ClickFix Malware Spreads Via Windows Terminal Lure

Microsoft disclosed a sophisticated social engineering campaign in February 2026 that weaponizes the legitimate Windows Terminal app to execute malware. This ClickFix campaign uses bogus CAPTCHA and troubleshooting pages to lure victims into pasting malicious commands, according to the company’s threat intelligence team.

This new method bypasses detections designed to flag Run dialog abuse by leveraging the trusted aura of administrative workflows. Consequently, the campaign tricks users into activating a privileged command execution environment within Windows Terminal.

When a user pastes the encoded command, it spawns multiple terminal instances to decode a script and download a payload. The attack chain then retrieves more payloads, sets persistence, configures Microsoft Defender exclusions, and exfiltrates machine data.

It ultimately deploys Lumma Stealer using a QueueUserAPC() injection technique into browser processes. “The stealer targets high-value browser artifacts, including Web Data and Login Data, harvesting stored credentials and exfiltrating them to attacker-controlled infrastructure,” Microsoft said.

Microsoft also observed a second pathway where the command downloads a batch script that abuses LOLBins. Meanwhile, this script connects to Crypto Blockchain RPC endpoints, indicating an etherhiding technique, and also injects code to harvest browser data.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

• 10K XRP To $1M? $100 Price Target Calculated
• Original Penguin files lawsuit against Pudgy Penguins
• BRICS Energy Agenda Under Pressure as Hormuz Crisis Fuels Oil Spike
• Solv Protocol Loses $2.7M in Exploit; Offers Bounty
• OKX Launches ‘Orbit’ Social Trading Feature in App