CyberWire Daily

Picture perfect deception. [Research Saturday]

Jan 17, 2026
Ben Folland, a Security Operations Analyst at Huntress with expertise in malware campaigns, delves into the ClickFix campaign that cleverly uses steganography to bury malicious payloads in PNG images. He explains how fake human verification checks and a convincing Windows Update screen lure users into executing harmful commands. The discussion highlights the technical intricacies of multi-stage attacks and the functions of infostealers like LummaC2 and Rhadamanthys, while emphasizing the critical need for user awareness and defensive practices.
INSIGHT

Malware Hidden Inside Images

  • Attackers hid final malware payloads inside benign PNG images using steganography.
  • The hidden shellcode is extracted at runtime, making static AV detection ineffective.
ANECDOTE

Convincing Windows Update Lure

  • Victims saw a realistic full-screen Windows Update simulation that hid the cursor and instructed them to open the Run dialog and paste a command.
  • Users often comply because they cannot exit the screen and so follow the on-screen "fix" instructions.
INSIGHT

Multi-Stage Living-Off-The-Land Chain

  • The execution chain uses living-off-the-land binaries (mshta.exe, PowerShell, .NET) across multiple stages to avoid detection.
  • The final .NET loader extracts shellcode from an embedded image and injects it into memory immediately after user action.