- A widespread social engineering scheme, dubbed ClickFix, is now using the legitimate Windows Terminal app to trick users and deploy malware.
- The campaign bypasses security measures by guiding users to paste malicious commands into Windows Terminal, which appears more trustworthy than the traditional Run dialog.
- The sophisticated attack chain ultimately deploys the Lumma Stealer malware, which steals valuable browser data like stored credentials, according to posts from the Microsoft Threat Intelligence team.
Microsoft disclosed a sophisticated social engineering campaign in February 2026 that weaponizes the legitimate Windows Terminal app to execute malware. This ClickFix campaign uses bogus CAPTCHA and troubleshooting pages to lure victims into pasting malicious commands, according to the company’s threat intelligence team.
This new method bypasses detections designed to flag Run dialog abuse by leveraging the trusted aura of administrative workflows. Consequently, the campaign tricks users into activating a privileged command execution environment within Windows Terminal.
When a user pastes the encoded command, it spawns multiple terminal instances to decode a script and download a payload. The attack chain then retrieves more payloads, sets persistence, configures Microsoft Defender exclusions, and exfiltrates machine data.
It ultimately deploys Lumma Stealer using a QueueUserAPC() injection technique into browser processes. “The stealer targets high-value browser artifacts, including Web Data and Login Data, harvesting stored credentials and exfiltrating them to attacker-controlled infrastructure,” Microsoft said.
Microsoft also observed a second pathway where the command downloads a batch script that abuses LOLBins. Meanwhile, this script connects to Crypto Blockchain RPC endpoints, indicating an etherhiding technique, and also injects code to harvest browser data.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
