Cybersecurity researchers have identified a sophisticated new variant of the ClickFix attack that leverages the Windows Terminal application to directly execute malicious payloads on unsuspecting user systems. This evolved social engineering tactic bypasses traditional defenses by tricking users into initiating the attack themselves, making it both harder to detect and more convincingly disguised as a legitimate user action. The increased use of Windows Terminal in these campaigns represents a significant shift in attacker methodology, as reported by Microsoft Threat Intelligence.
The ClickFix social engineering technique first emerged in early 2024, with initial reports highlighting its ability to deliver fake browser error prompts that coerced users into running harmful commands. The method has since seen a dramatic surge in activity. By 2025, ClickFix attacks had escalated significantly, accounting for a substantial portion of global attack vectors, second only to phishing. Attackers commonly employ deceptive tactics such as counterfeit CAPTCHA pages, fabricated troubleshooting notices, or urgent security alerts to pressure victims into immediate action, often before they can critically assess the situation.
New ClickFix Attack Utilizes Windows Terminal for Payload Execution
Microsoft Threat Intelligence analysts observed a widespread ClickFix campaign in February 2026 that specifically weaponized Windows Terminal as its chosen execution environment. Unlike prior iterations that relied on the familiar Windows Run dialog (accessed via Win + R), this new campaign instructs victims to utilize the Windows + X shortcut followed by the “I” key to launch Windows Terminal directly. This strategic shift allows attackers to circumvent security measures designed to flag misuse of the Run dialog. Furthermore, it places the user within a command-line interface that can resemble routine IT administrative tasks, increasing the perceived legitimacy of the prompt.
The impact of ClickFix attacks is substantial and well-documented. According to Microsoft’s 2025 Digital Defense Report, ClickFix has become the leading initial access method, responsible for an alarming 47% of all attacks tracked by Microsoft Defender Experts. This surpasses traditional phishing, which accounts for 35%. The final payload observed in this recent campaign is Lumma Stealer, a potent credential-harvesting malware. Lumma Stealer is designed to extract saved usernames, passwords, and sensitive browser data from popular browsers like Chrome and Edge.
This campaign’s effectiveness is rooted in its exploitation of human behavior rather than a specific software vulnerability, meaning traditional software patches are not applicable. Therefore, enhanced security awareness training for employees and the implementation of stringent organizational policy controls are identified as the most effective defenses against this evolving threat. The reliance on user interaction makes user education a critical component of the defense strategy against these types of social engineering attacks.
How the Infection Unfolds
The infection chain commences when a user visits a compromised or malicious website. Malicious JavaScript embedded within the webpage silently copies a hex-encoded, XOR-compressed PowerShell command into the user’s clipboard without any visible indication. Subsequently, a deceptive CAPTCHA or verification prompt appears, often impersonating trusted brands such as Cloudflare or Microsoft. This prompt instructs the user to open Windows Terminal and paste the contents of the clipboard to purportedly “fix” a non-existent issue.
Once the command is pasted into Windows Terminal, a PowerShell process decodes the compressed script entirely in memory. This process then initiates outbound connections to attacker-controlled servers to download further malicious components. The attack downloads a renamed 7-Zip executable alongside a ZIP archive containing the next stage of the malicious payload. This archive is extracted and executed silently, without any on-screen prompts, leaving the victim unaware that their system has been compromised.
The malware establishes persistence on the victim’s machine by creating a scheduled task that automatically runs upon each system restart. Lumma Stealer is then strategically placed in a specific directory, for example, C:\ProgramData\app_config\ctjb. It employs QueueUserAPC() injection to embed itself into active browser processes, including chrome.exe and msedge.exe. Once embedded, the malware accesses and reads the browser’s Login Data and Web Data files, diligently harvesting saved credentials and sensitive autofill entries before transmitting them to the attacker’s remote infrastructure. The use of wt.exe, a legitimate and trusted system component, makes detection more challenging, as security monitoring tools might not immediately flag PowerShell activity originating from Windows Terminal, allowing attackers an undetected window to complete the infection chain.
To mitigate the risk posed by this threat, organizations are advised to train employees to avoid pasting commands into any terminal prompted by a website. Furthermore, restricting the use of Windows Terminal and PowerShell to administrative accounts via Group Policy is recommended. Security teams should conduct regular inspections of registry keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run and meticulously review Windows Task Scheduler for any unrecognized scheduled tasks. Endpoint detection and response (EDR) solutions should be configured to actively monitor and alert on PowerShell processes spawned by wt.exe, and antimalware definitions must be kept consistently updated across all endpoints.
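The detection and hunting advice above (PowerShell spawned by wt.exe, Run-key values and scheduled tasks pointing at a dropped payload) can be expressed as simple triage logic. The following is an added example written for this article, not code from Microsoft Threat Intelligence or from the campaign itself. The event records are constructed to resemble Sysmon-style fields, the `Unpack-Stage` token in the sample command line is a placeholder rather than a real cmdlet, the file name `run.exe` under the article's `C:\ProgramData\app_config\ctjb` path is invented, and the regex heuristics and thresholds are assumptions a team would tune to its own telemetry.

```python
"""Triage of constructed endpoint events for the ClickFix-via-Windows-Terminal
chain: PowerShell launched by wt.exe with decode-and-run traits on its command
line, plus Run-key values and scheduled-task actions that point into
user-writable directories.

Added example for this article; not code from the article's authors or from
Microsoft. Event shapes, paths, sample values and thresholds are constructed
assumptions loosely modelled on Sysmon-style fields.
"""
import re
from typing import Dict, List

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")

# Command-line traits typical of in-memory decode-and-execute loaders.
# Names are report labels; the patterns are heuristics, not a full grammar.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{40,}", re.I),
    "long_hex_blob": re.compile(r"[0-9a-fA-F]{64,}"),
    "invoke_expression": re.compile(r"\biex\b|Invoke-Expression", re.I),
    "xor_or_decompress": re.compile(r"-bxor|IO\.Compression|FromBase64String", re.I),
}

# Locations a standard user can write to; persistence pointing here is suspect.
USER_WRITABLE = re.compile(
    r"^[A-Za-z]:\\(?:ProgramData|Users\\[^\\]+\\AppData|Users\\Public)\\", re.I)

# Constructed sample events (not real telemetry).
EVENTS: List[Dict[str, str]] = [
    {"kind": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\alice\AppData\Local\Microsoft\WindowsApps\wt.exe",
     # Unpack-Stage is a placeholder token, not a real cmdlet; hex blob is filler.
     "cmdline": "powershell -nop -w hidden -c \"$h='" + "48656c6c6f" * 14
                + "';$s=Unpack-Stage $h -bxor 0x2a;iex $s\""},
    {"kind": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\alice\AppData\Local\Microsoft\WindowsApps\wt.exe",
     "cmdline": "powershell Get-Service -Name Spooler"},          # routine admin use
    {"kind": "process",
     "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Users\alice\AppData\Local\Microsoft\WindowsApps\wt.exe",
     "cmdline": "cmd.exe"},                                        # not PowerShell: out of scope
    {"kind": "registry", "key": RUN_KEY + r"\Updater",
     "value": r"C:\ProgramData\app_config\ctjb\run.exe"},          # directory from the article; file name constructed
    {"kind": "registry", "key": RUN_KEY + r"\VendorAgent",
     "value": r"C:\Program Files\Vendor\agent.exe"},              # lives under Program Files: not flagged
    {"kind": "task", "name": r"\ConfigSync", "trigger": "boot",
     "action": r"C:\ProgramData\app_config\ctjb\run.exe"},
]


def basename(path: str) -> str:
    """Last path component, lower-cased, for image/parent comparisons."""
    return path.rsplit("\\", 1)[-1].lower()


def is_terminal_spawned_powershell(ev: Dict[str, str]) -> bool:
    """True for a process-creation event of PowerShell whose parent is wt.exe."""
    return (ev.get("kind") == "process"
            and basename(ev["image"]) in POWERSHELL_IMAGES
            and basename(ev["parent"]) == "wt.exe")


def command_line_indicators(cmdline: str) -> List[str]:
    """Names of the loader heuristics that match the command line, in table order."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmdline)]


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return findings for wt.exe-spawned PowerShell and suspicious persistence."""
    findings: List[Dict[str, object]] = []
    for ev in events:
        if ev["kind"] == "process":
            if not is_terminal_spawned_powershell(ev):
                continue
            hits = command_line_indicators(ev["cmdline"])
            findings.append({"severity": "high" if hits else "low",
                             "reason": "PowerShell spawned by wt.exe",
                             "indicators": hits, "event": ev})
        elif ev["kind"] == "registry":
            under_run = ev["key"].lower().startswith(RUN_KEY.lower() + "\\")
            if under_run and USER_WRITABLE.match(ev["value"]):
                findings.append({"severity": "high",
                                 "reason": "Run key points into user-writable path",
                                 "indicators": [], "event": ev})
        elif ev["kind"] == "task":
            if USER_WRITABLE.match(ev["action"]):
                findings.append({"severity": "high",
                                 "reason": "Scheduled task action in user-writable path",
                                 "indicators": [], "event": ev})
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f["severity"].upper(), f["reason"], f["indicators"])
```

Every PowerShell launched from Windows Terminal is recorded, but only command lines carrying decode-and-run traits are rated high, so an administrator running a one-off cmdlet produces a low-severity record rather than an alert. The persistence checks deliberately key on the target path rather than a task or value name, since those are trivially renamed. Scoping the process rule to wt.exe mirrors the article's recommendation; a broader rule would treat the same indicators from any parent as suspicious.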