NextFin News - Microsoft Threat Intelligence has uncovered a sophisticated evolution of the "ClickFix" social engineering tactic, where attackers are now weaponizing the Windows Terminal app to bypass traditional security defenses and deploy the Lumma Stealer malware. The campaign, which surged in February 2026, marks a strategic shift away from the well-documented abuse of the Windows Run dialog, instead tricking users into executing privileged commands through a terminal emulator that many associate with legitimate administrative tasks.
The attack begins with deceptive web pages—often disguised as fake CAPTCHA verifications or technical support prompts—that instruct users to press the "Windows + X" shortcut followed by "I" to launch Windows Terminal. By moving the field of play to wt.exe, the threat actors exploit a psychological blind spot: users are more likely to trust a command-line environment that appears professional and "official" compared to the more basic Run box. Once the terminal is open, the victim is prompted to paste a hex-encoded, XOR-compressed command, which triggers a multi-stage infection chain designed to evade detection by standard endpoint protection tools.
According to Microsoft, the technical execution of this campaign is notably complex. The initial pasted command spawns additional PowerShell instances to decode a script, which then downloads a ZIP payload and a renamed 7-Zip binary. This utility extracts the malware, sets up persistence via scheduled tasks, and configures exclusions in Microsoft Defender to ensure the infection remains undisturbed. The final objective is the deployment of Lumma Stealer, which uses the QueueUserAPC() process injection technique to hide within "chrome.exe" and "msedge.exe" processes, where it can silently harvest login credentials and sensitive browser data.
This shift to Windows Terminal represents a calculated response to the security industry's success in flagging Run dialog abuse. By leveraging "Living off the Land" binaries (LOLBins) like MSBuild.exe and utilizing etherhiding techniques—connecting to Crypto Blockchain RPC endpoints to hide malicious traffic—the attackers have created a workflow that is difficult for automated systems to distinguish from legitimate developer or IT admin activity. The use of randomized file names and multi-stage decoding further complicates the forensic trail, making real-time intervention a significant challenge for enterprise security teams.
The broader implications for corporate security are stark. As attackers move higher up the stack of trusted system tools, the traditional reliance on "don't click this link" training is proving insufficient. This campaign demonstrates that social engineering has moved into the realm of "don't follow these system instructions," a much harder behavior to unlearn when the instructions mimic the troubleshooting steps a legitimate IT professional might provide. The focus on stealing high-value browser artifacts suggests that the ultimate goal remains the compromise of corporate accounts and financial data, a threat that continues to grow as more business operations migrate to the cloud.
Explore more exclusive insights at nextfin.ai.
