ClickFix variants delivering LummaC2 and Rhadamanthys
Malware Activity
Summary
Hide ▲
Show ▼
Since October 1, ClickFix variants have been using a fake Windows Update screen and human verification lures to trick Windows users into pasting commands that execute malware. The chain hides payloads in PNG steganography and uses mshta and PowerShell to deliver LummaC2 and Rhadamanthys information stealers. The activity matters because the payload is reconstructed in memory, making the malicious delivery harder to spot and block.
Related Happenings
AI-generated PowerShell Active Directory reconnaissance script
Malware Activity
H score23
First: 09.07.2026 17:00
Last: 09.07.2026 17:00
Sources 1
About this happening:
An **AI-generated PowerShell script** was used in a real **Windows intrusion**, showing how one-off malware can automate **Active Directory reconnaissance** and evade signature-ba...
AI-generated PowerShell Active Directory reconnaissance script
Malware ActivityAbout this happening: An **AI-generated PowerShell script** was used in a real **Windows intrusion**, showing how one-off malware can automate **Active Directory reconnaissance** and evade signature-ba...
Veil#Drop PureLog Stealer in-memory delivery operation
Malware Activity
H score30
First: 01.07.2026 17:30
Last: 01.07.2026 17:30
Sources 1
About this happening:
**Veil#Drop** is delivering **PureLog Stealer** through a **fileless** chain that keeps payloads **entirely in memory**, reducing disk artifacts and raising the chance of evading...
Veil#Drop PureLog Stealer in-memory delivery operation
Malware ActivityAbout this happening: **Veil#Drop** is delivering **PureLog Stealer** through a **fileless** chain that keeps payloads **entirely in memory**, reducing disk artifacts and raising the chance of evading...
ClickFix payload delivery analysis exposes API-driven generation and Downloads-folder AMSI evasion
Technical Analysis
H score74
First: 01.07.2026 08:32
Last: 01.07.2026 08:32
Sources 1
About this happening:
Analysis of **ClickFix** payload delivery shows operators moving to **API-driven servers** and a **Downloads-folder** orchestrator, increasing stealth across live campaigns. The b...
ClickFix payload delivery analysis exposes API-driven generation and Downloads-folder AMSI evasion
Technical AnalysisAbout this happening: Analysis of **ClickFix** payload delivery shows operators moving to **API-driven servers** and a **Downloads-folder** orchestrator, increasing stealth across live campaigns. The b...
TONResolver RAT delivered via ZIP, LNK, and PowerShell
Malware Activity
H score22
First: 30.06.2026 13:30
Last: 30.06.2026 13:30
Sources 1
About this happening:
The **TONResolver** malware implant was delivered through a **ZIP/LNK/PowerShell** chain that can establish a **remote access trojan** foothold and enable **command execution**. T...
TONResolver RAT delivered via ZIP, LNK, and PowerShell
Malware ActivityAbout this happening: The **TONResolver** malware implant was delivered through a **ZIP/LNK/PowerShell** chain that can establish a **remote access trojan** foothold and enable **command execution**. T...
OXLOADER loader stages CastleStealer via UAC prompting and DLL side-loading
Malware Activity
H score20
First: 22.06.2026 16:20
Last: 22.06.2026 16:20
Sources 1
About this happening:
The **OXLOADER** malware activity now shows a **loader** delivering **CastleStealer** through **PowerShell**, **UAC** prompting, and **DLL side-loading**, giving the stealer a ste...
OXLOADER loader stages CastleStealer via UAC prompting and DLL side-loading
Malware ActivityAbout this happening: The **OXLOADER** malware activity now shows a **loader** delivering **CastleStealer** through **PowerShell**, **UAC** prompting, and **DLL side-loading**, giving the stealer a ste...
Timeline
-
24.11.2025 22:42 1 articles · 7mo ago
ClickFix lures users with fake Windows Update pages
Initial DisclosureClickFix variants used a full-screen fake Windows Update page or a human verification lure to trick Windows users into pasting attacker-controlled commands into Windows Command Prompt and executing malware on the system.
Show sources
- ClickFix attack uses fake Windows Update screen to push malware — www.bleepingcomputer.com — 24.11.2025 22:42
-
24.11.2025 22:42 1 articles · 7mo ago
Operation Endgame disrupts Rhadamanthys Windows Update delivery
Campaign Scope UpdateOn November 13, Operation Endgame disrupted a Rhadamanthys infrastructure segment behind the fake Windows Update lure, and payload delivery stopped on the affected fake Windows Update domains even though the domains remained active.
Show sources
- ClickFix attack uses fake Windows Update screen to push malware — www.bleepingcomputer.com — 24.11.2025 22:42
-
24.11.2025 22:42 2 articles · 7mo ago
PNG steganography and in-memory payload reconstruction
Technical Analysis UpdateClickFix variants hid malicious code inside PNG images, used mshta and PowerShell to launch a multi-stage chain, and reconstructed an AES-encrypted payload in memory through a .NET assembly named Stego Loader and the Donut tool. The analyzed attacks delivered LummaC2 and Rhadamanthys information stealers and used ctrampoline evasion with 10,000 empty functions.
Show sources
- ClickFix attack uses fake Windows Update screen to push malware — www.bleepingcomputer.com — 24.11.2025 22:42
- JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers — thehackernews.com — 25.11.2025 16:18