New Tactics in ClickFix Phishing Campaigns Evade Detection
Cybercriminals behind the ClickFix phishing attacks are now using a different approach to trick employees and install malware. Instead of the common method of asking users to copy and paste commands into the Windows Run dialog, they are now instructing victims to use a different shortcut to open the Windows Terminal. This change helps them bypass security tools that look for unusual commands and tricks employees into thinking the steps are routine.
How the New Tactic Works
Instead of using the familiar Windows + R shortcut, attackers are now telling victims to press Windows + X and then press I to launch Windows Terminal directly. Once open, victims are prompted to paste malicious PowerShell commands. These commands often come from fake CAPTCHA pages, troubleshooting prompts, or verification screens designed to look harmless and trustworthy.
The goal is to avoid detection by security systems that monitor for unusual run commands or scripts. By using Windows + X, the attackers make the attack seem like a normal system operation, making it harder for defenses to flag the activity as malicious.
Details of the Attack Chain
Microsoft explained that after the initial compromise, multiple Windows Terminal or PowerShell instances are opened. These then launch a secondary PowerShell process that decodes embedded hex commands. The script then downloads a legitimate tool—often renamed 7-Zip—and uses it to extract and run malware stored in a zipped payload. This malware then performs various malicious activities, including downloading additional payloads, establishing persistence on the system, avoiding defenses through exclusions, and stealing data from the machine and network.
Another variation involves pasting a hex-encoded, XOR-compressed command into Windows Terminal. This command downloads a batch file stored in the user’s local app data folder, which then triggers a script to be written to the temporary folder. The script is executed through different methods, including using MSBuild.exe, to abuse legitimate system tools for malicious purposes. This allows attackers to connect to blockchain endpoints, hide their activity, and inject code into browsers to harvest login data.
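The two chains above (Windows Terminal spawning PowerShell with a hex blob, a renamed 7-Zip extracting the payload, a batch file in the local app data folder, and MSBuild.exe running a file from the temp folder) each leave a distinct mark in process-creation telemetry. The following detection sketch is an added example, not code from the article or from Microsoft: it runs a handful of hunting rules over constructed, Sysmon-style process-creation records (the field names `image`, `parent_image`, `command_line` and `original_file_name` mirror Sysmon Event ID 1, but the sample paths, the 40-byte hex threshold and the placeholder "second stage" string are assumptions made for the demo) and also decodes any hex blob it finds so an analyst can triage what was pasted.

```python
"""Hunting rules for the ClickFix Windows Terminal chain, run over constructed
process-creation records. Field names follow Sysmon Event ID 1 (assumption);
all paths and command lines below are made up for the demo, not real telemetry."""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcEvent:
    image: str                   # full path of the created process
    parent_image: str            # full path of the parent process
    command_line: str
    original_file_name: str = ""  # PE version-info name (survives renaming)


SHELLS = {"powershell.exe", "pwsh.exe"}
TERMINALS = {"windowsterminal.exe", "wt.exe"}        # parent when launched via Win+X, I
SEVEN_ZIP_NAMES = {"7z.exe", "7za.exe", "7zr.exe"}   # console builds of 7-Zip
# 40+ contiguous hex bytes: ordinary command lines almost never contain this (threshold is an assumption)
HEX_BLOB = re.compile(r"(?:[0-9a-f]{2}){40,}", re.I)
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.I)
BATCH_IN_LOCALAPPDATA = re.compile(r"\\appdata\\local\\[^\s\"']*\.(?:bat|cmd)\b", re.I)

# Placeholder stage-two text used to build the constructed hex blob (not a real payload)
DEMO_STAGE = "Write-Host 'constructed placeholder, not a real second stage'"


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_hex_preview(command_line: str, limit: int = 80) -> str:
    """Decode the first hex blob in a command line for analyst triage; empty if none."""
    m = HEX_BLOB.search(command_line)
    if not m:
        return ""
    return bytes.fromhex(m.group(0)).decode("utf-8", errors="replace")[:limit]


def detect(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Return (rule_name, process_name) pairs for every record matching a hunting rule."""
    findings = []
    for e in events:
        img, parent = basename(e.image), basename(e.parent_image)
        cl = e.command_line
        # Rule 1: a shell started from Windows Terminal whose command line carries a hex blob
        if img in SHELLS and parent in TERMINALS and HEX_BLOB.search(cl):
            findings.append(("hex_blob_from_terminal", img))
        # Rule 2: a binary whose internal name is 7-Zip but whose on-disk name is not
        if e.original_file_name.lower() in SEVEN_ZIP_NAMES and img not in SEVEN_ZIP_NAMES:
            findings.append(("renamed_7zip", img))
        # Rule 3: PowerShell running a batch file dropped under the local app data folder
        if img == "cmd.exe" and parent in SHELLS and BATCH_IN_LOCALAPPDATA.search(cl):
            findings.append(("batch_from_localappdata", img))
        # Rule 4: MSBuild.exe building something out of the temp folder
        if img == "msbuild.exe" and TEMP_DIR.search(cl):
            findings.append(("msbuild_from_temp", img))
    return findings


def sample_events() -> List[ProcEvent]:
    """Constructed records mirroring the chain in the article, plus benign look-alikes."""
    user = r"C:\Users\alice"
    wt = r"C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_x64\WindowsTerminal.exe"
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    cmd = r"C:\Windows\System32\cmd.exe"
    explorer = r"C:\Windows\explorer.exe"
    hex_blob = DEMO_STAGE.encode().hex()
    return [
        ProcEvent(wt, explorer, "WindowsTerminal.exe"),                       # benign launch
        ProcEvent(ps, wt, f"powershell.exe -NoProfile -Command \"$h='{hex_blob}'\""),
        ProcEvent(rf"{user}\AppData\Local\Temp\svchelper.exe", ps,
                  "svchelper.exe x payload.zip", original_file_name="7z.exe"),
        ProcEvent(cmd, ps, rf'cmd.exe /c "{user}\AppData\Local\update.bat"'),
        ProcEvent(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe", cmd,
                  rf"MSBuild.exe {user}\AppData\Local\Temp\build.xml"),
        ProcEvent(ps, explorer, "powershell.exe -NoProfile -Command Get-Process"),  # benign
        ProcEvent(r"C:\Program Files\7-Zip\7z.exe", explorer, "7z.exe a backup.zip docs",
                  original_file_name="7z.exe"),                                  # benign 7-Zip
    ]


if __name__ == "__main__":
    evs = sample_events()
    for rule, proc in detect(evs):
        print(f"{rule:26} {proc}")
    print("decoded blob:", decode_hex_preview(evs[1].command_line))
```

Rule 2 is the one worth copying: because `OriginalFileName` comes from the PE version resource, it survives the renaming the article describes, so matching on it instead of the on-disk name catches the "legitimate tool" step regardless of what the attacker called the file. The hex threshold and folder patterns are starting points to tune against your own baseline of terminal and build-tool usage.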
Is This Really New or Just a Variation?
Many security experts argue that this method isn’t entirely new. A cybersecurity advisor noted that using Windows + X instead of Windows + R has been seen in attacks for at least six months, if not longer. The core techniques, like pasting commands into the terminal and using legitimate system tools for malicious ends, have been around for some time.
However, the increasing frequency of these ClickFix attacks means organizations must stay vigilant. Security awareness training still plays a critical role—employees should be taught that no legitimate process will ask them to press Windows + X or paste commands into the terminal. Recognizing these signs can help prevent successful infections and limit the damage caused by these evolving tactics.