
ClickFix Attack Uses Windows Terminal to Evade Detection


Fake CAPTCHA pages instruct victims to paste malicious commands in the Windows Terminal instead of the Run dialog.

A new variant of the ClickFix attack evades detection by instructing victims to use Windows Terminal instead of the Run dialog, Microsoft warns.

Like traditional ClickFix attacks, the campaign relies on fake CAPTCHA pages, troubleshooting prompts, and verification lures to trick victims into executing malicious PowerShell commands.

What sets the new campaign apart, however, is that victims are instructed to open Windows Terminal directly instead of using the Windows Run dialog.

“Rather than the traditional Win + R → paste → execute technique, this campaign instructs targets to use the Windows + X → I shortcut to launch Windows Terminal (wt.exe) directly, guiding users into a privileged command execution environment that blends into legitimate administrative workflows and appears more trustworthy to users,” Microsoft says.

The new approach, observed in the wild in February ...


Copyright of this story solely belongs to SecurityWeek.