Microsoft spots ClickFix campaign getting users to self-pwn on Windows Terminal
Summary
Microsoft Threat Intelligence has flagged a new variant of the long-running ClickFix scam that tricks victims into opening Windows Terminal (via Windows+X → I) and pasting encoded commands. The copied commands expand into a multi-stage payload that downloads a renamed 7‑Zip, extracts components, alters Defender exclusions, establishes persistence and ultimately deploys the Lumma infostealer, which injects into Chrome and Edge to harvest stored credentials.
A second infection chain uses an encoded command to fetch a batch script that drops and runs a VBScript using built-in Windows utilities (including MSBuild), touches cryptocurrency blockchain infrastructure (so-called “EtherHiding”), and then launches the same credential-harvesting routine.
Key Points
- The campaign surfaced in February and adapts the ClickFix copy‑and‑paste trick to target Windows Terminal rather than the Run dialog, helping attackers evade detections that focus on Win+R activity.
- Victims are lured by fake CAPTCHAs, verification prompts or troubleshooting pages that instruct them to paste a command into Terminal.
- The pasted PowerShell is heavily encoded: it downloads a renamed 7‑Zip, extracts payloads, creates persistence, modifies Microsoft Defender exclusions and stages Lumma Stealer.
- Lumma Stealer injects into Chrome and Edge processes to siphon saved logins and browser data.
- An alternate path uses batch → VBScript → MSBuild and interacts with blockchain infrastructure before delivering the same infostealer.
- Attackers are exploiting Windows Terminal’s legitimacy — many developers and admins open it routinely, so malicious activity appears normal to heuristics that look for Run dialog abuse.
Why should I read this?
Because if you ever paste a command into a terminal from a random webpage, you might as well hand over your browser passwords on a silver platter. This one’s clever: it uses a legit admin tool so the nastiness blends in. Read it so you don’t become the cautionary tale.
Context and Relevance
ClickFix-style social engineering has been around for over a year because it preys on a simple human habit: following on-screen instructions. The tweak to Windows Terminal shows how attackers iterate to dodge defensive tooling. For IT teams and security-conscious users this is important — it underlines the need for user education, stricter policies around pasting and executing commands, and robust endpoint protections that look beyond merely which tool was used to launch a process.
Practical takeaways: never paste arbitrary commands into Terminal or Run; verify prompts with the service or vendor; consider application control and script-blocking policies; and if you suspect compromise, rotate credentials stored in browsers and run a thorough endpoint investigation.