You Just Hovered Your Mouse – And Lost Everything: Inside the RenderShock Attack
A new type of digital assault, dubbed RenderShock, is targeting corporate Windows systems. Unlike traditional malware, it requires no user interaction—no clicks, no opening attachments. The attack unfolds entirely in the background, exploiting trusted preview and indexing mechanisms built into the OS itself.
How RenderShock Works: Silent Exploitation
Instead of relying on user actions, RenderShock abuses passive execution surfaces—system services that automatically process files without user involvement. These include:- File Explorer preview panes
- Antivirus scanners
- Windows Indexing Service
- Cloud sync tools
The Five-Stage Attack Chain
- Malicious File Creation – Attackers craft a booby-trapped document, image, shortcut, or polyglot file (a hybrid of multiple formats).
- Silent Deployment – The file is placed where automatic system processes (like indexing or preview handlers) will process it.
- Automatic Activation – A trusted Windows component (e.g., explorer.exe, searchindexer.exe) interacts with the file, triggering the exploit.
- Data Harvesting – The malware sends DNS queries, steals NTLM hashes, or exfiltrates credentials.
- Remote Code Execution (RCE) – Attackers gain a foothold, moving laterally through the network.
Why It’s So Dangerous
- Zero Clicks Needed – No user action required; even hovering over a file can trigger it.
- Blends with Legitimate Activity – Runs under trusted processes (explorer.exe, Office preview handlers), evading most security tools.
- Steals Credentials via SMB – Example: A malicious LNK file inside a ZIP can force Windows to fetch an icon from a remote SMB server, leaking authentication hashes silently.
Defending Against RenderShock
Security teams should:
Disable file previews in Windows Explorer Block outbound SMB traffic at the firewall Harden Office security settings (disable automatic previews) Monitor "trusted" processes for unusual network activity