Microsoft: ClickFix Hackers Have a New Hiding Trick

Howard Solomon

Individuals are inadvertently installing malware through Windows Terminal, a method some security professionals consider to be an established threat. Nonetheless, there’s a consensus that cybersecurity leaders must inform employees about this particular tactic.


Microsoft reports that cybercriminals are employing a new method to entice employees into malware-installing ClickFix phishing schemes.

Instead of instructing potential targets to copy and paste a harmful command into the Run dialog (opened with Windows + R), attackers now direct them to open Windows Terminal (wt.exe) directly with the Windows + X → I shortcut: Windows + X opens the Quick Link menu, and I selects Terminal.

After launching the terminal, users are then asked to paste malicious PowerShell commands, which are presented through deceptive CAPTCHA pages, troubleshooting requests, or other seemingly harmless verification prompts.

The rationale behind this approach is that it circumvents security measures designed to detect suspicious run commands and bypasses employee training that advises against actions involving the Run command.

This week, Microsoft detailed the method in an X post, highlighting the campaign’s significant post-compromise activity. For instance, multiple Windows Terminal/PowerShell instances are started, leading to the execution of another PowerShell process tasked with decoding embedded hex commands.

Subsequently, the decoded PowerShell script retrieves a legitimate, yet renamed, 7-Zip executable, saving it under a random filename alongside a compressed malicious payload. This disguised archive utility then extracts and runs the malware, initiating a sophisticated multi-stage attack. This attack chain involves fetching more payloads, establishing persistence via scheduled tasks, evading detection by configuring Microsoft Defender exclusions, and extracting sensitive machine and network data.

In a second attack scenario, the victim pastes a command that is hex-encoded and XOR-compressed directly into Windows Terminal. The command downloads a batch file with a random name into AppData\Local, which cmd.exe then executes to create a VBScript in %Temp%. The batch script subsequently runs again through cmd.exe with the /launched argument and is further executed via MSBuild.exe, abusing a living-off-the-land binary (LOLBin). The script also connects to cryptocurrency blockchain RPC endpoints, suggesting an EtherHiding technique, and uses QueueUserAPC()-based code injection into chrome.exe and msedge.exe to steal web and login credentials.

Is This Tactic Truly Novel?

Despite Microsoft’s revelation, several specialists promptly commented on the X post, asserting that the Windows + X approach is not a recent development.

Roger Grimes, a CISO advisor at KnowBe4, a provider of security awareness training, concurred with this sentiment.

In an email, he stated, “ClickFix attacks that utilize Win+X instead of Win+R have been present for at least half a year, possibly even longer. The execution methods themselves are also not novel.”

Nevertheless, he emphasized that the ongoing and growing prevalence of ClickFix attacks underscores the critical need for infosec leaders to keep employees informed about these threats.

He explained, “We’ve consistently provided training materials covering this specific attack vector. Users must understand that no legitimate request will ever involve pressing Win+ and any other keys to paste obscure code for execution. Any such instruction should be disregarded.”

He further advised, “All Windows systems ought to be configured to prevent the execution of arbitrary, unsigned (not organization-approved) PowerShell commands. Every organization and device should already have the PowerShell command setting: ‘Set-ExecutionPolicy Restricted -Force’ activated. Failing to do so significantly elevates your organization’s cybersecurity risk beyond acceptable levels.”

Enduring Malware Delivery Method

Joshua Roback, Principal Security Solution Architect at Swimlane, observed that Microsoft’s described campaign integrates the ClickFix strategy into more familiar and trusted daily workflows. This is achieved by persuading users to execute pasted commands within legitimate Windows tools that appear normal and secure. This tactic is crucial, he explained, because it circumvents common mental alarms triggered by suspicious pop-ups and can also bypass certain security controls and detection mechanisms that teams have optimized for more overt ClickFix behaviors.

He also pointed out that the payload delivery sequence in this variant is designed for greater longevity compared to earlier versions. Rather than a simple, single retrieval method, it employs a multi-layered approach to delivery and persistence. This allows it to remain stealthy, persist longer on systems, and gradually increase its destructive impact once deployed. One specific attack vector introduces an extra layer of indirection, which helps the attacker’s infrastructure remain inconspicuous and accessible, making direct countermeasures like takedowns and simple blocking less effective.

He advised that CISOs must convey a direct message to their employees: “Adhere to a straightforward principle: never execute pasted commands, refrain from authorizing unexpected sign-in requests, and report all security incidents via authorized company support channels.”

Understanding ClickFix Operations

Microsoft first documented ClickFix phishing campaigns in 2024, and subsequently, last year, they published a security blog post detailing the campaign’s methods and indicators of compromise. These attacks typically initiate with an employee receiving an email or text message, often themed around payments or invoices, prompting them to click a link or open an attachment. To bypass security measures designed to prevent unauthorized file downloads, a pop-up instructs the user to “verify the download” by opening the Run dialog and pasting a specific command.

The primary objective is to trick unsuspecting victims into downloading various forms of malware, including infostealers (such as LummaStealer), remote access tools like Xworm, AsyncRAT, NetSupport, and SectopRAT, as well as loaders such as Latrodectus and MintsLoader, and rootkits.

Within the blog post, Microsoft offers advice to cybersecurity defenders on how to combat ClickFix attacks. This includes the recommendation to activate PowerShell script block logging. This feature helps in detecting and analyzing obfuscated or encoded commands, thereby providing crucial insight into malicious script execution that might otherwise escape standard logging mechanisms.
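As an added example (not code from the article, from Microsoft or from KnowBe4), the following PowerShell turns on script block logging through the standard Group Policy registry key and then hunts the resulting Event ID 4104 records for traits the article attributes to the chain described earlier: embedded hex blobs that are decoded and run, Microsoft Defender exclusion changes, and scheduled-task persistence. The registry path and the 4104 event property layout are Windows’ documented ones; the function names, the detection patterns and the sample script block text are constructions of mine for illustration.

```powershell
# Added example, not from the article or any vendor. Run in an elevated
# PowerShell 5.1 or 7 session on the host you want to monitor.

function Enable-ScriptBlockLogging {
    # Same key the GPO "Turn on PowerShell Script Block Logging" writes.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'EnableScriptBlockLogging' -PropertyType DWord -Value 1 -Force | Out-Null
    # Start/stop invocation logging is very noisy; leave it off unless you need it.
    New-ItemProperty -Path $key -Name 'EnableScriptBlockInvocationLogging' -PropertyType DWord -Value 0 -Force | Out-Null
}

# Heuristics over one script block's text. Returns the list of matched reasons
# (an empty array means nothing was flagged). Patterns are my own, not Microsoft's IoCs.
function Get-SuspiciousTraits {
    param([Parameter(Mandatory)][string]$ScriptBlockText)
    $reasons = @()
    # 1. A long run of hex byte pairs: the chain decodes embedded hex commands.
    if ($ScriptBlockText -match '(?i)(?:[0-9a-f]{2}[\s,]?){64,}') { $reasons += 'long hex blob' }
    # 2. Hex-to-bytes conversion idioms, and dynamic execution of the result.
    if ($ScriptBlockText -match '(?i)FromHexString|\[char\]\s*\[convert\]::ToInt32') { $reasons += 'hex decode' }
    if ($ScriptBlockText -match '(?i)\b(iex|Invoke-Expression)\b') { $reasons += 'Invoke-Expression' }
    # 3. Defender exclusion changes, used for evasion in the described chain.
    if ($ScriptBlockText -match '(?i)Add-MpPreference\s+.*-Exclusion') { $reasons += 'Defender exclusion' }
    # 4. Scheduled-task persistence.
    if ($ScriptBlockText -match '(?i)Register-ScheduledTask|schtasks(\.exe)?\s+/create') { $reasons += 'scheduled task' }
    return ,$reasons
}

# Pull 4104 events from the operational log and report the blocks that trip a heuristic.
function Find-SuspiciousScriptBlocks {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # In the 4104 template, Properties[2] is ScriptBlockText and Properties[3] is ScriptBlockId.
        $text = [string]$_.Properties[2].Value
        $hits = Get-SuspiciousTraits -ScriptBlockText $text
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                BlockId = $_.Properties[3].Value
                Reasons = ($hits -join ', ')
                Preview = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
        }
    }
}

# Constructed demonstration input (not a real payload): a hex blob that is
# decoded and handed to Invoke-Expression. It is only inspected, never run.
$sample = '$h="' + ('4142' * 40) + '"; $b=[Convert]::FromHexString($h); iex ([Text.Encoding]::ASCII.GetString($b))'
Get-SuspiciousTraits -ScriptBlockText $sample   # long hex blob, hex decode, Invoke-Expression

# Enable-ScriptBlockLogging                       # elevated; applies to newly started PowerShell hosts
# Find-SuspiciousScriptBlocks -Hours 48 | Format-Table -AutoSize
```

Script block logging records the de-obfuscated block as PowerShell compiles it, so a hex string that is decoded and then passed to Invoke-Expression produces a second 4104 event containing the decoded command, which is why the heuristics look for both the encoded blob and the plaintext follow-on actions such as exclusion changes and task registration. Tune the thresholds to your environment before alerting on them; build tooling and installers legitimately produce hex-heavy blocks.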

This content was initially published by CSOonline.
