CyberWire Daily - Picture perfect deception. [Research Saturday]
Episode Date: January 17, 2026. Today we are joined by Ben Folland, Security Operations Analyst from Huntress, discussing their work on "ClickFix Gets Creative: Malware Buried in Images." This analysis covers a ClickFix campaign that uses fake human verification checks and a realistic Windows Update screen to trick users into manually running malicious commands. The multi-stage attack chain leverages mshta.exe, PowerShell, and .NET loaders, ultimately delivering infostealers like LummaC2 and Rhadamanthys, with payloads hidden inside PNG images using steganography. While technically sophisticated, the campaign hinges on simple user interaction, underscoring the importance of user awareness and controls around command execution. The research can be found here: ClickFix Gets Creative: Malware Buried in Images
Transcript
You're listening to the CyberWire Network, powered by N2K.

Most environments trust far more than they should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker Allowlisting, you stop unknown executables cold. With Ringfencing, you control how trusted applications behave. And with ThreatLocker DAC, Defense Against Configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero-trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero trust attainable, even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source, and regain control over their own environments. Schedule your demo at Threatlocker.com slash N2K today.
Hello everyone and welcome to the CyberWire's Research Saturday. I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems and protecting ourselves in our rapidly evolving cyberspace. Thanks for joining us.
ClickFix is a malware delivery technique. It's not sophisticated. It's very simple. And it typically involves just tricking the user into copying and pasting a malicious command.

That's Ben Folland, security operations analyst from Huntress. The research we're discussing today is titled ClickFix Gets Creative: Malware Buried in Images.

I noticed there was a specific campaign, a ClickFix campaign, and we started seeing certain indicators of compromise that would indicate it's the same campaign on multiple incidents. So this happened for a few days. I was doing my analysis and I was doing the investigation, and we observed that the ClickFix campaign started with a user being instructed to copy and paste a malicious command, and it was encoded with a hex-encoded IP address. We did this investigation and did some malware analysis, and we realized, and this is what made the campaign interesting, is the malware leveraged a technique called steganography. And it hid malicious payloads, the actual final core info-stealing malware payload, within a benign PNG image, and only during the malware's execution chain did the image get extracted and the malware forensically pulled from the image and then run dynamically. So the steganography in the campaign made it really interesting, as this is something we don't often see, and it's an interesting evasion technique, a way of hiding the malicious code within a benign image.
Yeah, I mean, you mentioned, certainly I think of image formats as being benign, but this use of steganography shows that that's not always the case.
Yeah, exactly. And if you were to even analyze the image yourself or inspect it, it would look benign. If you didn't have the context in which the malware was unpacking it and unraveling it, it is really hard to extract what is actually going on and extract that malicious code. And this is why it's so effective. You can have malware embedded within images, and they can be written to disk, and antivirus can scan them all they want, but they won't be able to identify the hidden payload inside the image, because of the method in which the malware is extracted using steganography. It's really hard for antiviruses to automatically detect that.
Well, the research describes two versions of the lure here: the robot verification page, and there's a fake Windows Update screen. Can you describe to us how these are different and what makes the update-themed lure so convincing?
Yeah, of course. So when we've got ClickFix campaigns, we've got two real core components. We've got the lure, and this is where we trick the user into actually copying or pasting and running a command, and then we've got the actual malware, and this is as a result of the command. And the lure is really the most important part. The lure is where you convince the user, or you trick the user, that they need to do something. They need to copy a command, or they need to maybe follow these steps in order to enter the website.

So the first case was the robot verification lure. This is more one of the traditional ClickFix, fake captcha type lures that we've been seeing for the good part of a year now. This lure was, I believe, likely vibe coded or AI developed. It didn't really look too genuine. However, we still see victims and it still tricks people. This could be because they're going to a trusted website, maybe a website which they visit often and it's been compromised, and they're just getting a pop-up. And to somebody who works in tech, or one of us in cybersecurity, it may be obvious that this is suspicious or unexpected, but for most people, or for all people, this is not the case, and especially with ClickFix, which is a new threat, which is something which has only been around for a few years, and it's not in everyone's security awareness training packages.

