Redazione RHC : 15 July 2025 14:43
A new form of digital attack called RenderShock has hit corporate Windows systems. It doesn’t require any clicks or opening attachments: everything happens completely in the background, via trusted preview and indexing mechanisms built into the operating system itself. Unlike classic malware, RenderShock uses so-called passive execution surfaces, which are services that run automatically and process files without user intervention. These vulnerable connections include Explorer preview panes, virus scanners, indexing services, and cloud synchronization tools.
The main idea of the attack is to use trusted system processes to process obviously malicious files. It’s enough for such a file to end up in a folder available for previewing or indexing for the infection mechanism to be immediately activated. This can happen if the file ends up in corporate email, on a shared drive, in a cloud folder, or via a flash drive. Even simply hovering the cursor over the file can trigger an attempt to connect to a remote server.
RenderShock works according to a clearly structured five-stage scheme. First, a malicious file is created, which could be a document, an image, or a link. Attackers then place these files in locations where systems are guaranteed to detect them. Automatic activation then occurs when the file interacts with one of the passive system components. Information gathering then begins, such as sending DNS queries or capturing NTLM hashes to steal credentials. The final stage is remote code execution or further penetration of the infrastructure.
The particular danger of RenderShock is that the attack masquerades as standard system process activity. The explorer.exe, searchindexer.exe, or Microsoft Office Document Preview processes perform “normal actions” and remain undetected by most security systems. Most corporate antivirus programs don’t monitor the network activity of such processes, which means they can’t react in time.
An example shows how an infected LNK file inside a ZIP archive can force Windows Explorer to download an icon via SMB from a remote server. The system automatically transmits authentication data, even if the user hasn’t opened anything. These actions occur instantly and stealthily.
The new RenderShock scheme clearly demonstrates how even routine, seemingly secure operations are becoming vulnerable in today’s enterprise environments. Organizations that rely on built-in previews and automatic indexing should reconsider their security practices.
Experts recommend disabling file previews, limiting outbound SMB traffic, strengthening Office security settings, and monitoring atypical preview-related process activity. RenderShock challenges the fundamental principles of trust in your systems and requires a completely new approach to digital hygiene in enterprises.
Redazione