- Fake Windows Updates Deliver Advanced Malware Hidden Inside Encrypted PNG Images
- Hackers trick victims with update screens that secretly execute malicious commands
- Stego Loader rebuilds dangerous payloads completely in memory using C# routines
Hackers are increasingly using fake Windows Update screens to distribute complex malware using social engineering tactics.
ClickFix attacks convince users to execute commands in Windows by imitating legitimate update messages on full-screen web browser pages, Huntress researchers Ben Folland and Anna Pham discovered.
Experts reported that in some cases, attackers instruct victims to press specific keys, which automatically paste malicious commands into the Windows Run box.
Steganography and multi-stage payloads
These commands then trigger malware execution, bypassing standard system protections and affecting both individual and enterprise systems.
Malware payloads are hidden using steganography inside PNG images, encrypted with AES, and reconstructed using a .NET assembly called Stego Loader.
This loader extracts shellcode using custom C# routines and repackages it with the Donut tool, allowing VBScript, JScript, EXE, DLL, and .NET assemblies to run completely in memory.
Analysts identified the resulting malware as variants of LummaC2 and Rhadamanthys.
The use of steganography in these attacks demonstrates that malware delivery is moving beyond traditional executable files, creating a new challenge for threat detection and incident response teams.
Attackers also implement dynamic evasion tactics such as ctrampoline, which calls thousands of empty functions to make analysis difficult.
A variant using the fake Windows Update lure was detected in October 2025, and law enforcement disrupted part of its infrastructure during Operation Endgame in November.
This prevented the final payload from being delivered via malicious domains, although the fake update pages remain active.
The attacks continue to evolve, alternating between human verification messages and update animations to trick users into executing commands.
Researchers recommend monitoring process chains for suspicious activity, such as explorer.exe spawning mshta.exe or PowerShell.
They also recommend reviewing the RunMRU registry key to see which commands were entered in the Run box.
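The two checks above, as an added example that is not part of the original article or the Huntress research: a small Python routine that flags explorer.exe spawning mshta.exe or PowerShell in constructed process-creation records, and a helper that reads RunMRU-style values (single-letter value names ending in "\1", ordered by the MRUList value) back into a most-recent-first command history. The sample events and registry values are constructed for illustration.

```python
# Constructed process-creation records in the shape a SIEM export might use:
# parent image, child image, child command line. Not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta https://update.example.invalid/verify"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -c <placeholder>"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -File build.ps1"},
]

# Child processes the article names as suspicious when launched directly from the shell.
SUSPICIOUS_CHILDREN = {"mshta.exe", "powershell.exe", "pwsh.exe"}


def basename(path):
    """Return the file name of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def flag_clickfix_chains(events):
    """Return the events where explorer.exe directly spawns a suspicious child."""
    return [e for e in events
            if basename(e["parent"]) == "explorer.exe"
            and basename(e["image"]) in SUSPICIOUS_CHILDREN]


# Constructed RunMRU values: Windows stores each Run-box entry under a one-letter
# value name with a trailing "\1", and MRUList lists the letters newest first.
SAMPLE_RUNMRU = {
    "a": "cmd\\1",
    "b": "mshta https://update.example.invalid/verify\\1",
    "c": "powershell -w hidden -c <placeholder>\\1",
    "MRUList": "cba",
}


def runmru_history(values):
    """Rebuild the Run-box history, most recent first, stripping the "\\1" suffix."""
    history = []
    for letter in values.get("MRUList", ""):
        raw = values.get(letter)
        if raw is None:
            continue  # MRUList can reference a letter whose value was deleted
        history.append(raw[:-2] if raw.endswith("\\1") else raw)
    return history
```

On a live host the same RunMRU values sit under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU and can be exported with reg.exe or read with the winreg module before being passed to runmru_history.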
Organizations are advised to combine malware removal practices with antivirus scanning and firewall protection to limit exposure.
Disabling the Windows Run box, where possible, and carefully inspecting image-based payloads are additional recommended precautions.
Companies must be aware of the risks that arise from the abuse of seemingly legitimate assets, such as images and scripts, which complicate logging, tracking and forensic analysis.
This also raises concerns about supply chain security and the possibility of attackers leveraging trusted update mechanisms as entry points.