Microsoft Threat Intelligence has disclosed a large-scale ClickFix social engineering campaign in which threat actors abuse Windows Terminal (wt.exe) to execute a multi-stage attack chain and deploy the Lumma Stealer infostealer. The activity, observed in February 2026, is primarily aimed at stealing browser-stored credentials and other sensitive data from compromised systems.
ClickFix social engineering: abusing Windows Terminal instead of the Run dialog
Previous phishing and support-scam campaigns commonly tricked users into opening the classic Run dialog and pasting a malicious command there. In the updated ClickFix campaign, attackers have shifted tactics: victims are instructed to press Windows + X, then I to launch Windows Terminal directly, making the operation look more legitimate and “IT-like”.
According to Microsoft, Windows Terminal is perceived by many users as a tool for administrative maintenance and troubleshooting. Attack sites present fake CAPTCHA challenges, verification pages, diagnostic pop-ups, or step‑by‑step “fix” guides, all designed to persuade the victim to manually copy and paste a seemingly technical command into Windows Terminal.
The key advantage for attackers is evasion of security controls tuned to the Run dialog. Many endpoint defenses look specifically for suspicious use of Run, while wt.exe often blends into normal administrative workflows. This subtle change in user instructions significantly reduces the chance of automated detection.
Technical analysis: from obfuscated commands to Lumma Stealer deployment
Obfuscated hex/XOR payload and PowerShell execution
On the ClickFix lure page, users are given a long command string that is hex-encoded and compressed with XOR-based obfuscation. Once pasted into Windows Terminal, this command spawns additional instances of wt.exe and PowerShell, ultimately establishing a dedicated PowerShell process responsible for decoding and executing the malicious payload.
This approach allows attackers to hide the real logic of the malware behind layers of encoding, making static and simple behavioral detection more difficult. PowerShell, which is deeply integrated into Windows administration, continues to be a favored tool for adversaries because blocking it outright is often impractical in enterprise environments.
ZIP payload delivery, 7-Zip LOLBin, and Lumma Stealer installation
The decoded PowerShell script downloads a ZIP archive along with a legitimate 7-Zip executable that has been renamed to a random file name. In this context, 7-Zip is used as a LOLBin (Living-off-the-Land Binary)—a trusted, signed tool repurposed for malicious actions—complicating detection based on process reputation or simple allowlists.
After extraction, a multi-stage execution chain culminates in the deployment of Lumma Stealer. This infostealer focuses on high‑value browser artifacts, particularly the Web Data and Login Data files that store saved logins, passwords, and autofill information. Stolen data is packaged and exfiltrated to attacker‑controlled infrastructure, enabling account takeover, lateral movement, and resale on cybercrime markets.
Alternative infection path: batch scripts, MSBuild abuse, and etherhiding
Microsoft has also documented a second ClickFix infection chain. In this variant, the compressed command executed in Windows Terminal downloads a randomly named batch script (.bat) into the %LocalAppData% directory via cmd.exe. This batch file then creates a Visual Basic Script (VBS) in %TEMP% and writes additional malicious logic to disk.
The batch script is run again through cmd.exe with the /launched argument and additionally executed via MSBuild.exe—a classic example of MSBuild LOLBin abuse, where built-in development tools are misused to execute arbitrary code without dropping traditional executables that are easier to flag.
In this chain, the malware communicates with cryptocurrency blockchain RPC endpoints, indicating the use of etherhiding—a technique where command‑and‑control and data exchange are disguised as legitimate queries to blockchain nodes. The malware further employs QueueUserAPC()-based code injection into chrome.exe and msedge.exe processes, covertly extracting the same Web Data and Login Data directly from running browsers.
Why the ClickFix Lumma Stealer campaign is so dangerous
The operation combines two dominant trends in contemporary cybercrime: highly tailored social engineering and the widespread use of infostealers offered as Malware‑as‑a‑Service (MaaS). Industry reports, such as the Verizon Data Breach Investigations Report, repeatedly show that the majority of breaches involve a human element—phishing, pretexting, or user error—rather than pure exploit chains.
Organizations are particularly exposed where Windows Terminal, PowerShell, 7‑Zip, and MSBuild are heavily used for administration and DevOps. These tools cannot simply be removed, and their presence gives attackers a rich ecosystem of trusted binaries to abuse. Infostealers like Lumma are then used to harvest credentials at scale, providing a low‑cost entry point for ransomware, business email compromise, and cloud account takeover.
Defensive measures against Windows Terminal–based social engineering attacks
User awareness remains the first line of defense. Employees should be clearly instructed to never copy and paste commands from a website into Windows Terminal, PowerShell, or cmd.exe, especially when prompted by supposed “browser fixes”, “security checks”, or “account verification” steps.
Technical controls are equally critical. Security teams should consider controlling or monitoring the execution of wt.exe, PowerShell, and MSBuild.exe using AppLocker, Windows Defender Application Control (WDAC), or similar application control frameworks. Endpoint detection and response (EDR) solutions should be tuned to flag suspicious chains such as Windows Terminal → PowerShell → ZIP download → renamed 7‑Zip execution.
Administrators should monitor for randomly named .bat and .vbs files in %LocalAppData% and %TEMP%, inspect unusual traffic to blockchain RPC endpoints, and deploy solutions capable of detecting QueueUserAPC()-based code injection and broader LOLBin abuse patterns across the environment.
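One way to express the process-chain and dropped-script checks above over endpoint process-creation telemetry, as an added example that is not part of the Microsoft report or this article; the events, paths and file names are constructed, and the random-name heuristic is an assumption, not a published indicator:

```python
import re

# Constructed Sysmon-style process-creation events (pid, ppid, image, command line);
# paths and names are illustrative (assumed), not indicators from the Microsoft report.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\WindowsApps\wt.exe", "cmd": "wt.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden -c <hex-xor-blob placeholder>"},
    {"pid": 310, "ppid": 300, "image": r"C:\Windows\System32\ipconfig.exe", "cmd": "ipconfig /all"},
    {"pid": 320, "ppid": 300, "image": r"C:\Users\alice\AppData\Local\Temp\qz8k2d.exe",
     "cmd": "qz8k2d.exe x payload.zip"},  # renamed archiver extracting the downloaded ZIP
    {"pid": 330, "ppid": 300, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd.exe /c C:\Users\alice\AppData\Local\k3j9x1.bat /launched"},
]

USER_WRITABLE = re.compile(r"\\AppData\\Local\\", re.IGNORECASE)  # %LocalAppData% and %TEMP% live here
RANDOM_NAME = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{6,}$", re.IGNORECASE)  # heuristic, assumed

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def ancestry(events, pid):
    """Image basenames from the process itself up to the root of its process tree."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain

def looks_random(path):
    stem = basename(path).rsplit(".", 1)[0]
    return bool(RANDOM_NAME.match(stem))

def detect(events):
    findings = []
    for e in events:
        chain = ancestry(events, e["pid"])
        under_wt_ps = "powershell.exe" in chain[1:] and "wt.exe" in chain[1:]
        # Rule 1: Windows Terminal -> PowerShell -> random-named binary run from a user-writable path
        if under_wt_ps and USER_WRITABLE.search(e["image"]) and looks_random(e["image"]):
            findings.append((e["pid"], "wt_powershell_dropped_binary"))
        # Rule 2: cmd.exe executing a random-named .bat/.vbs from %LocalAppData% or %TEMP%
        m = re.search(r"(\S+\.(?:bat|vbs))", e["cmd"], re.IGNORECASE)
        if basename(e["image"]) == "cmd.exe" and m and USER_WRITABLE.search(m.group(1)) and looks_random(m.group(1)):
            findings.append((e["pid"], "random_script_in_localappdata"))
    return findings
```

The legitimate ipconfig.exe child of the same PowerShell process is left alone, which is the point: alert on what the terminal-spawned shell launches from user-writable locations, not on wt.exe or PowerShell themselves.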
Strengthening credential protection significantly reduces impact. Minimizing password storage in browsers, deploying enterprise password managers, enforcing multi‑factor authentication (MFA), and periodically reviewing and clearing saved logins in Chrome, Edge, and other browsers all help limit the damage if an infostealer such as Lumma is executed on a workstation.
The ClickFix campaign underscores how quickly adversaries adapt to defensive controls, shifting from the Run dialog to Windows Terminal and chaining legitimate tools to deliver Lumma Stealer while avoiding straightforward detections. Organizations that combine continuous user education with strict governance over administrative utilities and proactive use of vendor intelligence—such as reports from Microsoft Threat Intelligence—will be far better positioned to disrupt similar social engineering campaigns and prevent large‑scale credential theft.