CYFIRMA has uncovered a new threat model called RenderShock — a zero-click attack strategy that turns convenience into compromise. This modular, stealthy framework exploits the silent background processes in operating systems and enterprise environments to execute payloads without any user interaction.
“RenderShock is a comprehensive zero-click attack strategy that targets passive file preview, indexing, and automation behaviours,” CYFIRMA warns in their report.
Unlike traditional phishing attacks, RenderShock doesn’t rely on convincing users to click or execute anything. Instead, it manipulates trusted system behaviors — the silent file previews, metadata indexing, antivirus scanning, and automated rendering processes — to deliver malware, reverse shells, and credential harvesting tools without lifting a finger.
“By chaining legitimate automation features with novel file behaviours, RenderShock elevates these tactics to a near-zero-day capability,” the report explains.

CYFIRMA breaks down the “invisible front doors” of modern systems that RenderShock abuses:
- Windows Explorer Preview Pane – Triggers malware by simply selecting a file.
- macOS Quick Look – Auto-previews files with embedded malicious content.
- Outlook and Apple Mail – Previewing email attachments silently activates payloads.
- Search Indexers (e.g., Windows Search, Spotlight) – Parse and execute metadata on files during background indexing.
- Antivirus Engines – Mistakenly execute payloads embedded in “safe” file formats.
- Cloud Sync Tools – Auto-download and process files on OneDrive, Google Drive, and Dropbox.
“These systems often process files without explicit user action, trusting that the rendering process is safe.”
The threat isn’t in the file type—it’s in how it behaves without being opened. RenderShock payloads are split into:
Foundational Payloads (Known, still dangerous):
- .LNK shortcuts with UNC icon paths – Trigger NTLM hash leaks when previewed.
- RTF files with INCLUDEPICTURE or clipboard field injection
- JPEGs with poisoned EXIF metadata – Crash or confuse indexing engines.
- ZIP/ISO files – Contain stealthy .LNKs or macro-enabled docs.
Advanced Payloads (Creative zero-click triggers):
- Polyglot Files – One file, multiple interpretations (e.g., PNG + HTML).
- Remote Template Injection in DOCX – No macros, just preview-based beaconing.
- CHM or .library-ms files – NTLM leak via background SMB requests.
- Poisoned ICC Color Profiles – Crash image viewers or search indexers.
“RenderShock operates on the principle that many file formats… can trigger code execution or network callbacks without requiring user interaction.”
Attackers don’t need phishing emails to land these payloads. They only need a processing point:
- Support portals, HR inboxes, and helpdesk uploads
- Shared folders or ticketing systems (e.g., Zendesk)
- Cloud platforms (e.g., OneDrive, Google Workspace)
- USB drives casually browsed by curious employees
“Attachments uploaded to document approval workflows… are often passively rendered by API services or preview engines.”
RenderShock’s kill chain includes:
- Reconnaissance – Identify systems that auto-preview or index.
- Weaponization – Embed payloads into DOCX, JPG, LNK, CHM, etc.
- Delivery – Upload files to cloud shares or public portals.
- Trigger – Victim previews, indexes, or scans the file.
- Payload Execution – Triggers RCE, NTLM leaks, or beaconing.
- Persistence – Drops .desktop or .lnk into autostart folders.
- Post-Exploitation – Use harvested hashes for lateral movement.
Example: A .lnk file inside a .zip, when previewed in Windows Explorer, silently loads a remote icon, leaking NTLMv2 credentials — no click required.
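A defender-side check for the shortcut pattern described above, added here as an example and not part of the CYFIRMA report: it parses the Shell Link format just far enough to extract the icon paths a preview handler would resolve (the IconLocation string and the IconEnvironmentDataBlock target) and flags any that point at a UNC share. The sample .lnk bytes are constructed inline; the address and share name are placeholders.

```python
import struct

# Fixed ShellLinkHeader prefix: HeaderSize (0x4C) followed by the LinkCLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, HAS_ICON_LOCATION, IS_UNICODE = 0x01, 0x02, 0x40, 0x80
ICON_ENV_SIG = 0xA0000007  # IconEnvironmentDataBlock signature

def build_lnk(icon_location, icon_env=None):
    """Constructed minimal .lnk (sample input, not a real shortcut): header + IconLocation
    string, optionally followed by an IconEnvironmentDataBlock carrying icon_env."""
    hdr = LNK_MAGIC + struct.pack("<I", HAS_ICON_LOCATION | IS_UNICODE) + b"\x00" * 52
    body = struct.pack("<H", len(icon_location)) + icon_location.encode("utf-16-le")
    if icon_env is not None:  # block = size(4) + sig(4) + TargetAnsi(260) + TargetUnicode(520)
        body += struct.pack("<II", 0x314, ICON_ENV_SIG)
        body += icon_env.encode("ascii").ljust(260, b"\x00") + icon_env.encode("utf-16-le").ljust(520, b"\x00")
    return hdr + body + b"\x00\x00\x00\x00"  # TerminalBlock

def lnk_icon_paths(data):
    """Every icon path Explorer's preview handler would try to resolve, in file order."""
    if len(data) < 76 or data[:20] != LNK_MAGIC:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 76
    if flags & HAS_ID_LIST:  # LinkTargetIDList: 2-byte size, then the ID list itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfo: its first dword is the total structure size
        pos += struct.unpack_from("<I", data, pos)[0]
    found = []
    for bit in (0x04, 0x08, 0x10, 0x20, HAS_ICON_LOCATION):  # Name, RelativePath, WorkingDir, Args, IconLocation
        if flags & bit:
            n = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + n * width]
            pos += n * width
            if bit == HAS_ICON_LOCATION:
                found.append(raw.decode("utf-16-le" if width == 2 else "latin-1"))
    while pos + 8 <= len(data):  # ExtraData blocks run until a size < 4 (the TerminalBlock)
        size, sig = struct.unpack_from("<II", data, pos)
        if size < 4:
            break
        if sig == ICON_ENV_SIG:
            found.append(data[pos + 8:pos + 268].split(b"\x00", 1)[0].decode("latin-1"))
        pos += size
    return found

def remote_icon_paths(data):
    """Icon paths that resolve to a UNC share: previewing such a shortcut makes the host send an
    authenticated SMB request there, so these are the ones worth quarantining or alerting on."""
    return [p for p in lnk_icon_paths(data) if p.lstrip().startswith(("\\\\", "//"))]

if __name__ == "__main__":
    sample = build_lnk("\\\\203.0.113.5\\share\\icon.ico")  # placeholder address and share name
    print(remote_icon_paths(sample))
```

The same walk can be run over every .lnk extracted from an inbound ZIP or ISO before the archive reaches a folder Explorer will preview.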
RenderShock introduces a broad range of potential consequences depending on the attacker’s objective and payload sophistication:
- Reconnaissance – Collect hostnames, domain names, OS versions.
- Credential Theft – NTLM hash leaks over SMB.
- Remote Code Execution – Through macros, PowerShell, or DLL loading.
- Persistence – Set up via auto-launch folders and scheduled indexers.
- Denial of Service – Crash Spotlight, Windows Search, or preview engines.