Find notable cyber news and cases, enriched with sources, timelines, and signals.

ClickFix variants delivering LummaC2 and Rhadamanthys

Malware Activity
First reported
Last updated
Happening score
H score 29
2 unique sources, 2 articles

Summary

Hide ▲

Since October 1, ClickFix variants have been using a fake Windows Update screen and human verification lures to trick Windows users into pasting commands that execute malware. The chain hides payloads in PNG steganography and uses mshta and PowerShell to deliver LummaC2 and Rhadamanthys information stealers. The activity matters because the payload is reconstructed in memory, making the malicious delivery harder to spot and block.

Related Happenings

AI-generated PowerShell Active Directory reconnaissance script

Malware Activity
H score23 First: 09.07.2026 17:00 Last: 09.07.2026 17:00 Sources 1

About this happening: An **AI-generated PowerShell script** was used in a real **Windows intrusion**, showing how one-off malware can automate **Active Directory reconnaissance** and evade signature-ba...

Veil#Drop PureLog Stealer in-memory delivery operation

Malware Activity
H score30 First: 01.07.2026 17:30 Last: 01.07.2026 17:30 Sources 1

About this happening: **Veil#Drop** is delivering **PureLog Stealer** through a **fileless** chain that keeps payloads **entirely in memory**, reducing disk artifacts and raising the chance of evading...

ClickFix payload delivery analysis exposes API-driven generation and Downloads-folder AMSI evasion

Technical Analysis
H score74 First: 01.07.2026 08:32 Last: 01.07.2026 08:32 Sources 1

About this happening: Analysis of **ClickFix** payload delivery shows operators moving to **API-driven servers** and a **Downloads-folder** orchestrator, increasing stealth across live campaigns. The b...

TONResolver RAT delivered via ZIP, LNK, and PowerShell

Malware Activity
H score22 First: 30.06.2026 13:30 Last: 30.06.2026 13:30 Sources 1

About this happening: The **TONResolver** malware implant was delivered through a **ZIP/LNK/PowerShell** chain that can establish a **remote access trojan** foothold and enable **command execution**. T...

OXLOADER loader stages CastleStealer via UAC prompting and DLL side-loading

Malware Activity
H score20 First: 22.06.2026 16:20 Last: 22.06.2026 16:20 Sources 1

About this happening: The **OXLOADER** malware activity now shows a **loader** delivering **CastleStealer** through **PowerShell**, **UAC** prompting, and **DLL side-loading**, giving the stealer a ste...

Timeline

  1. 24.11.2025 22:42 1 articles · 7mo ago

    ClickFix lures users with fake Windows Update pages

    Initial Disclosure

    ClickFix variants used a full-screen fake Windows Update page or a human verification lure to trick Windows users into pasting attacker-controlled commands into Windows Command Prompt and executing malware on the system.

    Show sources
  2. 24.11.2025 22:42 1 articles · 7mo ago

    Operation Endgame disrupts Rhadamanthys Windows Update delivery

    Campaign Scope Update

    On November 13, Operation Endgame disrupted a Rhadamanthys infrastructure segment behind the fake Windows Update lure, and payload delivery stopped on the affected fake Windows Update domains even though the domains remained active.

    Show sources
  3. 24.11.2025 22:42 2 articles · 7mo ago

    PNG steganography and in-memory payload reconstruction

    Technical Analysis Update

    ClickFix variants hid malicious code inside PNG images, used mshta and PowerShell to launch a multi-stage chain, and reconstructed an AES-encrypted payload in memory through a .NET assembly named Stego Loader and the Donut tool. The analyzed attacks delivered LummaC2 and Rhadamanthys information stealers and used ctrampoline evasion with 10,000 empty functions.

    Show sources