Microsoft has recently unveiled a new and extensive social engineering campaign known as ClickFix, which leverages the Windows Terminal application to initiate a sophisticated attack vector aimed at deploying the Lumma Stealer malware. The Redmond-based tech giant shared these insights on Thursday, shedding light on how this campaign has been actively exploiting the built-in terminal emulator to trick users into executing malicious commands under the guise of legitimate administrative activities.
Exploiting Windows Terminal for Cyber Attacks
This campaign, observed in February 2026, creatively utilizes Windows Terminal by instructing users to employ the Windows + X → I shortcut. This shortcut directly opens Windows Terminal (wt.exe), guiding users into an environment that appears credible and trustworthy, thereby increasing the likelihood of successful command execution. According to the Microsoft Threat Intelligence team, this method circumvents traditional detection systems that are designed to identify abuses of the Run dialog, thereby enhancing the campaign’s effectiveness.
The attackers exploit the inherent trust users place in Windows Terminal to manipulate them into executing commands sourced from deceptive prompts like erroneous CAPTCHA verifications or troubleshooting requests. This tactic marks a significant evolution in the attackers’ techniques, blending legitimate tools with malicious intent.
Intricate Attack Chain Mechanisms
Once a user engages with the ClickFix lure page and pastes a hex-encoded, XOR-compressed command into Windows Terminal, a series of automated processes is triggered. The command initiates additional instances of Terminal and PowerShell, culminating in the launch of a PowerShell process that decodes a script leading to further actions. This includes downloading a ZIP file and a disguised 7-Zip binary, which is then used to extract the archive and execute a multi-stage attack sequence.
The subsequent stages of the attack involve retrieving additional payloads, establishing persistence through scheduled tasks, adding exclusions so that Microsoft Defender ignores certain activity, and exfiltrating data from the compromised machine. A notable technique within this sequence is the use of QueueUserAPC() to inject the Lumma Stealer malware into the ‘chrome.exe’ and ‘msedge.exe’ processes, targeting high-value browser data such as stored credentials and login information.
Alternative Attack Pathways and Techniques
In addition to the primary attack chain, Microsoft identified a secondary pathway where the compressed command, when executed in Windows Terminal, results in the download of a batch script to the AppData\Local directory. This batch script, executed via cmd.exe, writes a Visual Basic Script to the Temp folder, which is subsequently run with specific command-line arguments. The script then abuses legitimate Windows binaries (living-off-the-land binaries, or LOLBins) and establishes connections to cryptocurrency blockchain RPC endpoints, a technique referred to as EtherHiding.
The attackers employ similar QueueUserAPC()-based injection techniques in this pathway to access browser data, further emphasizing the campaign’s sophistication and the need for heightened awareness and protective measures against such evolving threats.
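Both pathways above begin with Windows Terminal spawning a shell that decodes and runs further stages, so one defensive response is to alert on that process lineage rather than on the Run dialog alone. The following is an added detection example, not code from Microsoft's report: it walks constructed process-creation events (simplified parentage, placeholder command lines) and flags shells descended from wt.exe or WindowsTerminal.exe whose command line shows decode-and-run, Defender-exclusion, scheduled-task or download behaviour; the indicator patterns are generic heuristics, not the campaign's actual signatures.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str

TERMINAL_IMAGES = {"wt.exe", "windowsterminal.exe"}   # Windows Terminal and its launcher alias
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe", "schtasks.exe"}
# Heuristic command-line indicators for the stages described in the article
# (decode-and-execute, Defender exclusion, scheduled-task persistence, download).
INDICATORS = {
    "decode-and-execute": re.compile(r"(?i)(\biex\b|invoke-expression|frombase64string|\s-e(c|nc|ncodedcommand)?\b)"),
    "defender-exclusion": re.compile(r"(?i)add-mppreference\s+-exclusion"),
    "scheduled-task": re.compile(r"(?i)schtasks(\.exe)?\s+/create"),
    "download": re.compile(r"(?i)(downloadstring|downloadfile|invoke-webrequest|\biwr\b|curl\.exe)"),
}

# Constructed sample telemetry (not real events): explorer -> wt.exe -> PowerShell
# decode stage -> Defender exclusion and schtasks, plus a benign Terminal session.
SAMPLE_EVENTS = [
    ProcEvent(100, 1,   r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Users\user\AppData\Local\Microsoft\WindowsApps\wt.exe", "wt.exe"),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -NoProfile -Command "$p = [CONSTRUCTED_DECODED_STAGE]; iex $p"'),
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -Command "Add-MpPreference -ExclusionPath C:\Users\Public"'),
    ProcEvent(500, 300, r"C:\Windows\System32\schtasks.exe",
              r"schtasks.exe /create /sc minute /mo 5 /tn Updater /tr C:\Users\Public\u.exe"),
    ProcEvent(600, 100, r"C:\Users\user\AppData\Local\Microsoft\WindowsApps\wt.exe", "wt.exe"),
    ProcEvent(700, 600, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe Get-ChildItem"),   # benign interactive use, must not alert
]

def basename(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def has_terminal_ancestor(ev: ProcEvent, by_pid: dict, max_depth: int = 8) -> bool:
    # Walk up the parent chain looking for Windows Terminal (bounded to avoid pid-reuse loops)
    cur = by_pid.get(ev.ppid)
    for _ in range(max_depth):
        if cur is None:
            return False
        if basename(cur.image) in TERMINAL_IMAGES:
            return True
        cur = by_pid.get(cur.ppid)
    return False

def find_suspicious(events):
    # Returns (pid, [matched indicator names]) for shells rooted in a Terminal session
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if basename(ev.image) not in SHELL_IMAGES or not has_terminal_ancestor(ev, by_pid):
            continue
        reasons = [name for name, rx in INDICATORS.items() if rx.search(ev.cmdline)]
        if reasons:
            hits.append((ev.pid, reasons))
    return hits
```

Feed the same logic real Sysmon Event ID 1 or Defender for Endpoint process-creation records, and treat the Defender-exclusion and scheduled-task indicators as high-confidence regardless of parent when tuning for your estate.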
Microsoft’s disclosure of this complex attack highlights the continuous evolution of cyber threat tactics, underscoring the importance of robust cybersecurity measures and user vigilance in identifying and mitigating such sophisticated schemes.
