ClickFix attackers using new tactic to evade detection, says Microsoft

Threat actors are trying a different tactic to sucker employees into falling for ClickFix phishing attacks that install malware, says Microsoft.

Rather than asking potential victims to copy and paste a (malicious) command into the Run dialog, launched by hitting the Windows button plus the letter R, they are being told to use the Windows + X → I shortcut to launch Windows Terminal (wt.exe) directly.

Once the terminal is opened, victims are prompted to paste in malicious PowerShell commands delivered through fake CAPTCHA pages, troubleshooting prompts, or verification-style lures designed to appear routine and benign.

Why? Going this route evades defenses looking for unusual run commands, and it bypasses security awareness training that tells employees not to do anything that invokes the Run command.

Microsoft described the tactic in a post on X this week, saying that what makes this campaign notable are the post-compromise outcomes. In one case, several Windows Terminal/PowerShell instances are opened that ultimately launch another PowerShell process responsible for decoding embedded hex commands.

The decoded PowerShell script then downloads a legitimate but renamed 7-Zip binary and saves it with a randomized file name, along with a zipped payload. The renamed archive utility extracts and runs the malware, which executes a multi-stage attack chain that includes retrieval of additional payloads, establishment of persistence through scheduled tasks, defense evasion through Microsoft Defender exclusions, and exfiltration of stolen machine and network data.

In a second attack path, the victim pastes a hex-encoded, XOR-compressed command into Windows Terminal. This command downloads a randomly named batch file to AppData\Local that is then invoked through cmd.exe to write a VBScript to %Temp%. The batch script is executed via cmd.exe with the /launched command-line argument, and is then executed again through MSBuild.exe, resulting in LOLBin abuse. The script connects to crypto blockchain RPC endpoints, indicating the EtherHiding technique, and also performs QueueUserAPC()-based code injection into chrome.exe and msedge.exe processes to harvest web and login data.
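The evasion described above works because detections tuned to the Run dialog look for explorer.exe spawning a shell, while in this variant the decoding PowerShell process sits under an interactive PowerShell tab whose parent is Windows Terminal. The following is an added detection example, not code from the article or from Microsoft; it reconstructs process lineage from process-creation records (field names ProcessId, ParentProcessId, Image and CommandLine follow the Sysmon Event ID 1 shape, simplified and assumed) and flags a shell that has Windows Terminal (WindowsTerminal.exe, for which wt.exe is the launcher alias) within a few hops of its ancestry and a command line that looks like a pasted, encoded payload. The sample events and the Windows Terminal package path are constructed.

```powershell
# Added example, not the article's or Microsoft's code. Field names follow the
# Sysmon Event ID 1 shape (assumed/simplified): ProcessId, ParentProcessId, Image, CommandLine.

function Test-PastedPayloadCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)
    # A hand-typed interactive command is short. A pasted one-liner that embeds
    # hex or Base64 for a child process to decode is long and digit-heavy, and
    # commonly asks for a hidden window.
    $hexRun = [regex]::Match($CommandLine, '(?i)[0-9a-f]{64,}')
    $b64Run = [regex]::Match($CommandLine, '[A-Za-z0-9+/]{120,}={0,2}')
    $hidden = $CommandLine -match '(?i)-w(indowstyle)?\s+hidden'
    return ($CommandLine.Length -ge 300) -or $hexRun.Success -or $b64Run.Success -or $hidden
}

function Get-Ancestry {
    # Returns image names from the process itself up through its ancestors,
    # stopping when the parent is unknown or MaxDepth is reached.
    param([hashtable]$ByPid, [int]$ProcessId, [int]$MaxDepth = 5)
    $chain = @()
    $current = $ByPid[$ProcessId]
    while ($current -and $chain.Count -lt $MaxDepth) {
        $chain += [System.IO.Path]::GetFileName($current.Image).ToLowerInvariant()
        $current = $ByPid[[int]$current.ParentProcessId]
    }
    return $chain
}

function Find-TerminalPastedShell {
    param([Parameter(Mandatory)][object[]]$Events)
    $byPid = @{}
    foreach ($e in $Events) { $byPid[[int]$e.ProcessId] = $e }
    foreach ($e in $Events) {
        $chain = Get-Ancestry -ByPid $byPid -ProcessId $e.ProcessId
        if ($chain[0] -notin @('powershell.exe', 'pwsh.exe', 'cmd.exe')) { continue }
        # Look at ancestors only (skip the process itself) for Windows Terminal
        $ancestors = $chain | Select-Object -Skip 1
        if (-not ($ancestors | Where-Object { $_ -in @('windowsterminal.exe', 'wt.exe') })) { continue }
        if (-not (Test-PastedPayloadCommandLine -CommandLine $e.CommandLine)) { continue }
        [pscustomobject]@{
            ProcessId         = $e.ProcessId
            Chain             = ($chain -join ' <- ')
            CommandLineLength = $e.CommandLine.Length
        }
    }
}

# Constructed sample records (not real telemetry). The "hex payload" is just the
# ASCII for "Hello" repeated, so the command line is inert.
$hex = '48656c6c6f' * 20
$events = @(
    @{ ProcessId = 1000; ParentProcessId = 400;  Image = 'C:\Windows\explorer.exe'; CommandLine = 'explorer.exe' },
    @{ ProcessId = 2000; ParentProcessId = 1000; Image = 'C:\Program Files\WindowsApps\<package-placeholder>\WindowsTerminal.exe'; CommandLine = 'WindowsTerminal.exe' },
    # Interactive tab opened by Win+X -> I: short, benign command line
    @{ ProcessId = 3000; ParentProcessId = 2000; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; CommandLine = 'powershell.exe -NoLogo' },
    # Child launched by the pasted text: hidden window plus a long hex literal
    @{ ProcessId = 4000; ParentProcessId = 3000; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; CommandLine = ('powershell -w hidden -c $h=''' + $hex + '''') }
)

# Only process 4000 is reported: powershell.exe <- powershell.exe <- windowsterminal.exe <- explorer.exe
Find-TerminalPastedShell -Events $events | Format-List
```

Feeding real Sysmon or 4688 events into Find-TerminalPastedShell only requires mapping the field names; keep the existing explorer.exe-to-shell rule for the Win+R variant alongside this one, since the article's point is that the terminal path sidesteps that older rule rather than replacing it. The pasted text may also execute entirely inside the interactive tab without a new process, which is where script block logging, rather than process telemetry, is needed.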

But is this really new?

A number of experts quickly added comments to the Microsoft post complaining that the Windows + X tactic isn’t new.

Roger Grimes, CISO advisor at awareness training provider KnowBe4, agreed.

“ClickFix attacks using Win+X instead of Win+R have been around for at least six months, if not a year or more,” he said in an email. “What they are doing during execution is not new.”

Regardless, he added, the continuing and increasing use of ClickFix attacks means infosec leaders still need to educate employees about them.

“We’ve long had training content around this type of attack. Users need to know that nothing legitimate will ever ask them to do Win+ whatever keys to paste gobbledygook to run code. Anything that does that should simply not be performed,” he said.

“And all Windows computers should already be restricted so that random, unsigned (not signed by the organization), PowerShell commands should not be allowed. Every organization and machine should already have the following PowerShell command setting: ‘Set-ExecutionPolicy Restricted -Force’ enabled. If not, your organization’s cybersecurity risk is far higher than it needs to be.”

Payload chain ‘built to last’

Joshua Roback, principal security solution architect at Swimlane, noted the campaign outlined by Microsoft pushes the ClickFix playbook into more trusted, everyday workflows by getting users to run pasted command content inside legitimate Windows tooling that feels routine and safe. That matters, he said, because it slips past the usual mental red flags people associate with sketchy popups, and it can also dodge some of the controls and detections that security teams have tuned to the more obvious ClickFix patterns.

The payload chain is also more built to last than previous variants, he added. Instead of a quick one-and-done retrieval trick, it uses a more layered delivery and persistence approach that helps it blend in, stick around longer, and quietly escalate the damage once it lands. One path adds an additional indirection layer that helps the attacker’s infrastructure blend in and stay reachable, which can make takedowns and straightforward blocking a lot less effective.

For CISOs, he said, the message to employees has to be clear. “Use a simple rule of thumb: never run pasted commands, never approve unexpected sign-ins, and report all incidents through official company support channels.”

How ClickFix works

ClickFix phishing campaigns began in 2024, Microsoft noted in a security blog post last year that detailed the campaign’s tactics and indicators of compromise. The attack starts with an employee being asked to click on a link or open an attachment, often with a payment or invoice theme, within an email or text. To evade defenses that stop employees from downloading unapproved files, the user is told in a popup box to “verify the download” by opening a Run dialog and copying and pasting something into it.

The goal is to get the unwitting victim to download malware such as infostealers (usually LummaStealer), remote access tools such as Xworm, AsyncRAT, NetSupport, and SectopRAT; loaders like Latrodectus and MintsLoader; and rootkits.

In the blog, Microsoft provides tips to defenders for fighting ClickFix attacks, including recommending they enable PowerShell script block logging to detect and analyze obfuscated or encoded commands, which would provide visibility into malicious script execution that might otherwise evade traditional logging.
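The two controls named on this page, the execution policy setting quoted by Grimes and the script block logging Microsoft recommends, together with a scan of the resulting Event ID 4104 records for the post-paste behaviours the article describes (XOR/hex decoding, payload download, Defender exclusions, scheduled-task persistence, MSBuild abuse), as one added example. This is not Microsoft's or KnowBe4's code; the registry key is the documented policy location for script block logging, the two hardening functions need an elevated session, and the sample events are constructed so the scan runs offline.

```powershell
# Added example, not code from the article, Microsoft or KnowBe4.
# Requires an elevated session for the two hardening functions.

$ScriptBlockLoggingKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'

function Enable-ScriptBlockLogging {
    # Same effect as the GPO "Turn on PowerShell Script Block Logging".
    # Script text is then written to Microsoft-Windows-PowerShell/Operational as Event ID 4104.
    if (-not (Test-Path $ScriptBlockLoggingKey)) {
        New-Item -Path $ScriptBlockLoggingKey -Force | Out-Null
    }
    New-ItemProperty -Path $ScriptBlockLoggingKey -Name 'EnableScriptBlockLogging' -Value 1 -PropertyType DWord -Force | Out-Null
    Get-ItemProperty -Path $ScriptBlockLoggingKey -Name 'EnableScriptBlockLogging'
}

function Set-RestrictedExecutionPolicy {
    # The setting quoted by Grimes, applied machine-wide. A MachinePolicy (GPO)
    # value, if present, takes precedence; the -List output shows every scope.
    Set-ExecutionPolicy -ExecutionPolicy Restricted -Scope LocalMachine -Force
    Get-ExecutionPolicy -List
}

# Behaviours the article attributes to the chain, as script-text indicators
$Indicators = [ordered]@{
    'XOR/hex decoding'   = '(?i)-bxor|FromHexString|\[Convert\]::ToByte\('
    'download'           = '(?i)DownloadFile|DownloadString|Invoke-WebRequest|Start-BitsTransfer'
    'Defender exclusion' = '(?i)Add-MpPreference\s+-Exclusion'
    'scheduled task'     = '(?i)schtasks(\.exe)?\s+/create|Register-ScheduledTask'
    'MSBuild LOLBin'     = '(?i)\bmsbuild(\.exe)?\b'
}

function Get-ScriptBlockIndicators {
    param([Parameter(Mandatory)][string]$ScriptText)
    $hits = foreach ($name in $Indicators.Keys) {
        if ($ScriptText -match $Indicators[$name]) { $name }
    }
    return @($hits)
}

function Find-SuspiciousScriptBlocks {
    # Reports blocks that show at least MinHits distinct behaviours; a single
    # download or a single scheduled task on its own is routine admin activity.
    param([Parameter(Mandatory)][object[]]$Events, [int]$MinHits = 2)
    foreach ($e in $Events) {
        $hits = Get-ScriptBlockIndicators -ScriptText $e.ScriptBlockText
        if ($hits.Count -ge $MinHits) {
            [pscustomobject]@{ Time = $e.TimeCreated; ScriptBlockId = $e.ScriptBlockId; Hits = ($hits -join ', ') }
        }
    }
}

function Get-ScriptBlockEvents {
    # Reads real 4104 events; ScriptBlockText and ScriptBlockId are the third and fourth event properties.
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ TimeCreated = $_.TimeCreated; ScriptBlockText = $_.Properties[2].Value; ScriptBlockId = $_.Properties[3].Value }
        }
}

# Constructed sample events (not real telemetry). The first mimics the shape of
# the chain described above with undefined variables, so it is inert as written.
$sample = @(
    [pscustomobject]@{ TimeCreated = (Get-Date); ScriptBlockId = 'constructed-1'; ScriptBlockText = @'
$b = [byte[]](0..10 | % { [Convert]::ToByte($h.Substring($_ * 2, 2), 16) -bxor 0x5a })
(New-Object Net.WebClient).DownloadFile($u, "$env:LOCALAPPDATA\x.bat")
Add-MpPreference -ExclusionPath $env:LOCALAPPDATA
schtasks /create /tn Updater /tr "$env:LOCALAPPDATA\x.bat" /sc onlogon
'@
    },
    [pscustomobject]@{ TimeCreated = (Get-Date); ScriptBlockId = 'constructed-2'; ScriptBlockText = 'Get-ChildItem -Recurse | Measure-Object' }
)

# Reports constructed-1 with four hits; constructed-2 is not reported
Find-SuspiciousScriptBlocks -Events $sample | Format-List
```

On a live host, replace $sample with the output of Get-ScriptBlockEvents. Because 4104 records the de-obfuscated text of each block as it is compiled, the hex-decoding stage and the commands it produces both appear in the log even when the process command line shows nothing useful, which is the visibility the Microsoft blog describes.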
