ClickFix: Social engineering that turns Windows Terminal into input door to steal data

Published · 5 min read

Recently, Microsoft security researchers raised the alarm about a social engineering campaign that takes advantage of a legitimate piece of the Windows ecosystem to induce victims to run malicious code. Instead of asking people to open the Run box and paste a command, a tactic that is already well known and monitored by many detection solutions, the attackers guide users to launch the Windows Terminal application directly, which makes the operation look more technical and, in the user's eyes, more legitimate. You can read the Microsoft team's original explanation in its public thread on X, and a general description of the application itself in its Wikipedia entry.

The trap starts on web pages that simulate verification processes (fake CAPTCHAs, troubleshooting instructions or verification forms) and ask the visitor to copy a seemingly harmless block of text. That text is not a direct command but an encoded string: hex-encoded data that has also been compressed and XOR-obfuscated to hide its purpose. If the user pastes that string into a Windows Terminal session and runs it, the flow spawns further command interpreters and PowerShell sessions until a process that decodes and decompresses the original script is finally invoked.
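As an added example (not code from the original article or from Microsoft's write-up), the following PowerShell function scores script-block text for the traits just described: a long hex blob, XOR decoding, decompression, nested interpreters, execution of runtime-generated text, and hidden-window or policy-bypass switches. The sample strings are constructed, and the suspicious one is a deliberately non-functional skeleton. It assumes script block logging is enabled, so that Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log carries the script text; the three-indicator threshold is an assumption to tune against your own baseline.

```powershell
# Added example, not from the article: heuristic scoring of PowerShell script-block text
# for the encoded-chain pattern (hex blob, XOR, decompression, nested interpreters).
# Assumption: script block logging is enabled, so Event ID 4104 in
# Microsoft-Windows-PowerShell/Operational carries the script text (Properties[2]).

function Test-SuspiciousScriptBlock {
    param([Parameter(Mandatory)][string]$ScriptText)

    $indicators = @()
    # 64+ consecutive hex digits: typical of an embedded encoded payload, rare in admin commands
    if ($ScriptText -match '(?i)(?:[0-9a-f]{2}){32,}') { $indicators += 'LongHexBlob' }
    # XOR-based decoding of that blob
    if ($ScriptText -match '(?i)-bxor') { $indicators += 'XorDecode' }
    # Decompression of the decoded bytes
    if ($ScriptText -match '(?i)(GzipStream|DeflateStream|IO\.Compression)') { $indicators += 'Decompression' }
    # Two or more interpreter names in one block (cmd -> powershell -> ...)
    if ([regex]::Matches($ScriptText, '(?i)\b(cmd|powershell|pwsh)(\.exe)?\b').Count -ge 2) { $indicators += 'NestedInterpreters' }
    # Executing text produced at runtime
    if ($ScriptText -match '(?i)(Invoke-Expression|\biex\b|\[scriptblock\]::Create)') { $indicators += 'DynamicExecution' }
    # Hidden window or execution-policy bypass switches
    if ($ScriptText -match '(?i)(-w(indowstyle)?\s+hidden|-e(xecutionpolicy|p)\s+bypass)') { $indicators += 'HiddenOrBypass' }

    [pscustomobject]@{
        Score      = $indicators.Count
        Suspicious = $indicators.Count -ge 3     # threshold is an assumption; tune to your baseline
        Indicators = $indicators -join ','
        Preview    = $ScriptText.Substring(0, [Math]::Min(60, $ScriptText.Length))
    }
}

# Constructed samples: two ordinary admin commands and one deliberately non-functional
# skeleton with the shape the article describes (the "..." are literal text, not elided code).
$samples = @(
    'Get-ChildItem C:\Logs -Filter *.log | Sort-Object LastWriteTime',
    'Get-Process | Where-Object CPU -gt 100 | Format-Table Name, CPU',
    ('cmd /c powershell -w hidden -ep bypass -c "$h=''' + ('4a' * 40) + ''';$b=... -bxor 0x2a ...;New-Object IO.Compression.GzipStream ...;iex $s"')
)

$samples | ForEach-Object { Test-SuspiciousScriptBlock -ScriptText $_ } |
    Format-Table Score, Suspicious, Indicators, Preview -AutoSize

# Live use on a host (not run here):
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } |
#     ForEach-Object { Test-SuspiciousScriptBlock -ScriptText $_.Properties[2].Value } |
#     Where-Object Suspicious
```

The two admin commands score 0 and the skeleton scores 6. Feeding the function real 4104 events (the commented Get-WinEvent pipeline) turns it into a quick hunt, and because script block logging records what PowerShell actually compiles, the later decoded stages of such a chain appear as their own 4104 entries rather than staying hidden inside the hex blob.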

Image generated with AI.

The result of this decoding is the download of artifacts that include a multi-stage ZIP file for the attack and a legitimate copy of 7-Zip, renamed and stored on disk under a random name. When run, this utility extracts the ZIP and triggers a chain of actions that establish persistence on the machine, disable controls and exfiltrate data. The adversaries go as far as creating scheduled tasks to ensure their presence, adding exclusions to Microsoft Defender and finally deploying a credential stealer known as Lumma Stealer.

One of the most technically relevant techniques is the use of QueueUserAPC, a Windows API that queues a user-mode asynchronous procedure call to a thread of an existing process, and which attackers abuse to run code inside processes that are already running. In this case, the stealer ends up being injected into browser processes such as chrome.exe and msedge.exe to read the local databases where passwords and other valuable artifacts are usually stored. If you want to review the technical description of that API call, the official Microsoft documentation details the QueueUserAPC() function.

The researchers also observed an alternative path: instead of a decoded string that triggers PowerShell, the compressed command can download a randomly named batch script into AppData, which in turn generates a VBScript file in the Temp folder. This batch file is run with special parameters and is relaunched through MSBuild.exe, a legitimate binary that many administrators use to compile .NET projects. Abusing system tools, the so-called LOLBins or "living-off-the-land binaries", makes it easier to evade controls because the malicious software hides behind trusted executables; MITRE catalogues this type of technique in its ATT&CK framework, including the entries related to MSBuild.
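The process lineage in both variants (a shell spawning MSBuild.exe, a script host, or a random-named executable from AppData or Temp) is easier to spot than the payload itself. The following is an added example, not code from the article, of a check over process-creation records: the field names follow Security event 4688 (ParentProcessName, NewProcessName, CommandLine), the records are constructed, and PLACEHOLDER stands in for the random names the article mentions.

```powershell
# Added example, not from the article: flag the process lineage described above
# (interpreter -> MSBuild.exe, or a script host / executable launched from a user-writable path).
# Field names mirror Security event 4688; the records at the bottom are constructed.

function Test-ProcessCreation {
    param([Parameter(Mandatory)][hashtable]$Event)

    $parent  = [IO.Path]::GetFileName([string]$Event.ParentProcessName)
    $child   = [IO.Path]::GetFileName([string]$Event.NewProcessName)
    $cmd     = [string]$Event.CommandLine
    $reasons = @()

    $interpreters = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'WindowsTerminal.exe'
    $userWritable = '(?i)\\(AppData|Temp|Users\\Public|ProgramData)\\'

    # MSBuild started by a shell rather than by an IDE or build agent
    if ($child -ieq 'MSBuild.exe' -and ($parent -in $interpreters)) { $reasons += 'MSBuildFromShell' }
    # MSBuild pointed at a file in a user-writable location
    if ($child -ieq 'MSBuild.exe' -and $cmd -match $userWritable) { $reasons += 'MSBuildInputInUserPath' }
    # Script hosts running content from Temp/AppData
    if (($child -in 'wscript.exe', 'cscript.exe') -and $cmd -match $userWritable) { $reasons += 'ScriptHostFromUserPath' }
    # Any image living in a user-writable folder and spawned by an interpreter (e.g. a renamed archiver)
    if (([string]$Event.NewProcessName) -match $userWritable -and ($parent -in $interpreters)) { $reasons += 'ExeFromUserPath' }

    [pscustomobject]@{
        Parent  = $parent
        Child   = $child
        Reasons = $reasons -join ','
        Alert   = $reasons.Count -gt 0
    }
}

# Constructed records: a normal IDE build followed by two shaped like the campaign's chain.
$records = @(
    @{ ParentProcessName = 'C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe'
       NewProcessName    = 'C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe'
       CommandLine       = 'MSBuild.exe C:\src\App\App.csproj /t:Build' },
    @{ ParentProcessName = 'C:\Windows\System32\cmd.exe'
       NewProcessName    = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe'
       CommandLine       = 'MSBuild.exe C:\Users\victim\AppData\Roaming\PLACEHOLDER' },
    @{ ParentProcessName = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       NewProcessName    = 'C:\Users\victim\AppData\Local\Temp\PLACEHOLDER.exe'
       CommandLine       = 'PLACEHOLDER.exe x stage.zip' }
)

$records | ForEach-Object { Test-ProcessCreation -Event $_ } | Format-Table -AutoSize
```

The IDE build produces no alert; the second record raises MSBuildFromShell and MSBuildInputInUserPath, and the third raises ExeFromUserPath. In production the same function can be applied to 4688 events (with command-line auditing enabled) or to Sysmon process-creation events, whose fields map directly onto the three used here.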

Another interesting detail that Microsoft reports is the apparent connection with blockchain services: part of the script communicates with blockchain RPC endpoints, suggesting an "EtherHiding" technique to blend in with legitimate traffic or camouflage its exfiltration communications. While all this happens, the malware continues with its main task: collecting browser data (the Web Data and Login Data databases) and sending it to servers controlled by the attackers.

Beyond the concrete technique, the disturbing thing about this campaign is the combination of social engineering and abuse of legitimate software. The attackers rely on the perception of trustworthiness that a modern tool like Windows Terminal enjoys, and on the convenience of the suggested keyboard shortcut (Windows + X, then I), to convince the victim that what they are doing is routine and safe.

For users and security teams, there are several practical implications. The first is to remember that no trustworthy site will ever ask you to run arbitrary commands on your machine as a verification step. If a website asks you to paste instructions into a terminal, that is a strong risk indicator: close the page and check through official channels with the service that supposedly requests the action. In addition, organizations should review their exclusion and deployment policies to make sure no shortcuts are being created that attackers can benefit from. Microsoft publishes guidance on managing Defender exclusions that can be useful for administrators: Defender's Exclusions Guide.

It is also advisable to apply complementary technical controls: filter or block downloads from suspicious pages, restrict the execution of renamed binaries in temporary locations, monitor the creation of unusual scheduled tasks, and watch for processes that inject code into browsers. Behaviour-based detections, together with least-privilege permissions (avoiding the use of accounts with unnecessary privileges), reduce the attack surface. For general advice on recognizing and avoiding phishing and similar scams, CISA's Stop.Think.Connect. initiative offers useful resources: recommendations for phishing detection.


If you suspect that a machine has been compromised by this campaign, isolate it from the network, collect evidence for forensic analysis (PowerShell logs, process creation and execution events, and process chains), and run a scan with up-to-date tools. The presence of renamed legitimate executables, new scheduled tasks or recent exclusions in antivirus solutions are signs that deserve immediate investigation.
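As an added example serving both the preventive review of exclusions and scheduled tasks above and the triage steps in this paragraph (it is not code from the article), the following PowerShell pass collects the host artefacts the article names: every Defender exclusion, scheduled tasks registered within a lookback window and what they execute, executables in user-writable folders whose version resource still identifies them as 7-Zip despite a different file name, and whether script block logging is on. Run it elevated on the suspect host after isolating it; the seven-day lookback, the folder list and the flagging rules are assumptions for illustration.

```powershell
# Added example, not from the article: read-only triage of the host artefacts the
# article names. Run elevated. Lookback, folder list and flagging rules are assumptions.

$LookbackDays = 7
$cutoff       = (Get-Date).AddDays(-$LookbackDays)
$findings     = [System.Collections.Generic.List[object]]::new()
$userWritable = '(?i)\\(Temp|AppData|Users\\Public|ProgramData)\\'

# 1. Defender exclusions: list them all; flag paths in user-writable folders and every process exclusion.
$pref = Get-MpPreference
foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
    foreach ($value in @($pref.$kind)) {
        if (-not $value) { continue }
        $flag = ($value -match $userWritable) -or ($kind -eq 'ExclusionProcess')
        $findings.Add([pscustomobject]@{ Check = 'DefenderExclusion'; Flag = $flag; Detail = "$kind = $value" })
    }
}

# 2. Scheduled tasks registered within the lookback window, with what they execute.
foreach ($task in Get-ScheduledTask) {
    $registered = $null
    try { if ($task.Date) { $registered = [datetime]$task.Date } } catch { }
    if (-not $registered -or $registered -lt $cutoff) { continue }
    foreach ($action in $task.Actions) {
        $exec = "$($action.Execute) $($action.Arguments)".Trim()
        $flag = $exec -match ($userWritable + '|(?i)(MSBuild|powershell|cmd\.exe|wscript|cscript)')
        $findings.Add([pscustomobject]@{ Check = 'NewScheduledTask'; Flag = $flag; Detail = "$($task.TaskPath)$($task.TaskName): $exec" })
    }
}

# 3. Executables in user-writable folders whose version resource says "7-Zip" but whose
#    file name differs from the original: renaming a PE does not alter its version info.
$roots = @($env:TEMP, $env:LOCALAPPDATA, $env:APPDATA, $env:ProgramData, 'C:\Users\Public') | Where-Object { $_ }
Get-ChildItem -Path $roots -Recurse -File -Include *.exe -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt $cutoff -or $_.LastWriteTime -gt $cutoff } |
    ForEach-Object {
        $vi = $_.VersionInfo
        if ($vi.ProductName -like '*7-Zip*' -and $vi.OriginalFilename -and $_.Name -ne $vi.OriginalFilename) {
            $findings.Add([pscustomobject]@{ Check = 'Renamed7Zip'; Flag = $true; Detail = "$($_.FullName) (original name: $($vi.OriginalFilename))" })
        }
    }

# 4. Is script block logging on? Without it, the PowerShell logs worth collecting will be thin.
$sbl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -ErrorAction SilentlyContinue
$findings.Add([pscustomobject]@{ Check = 'ScriptBlockLogging'; Flag = ($sbl.EnableScriptBlockLogging -ne 1); Detail = "EnableScriptBlockLogging = $($sbl.EnableScriptBlockLogging)" })

# Show flagged items first and keep a copy for the forensic timeline before remediating anything.
$findings | Sort-Object Flag -Descending | Format-Table Check, Flag, Detail -AutoSize -Wrap
$findings | Export-Csv -Path "$env:USERPROFILE\clickfix-triage-$(Get-Date -Format 'yyyyMMdd-HHmm').csv" -NoTypeInformation
```

The script changes nothing on the host: it only reads Defender preferences, the task scheduler, file metadata and one registry key, and writes its findings to a CSV so the evidence survives whatever remediation follows. Flagged items are prompts for review rather than verdicts; a process exclusion or a PowerShell-based task may be legitimate, but each one on a machine where the campaign's paste step is suspected deserves a second look.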

In short, the campaign known as "ClickFix" illustrates a classic lesson that still applies: legitimate technology can become dangerous when people are manipulated into using it to their own detriment. User awareness, prudent security configuration and policies on the use of administrative tools are the first line of defence against threats that combine social engineering with advanced infection techniques.

To dig deeper into the technical details and specific response recommendations, you can consult the Microsoft intelligence team's post on X, the documentation for the API used for injection, QueueUserAPC(), and the official 7-Zip page if you need to verify the integrity of legitimate copies of that archiver on your systems.
