All news with #steganography tag

New ClickFix Attacks Use Fake Windows Update Lures

🛡️Huntress warns of an evolved ClickFix campaign that uses a convincing full‑screen Windows Update splash and steganographic PNGs to trick employees into pasting and running commands. Those commands deliver loaders that in turn deploy LummaC2 and Rhadamanthys infostealers. The firm reports a 313% increase in ClickFix incidents over six months and noted multiple active lure domains even after the Nov 13 Operation Endgame takedown. Primary mitigation advice is to disable the Windows Run dialog via Registry or GPO and pair user awareness with endpoint monitoring and EDR.

JackFix uses fake Windows update pop-ups to deliver stealers

⚠️ Cybersecurity researchers report a JackFix campaign that uses fake Windows Update pop-ups on cloned adult sites to trick users into running mshta.exe and PowerShell commands. According to Acronis and Huntress, the attack chain leverages obfuscation, privilege escalation and can deploy multiple stealers including Rhadamanthys, RedLine and Vidar. Organizations are advised to train users and consider disabling the Windows Run box via Group Policy or Registry changes to reduce risk.

ClickFix Uses Fake Windows Update to Deliver Malware

🔒 Researchers warn of ClickFix attack variants that display a realistic full‑screen fake Windows Update animation in the browser to trick users into pasting commands that execute malware. Operators use steganography to hide AES‑encrypted shellcode inside PNG pixel data and leverage mshta, PowerShell, and a .NET Stego Loader to reconstruct and run payloads. Huntress observed delivery of LummaC2 and Rhadamanthys info stealers and a dynamic evasion ctrampoline technique to hinder analysis. A law enforcement takedown in November disrupted payload delivery on some fake update domains.

AI-Enhanced Tuoni Framework Targets US Real Estate Firm

🔍 Morphisec observed an AI-enhanced intrusion in October 2025 that targeted a major US real estate firm using the modular Tuoni C2 framework. The campaign began with a Microsoft Teams impersonation and a PowerShell one-liner that spawned a hidden process to retrieve a secondary script. That loader downloaded a BMP file and used least significant bit steganography to extract shellcode, executing it entirely in memory and reflectively loading TuoniAgent.dll. Researchers noted AI-generated code patterns and an encoded configuration pointing to two C2 servers; Morphisec's AMTD prevented execution.

Report Links BIETA Research Firm to China's MSS Operations

📰 Recorded Future assesses that the Beijing Institute of Electronics Technology and Application (BIETA) is likely directed by China's Ministry of State Security, citing links between at least four BIETA personnel and MSS officers and ties to the University of International Relations. Its subsidiary Beijing Sanxin Times Technology Co., Ltd. (CIII) develops steganography, covert-communications tools, and network-penetration and simulation software. The report warns these capabilities can support intelligence, counterintelligence, military, and other state-aligned cyber operations.

Rhadamanthys Stealer Adds Fingerprinting, PNG Steganography

🛡️ Check Point researchers report that the Rhadamanthys information stealer (v0.9.2) has been updated to collect extensive device and browser fingerprints and to deliver payloads via steganography embedded in WAV, JPEG and PNG files. The operator—initially known as kingcrete2022 and now marketing as RHAD security/Mythical Origin Labs—offers the malware as a tiered MaaS product with subscription plans and enterprise options. The sample includes sandbox-evasion checks, an embedded Lua runner for plugins, obfuscated configurations, and a PNG-based payload decryption step that requires a shared secret.

FileFix Campaign Uses Steganography and Multistage Payloads

🛡️ Acronis researchers have uncovered a rare FileFix campaign that hides a second-stage PowerShell script and encrypted executables inside JPG images using steganography. Attackers employ multilingual, heavily minified phishing pages that mimic a Meta support flow and trick victims into pasting a payload into file upload address bars. An obfuscated PowerShell one-liner downloads images from Bitbucket, extracts and decrypts components, and executes a Go-based loader that deploys StealC. Organizations should combine user training with process blocking and monitoring to mitigate this evolving threat.

SlopAds Ad-Fraud Ring Exploits 224 Android Apps Globally

🔍 A coordinated ad and click-fraud operation named SlopAds ran 224 Android apps that amassed roughly 38 million downloads across 228 countries, according to HUMAN's Satori Threat Intelligence and Research Team. The campaign generated up to 2.3 billion bid requests per day and primarily targeted traffic from the U.S., India, and Brazil. Google removed the offending apps from the Play Store after the investigation, which found sophisticated evasion tactics including steganography and conditional payloads.

FileFix Steganography Attack Drops StealC Infostealer

🛡️ A new FileFix campaign impersonates Meta support to trick users into pasting a disguised PowerShell command into the File Explorer address bar, which then downloads and executes malware. The attackers hide a second-stage script and encrypted binaries inside a seemingly benign JPG hosted on Bitbucket using steganography. The final payload is the StealC infostealer, designed to harvest browser credentials, messaging logins, crypto wallets, cloud keys and more. Security vendor Acronis observed multiple evolving variants over a two-week period and urges user education on these novel ClickFix/FileFix tactics.