BTC $71,807
2026 Bull Run Is Building Start trading with 5% OFF all fees
Sign Up Now
BTC $71,807
Bull Run 2026 | 5% Off Fees Open your Binance account today
Sign Up

ClickFix Malware Spreads Via Windows Terminal Lure

ClickFix attack uses trusted Windows Terminal to deploy Lumma Stealer malware

  • A widespread social engineering scheme, dubbed ClickFix, is now using the legitimate Windows Terminal app to trick users and deploy malware.
  • The campaign bypasses security measures by guiding users to paste malicious commands into Windows Terminal, which appears more trustworthy than the traditional Run dialog.
  • The sophisticated attack chain ultimately deploys the Lumma Stealer malware, which steals valuable browser data like stored credentials, according to posts from the Microsoft Threat Intelligence team.

Microsoft disclosed a sophisticated social engineering campaign in February 2026 that weaponizes the legitimate Windows Terminal app to execute malware. This ClickFix campaign uses bogus CAPTCHA and troubleshooting pages to lure victims into pasting malicious commands, according to the company’s threat intelligence team.

- Advertisement -

This new method bypasses detections designed to flag Run dialog abuse by leveraging the trusted aura of administrative workflows. Consequently, the campaign tricks users into activating a privileged command execution environment within Windows Terminal.

When a user pastes the encoded command, it spawns multiple terminal instances to decode a script and download a payload. The attack chain then retrieves more payloads, sets persistence, configures Microsoft Defender exclusions, and exfiltrates machine data.

It ultimately deploys Lumma Stealer using a QueueUserAPC() injection technique into browser processes. “The stealer targets high-value browser artifacts, including Web Data and Login Data, harvesting stored credentials and exfiltrating them to attacker-controlled infrastructure,” Microsoft said.

Microsoft also observed a second pathway where the command downloads a batch script that abuses LOLBins. Meanwhile, this script connects to Crypto Blockchain RPC endpoints, indicating an etherhiding technique, and also injects code to harvest browser data.

- Advertisement -

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -
Ad
Altseason Is Loading. Don't watch from the sidelines.
SOL $90.51
DOGE $0.0963
LINK $9.02
SUI $1.00
5% off fees when you sign up
Start Trading
Ad
Pay Less on Every Trade. For Life.
$10K/mo volume Save $60/yr
$50K/mo volume Save $300/yr
$100K/mo volume Save $600/yr
5% off all trading fees when you sign up
Claim Your Discount

Latest News

Saylor and Back oppose BIP-110 fork over Bitcoin security fears

Michael Saylor and Adam Back have publicly opposed BIP-110, a temporary Bitcoin fork proposal...

China, India groups target Pakistani police in cyber espionage

Suspected China- and India-aligned threat actors targeted Pakistani law enforcement in a sustained cyber...

AMD Stock Dips 10% Amid AI Volatility Ahead of Q3 Earnings

AMD stock fell nearly 10% from $580 on June 30 to roughly $516 by...

Bitcoin Creator Back Warns BIP-110 Data Limit Could Split Network

Adam Back said Bitcoin has "robustly rejected" BIP-110, arguing the proposal conflicts with the...

Analyst Says Bitcoin Bear Market Nearing End as Momentum Slows

Bitcoin may be entering the latter stages of the bear market as downside momentum...

Must Read

9 Best Books On Ethereum And Blockchain Technology

QUICK LINKSHow to Choose Your First Blockchain Book: A Simple Framework1. Define Your Goal: Are you looking to Build, Invest, or Understand?2. Assess Your...
Ad
Altseason Is Loading. These 4 coins are trending right now.
SOL $92.12
DOGE $0.0950
LINK $9.02
SUI $1.02
5% off spot fees when you sign up
Start Trading