We've got the Windows Update lure, which we've been seeing only in the last few months, and this is very different to the traditional ClickFix lures, where you would visit the website and you'd be given a fake captcha or some pop-up in order to access the website you were meant to be originally visiting. With the Windows Update lure, when you visit the website, it will try to trick you into thinking Windows has started an update sequence, and your browser will go into full screen, your mouse cursor will go hidden, you won't be able to see it, and you will see the blue Windows Update screen, and it follows the sequence, and you'll wait for 30, 40 seconds, and then you're given the classic ClickFix instructions to press Control R or Windows key R on your keyboard, and that's to open the Windows Run box, and then the JavaScript in the background automatically copies to the clipboard a malicious command, and the lure instructs the user to paste the command into that Windows Run box and then press enter.

And a lot of users would do this. Their screen would go into full screen. They may not be able to get out of that. They wouldn't be able to see their cursor. So a lot of users wouldn't know what to do in this position. And they're unlikely to call up IT or ask for help when they've got some instructions right in front of them saying how they can potentially fix this issue. And this is why we saw it was so effective. And when the user presses enter and they run the command, at that point, seconds later, info-stealing malware is running. It is looking throughout the computer, common places on disk, for browser credentials. Maybe there's cryptocurrency wallets. Maybe there are sensitive files, and the info-stealing malware will look in all these places, and then it will exfiltrate it and steal it. And this data will be now in the hands of a criminal who can either sell it or use it.
We'll be right back.
So it is a multi-stage execution chain, yes?
Yes, it is. So when I say we've got this, it's two parts, right? There's the lure and then the malware. The malware execution chain is itself made up of four or five stages. So it starts off with the user, as I mentioned, being told to paste a command, and when they paste the command, there will be an MSHTA executable. This is Microsoft's HTML Application. This is native to Windows. This is a signed binary. This is legitimate, and it won't trigger an antivirus detection. However, the context in which this MSHTA binary, we call them living off the land because they're native to Windows, but they can be abused for malicious activity, well, it will download an additional payload. And it will run this in memory, once again avoiding disk, avoiding antivirus. And then this next payload will download us a PowerShell script. And then the PowerShell script itself will decrypt and dynamically load some more code. And it sort of goes through this stage of going from one binary to another and decrypting some content until we've got this final stage where we've got a .NET binary, and inside the .NET binary, embedded within it, is an image.

And this is where the steganography piece comes into it again. And this is a PNG image, and PNG images are made up of pixels. And each pixel has colour information. We often refer to the colour information as RGB, or RGBA. And if you looked at this particular PNG image and you only looked at the strength, the number representing the R pixel, and you did some operations with this, you did some exclusive-or bitwise operations, you would eventually extract the shellcode. And the malware would do this. It would extract the shellcode and then inject it. And this happens instantaneously, basically after a user presses enter. However, it does take a while to unravel the campaign and go through each of the stages, because the threat actors have put a lot of effort into obfuscating and using steganography. That is something we don't often see. And it's clear they wanted to make the lives of analysts like myself harder by splitting it up into so many different stages, and also make it harder for antivirus and other EDRs to detect by obfuscating it.
Well, your research mentions the payload. So you talk about things like LummaC2 and the Rhadamanthys Stealer. What are the capabilities of these infostealers?

