
Copy-Paste This Command and You’re Hacked: New Windows Terminal Attack Spreads Lumma Stealer

Cybercriminals are exploiting Windows Terminal in a new ClickFix campaign that tricks users into running hidden commands. The attack quietly deploys Lumma Stealer, steals browser credentials, and evades common security detection built for OS

Harsh Sharma
ClickFix malware campaign hijacks Windows Terminal to spread Lumma Stealer

A recent malware campaign is abusing a trusted Windows application, Windows Terminal, to launch credential-stealing attacks: the attackers use social engineering to get victims to run commands that deploy Lumma Stealer malware, according to researchers from the Microsoft Security team.


This represents a change of tactics for the ClickFix attack group, from exploiting technical vulnerabilities to using social engineering to trick users into executing the malicious commands themselves. Because the user, not an exploit, runs the command, the attack is far more difficult to identify using standard security controls.

How the Attack Tricks Its Victims

The whole thing kicks off with some pretty standard online traps. People get sent to fake CAPTCHA pages or get a message that says they need to take some action to keep going. It usually asks them to open Windows Terminal using the Windows + X → I shortcut, claiming this is needed to sort out some issue.

Because Windows Terminal is standard kit for developers and sysadmins, the request can look legit. However, the command they're asked to paste contains a payload: a hidden bit of code designed to launch malware.


What's interesting is that these attackers used to rely on the Windows Run dialog to get their malware in. By switching to Windows Terminal, they avoid the security software that specifically spots misuse of the Run feature.

What Happens After They Run the Command

So you plug in the command, and it all kicks off in a right old mess.

The script starts multiple PowerShell processes, which unravel the hidden instructions and start grabbing files off the attackers' servers. And what gets grabbed? The malware components, tucked away inside a compressed archive, along with a renamed copy of a legitimate and widely used tool, 7-Zip, which is used to unpack it all.

Once it's all out, the malware hangs around to collect all sorts of system data. Researchers have seen some key behaviors during the infection process:

  • Creating scheduled tasks to maintain access
  • Adding exclusions to Microsoft Defender
  • Downloading additional payloads
  • Exfiltrating machine and network information
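
The behaviours in that list leave traces an administrator can check for directly. The following is an added example, not code from the article or from Microsoft: a read-only host triage in PowerShell that lists Microsoft Defender exclusions and flags scheduled tasks that run from user-writable folders or launch a script host with hidden or encoded arguments. It uses only the built-in Defender and ScheduledTasks cmdlets; the regex patterns and thresholds are my own assumptions about what "normal" looks like and will need tuning per environment.

```powershell
# Added example, not code from the article or from Microsoft: a read-only host
# triage for the persistence behaviours listed above (Defender exclusions and
# scheduled tasks). Run in an elevated PowerShell on Windows 10/11 with
# Microsoft Defender installed. It reports; it changes nothing.

# 1. Defender state and exclusions. On a workstation that normally has no
#    exclusions, any path/process/extension exclusion deserves a look.
$status = Get-MpComputerStatus
$pref   = Get-MpPreference
[pscustomobject]@{
    RealTimeProtection = $status.RealTimeProtectionEnabled
    ExclusionPath      = $pref.ExclusionPath
    ExclusionProcess   = $pref.ExclusionProcess
    ExclusionExtension = $pref.ExclusionExtension
} | Format-List

# 2. Scheduled tasks that run from user-writable locations, or that run a
#    script host with hidden/encoded arguments. Legitimate tasks almost always
#    point at Program Files or System32 with plain arguments.
#    (Patterns below are assumptions for illustration; tune them locally.)
$userWritable = '(?i)\\(AppData|Temp|Public|ProgramData)\\'
$scriptHost   = '(?i)\b(powershell|pwsh|cmd|wscript|cscript|mshta|msbuild)(\.exe)?\b'
$suspectArgs  = '(?i)(-enc|-e\s|-ec\s|-w(indowstyle)?\s+h|bypass|iex|downloadstring|frombase64string)'

Get-ScheduledTask | ForEach-Object {
    $task = $_
    $info = $task | Get-ScheduledTaskInfo
    foreach ($action in $task.Actions) {
        # Only ExecAction has Execute/Arguments; skip COM-handler actions.
        if (-not $action.Execute) { continue }
        $cmd = "$($action.Execute) $($action.Arguments)".Trim()
        $hit = ($cmd -match $userWritable) -or
               (($cmd -match $scriptHost) -and ($cmd -match $suspectArgs))
        if ($hit) {
            [pscustomobject]@{
                TaskName    = $task.TaskName
                TaskPath    = $task.TaskPath
                Author      = $task.Author
                LastRunTime = $info.LastRunTime
                Command     = $cmd
            }
        }
    }
} | Sort-Object LastRunTime -Descending | Format-Table -AutoSize -Wrap
```

An empty exclusion list and an empty task table is the expected result on a clean workstation; anything that appears should be compared against a known-good baseline rather than treated as proof of infection, since software installers legitimately create both.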

The final stage involves deploying Lumma Stealer, a credential-harvesting malware widely used in cybercrime operations.

How Lumma Stealer Swipes Browser Data

Lumma Stealer zeros in on browser data. It digs the sensitive content out of files like Web Data and Login Data, the ones that contain your saved passwords and login info.


To stay under the radar, the malware injects its code into an active browser process such as chrome.exe or msedge.exe using the Windows API function QueueUserAPC(). By living inside a trusted process, it can get at your stored passwords and session tokens.

This is basically a key to the kingdom, giving attackers access to your email, bank accounts, and even the company network.

A second attack chain uses trusted Windows tools

Microsoft also found a second way the attackers are getting in. In this variant, the initial command drops a batch script into the AppData\Local folder instead.


The script then creates a VBS file in the system's temporary folder and runs it through cmd.exe. It is also executed using MSBuild.exe, a perfectly legitimate Microsoft build tool that developers actually use.

This technique is known as Living-off-the-Land Binary (LOLBin) abuse, where attackers rely on built-in system utilities instead of custom malware to evade security detection.
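
Both chains described on this page (Windows Terminal spawning PowerShell in the first, cmd.exe and MSBuild.exe running scripts out of AppData\Local and the temp folder in the second) show up as parent/child relationships and command lines in process-creation telemetry. The following is an added example, not code from the article or from Microsoft: a PowerShell hunt over Windows Security event 4688 that applies a small set of rules to those fields. It assumes "Audit Process Creation" and "Include command line in process creation events" are enabled (otherwise the CommandLine field is empty); the helper name Get-EventField and the rule patterns are my own.

```powershell
# Added example, not code from the article or from Microsoft: hunt Security
# event 4688 (process creation) for the chains described on this page.
# Assumes process-creation auditing with command-line logging is enabled;
# ParentProcessName is present in 4688 on Windows 10 / Server 2016 and later.
# Run elevated. Read-only.

param([int]$Hours = 24)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Helper (my own name): pull a named EventData field out of the event XML,
# which is more robust than relying on property index positions.
function Get-EventField {
    param([xml]$Xml, [string]$Name)
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Each rule receives (parent, newProcess, commandLine). Patterns are
# illustrative assumptions and will need tuning per environment.
$rules = @(
    @{ Name = 'PowerShell spawned by Windows Terminal with encoded/hidden args'
       Test = { param($p, $n, $c)
                $p -match '(?i)\\WindowsTerminal\.exe$' -and
                $n -match '(?i)\\(powershell|pwsh)\.exe$' -and
                $c -match '(?i)(-enc|-e\s|-ec\s|-w(indowstyle)?\s+h|bypass|iex|downloadstring|frombase64string)' } },
    @{ Name = 'cmd.exe running a batch/VBS file from AppData\Local or Temp'
       Test = { param($p, $n, $c)
                $n -match '(?i)\\cmd\.exe$' -and
                $c -match '(?i)\\(AppData\\Local|Temp)\\.*\.(bat|cmd|vbs)' } },
    @{ Name = 'MSBuild.exe given a file from a user-writable folder'
       Test = { param($p, $n, $c)
                $n -match '(?i)\\MSBuild\.exe$' -and
                $c -match '(?i)\\(AppData|Temp|Public|ProgramData)\\' } },
    @{ Name = 'wscript/cscript running a .vbs from Temp'
       Test = { param($p, $n, $c)
                $n -match '(?i)\\(w|c)script\.exe$' -and
                $c -match '(?i)\\Temp\\.*\.vbs' } }
)

foreach ($e in $events) {
    $x       = [xml]$e.ToXml()
    $parent  = Get-EventField $x 'ParentProcessName'
    $new     = Get-EventField $x 'NewProcessName'
    $cmdline = Get-EventField $x 'CommandLine'
    foreach ($r in $rules) {
        if (& $r.Test $parent $new $cmdline) {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Rule    = $r.Name
                Parent  = $parent
                Process = $new
                Command = $cmdline
            }
        }
    }
}
```

Run it as `.\Hunt-4688.ps1 -Hours 72` (or any file name you choose) to widen the window. The same four rules translate directly to Sysmon event 1 or to an EDR query language; the point is that the LOLBin chain is only "invisible" if nobody looks at which parent launched cmd.exe or MSBuild.exe and with what arguments.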

Researchers also observed connections to blockchain remote procedure call endpoints, indicating the possible use of EtherHiding, a method that retrieves malicious content through blockchain infrastructure.


Why This Attack Matters So Much

The ClickFix campaign shows that cybercrime is evolving; it's now more about tricking you than exploiting a software bug.

By making you run your own command in a trusted tool like Windows Terminal, the attackers can fool most traditional security systems.

Security pros have a simple rule that still works: don't copy and paste any commands from the web unless you're dead sure where they came from.
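
That rule is easier to follow when you can see what a pasted command actually does before running it. The following is an added example, not code from the article: a PowerShell function, Test-PastedCommand (my own name), that takes the text you were told to paste, decodes any -EncodedCommand payload for reading only, and reports the indicators this page describes (hidden windows, download cradles, Defender tampering, persistence, writes to user folders). Nothing in it executes the inspected text; the indicator list is an assumption for illustration, not a complete detection ruleset.

```powershell
# Added example, not code from the article: inspect a command you were told to
# paste BEFORE running it. Read-only; the inspected text is never executed.
# Usage:  Test-PastedCommand -Command (Get-Clipboard -Raw)

function Test-PastedCommand {
    param([Parameter(Mandatory)][string]$Command)

    $findings = [System.Collections.Generic.List[string]]::new()

    # -EncodedCommand / -enc / -ec / -e carry a UTF-16LE string as base64.
    # Decode it so the reader can see the real instructions.
    if ($Command -match '(?i)-(encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})') {
        try {
            $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2]))
            $findings.Add("Encoded command decodes to: $decoded")
        } catch {
            $findings.Add('Encoded command present but not valid base64')
        }
    }

    # Indicator patterns (assumptions for illustration; extend as needed).
    $indicators = [ordered]@{
        'Hidden window'           = '(?i)-w(indowstyle)?\s+h(idden)?'
        'Execution policy bypass' = '(?i)-e(p|xecutionpolicy)?\s+bypass'
        'Download cradle'         = '(?i)(downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|bitsadmin|certutil.*-urlcache)'
        'Runs downloaded text'    = '(?i)(invoke-expression|\biex\b)'
        'Obfuscated string build' = '(?i)(frombase64string|-join|\[char\]|-replace)'
        'Writes to user folders'  = '(?i)\\(AppData|Temp|Public)\\'
        'Defender tampering'      = '(?i)(add-mppreference|set-mppreference|exclusion)'
        'Persistence'             = '(?i)(schtasks|register-scheduledtask|\\CurrentVersion\\Run)'
    }
    foreach ($k in $indicators.Keys) {
        if ($Command -match $indicators[$k]) { $findings.Add($k) }
    }

    # A multi-line paste runs several commands in one go, which is exactly
    # what the lure relies on.
    if ($Command -match "`n") {
        $findings.Add('Multi-line paste (several commands would run at once)')
    }

    [pscustomobject]@{
        Risky    = $findings.Count -gt 0
        Findings = $findings.ToArray()
    }
}
```

A result with `Risky = True` is a reason to stop and ask where the command came from, not a verdict by itself. Windows Terminal also has its own guardrail worth turning on: the `multiLinePasteWarning` global setting in settings.json prompts before pasting text that spans more than one line.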
