Microsoft Threat Intelligence has identified a new variant of the ClickFix social-engineering campaign that talks Windows users into opening Windows Terminal themselves (Win+X, then I) and pasting a malicious PowerShell command into it. Earlier ClickFix lures used the Run dialog; this variant instead relies on the legitimacy of Windows Terminal, a signed Microsoft tool that developers and administrators use every day, so the pasted command blends in with normal activity and evades security detections. The command kicks off a multi-stage infection chain that involves 7-Zip, tampers with Microsoft Defender exclusions, and in some cases fetches stages through EtherHiding infrastructure (payloads stored in smart contracts on a public blockchain), before finally deploying Lumma Stealer to harvest credentials from the Chrome and Edge browsers.
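As an added triage example (this script is not from the Microsoft or Register write-ups), the following PowerShell checks a host for the two host-side artefacts the summary describes: Defender exclusion tampering and a PowerShell one-liner launched from Windows Terminal. It assumes Defender is the active engine, that Script Block Logging (event 4104) and Audit Process Creation (event 4688) are enabled, and that a pasted ClickFix command contains `Add-MpPreference`/`Set-MpPreference` or references 7-Zip; those regex patterns are my assumptions about such one-liners, not indicators published for this campaign.

```powershell
# Added triage example; not code from Microsoft Threat Intelligence or The Register.
# Assumptions: Defender is the active AV, Script Block Logging (4104) and Audit Process
# Creation (4688) are enabled, and the script is run elevated. The regexes are guesses
# about what a pasted ClickFix one-liner contains, not indicators from the campaign.
param([int]$LookbackDays = 7)

$since = (Get-Date).AddDays(-$LookbackDays)

# 1. Exclusions in effect right now. On a user workstation with no change record,
#    any path or process exclusion deserves a look.
Write-Host "== Defender exclusions in effect ==" -ForegroundColor Cyan
$pref = Get-MpPreference
[pscustomobject]@{
    Paths      = $pref.ExclusionPath
    Processes  = $pref.ExclusionProcess
    Extensions = $pref.ExclusionExtension
} | Format-List

# 2. Defender configuration changes (event 5007). The message text names the registry
#    key that changed, so an exclusion edit shows up as ...\Exclusions\Paths\... etc.
Write-Host "== Exclusion changes recorded by Defender (event 5007) ==" -ForegroundColor Cyan
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5007
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '\\Exclusions\\' } |
    Select-Object TimeCreated, Message | Format-List

# 3. Script blocks (event 4104) that touch Defender exclusions or call 7-Zip.
#    Properties[2] is the ScriptBlockText field of a 4104 event.
Write-Host "== Suspicious script blocks (event 4104) ==" -ForegroundColor Cyan
$pattern = '(Add|Set)-MpPreference|-Exclusion(Path|Process|Extension)|\b7z(a|g)?(\.exe)?\b|7-Zip'
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[2].Value -match $pattern } |
    ForEach-Object {
        $text = ($_.Properties[2].Value -replace '\s+', ' ')
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Snippet = $text.Substring(0, [Math]::Min(200, $text.Length))
        }
    } | Format-List

# 4. PowerShell processes whose parent is Windows Terminal (event 4688). Matching on the
#    rendered message avoids hard-coding property indices (English-locale field names).
#    "Process Command Line" is only populated when the "Include command line in process
#    creation events" policy is on. On Windows 11, where Terminal is the default console
#    host, this parent/child pair is normal, so correlate it with hits from steps 2 and 3
#    rather than alerting on it alone.
Write-Host "== PowerShell launched from Windows Terminal (event 4688) ==" -ForegroundColor Cyan
Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4688
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Message -match 'New Process Name:\s+\S+\\(powershell|pwsh)\.exe' -and
        $_.Message -match 'Creator Process Name:\s+\S+\\WindowsTerminal\.exe'
    } |
    ForEach-Object {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            CommandLine = [regex]::Match($_.Message, 'Process Command Line:\s*(.*)').Groups[1].Value
        }
    } | Format-List
```

Run it as `.\Triage-ClickFixTerminal.ps1 -LookbackDays 14` from an elevated prompt. A hit in step 2 or 3 that is not backed by a change ticket is the finding; step 4 only tells you which paste session to pull the full 4104 script block and command line for. If nothing appears in step 3, confirm Script Block Logging is actually enabled before concluding the host is clean.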

From go.theregister.com