Microsoft Exposes ClickFix Campaign Deploying Lumma Stealer

By alex2404

ClickFix campaigns — social engineering attacks that trick users into manually executing malicious commands — have been a persistent fixture in the threat landscape. Microsoft has now identified a variant that replaces the commonly abused Windows Run dialog with a more credible execution environment: Windows Terminal.

The Microsoft Threat Intelligence team disclosed the activity on Thursday; the observations date to February 2026. According to the announcement, the campaign instructs targets to use the Windows + X → I keyboard shortcut to open Windows Terminal (wt.exe) directly, rather than the traditional Run dialog method that existing detections are tuned to flag. The team described the approach as one that “blends into legitimate administrative workflows and appears more trustworthy to users.”

The infection begins on bogus CAPTCHA pages, troubleshooting prompts, or other verification-style lures that instruct users to paste a hex-encoded, XOR-compressed command into the Terminal session. Execution of that command spawns additional Terminal and PowerShell instances, culminating in a PowerShell process that decodes the embedded script. That script then retrieves a ZIP payload alongside a legitimate but renamed 7-Zip binary — saved to disk under a randomized file name — which extracts the ZIP contents and triggers a multi-stage chain ending in the deployment of Lumma Stealer.

Two Distinct Attack Pathways

The company identified a second pathway running parallel to the first. In this variant, pasting the compressed command into Terminal causes cmd.exe to download a randomly named batch script to the AppData\Local folder, which then writes a Visual Basic Script to the %TEMP% directory. The batch script executes via cmd.exe with the /launched command-line argument, and subsequently runs through MSBuild.exe — a living-off-the-land binary (LOLBin) abuse technique. The script connects to cryptocurrency blockchain RPC endpoints, indicating an EtherHiding technique, and performs QueueUserAPC()-based code injection into chrome.exe and msedge.exe processes.

Both pathways converge on the same objective. “The stealer targets high-value browser artifacts, including Web Data and Login Data, harvesting stored credentials and exfiltrating them to attacker-controlled infrastructure,” Microsoft said.

Why the Terminal Pivot Matters

The operational logic behind swapping the Run dialog for Windows Terminal is straightforward: security tooling that specifically monitors for Run dialog abuse does not automatically extend that coverage to Terminal sessions. The shift also exploits the visual legitimacy of a developer-facing tool — users accustomed to seeing administrators work inside Terminal are less likely to treat a command prompt there as inherently suspicious.

The multi-layer obfuscation chain — hex encoding, XOR compression, renamed binaries, LOLBin abuse, and process injection — reflects a deliberate effort to distribute detection surface across several stages, making any single defensive layer insufficient on its own.
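The detection gap described above (Run dialog monitoring that does not extend to Terminal sessions) and the two pathways summarized earlier suggest a few process-creation heuristics a defender can apply. The following is an added example written for this article; it is not Microsoft's detection logic and not code from the campaign. It evaluates constructed Sysmon-style process-creation records (the hex blob, file names and PIDs are made up) against three heuristics drawn from the article: a shell spawned from wt.exe with a long hex-encoded command line, cmd.exe running a batch file from AppData\Local with the /launched argument, and MSBuild.exe launched from a shell with a user-writable path on its command line. The lineage walk then shows whether a flagged process descends from Windows Terminal.

```python
"""Process-creation heuristics for the Windows Terminal ClickFix chain.

Added example, not Microsoft's detection logic. All events below are
constructed Sysmon-style process-creation records, not real telemetry.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Heuristic 1: a run of 64+ hex digits on a command line (hex-encoded payload).
HEX_BLOB = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{64,}(?![0-9A-Fa-f])")
# Heuristic 2: batch file under AppData\Local run with the /launched argument.
APPDATA_BAT = re.compile(r"appdata\\local\\[^\\\s]+\.bat", re.I)
# Heuristic 3 (assumption): MSBuild pointed at a user-writable location.
USER_WRITABLE = re.compile(r"\\(appdata|temp)\\", re.I)

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str         # process image basename, e.g. "cmd.exe"
    cmdline: str
    parent_image: str  # parent process image basename


def flag_event(ev: ProcEvent) -> list[str]:
    """Return the names of every heuristic the event trips (empty if none)."""
    hits: list[str] = []
    img = ev.image.lower()
    parent = ev.parent_image.lower()
    cmd = ev.cmdline

    # Shell spawned by Windows Terminal with a hex blob on its command line.
    if parent == "wt.exe" and img in SHELLS and HEX_BLOB.search(cmd):
        hits.append("terminal_hex_payload")

    # cmd.exe executing an AppData\Local batch file via /launched.
    if img == "cmd.exe" and "/launched" in cmd.lower() and APPDATA_BAT.search(cmd):
        hits.append("appdata_batch_launched")

    # MSBuild.exe (LOLBin) spawned by a shell and referencing AppData or Temp.
    # Baseline this in developer environments before alerting on it.
    if img == "msbuild.exe" and parent in SHELLS and USER_WRITABLE.search(cmd):
        hits.append("msbuild_from_shell_user_path")

    return hits


def lineage(by_pid: dict[int, ProcEvent], pid: int) -> list[str]:
    """Image names from the root ancestor down to `pid`, using PID links."""
    chain: list[str] = []
    seen: set[int] = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].image.lower())
        pid = by_pid[pid].ppid
    return list(reversed(chain))


def triage(events: list[ProcEvent]) -> list[tuple[int, list[str], list[str]]]:
    """(pid, tripped heuristics, ancestry) for every event that tripped one."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        hits = flag_event(ev)
        if hits:
            findings.append((ev.pid, hits, lineage(by_pid, ev.pid)))
    return findings


# Constructed sample telemetry (PIDs, hex blob and file names are made up).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe", "userinit.exe"),
    ProcEvent(200, 100, "wt.exe", "wt.exe", "explorer.exe"),
    ProcEvent(210, 200, "cmd.exe", "cmd.exe /c " + "deadbeef" * 9, "wt.exe"),
    # Benign developer activity from the same Terminal window: no hex blob.
    ProcEvent(220, 200, "powershell.exe",
              "powershell.exe -NoProfile -Command Get-ChildItem", "wt.exe"),
    ProcEvent(230, 210, "cmd.exe",
              r"cmd.exe /launched C:\Users\u\AppData\Local\xk3p9q.bat", "cmd.exe"),
    ProcEvent(240, 230, "msbuild.exe",
              r"MSBuild.exe C:\Users\u\AppData\Local\Temp\build.xml", "cmd.exe"),
]

if __name__ == "__main__":
    for pid, hits, chain in triage(SAMPLE_EVENTS):
        print(pid, hits, " -> ".join(chain))
```

Run stand-alone, the script reports the three suspicious events and leaves the benign PowerShell session from the same Terminal window unflagged; the lineage output makes it visible that all three descend from wt.exe, which is the correlation a Run-dialog-only rule would miss.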


This article is a curated summary based on third-party sources.
