#rhadamanthys

2025-11-25

Fake Windows updates: how the ClickFix attack smuggles malware onto Windows PCs

A new ploy by cybercriminals highlights the danger of fake Windows updates. Under the name ClickFix, attackers lure Windows users with a deceptively realistic update animation displayed in a full-screen browser window. While the image gives the impression that a genuine system update is being installed, behind it lies hidden malicious code concealed in the pixels of an image.

More: maniabel.work/archiv/564

#clickfixphishing #WindowsUpdate #ClickFix #PNGstagnography #LummaC2 #Rhadamanthys #infosec #infosecnews #BeDiS

2025-11-25

ClickFix Gets Creative: Malware Buried in Images

A multi-stage malware execution chain originating from a ClickFix lure has been discovered, leading to the delivery of infostealing malware like LummaC2 and Rhadamanthys. The campaign utilizes steganography to hide malicious code within PNG images. Two distinct ClickFix lures were observed: a standard 'Human Verification' and a convincing fake Windows Update screen. The execution chain involves mshta.exe, PowerShell, and .NET assemblies, ultimately extracting and injecting shellcode into target processes. The steganographic technique encodes malicious data directly into image pixel data, using specific color channels for payload reconstruction and decryption in memory. This sophisticated approach helps evade signature-based detection and complicates analysis.

Pulse ID: 6924c9a94b1c7374cf444b82
Pulse Link: otx.alienvault.com/pulse/6924c
Pulse Author: AlienVault
Created: 2025-11-24 21:10:01

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #LummaC2 #Mac #Malware #NET #OTX #OpenThreatExchange #PowerShell #Rhadamanthys #ShellCode #Steganography #Windows #bot #AlienVault

2025-11-20

October 2025 Infostealer Trend Report

This analysis provides insights into Infostealer malware trends for October 2025, focusing on distribution volume, methods, and disguise techniques. The data is collected through AhnLab's automated systems and analyzed for maliciousness and C2 information. Key findings include the prevalence of Rhadamanthys, ACRStealer, and LummaC2 as the most distributed Infostealers. Distribution methods have evolved, with threat actors now using legitimate websites to bypass search engine restrictions. The report highlights two significant trends: the mass distribution of a new Loader malware using DLL sideloading, and changes in LummaC2 Infostealer distribution patterns. The analysis also covers disguise techniques, targeted companies, and phishing email statistics related to Infostealers.

Pulse ID: 691f29a1fb65b42a9f9f4e0e
Pulse Link: otx.alienvault.com/pulse/691f2
Pulse Author: AlienVault
Created: 2025-11-20 14:45:53

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AhnLab #CyberSecurity #Email #ICS #InfoSec #InfoStealer #LummaC2 #Mac #Malware #OTX #OpenThreatExchange #Phishing #Rhadamanthys #SideLoading #bot #AlienVault

2025-11-14

Reading tip -> Operation Endgame takes down major cyber networks | In Operation Endgame, major cyber networks were taken down, with arrests, servers taken offline and the disruption of infostealers, botnets and RATs through international cooperation. | #botnet #cybercrime #Europol #hacking #infostealers #internationalesamenwerking #OperatieEndgame #politie #ransomware #Rhadamanthys #VenomRAT |

hbpmedia.nl/operatie-endgame-c

deciodecio@infosec.exchange
2025-11-14

Following Operation Endgame, which dismantled part of the criminal infrastructure behind several malware families, abuse.ch has shared the list of IP addresses linked to the command-and-control (C2) servers of the Rhadamanthys information stealer (malware description & operation here --> cert.ssi.gouv.fr/cti/CERTFR-20).
⬇️
If you find one of these IPs in the logs of your routers or firewalls, it is highly likely that a host on your network has been compromised (and that information has probably been exfiltrated).
👇
threatfox.abuse.ch/browse/tag/

#CyberVeille #Rhadamanthys
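Turning the advice above into a concrete check, as an added example that is not part of the post or of abuse.ch's own tooling: the function matches destination addresses in netfilter-style firewall log lines against a ThreatFox-style list of `ip:port` indicators and reports which internal hosts talked to them. The indicator list and log lines below are constructed placeholders (documentation IP ranges), not real Rhadamanthys C2s.

```python
import re
from collections import defaultdict

# Constructed placeholders in ThreatFox's "ip:port" export style. NOT real
# C2s: replace with the current list exported from threatfox.abuse.ch.
C2_INDICATORS = [
    "203.0.113.45:443",
    "198.51.100.7:8080",
    "192.0.2.10",   # bare IP: match any destination port
]

# Constructed iptables/netfilter syslog lines ("SRC=... DST=... DPT=...").
SAMPLE_FIREWALL_LOG = """\
Nov 14 09:12:01 fw kernel: FORWARD IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=203.0.113.45 PROTO=TCP SPT=51234 DPT=443
Nov 14 09:12:03 fw kernel: FORWARD IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=93.184.216.34 PROTO=TCP SPT=51235 DPT=443
Nov 14 09:15:40 fw kernel: FORWARD IN=eth1 OUT=eth0 SRC=10.0.0.77 DST=198.51.100.7 PROTO=TCP SPT=40011 DPT=80
Nov 14 09:16:02 fw kernel: FORWARD IN=eth1 OUT=eth0 SRC=10.0.0.77 DST=192.0.2.10 PROTO=TCP SPT=40012 DPT=2087
"""

LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?DPT=(?P<dpt>\d+)")


def parse_indicators(indicators):
    """Map IP -> set of ports, or None when a bare IP means 'any port'."""
    table = {}
    for ioc in indicators:
        ip, _, port = ioc.partition(":")
        if not port:
            table[ip] = None                     # any-port indicator wins
        elif table.get(ip, set()) is not None:   # don't narrow an any-port entry
            table.setdefault(ip, set()).add(int(port))
    return table


def find_c2_contacts(log_text, indicators):
    """Return {internal_src_ip: [(dst_ip, dst_port, line_no), ...]} for each
    logged connection whose destination matches an indicator."""
    table = parse_indicators(indicators)
    hits = defaultdict(list)
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.search(line)
        if not m or m["dst"] not in table:
            continue                             # not a connection record, or benign
        ports = table[m["dst"]]
        if ports is None or int(m["dpt"]) in ports:
            hits[m["src"]].append((m["dst"], int(m["dpt"]), line_no))
    return dict(hits)
```

A port mismatch (198.51.100.7 on port 80 above) is deliberately not reported, since ThreatFox indicators carry the C2 port; drop the port from the indicator if you want to match the address alone.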

The Spamhaus Project spamhaus@infosec.exchange
2025-11-13

🔥 Operation Endgame 3.0 is here! This phase targets the notorious information and credential stealer #Rhadamanthys. It's another major international effort that’s seen 1,025 servers taken down and 20 domains seized. 💪

👏 Excellent work by @Europol and all partners involved — the takedown of Rhadamanthys marks a significant win for the global cybersecurity community.

As with earlier phases of #OperationEndgame, Spamhaus is providing remediation support. Those affected will be contacted in due course with guidance on next steps.

Operation Endgame website 👉 operation-endgame.com

Europol press release ⤵️
europol.europa.eu/media-press/

2025-11-13

#OperationEndgame: Authorities shut down infrastructure for Rhadamanthys Infostealer, VenomRAT and the Elysium botnet, seize 1025 servers and arrest one key suspect.

Read: hackread.com/operation-endgame

#CyberCrime #Malware #Rhadamanthys #Infostealer #CyberSecurity

2025-11-13

Proofpoint is proud to have assisted law enforcement in the #OperationEndgame investigation that led to the November 13, 2025 disruption of #Rhadamanthys and #VenomRAT, both #malware used by multiple cybercriminals.

• Rhadamanthys: brnw.ch/21wXs1N
• VenomRAT: brnw.ch/21wXs1O

---

Since May 2024, Operation Endgame—a global law enforcement and private sector effort that includes Proofpoint—has significantly disrupted the #malware and #botnet ecosystem.

👉 #Europol called the May 2024 Operation Endgame actions “the largest ever operation against botnets.”

👉 In May 2025, additional malware families and their creators, including #DanaBot, were taken down.

---

Each disruption forces threat actors to adapt and invest time and resources to retool their attack chains.

With our unique visibility and leading detection capabilities, Proofpoint researchers will continue monitoring the threat landscape and provide insight into the biggest cyber threats to society.

Distribution of VenomRAT by threat actor.
Timeline of Rhadamanthys campaigns.
NETRESEC netresec@infosec.exchange
2025-11-13

Operation Endgame’s latest phase targeted the infostealer #Rhadamanthys, Remote Access Trojan #VenomRAT, and the botnet #Elysium.
europol.europa.eu/media-press/

2025-11-13

📢 Rhadamanthys: major disruption of the infostealer, probable action by the German authorities
📝 According to BleepingComputer (Lawrence Abrams), the operation...
📖 cyberveille: cyberveille.ch/posts/2025-11-1
🌐 source: bleepingcomputer.com/news/secu
#Operation_Endgame #Rhadamanthys #Cyberveille

2025-11-13

👮 Operation « Endgame » (operation-endgame.com) #europol #malware #botnet #rhadamanthys #venomrat #threats [ europol.europa.eu/media-press/ ]

Many of the victims were not aware of the infection of their systems. Check whether your Windows system has been infected and what to do if so: [ politie.nl/checkyourhack ] & [ haveibeenpwned.com ]

abuse.ch abuse_ch@ioc.exchange
2025-11-13

We are excited that we were once again part of the coordinated international operation #OpEndgame 📣, taking action against the notorious information and credential stealer #Rhadamanthys 🕵️ We assisted in the takedown of threat actor infrastructure and share a full list of #Rhadamanthys botnet C2s on ThreatFox 🦊

Full list of Rhadamanthys botnet C2s:
📡threatfox.abuse.ch/browse/tag/

Europol press release:
🚨 europol.europa.eu/media-press/

2025-11-13

And it's out!

End of the game for cybercrime infrastructure: 1025 servers taken down

Between 10 and 13 November 2025, the latest phase of Operation Endgame was coordinated from Europol’s headquarters in The Hague. The actions targeted one of the biggest infostealers, Rhadamanthys, the Remote Access Trojan VenomRAT, and the botnet Elysium, all of which played a key role in international cybercrime. Authorities took down these three large cybercrime enablers. The main suspect for VenomRAT was arrested in Greece on 3 November 2025.

#OperationEndgame #rhadamanthys #infostealer #VenomRAT #Elysium

2025-11-13

Less than 10 minutes left on the Operation Endgame counter. Wonder what they're gonna announce. Maybe just the takedown of the Rhadamanthys infostealer infra.

#OperationEndgame #rhadamanthys #infostealer

Screenshot of Operation Endgame shows less than 10 minutes left on the counter
2025-11-12

Rhadamanthys Infostealer’s TOR infrastructure goes offline in apparent law enforcement takedown - possibly tied to Operation Endgame.
technadu.com/rhadamanthys-info

#CyberSecurity #Rhadamanthys #Infostealer #LawEnforcement #OperationEndgame

