Microsoft warns of a new ClickFix variant that evades Run-dialog protections by instructing victims to open Windows Terminal (wt.exe) via the Windows + X → I shortcut. The campaign launches PowerShell from Terminal to decode hex payloads, establish persistence, evade defenses, and deliver data-stealing payloads culminating in a Lumma Stealer infection. #ClickFix #LummaStealer
Key points
- The campaign tells victims to use Windows Terminal (Windows + X → I) instead of the Run dialog.
- Using Terminal allows attackers to bypass protections designed to stop Run-dialog abuse.
- Malicious PowerShell decodes embedded hex commands and triggers a multi-stage attack chain.
- Attackers achieve persistence with scheduled tasks, use anti-malware evasion, and target browser data for exfiltration.
- Variants include batch/MSBuild execution, QueueUserAPC code injection into chrome.exe and msedge.exe, and InstallFix lures via cloned AI tool sites.
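A defender-side detection sketch for the chain above (an added example, not code from the article or from Microsoft): it assumes process-creation events whose ancestry has already been resolved, for instance from Sysmon Event ID 1 by chaining parent process IDs, and flags a PowerShell launched under Windows Terminal whose command line carries a long hex literal or a hex-decoding idiom. Because a command pasted straight into the interactive prompt never shows up on a process command line, the indicator check is a separate function meant to be run over PowerShell script block text (Event ID 4104) as well; the process names, paths and sample events are constructed.

```python
"""Flag PowerShell launched under Windows Terminal that carries a hex-encoded stage."""
import re
from dataclasses import dataclass, field
# The article names wt.exe; the process that hosts the tabs is WindowsTerminal.exe.
TERMINAL_HOSTS = {"wt.exe", "windowsterminal.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# A bare run of 32+ hex digits, and idioms that turn such a string back into characters.
HEX_LITERAL = re.compile(r"(?<![0-9a-zA-Z])[0-9a-fA-F]{32,}(?![0-9a-zA-Z])")
HEX_DECODE = re.compile(
    r"FromHexString|\[char\]\s*\[convert\]::ToInt(?:16|32)\([^)]*,\s*16\)|-split\s*['\"]\(\.\.\)['\"]",
    re.IGNORECASE)

@dataclass
class ProcEvent:
    image: str
    command_line: str
    ancestry: list = field(default_factory=list)  # parent first, then grandparent, ...

def _name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def hex_payload_indicators(text: str) -> list:
    """Indicators in a command line or 4104 script block that a hex-encoded stage is decoded."""
    found = ["long_hex_literal"] if HEX_LITERAL.search(text) else []
    found += sorted({"decode_idiom:" + m.group(0).lower() for m in HEX_DECODE.finditer(text)})
    return found

def assess(event: ProcEvent) -> list:
    """Reasons the event matches the Terminal-launched ClickFix chain; [] means no match."""
    if _name(event.image) not in SHELLS:
        return []
    if not any(_name(a) in TERMINAL_HOSTS for a in event.ancestry):
        return []
    indicators = hex_payload_indicators(event.command_line)
    # A shell under Windows Terminal is normal; alert only when an encoded stage is present.
    return ["shell_under_windows_terminal", *indicators] if indicators else []

# Constructed sample events (not real telemetry); the hex decodes to harmless ASCII text.
TERMINAL = r"C:\Program Files\WindowsApps\TerminalPackage\WindowsTerminal.exe"  # placeholder dir
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(PS, "powershell -w hidden -c \"$h='48656c6c6f2066726f6d20636f6e737472756374';"
                  "-join ($h -split '(..)' | ? {$_} | % {[char][convert]::ToInt32($_,16)})\"",
              ancestry=[PS, TERMINAL]),           # pasted one-liner spawning a second shell
    ProcEvent(r"C:\Program Files\PowerShell\7\pwsh.exe", "pwsh.exe -NoLogo",
              ancestry=[TERMINAL]),               # ordinary interactive use, no encoded stage
]
if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(_name(ev.image), assess(ev) or "clean")
```

Running the block prints one line per sample event; the first is flagged with the hex literal and both decode idioms, the second is reported clean.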
Read More: https://www.securityweek.com/clickfix-attack-uses-windows-terminal-to-evade-detection/