- Fake Windows Updates Deliver Advanced Malware Hidden in Encrypted PNG Images
- Hackers trick their victims with update screens that secretly execute malicious commands
- Stego Loader rebuilds dangerous payloads entirely in memory using C# routines
Hackers are increasingly using fake Windows Update screens to distribute complex malware via social engineering tactics.
ClickFix attacks convince users to execute commands in Windows by mimicking legitimate update prompts in full-screen web browser pages, Huntress researchers Ben Folland and Anna Pham found.
The researchers report that in some cases the page instructs victims to press a specific key sequence, which pastes a prepared malicious command into the Windows Run dialog (Win+R) and executes it.
Steganography and multi-stage payloads
Because the victim runs the command themselves, the attack sidesteps controls aimed at malicious downloads and attachments, and it has affected both individual and corporate systems.
Malware payloads are hidden with steganography inside PNG images, encrypted with AES, and reconstructed by a .NET assembly the researchers call Stego Loader.
The loader recovers the encrypted bytes with custom C# routines and decrypts them into shellcode built with the Donut tool, which converts VBScript, JScript, EXE, DLL and .NET assembly payloads into position-independent shellcode that runs entirely in memory, without the original file ever touching disk.
Analysts identified the resulting malware as variants of LummaC2 and Rhadamanthys.
The use of steganography in these attacks demonstrates that malware delivery extends beyond traditional executable files, creating a new challenge for threat detection and incident response teams.
Attackers also use evasion tricks such as a technique the researchers call ctrampoline, in which the program's entry function calls thousands of empty functions to slow down and confuse static analysis and decompilation.
A variant using the fake Windows Update lure was detected in October 2025 and law enforcement disrupted part of its infrastructure via Operation Endgame in November.
This cut off delivery of the final payload from the malicious domains, although the fake update pages themselves remained online.
The attacks continue to evolve, alternating between human verification prompts and update animations to trick users into executing commands.
The researchers recommend monitoring process chains for suspicious parent-child relationships, such as explorer.exe spawning mshta.exe or PowerShell, which is what a command launched from the Run dialog looks like.
Investigators can also examine the RunMRU registry key, which records the commands a user has entered into the Run dialog.
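The two checks above, as an added PowerShell triage script that is not part of the Huntress research or this article. It assumes Sysmon is installed and writing process-creation events (Event ID 1) to its standard channel, that the script runs in the context of the user whose Run-dialog history is of interest, and that the keyword list in $SuspiciousPattern is a starting point to be tuned for your environment; the hypothetical function names are my own.

```powershell
# Added example: triage for ClickFix-style Run-dialog execution.
# Check 1: commands recorded in HKCU\...\Explorer\RunMRU.
# Check 2: Sysmon Event ID 1 where explorer.exe spawned a script host or shell.

# Assumed keyword list (tune to your environment); matched case-insensitively.
$SuspiciousPattern = 'mshta|powershell|pwsh|wscript|cscript|curl|bitsadmin|certutil|-enc|-e |hidden|http|iex|invoke-expression|\.hta'

function Get-RunMruHistory {
    # RunMRU stores each Run-dialog command as a single-letter value whose data
    # ends in "\1"; the MRUList value holds those letters, most recent first.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    if (-not (Test-Path $key)) { return @() }
    $props = Get-ItemProperty -Path $key
    $order = [string]$props.MRUList
    foreach ($letter in $order.ToCharArray()) {
        $name = [string]$letter
        $raw  = [string]$props.$name
        if (-not $raw) { continue }
        [pscustomobject]@{
            Slot       = $name
            Command    = $raw -replace '\\1$', ''
            Suspicious = [bool]($raw -imatch $SuspiciousPattern)
        }
    }
}

function Get-SuspiciousProcessChains {
    param([int]$Hours = 24)
    # Sysmon Event ID 1 = process creation; EventData carries Image, ParentImage,
    # CommandLine and User as <Data Name="..."> elements.
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $parent = [System.IO.Path]::GetFileName([string]$d['ParentImage'])
        $child  = [System.IO.Path]::GetFileName([string]$d['Image'])
        # Anything launched from the Run dialog has explorer.exe as its parent.
        # explorer.exe -> cmd.exe can be benign, so the command line is scored too.
        if ($parent -ieq 'explorer.exe' -and
            $child -imatch '^(mshta|powershell|pwsh|cmd|wscript|cscript)\.exe$') {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                User        = $d['User']
                Parent      = $parent
                Child       = $child
                CommandLine = $d['CommandLine']
                Suspicious  = [bool]([string]$d['CommandLine'] -imatch $SuspiciousPattern)
            }
        }
    }
}

Write-Host '== RunMRU history for the current user (most recent first) =='
Get-RunMruHistory | Format-Table -AutoSize

Write-Host '== explorer.exe -> script host / shell in the last 24 hours (Sysmon) =='
Get-SuspiciousProcessChains | Where-Object Suspicious | Format-Table -AutoSize
```

RunMRU is per-user and lives in NTUSER.DAT, so for other accounts or for an offline image load that hive and read the same subkey. If Sysmon is not deployed, the same parent-child check can be run against Security event 4688 once process-creation auditing with command-line logging is enabled, although the field names differ from the Sysmon ones used here.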
Organizations are advised to combine malware removal practices with antivirus scanning and firewall protection to limit exposure.
Disabling the Run dialog where feasible, for example through the Explorer NoRun policy setting, and carefully inspecting image files that arrive through unexpected channels are additional recommended precautions.
Businesses must consider the risk that legitimate-looking assets such as images and scripts can be weaponized, which makes logging, monitoring and forensic analysis harder.
The campaign also shows how the trust users place in update mechanisms can be turned into an entry point, even when, as here, the attacker only imitates the update flow rather than compromising a real one.