ClickFix Hack Buries Malware Inside PNG Pixels
A new cyber campaign reveals how a ClickFix hack buries malware deep within image files by blending steganography and social engineering. Researchers at Huntress say attackers lure users with convincing fake Windows update prompts or CAPTCHA tests and trick them into pasting malicious commands into the Windows Run dialog. Once executed, these commands download a PNG file that hides shellcode inside its pixel data using a custom encoding.
The threat actors encode the final payload into the red color channel of these images, which makes signature-based detection harder. A PowerShell loader decrypts and runs a .NET assembly, which in turn extracts the shellcode from the image. The shellcode, packed with Donut, executes in memory and delivers malware strains such as LummaC2 and Rhadamanthys.
This attack highlights how threat groups use familiar visuals and manual user input to bypass automated defenses. Security teams should consider disabling Run functionality and training users on social engineering red flags, especially as the ClickFix hack buries malware in increasingly stealthy forms.
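One detection idea that follows from the red-channel encoding described above is a per-channel entropy check: compressed or encrypted shellcode written byte-for-byte into one channel pushes that channel toward 8 bits of entropy while the untouched channels stay where the picture content puts them. The script below is an added example (not Huntress's tooling or the campaign's code); the gradient image, the threshold and the simulated payload (pseudo-random bytes standing in for real shellcode) are all constructed here.

```python
import math
import random
from collections import Counter


def channel_entropy(pixels, channel):
    """Shannon entropy in bits per byte of one channel of an RGB pixel list."""
    counts = Counter(p[channel] for p in pixels)
    n = len(pixels)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def red_channel_anomaly(pixels, threshold=2.0):
    """Flag an image whose red channel is far noisier than green and blue.

    Returns (flagged, [r_entropy, g_entropy, b_entropy]). The threshold is an
    assumption chosen for this example; tune it against your own image corpus.
    """
    ent = [channel_entropy(pixels, c) for c in range(3)]
    r, g, b = ent
    return r - max(g, b) > threshold, ent


def make_gradient(width, height, steps=16):
    """Constructed benign sample: blocky gradients with `steps` values per channel."""
    step = 255 // (steps - 1)
    return [((x * steps // width) * step,
             (y * steps // height) * step,
             ((x + y) * steps // (width + height)) * step)
            for y in range(height) for x in range(width)]


def simulate_stego(pixels, seed=1234):
    """Constructed stego sample: overwrite the red byte of every pixel with
    pseudo-random data, mimicking an encrypted payload stored in that channel."""
    rng = random.Random(seed)
    return [(rng.randrange(256), g, b) for (_, g, b) in pixels]


if __name__ == "__main__":
    benign = make_gradient(64, 64)
    print("benign:", red_channel_anomaly(benign))
    print("stego :", red_channel_anomaly(simulate_stego(benign)))
```

For real files, load the pixel list with Pillow (`Image.open(path).convert("RGB").getdata()`); the heuristic weakens when the payload fills only a small part of the channel or the carrier image is itself very noisy, so treat a hit as a triage signal rather than a verdict.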