So yeah, LummaC2 and Rhadamanthys. These are super well-known infostealers. They are known as, sort of, malware as a service. So if you go on some of the dark web forums, you can buy, I guess, licenses or access to LummaC2 and Rhadamanthys. And then as a criminal, as a cybercriminal, you can go out and you can use this malware, which you haven't developed yourself, but you're buying access to it. And then you can use this malware in these ClickFix campaigns, but these are both infostealers. And to answer the question about the capabilities, they're both advanced infostealers that can capture a very wide range of credentials. So if you're using any sort of common browser that you would use on a Windows machine, the credentials in the browser, if this infostealer ran, may be exfiltrated. If you were using Outlook, or maybe some of the common applications, once again, these would be pillaged. The malware would strategically go through disk looking for common file paths, which are hard-coded, where these credentials can be found. There is also interest in cryptocurrency, cryptocurrency wallets and keys. LummaC2 has an interesting capability. It can intercept clipboard information. So let's say you are doing a transaction, a crypto transaction, on your computer. The Lumma infostealer can intercept the crypto wallets and the crypto keys as they're in the clipboard, and they can detect them in the clipboard as being these keys and exfiltrate them back to the threat actor, which is an interesting way of stealing this data. But both of these are infostealers.

And recently, interestingly, both of these infostealers have been involved in takedowns this year, Rhadamanthys more recently. I think that was Operation Endgame. So a Europol takedown, a coordinated law enforcement takedown of Rhadamanthys infrastructure, which was great to see. However, LummaC2, also there was a takedown back in May. I don't think these are going to stop them permanently. Infrastructure is going to be probably rebuilt over time, and we may see them resurface.
Who do you suppose is behind this? Is this a named threat actor?
The threat actors go by the malware names, so LummaC2. That is like an account on the forums. They were advertised as that. I don't know the individual. They often advertise on Russian cybercrime forums, and they often advertise in Russian, which may suggest the identity, but I have no evidence to suggest that.
Yeah.

How do you rate their sophistication here?

So these are low... We're talking about infostealers, and these aren't zero-days. We're not talking about APTs or nation-state threats. These are infostealers which are targeting organizations via phishing or sort of opportunistic threats. So as a whole, these aren't a super sophisticated threat, but they're a high-impact threat. Infostealers as a whole are the most prolific malware we see in the wild. They're the most delivered. If you're going to have malware execution on the host, chances are it is an infostealer.
Well, let's talk about defenses here. I mean, from a practical point of view, what should organizations be doing to protect themselves?
That is a really, really good question. And there are a few good things organizations should be doing. And I really think most importantly is security awareness training that involves ClickFix and these fake captcha techniques. I mentioned before, everyone, or most people who've worked in a corporate job, have been through some security awareness training where they've been told about the phishing threats and they've been told about the Nigerian princes. But most people aren't aware of what ClickFix is. And most people don't know that they shouldn't just copy and paste and run random commands that they're told to on websites. This isn't a known malicious thing to most normal people. Security awareness training is really important. But as we all know, the same with phishing, right, it doesn't always work. And this is why we need to implement stronger mitigations. So this could be blocking the Windows Run box. You can do this by a Group Policy. You could make a registry modification to stop the Windows Run box being able to pop up. And you can do the same with PowerShell. If I was a sysadmin, I was in a domain, I would use Group Policy and potentially lock it down to users who aren't in IT. Because, I don't know, there's bound to be one sysadmin which complains about the Run box being disabled. But that is a great way you can control it.
Our thanks to Ben Folland from Huntress for joining us. The research is titled ClickFix Gets Creative: Malware Buried in Images. We'll have a link in the show notes.
And that's Research Saturday, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at N2K.com. This episode was produced by Liz Stokes. We're mixed by Elliott Peltzman and Trey Hester. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.
If you only attend one cybersecurity conference this year, make it RSAC 2026. It's happening March 23rd through the 26th in San Francisco, bringing together the global security community for four days of expert insights, hands-on learning, and real innovation. I'll say this plainly, I never miss this conference. The ideas and conversations stay with me all year. Join thousands of practitioners and leaders tackling today's toughest challenges and shaping what comes next. Register today at rsacconference.com slash cyberwire 26. I'll see you in San Francisco.
