Microsoft Exposes ClickFix Campaign Utilizing Windows Terminal to Distribute Lumma Stealer Malware


A Sophisticated Social Engineering Campaign Exploits Windows Terminal to Deploy Lumma Stealer Malware

A recently uncovered social engineering campaign, dubbed ClickFix, has been leveraging the Windows Terminal app to deploy the Lumma Stealer malware. This campaign, observed in February 2026, employs a novel approach by instructing targets to use the Windows + X shortcut to launch Windows Terminal, thereby creating a privileged command execution environment that appears legitimate to users.

Exploiting Trust in Windows Terminal

The attackers exploit the trust associated with Windows Terminal to trick users into running malicious commands delivered via fake CAPTCHA pages, troubleshooting prompts, or other verification-style lures. Notably, this tactic bypasses traditional detections designed to flag Run dialog abuse, making it a more sophisticated and evasive threat.

Attack Chain

Once the user pastes a hex-encoded, XOR-compressed command into a Windows Terminal session, the attack chain unfolds. The command spawns additional Terminal/PowerShell instances, ultimately invoking a PowerShell process responsible for decoding the script. This, in turn, leads to the following malicious activities:

  • Retrieving additional payloads
  • Setting up persistence via scheduled tasks
  • Configuring Microsoft Defender exclusions
  • Exfiltrating machine and network data
  • Deploying Lumma Stealer using the QueueUserAPC() technique, which injects the malware into “chrome.exe” and “msedge.exe” processes

Lumma Stealer Malware

The Lumma Stealer malware targets high-value browser artifacts, including Web Data and Login Data, to harvest stored credentials and exfiltrate them to attacker-controlled infrastructure.

Secondary Attack Pathway

Microsoft researchers also identified a secondary attack pathway in which the compressed command is executed via cmd.exe with the /launched command-line argument. This pathway involves LOLBin abuse: the batch script is executed through MSBuild.exe. The script connects to cryptocurrency blockchain RPC endpoints, indicating the EtherHiding technique, and performs QueueUserAPC()-based code injection into chrome.exe and msedge.exe processes to harvest Web Data and Login Data.
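As an added illustration of how a defender might hunt for both pathways described above in process-creation telemetry, the rules below run over constructed Sysmon-style events. This is example code written for this page, not Microsoft's detection logic; WindowsTerminal.exe, MSBuild.exe, schtasks and Add-MpPreference are real names, but every path and command line is invented.

```python
import re

# Constructed image paths (not real telemetry).
WT = r"C:\Apps\WindowsTerminal.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
MSB = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"

# Constructed process-creation events: (parent image, image, command line).
SAMPLE_EVENTS = [
    (r"C:\Windows\explorer.exe", WT, "WindowsTerminal.exe"),           # user opens Terminal
    (WT, PS, "powershell.exe -NoP -W Hidden -enc QUJD"),                # pasted encoded command
    (PS, PS, "powershell.exe Add-MpPreference -ExclusionPath C:\\Users\\Public"),
    (PS, r"C:\Windows\System32\schtasks.exe",
     "schtasks.exe /create /tn Updater /sc minute /mo 5 /tr C:\\Users\\Public\\u.cmd"),
    (WT, CMD, "cmd.exe /launched C:\\Users\\Public\\stage.bat"),        # secondary pathway
    (CMD, MSB, "MSBuild.exe C:\\Users\\Public\\stage.bat"),             # LOLBin abuse
    (WT, PS, "powershell.exe Get-Process"),                             # benign interactive use
]


def _name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


RULES = {
    # Pathway 1: Terminal-launched PowerShell carrying encoded/obfuscated input.
    "terminal_to_encoded_powershell": lambda p, i, c: (
        _name(p) == "windowsterminal.exe" and _name(i) in ("powershell.exe", "pwsh.exe")
        and re.search(r"(?i)(-e(nc(odedcommand)?)?\b|frombase64string|-bxor|-join)", c)),
    # Pathway 2: cmd.exe started with the /launched argument.
    "cmd_launched_argument": lambda p, i, c: (
        _name(i) == "cmd.exe" and re.search(r"(?i)/launched\b", c)),
    # LOLBin: MSBuild.exe spawned from a shell rather than a build tool.
    "msbuild_from_shell": lambda p, i, c: (
        _name(i) == "msbuild.exe" and _name(p) in ("cmd.exe", "powershell.exe")),
    # Defender exclusion configured from the command line.
    "defender_exclusion": lambda p, i, c: re.search(r"(?i)add-mppreference\s.*-exclusion", c),
    # Persistence via scheduled task creation.
    "scheduled_task_persistence": lambda p, i, c: (
        (_name(i) == "schtasks.exe" and "/create" in c.lower())
        or "register-scheduledtask" in c.lower()),
}


def detect(events):
    """Return (rule_name, event_index) for every event that matches a rule."""
    hits = []
    for idx, (parent, image, cmdline) in enumerate(events):
        for name, rule in RULES.items():
            if rule(parent, image, cmdline):
                hits.append((name, idx))
    return hits


if __name__ == "__main__":
    for name, idx in detect(SAMPLE_EVENTS):
        print(f"{name}: {SAMPLE_EVENTS[idx][2]}")
```

The heuristics are deliberately narrow; in production they would be tuned against baseline Terminal and MSBuild usage and correlated by process tree rather than evaluated per event.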

Conclusion

The ClickFix campaign highlights the evolving nature of social engineering attacks, which continue to adapt and exploit legitimate system features to evade detection and compromise unsuspecting users.

Microsoft researchers characterize ClickFix as a sophisticated social engineering attack that exploits the trust associated with Windows Terminal to deploy Lumma Stealer malware.
