ClickFix Attack Uses Windows Terminal to Evade Detection

Fake CAPTCHA pages instruct victims to paste malicious commands in the Windows Terminal instead of the Run dialog.

By Fixed Intel Team | 2 min read

Aggregated from SecurityWeek


Full Analysis

A new variant of the ClickFix attack evades detection by instructing victims to use Windows Terminal instead of the Run dialog, Microsoft warns.

Like traditional ClickFix attacks, the campaign relies on fake CAPTCHA pages, troubleshooting prompts, and verification lures to trick victims into executing malicious PowerShell commands.

What sets the new campaign apart is that victims are instructed to open Windows Terminal directly rather than the Windows Run dialog.

“Rather than the traditional Win + R → paste → execute technique, this campaign instructs targets to use the Windows + X → I shortcut to launch Windows Terminal (wt.exe) directly, guiding users into a privileged command execution environment that blends into legitimate administrative workflows and appears more trustworthy to users,” Microsoft says.

The new approach, observed in the wild in February, allows attackers to bypass protections designed to prevent Run dialog abuse, the tech giant notes.

The execution of the malicious command in Windows Terminal spawns a PowerShell process that decodes embedded hex commands, triggering a multi-stage attack chain that leads to a Lumma Stealer infection.
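The wt.exe → powershell.exe chain with hex-decoding on the command line is the observable a detection engineer can key on. The following is an added example (not from the article or from Microsoft) that scores constructed process-creation events in a hypothetical flat format; the field names, thresholds and regexes are assumptions, and the Windows Terminal parent alone is deliberately not enough to flag, since that is also normal administrative use.

```python
import re

# Constructed process-creation events in a hypothetical flat format (not Microsoft's
# telemetry schema). "parent" is the launching process, "image" the new process.
SAMPLE_EVENTS = [
    {"id": "e1", "parent": r"C:\Users\alice\AppData\Local\Microsoft\WindowsApps\wt.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -c \"$h='48656c6c6f2066726f6d2061206c616220686f7374'; "
                "-join ($h -split '(..)' | % { [char][int]('0x' + $_) })\""},
    {"id": "e2", "parent": r"C:\Users\alice\AppData\Local\Microsoft\WindowsApps\wt.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoLogo -Command \"Get-ChildItem C:\\Projects\""},
    {"id": "e3", "parent": r"C:\Windows\explorer.exe",  # classic Win+R variant
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c \"$h='48656c6c6f2066726f6d2061206c616220686f7374'; "
                "$h | % { [char]$_ }\""},
    {"id": "e4", "parent": r"C:\Users\alice\AppData\Local\Microsoft\WindowsApps\wt.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
]

# Heuristics: a long run of hex digits, common PowerShell hex-decoding idioms, and the
# launch flags usually paired with pasted one-liners. Tune these to your environment.
HEX_BLOB = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{32,}(?![0-9A-Fa-f])")
HEX_DECODE = re.compile(r"\[char\]|FromHexString|-split\s*'\(\.\.\)'", re.I)
LAUNCH_FLAGS = re.compile(r"-(?:w(?:indowstyle)?\s+hidden|enc\w*|nop\b|ep\s+bypass)", re.I)
POWERSHELL = {"powershell.exe", "pwsh.exe"}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(ev):
    """Return (score, reasons) for one event; 0 when the new process is not PowerShell."""
    if basename(ev["image"]) not in POWERSHELL:
        return 0, []
    cmd, reasons = ev["cmdline"], []
    if basename(ev["parent"]) == "wt.exe":
        reasons.append("PowerShell spawned by Windows Terminal (wt.exe)")
    if HEX_BLOB.search(cmd):
        reasons.append("long hex blob in command line")
    if HEX_DECODE.search(cmd):
        reasons.append("hex-decoding idiom in command line")
    if LAUNCH_FLAGS.search(cmd):
        reasons.append("hidden-window / encoded / policy-bypass flags")
    return len(reasons), reasons

def flag_events(events, threshold=2):
    """Return (id, score, reasons) for events scoring at least `threshold`."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev["id"], score, reasons))
    return hits

if __name__ == "__main__":
    for ev_id, score, reasons in flag_events(SAMPLE_EVENTS):
        print(f"{ev_id}: score {score} -> {'; '.join(reasons)}")
```

Event e3 still scores without the wt.exe parent, so the same rule covers the older Run-dialog variant; e2 shows an interactive admin session is left alone.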


The code achieves persistence using scheduled tasks, contains anti-malware evasion routines, and targets browser data and other sensitive information for exfiltration.

In another variant of the attack, the malicious commands executed in Windows Terminal lead to a batch script executed via command prompt and through MSBuild.exe.

“The script connects to Crypto Blockchain RPC endpoints, indicating an EtherHiding technique. It also performs QueueUserAPC()-based code injection into chrome.exe and msedge.exe processes to harvest Web Data and Login Data,” Microsoft says.

Another recently observed ClickFix attack variant, dubbed InstallFix, relies on cloned AI tool websites to trick victims into executing malicious commands, also leading to information-stealer infections.

Originally published by SecurityWeek
