It’s like a CAPTCHA request, which is familiar to employees these days. In this case, the three steps are: press the Windows button + R (which opens the Run box); press CTRL + V (which pastes in a command that was automatically copied to the clipboard); and then press Enter to “verify” (which actually runs the command that triggers downloading of scripts).

The second is steganography, which conceals the final malware stages within an image. Rather than simply appending malicious data to a file, the malicious code is encoded directly within the pixel data of PNG images, relying on specific colour channels to reconstruct and decrypt the payload in memory.

In an email, report co-author Ana Pham said steganography is not new to malware operations. “What stands out here is the implementation: rather than simply appending malicious data to an image file, this campaign encodes the payload directly into the RGB pixel values of PNG images, extracting shellcode by reading specific color channels and applying XOR decryption. It’s a more involved approach than basic file-appending techniques, designed to evade signature-based detection.”

The Windows Update-themed tactic is particularly effective because it mimics something users expect to see: a full-screen Windows Update splash page with realistic animations, she said.

“Given how convincing this lure is compared to standard ‘robot verification’ pages, it’s reasonable to expect other threat actors will adopt similar approaches,” she added. “The source code for these lures contains Russian-language comments and isn’t heavily obfuscated, meaning it could be shared or copied by other groups relatively easily.”

Attacks are now ‘rampant’

ClickFix has become rampant among Huntress’ customers, she said, and is one of the most prevalent threats seen this year. In the past six months, the company has seen a 313% increase in ClickFix-related incidents.

Huntress responded to 76 separate incidents tied to this specific campaign over a one month period from late September through October, with attacks targeting organizations across multiple regions, including the United States, Europe/Middle East/Africa, and Asia-Pacific.

What ties the incidents together is a specific indicator, Pham said: the initial payload, which ultimately delivers the steganographic loader, always contains a URL where the second octet is encoded in hexadecimal format.

Researchers at Palo Alto Networks’ Unit 42 threat intelligence division have also reported seeing more ClickFix attacks. In a July report, they said attackers lure victims into copying and pasting commands to apply quick fixes to common computer issues such as performance problems, missing drivers, or pop-up errors. Fake tech support forums are one way these attacks start. Threat actors have also been known, in other campaigns, to use fake DocuSign and Okta single-sign-on pages to trick users. Payloads include infostealers, remote access trojans (RATs), or tools that disable security.

“This delivery method bypasses many standard detection and prevention controls,” says the Palo Alto report. “There is no exploit, phishing attachment, or malicious link. Instead, potential victims unknowingly run the command themselves, through a trusted system shell. This method makes infections from ClickFix more complicated to detect than drive-by downloads or traditional malware droppers.”

In yet another instance, researchers at NCC Group today issued this report on a ClickFix attack they discovered in May that involved a drive-by compromise and the use of a fake CAPTCHA popup, with the goal of installing the Lumma C2 Stealer.

What CSOs should do

But CSOs aren’t without defenses. One is disabling the Windows Run dialog through registry modifications or Group Policy. As well, they should audit the RunMRU registry key (which keeps a copy of the most recently executed commands from the Run window) during investigations to check if users have executed suspicious commands through the Run dialog. Palo Alto Networks notes some key indicators for suspicious RunMRU contents could be obfuscated content, keywords related to the download and execution of payloads from unknown or suspicious domains, and keywords indicating calls to administrative interfaces.
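The RunMRU audit can be scripted. Explorer keeps the history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU as single-letter values, each ending in a literal "\1", with the MRUList value giving most-recent-first order. The PowerShell below is an added example, not code from the article or from Huntress or Palo Alto Networks; the keyword list is a constructed starting point reflecting the indicator categories mentioned above (download-and-execute keywords, obfuscation, administrative interfaces), not an official indicator list, and the script assumes it runs with rights to read the profile hives loaded under HKEY_USERS:

```powershell
# Added example: enumerate RunMRU for every loaded user hive and flag entries that look like
# pasted ClickFix commands. Offline profiles must be loaded (reg load) before they appear here.
$SuspiciousKeywords = @(
    'powershell', 'pwsh', 'mshta', 'cmd /c', 'curl', 'wget', 'bitsadmin', 'certutil',
    'http://', 'https://', '-enc', '-e ', 'iex', 'invoke-expression', 'downloadstring',
    'frombase64string', '-w hidden', '-windowstyle', 'bypass', 'wmic', 'rundll32'
)
# Constructed threshold: a Run-box entry longer than this is unusual for a human-typed command.
$LongCommandThreshold = 150

function Get-RunMruEntries {
    # Returns one object per RunMRU entry, most recent first according to MRUList.
    foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
        $sid = $hive.PSChildName
        $key = "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        $order = if ($props.MRUList) { $props.MRUList.ToCharArray() } else { @() }
        foreach ($letter in $order) {
            $slot = [string]$letter
            $raw  = $props.$slot
            if (-not $raw) { continue }
            [pscustomobject]@{
                Sid     = $sid
                Slot    = $slot
                # Explorer stores each entry as "<command>\1"; strip the trailing marker.
                Command = ($raw -replace '\\1$', '')
            }
        }
    }
}

function Find-SuspiciousRunMru {
    param(
        [string[]]$Keywords = $SuspiciousKeywords,
        [int]$LengthThreshold = $LongCommandThreshold
    )
    foreach ($entry in Get-RunMruEntries) {
        $lower = $entry.Command.ToLowerInvariant()
        $hits  = @($Keywords | Where-Object { $lower.Contains($_) })
        if ($entry.Command.Length -gt $LengthThreshold) { $hits += 'long-command' }
        # Heavy use of quoting, carets, or pipes is typical of obfuscated one-liners.
        if (($entry.Command -replace '[^"''^|;&]', '').Length -ge 6) { $hits += 'obfuscation-chars' }
        if ($hits.Count -gt 0) {
            $entry | Add-Member -NotePropertyName Indicators -NotePropertyValue ($hits -join ', ') -PassThru
        }
    }
}

# Usage during an investigation: list everything, then just the flagged entries.
Get-RunMruEntries | Format-Table -AutoSize
Find-SuspiciousRunMru | Format-List
```

Because ClickFix operators know responders look here, treat an empty or freshly cleared RunMRU on a host with other indicators as itself noteworthy, and corroborate with process-creation telemetry rather than relying on the key alone.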

Pham also said leaders should deploy endpoint monitoring for suspicious process chains, particularly watching for explorer.exe spawning mshta.exe, or PowerShell with unusual command-line arguments.

Palo Alto Networks also warned that some attackers aim to avoid exposing their activity in the RunMRU registry key by presenting instructions to launch a terminal for PowerShell (Windows 11) or Command Prompt (Windows 10). EDR telemetry or Windows Event Logs will show signs of this tactic.
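Both the process-chain monitoring Pham recommends and the terminal-launched variant Palo Alto Networks describes show up as process-creation events, so one query covers them. The PowerShell below is an added example, not code from the article or either vendor; it assumes Sysmon is installed with process creation logging (Event ID 1) enabled and that the script can read the Microsoft-Windows-Sysmon/Operational log. The parent, child and argument lists are constructed from the indicators named in the text and would be tuned to a given environment:

```powershell
# Added example: pull Sysmon process-creation events and surface the chains the article calls out:
# explorer.exe spawning mshta.exe, and PowerShell or cmd started (from Explorer or a terminal)
# with download-and-execute style arguments.
$SuspiciousChildren = @('mshta.exe', 'powershell.exe', 'pwsh.exe', 'cmd.exe')
$SuspiciousParents  = @('explorer.exe', 'windowsterminal.exe', 'openconsole.exe')
$SuspiciousArgs     = @(
    '-enc', '-e ', '-w hidden', '-windowstyle hidden', 'iex', 'invoke-expression',
    'downloadstring', 'http://', 'https://', 'frombase64string', 'mshta', 'curl', 'certutil'
)

function Get-SysmonProcessEvents {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    foreach ($event in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        # Flatten the EventData <Data Name="..."> elements into a hashtable.
        $xml  = [xml]$event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $event.TimeCreated
            User        = $data['User']
            Image       = $data['Image']
            ParentImage = $data['ParentImage']
            CommandLine = $data['CommandLine']
        }
    }
}

function Find-ClickFixProcessChains {
    param([int]$Hours = 24)
    foreach ($e in Get-SysmonProcessEvents -Hours $Hours) {
        if (-not $e.Image -or -not $e.ParentImage) { continue }
        $child  = [System.IO.Path]::GetFileName($e.Image).ToLowerInvariant()
        $parent = [System.IO.Path]::GetFileName($e.ParentImage).ToLowerInvariant()
        if ($SuspiciousChildren -notcontains $child) { continue }

        $cmd     = if ($e.CommandLine) { $e.CommandLine.ToLowerInvariant() } else { '' }
        $argHits = @($SuspiciousArgs | Where-Object { $cmd.Contains($_) })
        $reasons = @()
        # mshta launched straight from Explorer is worth a look regardless of arguments.
        if ($child -eq 'mshta.exe' -and $SuspiciousParents -contains $parent) { $reasons += 'explorer->mshta' }
        # For shells, require a suspicious argument to keep ordinary admin use out of the results.
        if ($argHits.Count -gt 0) { $reasons += "args: $($argHits -join ', ')" }
        if ($reasons.Count -eq 0) { continue }

        [pscustomobject]@{
            Time        = $e.Time
            User        = $e.User
            Parent      = $parent
            Child       = $child
            Reason      = ($reasons -join '; ')
            CommandLine = $e.CommandLine
        }
    }
}

# Usage: review the last day of process creations on this host.
Find-ClickFixProcessChains -Hours 24 | Format-List
```

Where Sysmon is not deployed, the same logic applies to Security event 4688 once process creation auditing with command-line logging is enabled; the field names differ (NewProcessName, ParentProcessName, CommandLine), but the parent/child and argument checks are identical.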

While security awareness training is important, it shouldn’t be the only line of defense, said Pham.

“ClickFix succeeds because it exploits user trust and habitual behavior,” she said. “Users instinctively trust CAPTCHA checks and Windows update screens as routine parts of their day. Even well-trained users can be caught off guard by a convincing full-screen Windows Update animation. The most effective [mitigation] approach combines user education with technical controls: disabling the Run dialog, monitoring for suspicious process behavior, and maintaining robust endpoint detection. Defense in depth matters here; training reduces the likelihood someone falls for the lure, but technical controls provide a safety net when they do.”

At this time Huntress doesn’t have enough evidence to determine whether this specific campaign was run by a particular threat actor or multiple groups of threat actors, Pham noted.