
"Traditionally, these scams try to persuade victims to open the Windows Run dialog with the old Win + R shortcut and paste in a command supplied by a fake CAPTCHA or troubleshooting prompt. This time, the crooks are pointing users somewhere slightly different: the Windows + X → I shortcut, which launches Windows Terminal."
"While security tools have become fairly good at spotting suspicious activity launched from the Run dialog, Windows Terminal is a legitimate administrative tool that many developers open every day. In other words, it looks normal enough to blend into routine system activity, which is exactly what attackers want."
"What the victims actually paste is a heavily encoded PowerShell command that kicks off a surprisingly elaborate chain of events. In one version of the attack, the command unpacks itself and pulls down a renamed copy of the 7-Zip archive utility along with a compressed payload."
A sophisticated evolution of the ClickFix scam emerged in February, targeting Windows users through social engineering. Rather than using the traditional Win + R Run dialog, attackers now direct victims to launch Windows Terminal via Windows + X → I. Victims encounter fake verification prompts, CAPTCHA checks, or troubleshooting guides instructing them to paste encoded PowerShell commands. Because Windows Terminal is a legitimate administrative tool that developers open every day, commands launched from it blend into routine activity that security tools are less likely to flag than launches from the Run dialog. The pasted command executes a multi-stage chain: it unpacks itself, downloads a renamed 7-Zip utility, extracts malicious components that establish persistence and disable Microsoft Defender protections, then deploys Lumma Stealer, which injects into Chrome and Edge processes to steal stored login credentials.
#clickfix-scam #windows-terminal-exploitation #lumma-infostealer #credential-theft #social-engineering
Read at The Register