“And all Windows computers should already be restricted so that random, unsigned (not signed by the organization), PowerShell commands should not be allowed. Every organization and machine should already have the following PowerShell command setting: ‘Set-ExecutionPolicy Restricted -Force‘ enabled. If not, your organization’s cybersecurity risk is far higher than it needs to be.”
Payload chain ‘built to last’
Joshua Roback, principal security solution architect at Swimlane, noted the campaign outlined by Microsoft pushes the ClickFix playbook into more trusted, everyday workflows by getting users to run pasted command content inside legitimate Windows tooling that feels routine and safe. That matters, he said, because it slips past the usual mental red flags people associate with sketchy popups, and it can also dodge some of the controls and detections that security teams have tuned to the more obvious ClickFix patterns.
The payload chain is also more built to last than previous variants, he added. Instead of a quick one-and-done retrieval trick, it uses a more layered delivery and persistence approach that helps it blend in, stick around longer, and quietly escalate the damage once it lands. One path adds an additional indirection layer that helps the attacker’s infrastructure blend in and stay reachable, which can make takedowns and straightforward blocking a lot less effective.