Cybersecurity experts are warning of a new evolution in the ClickFix phishing campaign, where attackers are leveraging the Windows Terminal to install malware on unsuspecting systems. This shift represents a more sophisticated approach designed to bypass traditional security measures and employee awareness training, according to Microsoft’s recent analysis.
The ClickFix campaign has long been known for urging users to copy and paste malicious commands into the Run dialog. Yet, this latest tactic instructs potential victims to utilize the Windows + X shortcut, then select Windows Terminal (wt.exe). Once inside this legitimate interface, users are prompted to paste harmful PowerShell commands, often delivered through deceptive CAPTCHA pages, troubleshooting prompts, or verification messages designed to appear harmless. This method is particularly concerning given that it circumvents defenses that monitor for unusual run commands and sidesteps security awareness training focused on the Run command.
Joshua Roback, principal security solution architect at Swimlane, explained that this new approach pushes the ClickFix playbook into more trusted, everyday workflows. “Attackers are getting users to run pasted command content inside legitimate Windows tooling that feels routine and safe,” Roback said. “That matters, because it slips past the usual mental red flags people associate with sketchy popups, and it can similarly dodge some of the controls and detections that security teams have tuned to the more obvious ClickFix patterns.”
The campaign’s sophistication extends beyond simply using a different interface. According to Microsoft, the payload chain is now “built to last,” employing a more layered delivery and persistence approach. This allows the malware to blend in, remain active for longer periods, and quietly escalate the damage once it has gained access. One tactic involves adding an additional indirection layer to support the attacker’s infrastructure remain reachable and evade takedown efforts.
PowerShell Restrictions: A Critical Defense
Experts emphasize that a fundamental security measure – restricting the execution of unsigned PowerShell commands – could significantly mitigate the risk posed by ClickFix and similar attacks. “Every organization and machine should already have the following PowerShell command setting: ‘Set-ExecutionPolicy Restricted -Force’ enabled,” Roback stated. “If not, your organization’s cybersecurity risk is far higher than it needs to be.” This setting prevents the execution of scripts that haven’t been digitally signed by a trusted publisher.
The rise of weaponized CAPTCHAs is also contributing to the problem. Since the second half of 2024, threat actors have increasingly used fake CAPTCHA challenges to trick users into executing malicious PowerShell commands and infecting their systems with malware like Lumma Stealer, an information-stealing program, according to Cybersecurity News.
Blending into Routine Workflows
The shift towards using Windows Terminal is not a new development, having been observed for months, but its increasing prevalence is raising alarms. The ability to blend into routine workflows is a key factor in the campaign’s success. As Roback noted, the tactic leverages the familiarity and trust users place in legitimate Windows tools. This makes it harder for individuals to recognize the malicious intent behind the prompts they receive.
The layered approach to delivery and persistence also makes the attacks more resilient. Instead of a simple, one-time retrieval of the malicious payload, the attackers are using techniques to ensure their infrastructure remains accessible and their malware remains active on compromised systems. This makes it more difficult for security teams to detect and remove the threat.
Organizations should review their security awareness training programs to ensure they address the risks associated with PowerShell and the importance of verifying the legitimacy of prompts, even within trusted applications. Regularly updating security software and implementing robust endpoint detection and response (EDR) solutions are also crucial steps in defending against these evolving threats.
As attackers continue to refine their tactics, a proactive and layered security approach is essential. The focus must be on empowering users to identify and report suspicious activity, while simultaneously strengthening technical defenses to prevent malicious code from executing in the first place. The evolution of ClickFix underscores the demand for continuous vigilance and adaptation in the face of an ever-changing threat landscape.
What comes next will likely involve further refinement of these techniques, potentially incorporating new social engineering tactics and exploiting emerging vulnerabilities. Staying informed about the latest threat intelligence and implementing robust security measures will be critical for organizations seeking to protect themselves from these evolving attacks.
Have you experienced any suspicious prompts or CAPTCHAs recently? Share your experiences and thoughts in the comments below.
