ClickFix malware is a multi-stage attack using steganography to conceal infostealing malware within images. It begins with social engineering tactics, tricking users into executing malicious commands. Huntress identified two main ClickFix lures—one using a “Human Verification” tactic and the other mimicking a Windows Update interface. The process involves JavaScript to copy commands to the clipboard, PowerShell for loading .NET assemblies, and a complex steganographic algorithm to hide and extract shellcode from PNG images. This shellcode is then injected into target processes, ultimately delivering LummaC2 malware for data theft. The campaign has evolved with increasingly convincing user interfaces to deceive targets effectively.
https://www.huntress.com/blog/clickfix-malware-buried-in-images

