Overview
- Recent campaigns replace fake-CAPTCHA lures with full-screen fake Windows Update pages that copy a command to the clipboard automatically and instruct victims to press Win+R, paste it, and run it.
- The execution chain starts with mshta, pivots to PowerShell, then loads a .NET steganography module that reconstructs Donut-packed shellcode from the pixel data of a PNG image.
- Huntress observed evasive techniques including encrypted in-memory payloads and a ctrampoline call chain before recovering LummaC2 and Rhadamanthys samples.
- Operation Endgame on November 13 disrupted parts of Rhadamanthys infrastructure, and Huntress reports the fake update domains remain live but no longer deliver that payload.
- Researchers logged 76 incidents across the US, EMEA and APJ from late September to late October. They advise disabling the Windows Run box, training users, and monitoring for explorer.exe spawning mshta.exe or PowerShell. Microsoft says ClickFix is now the most common initial access method.
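The monitoring advice above, turned into detection logic as an added example (this is not code from Huntress or from the original page). It checks process-creation events for the two relationships the chain relies on: explorer.exe, the parent of anything launched from the Win+R Run box, spawning mshta.exe or PowerShell, and mshta.exe itself spawning PowerShell. The event field names, the sample records, the placeholder URL and the command lines are constructed for the demonstration and do not follow any particular product's schema.

```python
"""Flag the explorer.exe -> mshta.exe / PowerShell pattern from the report.

Constructed example: the event records below imitate the fields of Windows
process-creation telemetry (Sysmon Event ID 1 style) but are made up here;
the field names are assumptions, not a vendor schema.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Children that match the chain when launched directly from explorer.exe,
# which is the parent process of a Win+R Run-box launch.
SUSPICIOUS_CHILDREN = {"mshta.exe", "powershell.exe", "pwsh.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    event_id: int          # assumed: 1 = process create, as in Sysmon
    parent_image: str      # full path of the parent process
    image: str             # full path of the new process
    command_line: str


def _basename(path: str) -> str:
    # ntpath handles Windows-style paths regardless of the host OS.
    return ntpath.basename(path).lower()


def is_clickfix_candidate(ev: ProcessEvent) -> bool:
    """True for explorer.exe -> mshta/PowerShell or mshta.exe -> PowerShell."""
    if ev.event_id != 1:
        return False
    parent, child = _basename(ev.parent_image), _basename(ev.image)
    if parent == "explorer.exe" and child in SUSPICIOUS_CHILDREN:
        return True
    if parent == "mshta.exe" and child in POWERSHELL:
        return True
    return False


def detect(events: list[ProcessEvent]) -> list[ProcessEvent]:
    """Return the events that match the chain, in the order they were logged."""
    return [ev for ev in events if is_clickfix_candidate(ev)]


# Constructed sample telemetry: two benign launches and two that match.
SAMPLE_EVENTS = [
    ProcessEvent(1, r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    ProcessEvent(1, r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\mshta.exe",
                 "mshta.exe https://example.invalid/update"),  # placeholder URL
    ProcessEvent(1, r"C:\Windows\System32\mshta.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile -Command <constructed>"),
    ProcessEvent(1, r"C:\Windows\System32\services.exe",
                 r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT: {hit.parent_image} -> {hit.image} :: {hit.command_line}")
```

In production the records would come from Sysmon Event ID 1 or Security event 4688 rather than an inline list. Note that explorer.exe launching powershell.exe is also what a user double-clicking a script or shortcut produces, so the PowerShell branch is best treated as a lower-severity signal and tuned on command-line content and frequency, while explorer.exe spawning mshta.exe is rare enough on most desktops to alert on directly.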