
"Rather than the traditional Win + R → paste → execute technique, this campaign instructs targets to use the Windows + X → I shortcut to launch Windows Terminal (wt.exe) directly, guiding users into a privileged command execution environment that blends into legitimate administrative workflows and appears more trustworthy to users."
"The execution of the malicious command in Windows Terminal spawns a PowerShell process that decodes embedded hex commands, triggering a multi-stage attack chain that leads to a Lumma Stealer infection. The code achieves persistence using scheduled tasks, contains anti-malware evasion routines, and targets browser data and other sensitive information for exfiltration."
"The script connects to Crypto Blockchain RPC endpoints, indicating the EtherHiding technique. It also performs QueueUserAPC()-based code injection into chrome.exe and msedge.exe processes to harvest Web Data and Login Data."
Microsoft has identified a new ClickFix attack variant that evades traditional detection methods by directing victims to open Windows Terminal instead of the Run dialog. The campaign uses fake CAPTCHA pages and troubleshooting prompts to deceive users into executing malicious PowerShell commands. Because the Windows + X → I shortcut launches Windows Terminal directly, the instruction blends with legitimate administrative workflows and appears more trustworthy to users than a Run-dialog prompt. The malicious commands trigger a multi-stage attack chain resulting in Lumma Stealer infections, with persistence achieved through scheduled tasks and anti-malware evasion routines. Alternative variants execute batch scripts via the command prompt and MSBuild.exe, targeting browser data and other sensitive information through code injection into Chrome and Edge processes.
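As an added detection example (not code from the Microsoft or SecurityWeek write-up), the following Python triage runs over constructed Sysmon-style process-creation events and flags the chain described above: a shell launched from Windows Terminal whose command line decodes an embedded hex or base64 payload, plus scheduled-task creation from a shell. It assumes Sysmon field names (ParentImage, Image, CommandLine) and that Windows Terminal appears as WindowsTerminal.exe or wt.exe in the parent image; the sample paths and commands are constructed, not real telemetry.

```python
from __future__ import annotations
import re

# Windows Terminal parent names and the shells it launches (assumption on naming).
TERMINAL_PARENTS = {"wt.exe", "windowsterminal.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Command-line markers for decoding an embedded payload before running it.
DECODE_MARKERS = [
    re.compile(r"convert\]::toint16\([^)]*,\s*16\)", re.I),  # per-byte hex -> char
    re.compile(r"convert\]::fromhexstring", re.I),           # .NET hex decode
    re.compile(r"frombase64string", re.I),                   # .NET base64 decode
    re.compile(r"(^|\s)-e(c|nc|ncodedcommand)?\s", re.I),    # -EncodedCommand aliases
]
# Markers for scheduled-task persistence created from a shell.
PERSIST_MARKERS = [
    re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.I),
    re.compile(r"register-scheduledtask", re.I),
]

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev: dict) -> tuple[str, list[str]]:
    """Return (severity, findings); 'alert' requires the chain, not one marker."""
    parent, image = basename(ev.get("ParentImage", "")), basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")
    findings = []
    if parent in TERMINAL_PARENTS and image in SHELLS:
        findings.append("shell spawned by Windows Terminal")
    if image in SHELLS and any(p.search(cmd) for p in DECODE_MARKERS):
        findings.append("command line decodes an embedded hex/base64 payload")
    task_from_shell = image in SHELLS or (image == "schtasks.exe" and parent in SHELLS)
    if task_from_shell and any(p.search(cmd) for p in PERSIST_MARKERS):
        findings.append("scheduled task created from a shell")
    severity = "alert" if len(findings) >= 2 else "info" if findings else "none"
    return severity, findings

def triage(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Indices and findings of events that reach 'alert' severity."""
    return [(i, classify(ev)[1]) for i, ev in enumerate(events) if classify(ev)[0] == "alert"]

# Constructed sample events (not real telemetry): a terminal launch, an interactive
# shell, the ClickFix chain, and an administrator creating a backup task.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Terminal\WindowsTerminal.exe", "CommandLine": "WindowsTerminal.exe"},
    {"ParentImage": r"C:\Terminal\WindowsTerminal.exe", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "CommandLine": "powershell.exe -NoLogo"},
    {"ParentImage": r"C:\Terminal\WindowsTerminal.exe", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "CommandLine": "powershell -w hidden -c \"[char][convert]::ToInt16('41',16)\""},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "Image": r"C:\Windows\System32\schtasks.exe", "CommandLine": "schtasks.exe /create /sc daily /tn Backup /tr C:\\tools\\backup.cmd"},
]
```

Only the third sample event reaches "alert"; an interactive shell under Windows Terminal or a task created from an admin shell on its own stays at "info", which keeps the rule focused on the chain rather than on any single administrative action.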
#clickfix-attack #windows-terminal-exploitation #malware-distribution #credential-theft #evasion-techniques
Read at SecurityWeek