Cybersecurity experts have identified a fresh wave of ClickFix attacks exploiting Windows Terminal to insert malicious software directly onto computers. This latest method uses social engineering to prompt users into opening a command-line interface, making it more difficult to detect.
Evolution of ClickFix Attacks
Initially observed in early 2024, ClickFix attacks were first identified by Proofpoint researchers. These attacks used fake browser error messages to deceive users into executing harmful commands. The technique rapidly gained traction, and by 2025, ESET reported a 517% increase in such attacks, ranking them just behind phishing as a major cyber threat.
Traditionally, attackers employed fake CAPTCHA pages or security alerts to manipulate users. In February 2026, Microsoft Threat Intelligence noted a major ClickFix campaign that specifically targeted the Windows Terminal, instructing users to open it using keyboard shortcuts. This strategy allowed attackers to bypass security measures that monitor Run dialog misuse.
Impact and Mechanism of Latest Attack
The impact of these attacks is significant. Microsoft’s 2025 Digital Defense Report indicates that ClickFix now accounts for 47% of initial access incidents, surpassing phishing attacks. The final payload, Lumma Stealer, is designed to extract sensitive data like credentials from browsers such as Chrome and Edge.
Victims are led to compromised websites where hidden JavaScript copies an encoded PowerShell command to their clipboard. A fake verification prompt then instructs them to paste this command into Windows Terminal, executing the malware. The payload downloads additional malicious files silently, establishing persistence and stealing browser-stored data.
Defense Strategies and Recommendations
These attacks exploit human behavior rather than software vulnerabilities, making traditional patches ineffective. Security awareness and policy controls are essential defenses. Organizations should educate employees not to paste unknown commands into terminals prompted by websites.
Restricting Windows Terminal and PowerShell to administrative accounts through Group Policy is advised. Regular inspections of registry keys and scheduled tasks can help detect anomalies. Endpoint detection systems should monitor PowerShell activities initiated by wt.exe, and updating antimalware definitions is crucial.
As cyber threats evolve, staying informed and vigilant is critical. Follow CSN for more updates on cybersecurity developments.
