CyberWire Daily

Picture perfect deception. [Research Saturday]

N2K Networks, Inc.

Tech News, News, Daily News, Technology

4.61K Ratings

🗓️ 17 January 2026

⏱️ 21 minutes

Summary

Today we are joined by Ben Folland, Security Operations Analyst from Huntress, discussing their work on "ClickFix Gets Creative: Malware Buried in Images." This analysis covers a ClickFix campaign that uses fake human verification checks and a realistic Windows Update screen to trick users into manually running malicious commands. The multi-stage attack chain leverages mshta.exe, PowerShell, and .NET loaders, ultimately delivering infostealers like LummaC2 and Rhadamanthys, with payloads hidden inside PNG images using steganography. While technically sophisticated, the campaign hinges on simple user interaction, underscoring the importance of user awareness and controls around command execution. The research can be found here: ClickFix Gets Creative: Malware Buried in Images

Transcript

0:00.0

You're listening to the Cyberwire Network, powered by N2K.

0:09.7

Most environments trust far more than they should, and attackers know it.

0:16.3

ThreatLocker solves that by enforcing default deny at the point of execution.

0:25.6

With ThreatLocker Allowlisting, you stop unknown executables cold. With Ringfencing, you control how trusted applications behave.

0:29.6

And with ThreatLocker DAC, Defense Against Configurations, you get real assurance that your environment is free of misconfigurations, and clear visibility into whether you meet compliance standards.

0:41.3

ThreatLocker is the simplest way to enforce zero-trust principles without the operational pain.

0:46.3

It's powerful protection that gives CISOs real visibility, real control, and real peace of mind.

0:52.3

ThreatLocker makes zero-trust attainable, even for small security teams.

0:58.0

See why thousands of organizations choose ThreatLocker to minimize alert fatigue,

1:02.4

stop ransomware at the source, and regain control over their environments.

1:07.1

Schedule your demo at ThreatLocker.com/N2K today.

1:11.6

Hello, everyone, and welcome to the CyberWire's Research Saturday.

1:28.2

I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities,

1:36.1

solving some of the hard problems and protecting ourselves in our rapidly evolving cyberspace.

1:41.9

Thanks for joining us.

1:54.2

ClickFix is a malware delivery technique. It's not sophisticated. It's very simple. And it typically involves just tricking the user into copying and pasting a malicious command.

2:00.6

That's Ben Folland, security operations analyst from Huntress.

2:04.6

The research we're discussing today is titled "ClickFix Gets Creative: Malware Buried in Images."

2:15.6

I noticed there was a specific campaign, a ClickFix campaign, and we started seeing certain

2:27.5

indicators of compromise that would indicate it's the same campaign on multiple incidents.

2:36.5

So this happened for a few days.

2:54.7

I was doing my analysis and I was doing the investigation, and we observed that the ClickFix campaign started with a user being instructed to copy and paste a malicious command, and it was encoded with a hex-encoded IP address. We did this investigation and did some malware analysis and we realized,

...

Disclaimer: The podcast and artwork embedded on this page are from N2K Networks, Inc., and are the property of its owner and not affiliated with or endorsed by Tapesearch.

Generated transcripts are the property of N2K Networks, Inc. and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.

Copyright © Tapesearch 2026.