Cybersecurity analysts have discovered a fresh wave of ClickFix assaults that now utilize Windows Terminal to deliver malicious payloads directly onto victim systems.

In contrast to previous iterations of this social engineering tactic, which depended on the Windows Run dialog, this recent campaign prompts users to open a privileged command environment themselves, complicating detection and making the lure more convincing to average users.

ClickFix was first noted in early 2024, when analysts at Proofpoint detected it delivering deceptive browser error messages that misled users into executing harmful commands.

The methodology spread rapidly, with ESET documenting a 517% increase in ClickFix incidents during 2025, ranking it just below phishing as a prevalent global attack method.

Perpetrators typically create fraudulent CAPTCHA pages, counterfeit troubleshooting alerts, or urgent security notifications, all crafted to rush victims into responding before they take a moment to question the request.

Microsoft Threat Intelligence researchers identified a widespread ClickFix initiative in February 2026 that specifically concentrated on Windows Terminal as its new execution platform.



Instead of directing victims to the conventional Run dialog through Win + R, this initiative instructed them to utilize the Windows + X shortcut followed by “I” to directly launch Windows Terminal.

This strategy allowed attackers to evade security tools intended to flag misuse of the Run dialog, while placing victims within a command-line environment that appears similar to standard IT tasks.

The damage inflicted by this initiative is tangible and quantifiable. According to Microsoft’s 2025 Digital Defense Report, ClickFix has now emerged as the primary initial access method, accountable for 47% of all incidents monitored by Microsoft Defender Experts, overshadowing traditional phishing at 35%.

The final payload in this recent campaign is Lumma Stealer, a credential-harvesting malware designed to extract stored usernames, passwords, and sensitive browser information from Chrome and Edge.

This campaign is specific to Windows users, and since it exploits human behavior rather than a software vulnerability, no conventional software patch is available. Security awareness and stringent policy controls remain the most effective defenses against this kind of assault.

How the Infection Unfolds

The attack initiates the moment a victim visits a compromised or harmful website. Concealed JavaScript operating behind the page silently copies a hex-encoded, XOR-compressed PowerShell command into the user’s clipboard without any visible notification.

A fraudulent CAPTCHA or verification prompt subsequently appears on the screen, mimicking trusted brands like Cloudflare or Microsoft, guiding the user to open Windows Terminal and paste what is in the clipboard to “resolve” an alleged issue.

Once the command is placed within Windows Terminal, a PowerShell process decodes the compressed script entirely in memory and starts establishing outbound connections to attacker-controlled servers.

It retrieves a renamed 7-Zip executable and a ZIP archive containing the subsequent phase of the assault. The file is extracted and executed discreetly, with no visible prompts displayed on the screen, leaving the victim with no cause for suspicion that anything has gone awry.

The malware then establishes persistence by creating a scheduled task that executes each time the system restarts. Lumma Stealer is installed into C:\ProgramData\app_config\ctjb and employs QueueUserAPC() injection to embed itself into active browser processes, including chrome.exe and msedge.exe.

Once integrated into these processes, it accesses Login Data and Web Data files saved by the browser, collecting saved credentials and sensitive autofill details before transmitting everything to the attacker’s remote infrastructure.

Detection becomes more difficult since wt.exe is a trusted system component on numerous Windows devices. Security monitoring tools might not promptly identify PowerShell activities initiated from Windows Terminal, granting the attacker undetected time to finalize the entire infection sequence.

To minimize exposure to this threat, organizations ought to instruct employees never to paste commands into any terminal prompted by a website. Windows Terminal and PowerShell should be limited to administrative accounts via Group Policy.

Security teams should routinely examine registry keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run and scrutinize Windows Task Scheduler for unrecognized scheduled tasks.

Endpoint detection tools should be set up to monitor and alert on PowerShell processes initiated by wt.exe, and antimalware definitions should be consistently updated across all endpoints.
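The detection the last two paragraphs call for, as an added example that is not code from the article or from any vendor: a small hunt over process-creation telemetry that flags PowerShell whose parent is Windows Terminal and raises severity when the command line shows the in-memory decoding traits (hex decode, XOR, Invoke-Expression) described above. The event field names follow the Sysmon Event ID 1 layout, the sample events are constructed, and treating WindowsTerminal.exe as an alternative parent name is an assumption.

```python
"""Flag PowerShell launched from Windows Terminal with ClickFix-style command lines."""
import re
from typing import Optional

# The article names wt.exe as the trusted launcher; WindowsTerminal.exe is the
# terminal's host process and is assumed here as a parent telemetry may show.
TERMINAL_PARENTS = {"wt.exe", "windowsterminal.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Traits the article attributes to the pasted payload (in-memory decoding of a
# hex-encoded, XOR-obfuscated script) plus the usual loader switches.
SUSPICIOUS = {
    "xor_decode": re.compile(r"-bxor\b", re.I),
    "hex_decode": re.compile(r"ToInt32\([^)]*,\s*16\)|FromHexString", re.I),
    "invoke_expression": re.compile(r"\biex\b|Invoke-Expression", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-e(xecutionpolicy|p)?\s+bypass", re.I),
    "web_fetch": re.compile(r"DownloadString|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I),
}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(event: dict) -> Optional[dict]:
    """Return an alert for a PowerShell-from-Terminal event, else None."""
    if _basename(event["Image"]) not in POWERSHELL_IMAGES:
        return None
    if _basename(event["ParentImage"]) not in TERMINAL_PARENTS:
        return None
    reasons = [name for name, rx in SUSPICIOUS.items() if rx.search(event["CommandLine"])]
    # An interactive shell opened from Windows Terminal is normal admin work, so it
    # is only recorded as informational; two or more loader traits make it high.
    severity = "high" if len(reasons) >= 2 else "info"
    return {"severity": severity, "reasons": reasons, "event": event}


def hunt(events: list) -> list:
    return [a for a in (assess(e) for e in events) if a]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WT = r"C:\Users\alice\AppData\Local\Microsoft\WindowsApps\wt.exe"
CLICKFIX_CMD = ("powershell.exe -ep bypass -w hidden -c \"$h='4a6f...';"
                "$p=($h -split '(..)'|?{$_}|%{[char]([convert]::ToInt32($_,16) -bxor 0x5a)})-join'';"
                "iex $p\"")
SAMPLE_EVENTS = [  # constructed telemetry, not taken from the article
    {"Image": PS, "ParentImage": WT, "CommandLine": CLICKFIX_CMD},
    {"Image": PS, "ParentImage": WT, "CommandLine": "powershell.exe -NoLogo"},
    {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe -NoLogo"},
]
```

Running `hunt(SAMPLE_EVENTS)` yields one high alert (five matched traits) and one informational entry for the interactive shell; the explorer.exe-spawned shell is outside this rule's scope.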
