
Crooks tweak familiar copy-paste ruse so that victims run malicious commands themselves


A new twist on the long-running ClickFix scam is now tricking Windows users into launching Windows Terminal and pasting malware into it themselves – handing the credential-stealing Lumma infostealer the keys to their browser vault.

According to Microsoft Threat Intelligence, the campaign surfaced in February and tweaks the familiar ClickFix playbook in a way designed to sidestep some existing security detections. Traditionally, these scams try to persuade victims to open the Windows Run dialog with the old Win + R shortcut and paste in a command supplied by a fake CAPTCHA or troubleshooting prompt. This time, the crooks are pointing users somewhere slightly different: the Windows + X → I shortcut, which launches Windows Terminal.

While security tools have become fairly good at spotting suspicious activity launched from the Run dialog, Windows Terminal is a legitimate administrative tool that many developers open every day. In other words, it looks normal enough to blend into ...
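The detection gap described above, as an added example that is not part of the original article: a rule keyed on `explorer.exe` as the direct parent (the Run dialog case) beside one that also walks the process tree for `WindowsTerminal.exe`. The events are constructed and simplified, and the hidden-window/encoded-command heuristic is an assumption, since the article does not describe the pasted command.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style fields); not real telemetry.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",        "cmd": "explorer.exe"},
    # Run dialog (Win + R): the shell is a direct child of explorer.exe.
    {"pid": 200, "ppid": 100, "image": "powershell.exe",
     "cmd": "powershell.exe -WindowStyle Hidden -EncodedCommand <PLACEHOLDER>"},
    # Windows Terminal (Win + X, then I) with an interactive PowerShell tab.
    {"pid": 300, "ppid": 100, "image": "WindowsTerminal.exe", "cmd": "WindowsTerminal.exe"},
    {"pid": 310, "ppid": 300, "image": "powershell.exe",      "cmd": "powershell.exe"},
    # Command pasted into that tab spawns a second shell (assumed payload shape).
    {"pid": 320, "ppid": 310, "image": "powershell.exe",
     "cmd": "powershell.exe -WindowStyle Hidden -EncodedCommand <PLACEHOLDER>"},
    # Ordinary developer activity in the same tab; must not alert.
    {"pid": 330, "ppid": 310, "image": "git.exe",             "cmd": "git.exe status"},
]

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Assumed heuristic: -WindowStyle Hidden / -EncodedCommand and their abbreviations.
SUSPICIOUS = re.compile(r"-w\w*\s+hidden|-enc\w*\s", re.I)

def is_candidate(event):
    return event["image"].lower() in SHELLS and bool(SUSPICIOUS.search(event["cmd"]))

def parent_image(event, by_pid):
    return by_pid.get(event["ppid"], {}).get("image", "").lower()

def ancestors(event, by_pid):
    """Yield ancestor image names, nearest first; stops on unknown or looping PIDs."""
    seen, cur = set(), by_pid.get(event["ppid"])
    while cur and cur["pid"] not in seen:
        seen.add(cur["pid"])
        yield cur["image"].lower()
        cur = by_pid.get(cur["ppid"])

def run_dialog_rule(events):
    """Older-style rule: suspicious shell whose direct parent is explorer.exe."""
    by_pid = {e["pid"]: e for e in events}
    return [e["pid"] for e in events
            if is_candidate(e) and parent_image(e, by_pid) == "explorer.exe"]

def terminal_aware_rule(events):
    """Same rule, extended to shells anywhere beneath WindowsTerminal.exe."""
    by_pid = {e["pid"]: e for e in events}
    return [e["pid"] for e in events if is_candidate(e) and
            (parent_image(e, by_pid) == "explorer.exe"
             or "windowsterminal.exe" in ancestors(e, by_pid))]
```

On the constructed events the first rule alerts only on PID 200, while the second also catches PID 320 and still ignores the interactive tab and `git.exe`.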


Copyright of this story solely belongs to theregister.co.uk.