Microsoft on Thursday disclosed details of a new widespread ClickFix social engineering campaign that has leveraged the Windows Terminal app as a way to activate a sophisticated attack chain and deploy the Lumma Stealer malware.
The activity, observed in February 2026, uses the terminal emulator program instead of instructing users to launch the Windows Run dialog and paste a command into it.
"This campaign instructs targets to use the Windows + X → I shortcut to launch Windows Terminal (wt.exe) directly, guiding users into a privileged command execution environment that blends into legitimate administrative workflows and appears more trustworthy to users," the Microsoft Threat Intelligence team said in a series of posts on X.
What makes the latest variant notable is that it bypasses detections specifically designed to flag Run dialog abuse, not to mention takes advantage of the legitimacy of Windows Terminal to trick unsuspecting users into running malicious commands delivered via bogus CAPTCHA pages, troubleshooting prompts, or other verification-style lures.
The post-compromise attack chain is also distinctive: when the user pastes a hex-encoded, XOR-compressed command copied from the ClickFix lure page into a Windows Terminal session, it spawns additional Terminal/PowerShell instances to ultimately invoke a PowerShell process responsible for decoding the script.
This, in turn, leads to the download of a ZIP payload and a legitimate but renamed 7-Zip binary, the latter of which is saved to disk with a randomized file name. The utility then proceeds to extract the contents of the ZIP file, triggering a multi-stage attack chain that involves the following steps –
- Retrieving additional payloads
- Setting up persistence via scheduled tasks
- Configuring Microsoft Defender exclusions
- Exfiltrating device and network information
- Deploying Lumma Stealer using a technique called QueueUserAPC() by injecting the malware into "chrome.exe" and "msedge.exe" processes
"The stealer targets high-value browser artifacts, including Web Data and Login Data, harvesting saved credentials and exfiltrating them to attacker-controlled infrastructure," Microsoft said.
The Windows maker said it also detected a second attack pathway, as part of which, when the compressed command is pasted into Windows Terminal, it downloads a randomly named batch script to the "AppData\Local" folder via "cmd.exe" in order to write a Visual Basic Script to the Temp folder (aka %TEMP%).
"The batch script is then executed via cmd.exe with the /launched command-line argument. The same batch script is then executed via MSBuild.exe, resulting in LOLBin abuse," it added. "The script connects to crypto blockchain RPC endpoints, indicating an EtherHiding technique. It also performs QueueUserAPC()-based code injection into chrome.exe and msedge.exe processes to harvest Web Data and Login Data."
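The behaviours Microsoft describes above (a shell launched under Windows Terminal with a long hex-encoded command, a renamed 7-Zip binary, Defender exclusions, scheduled-task persistence, and MSBuild.exe running a batch script) can each be expressed as a rule over process-creation telemetry. The following is an added detection example written for this article, not code from Microsoft or from the campaign. It runs over a handful of constructed Sysmon-style process-creation records (the field names ParentImage, Image, OriginalFileName and CommandLine are assumptions modelled on Sysmon Event ID 1; the process names WindowsTerminal.exe and wt.exe are assumed to be how the terminal host appears in telemetry) and reports which rule each record trips.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events (Sysmon Event ID 1 style fields).
# These are not real telemetry from the campaign; paths and names are made up.
SAMPLE_EVENTS = [
    # 1: PowerShell started from Windows Terminal with a long hex blob on the
    #    command line, as a pasted ClickFix command would look.
    {"id": 1,
     "ParentImage": r"C:\Program Files\WindowsApps\Terminal\WindowsTerminal.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe -c " + "4a6f" * 40},
    # 2: Benign administrator session in Windows Terminal (should not fire).
    {"id": 2,
     "ParentImage": r"C:\Program Files\WindowsApps\Terminal\WindowsTerminal.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe Get-ChildItem C:\\Logs"},
    # 3: 7-Zip dropped under a random name (PE version info still says 7z.exe).
    {"id": 3,
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Users\user1\AppData\Local\Temp\k3j9x2.exe",
     "OriginalFileName": "7z.exe",
     "CommandLine": r"k3j9x2.exe x C:\Users\user1\AppData\Local\Temp\p.zip"},
    # 4: Defender exclusion added from a script.
    {"id": 4,
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe -NoProfile -Command \"Add-MpPreference "
                    "-ExclusionPath 'C:\\Users\\user1\\AppData\\Local'\""},
    # 5: Scheduled-task persistence created by a script host.
    {"id": 5,
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "OriginalFileName": "schtasks.exe",
     "CommandLine": r'schtasks.exe /Create /SC ONLOGON /TN Updater /TR "C:\x\a.exe"'},
    # 6: MSBuild.exe handed a batch file (LOLBin abuse described in the article).
    {"id": 6,
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "OriginalFileName": "MSBuild.exe",
     "CommandLine": r"MSBuild.exe C:\Users\user1\AppData\Local\ab12cd.bat"},
    # 7: Legitimately installed 7-Zip (should not fire).
    {"id": 7,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\7-Zip\7z.exe",
     "OriginalFileName": "7z.exe",
     "CommandLine": r"7z.exe a backup.7z C:\Docs"},
]

# A standalone run of 64 or more hex digits; pasted ClickFix payloads are far longer.
HEX_BLOB = re.compile(r"(?<![0-9A-Za-z])[0-9A-Fa-f]{64,}(?![0-9A-Za-z])")
BATCH_ARG = re.compile(r"\.(bat|cmd)(?=\s|\"|$)")
TERMINAL_HOSTS = {"wt.exe", "windowsterminal.exe"}   # assumption: how the host shows up
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def check_event(ev: dict) -> list:
    """Return the names of every rule the process-creation event matches."""
    parent = basename(ev.get("ParentImage", ""))
    image = basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")
    low = cmd.lower()
    orig = ev.get("OriginalFileName", "").lower()
    findings = []

    # Shell launched from Windows Terminal carrying a hex-encoded command.
    if parent in TERMINAL_HOSTS and image in SHELLS and HEX_BLOB.search(cmd):
        findings.append("clickfix_terminal_hex_command")
    # Binary whose version info says 7z.exe but whose on-disk name differs.
    if orig == "7z.exe" and image != "7z.exe":
        findings.append("renamed_7zip")
    # Defender exclusion configured from a shell.
    if image in SHELLS and "add-mppreference" in low and "-exclusion" in low:
        findings.append("defender_exclusion_added")
    # Scheduled task created by a script host rather than an interactive user.
    if image == "schtasks.exe" and "/create" in low and parent in SHELLS:
        findings.append("scheduled_task_persistence")
    # MSBuild.exe given a batch script instead of a project file.
    if image == "msbuild.exe" and BATCH_ARG.search(low):
        findings.append("msbuild_executes_batch")
    return findings


def analyze(events: list) -> dict:
    """Map event id -> matched rules, for events that match at least one rule."""
    return {ev["id"]: check_event(ev) for ev in events if check_event(ev)}


if __name__ == "__main__":
    for event_id, rules in analyze(SAMPLE_EVENTS).items():
        print(event_id, ", ".join(rules))
```

Each rule on its own would be noisy in a large estate (administrators do add Defender exclusions and create scheduled tasks), so the practical use is to correlate them in a short window under the same user session: a hex-blob shell spawned from Windows Terminal followed within minutes by a renamed 7-Zip, an exclusion and a scheduled task is a far stronger signal than any single record.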