MICROSOFT warns about a new variant of the ClickFix attack that uses Windows Terminal instead of the Run dialog to evade detection. This variant employs fake CAPTCHA pages and prompts to trick users into executing malicious PowerShell commands directly in an administrative environment, enhancing its appearance of legitimacy. The attacks initiate a multi-stage chain leading to a Lumma Stealer infection, leveraging scheduled tasks for persistence and evading anti-malware measures. Additionally, another variant utilizes a batch script for injecting malicious code into browser processes to exfiltrate sensitive information.
ClickFix Variant Uses Windows Terminal to Deliver Lumma Stealer
CyberSIXT Evidence Panel
Primary Source
x.com
Article by CyberSIXT