Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer
Briefly

"This campaign instructs targets to use the Windows + X → I shortcut to launch Windows Terminal (wt.exe) directly, guiding users into a privileged command execution environment that blends into legitimate administrative workflows and appears more trustworthy to users."
"What makes the latest variant notable is that it bypasses detections specifically designed to flag Run dialog abuse, not to mention take advantage of the legitimacy of Windows Terminal to trick unsuspecting users into running malicious commands delivered via bogus CAPTCHA pages, troubleshooting prompts, or other verification-style lures."
"When the user pastes a hex-encoded, XOR-compressed command copied from the ClickFix lure page into a Windows Terminal session, it spawns additional Terminal/PowerShell instances to ultimately invoke a PowerShell process responsible for decoding the script. This, in turn, leads to the download of a ZIP payload and a legitimate but renamed 7-Zip binary."
Microsoft identified a sophisticated ClickFix social engineering campaign, observed in February 2026, that exploits Windows Terminal as an attack vector. The campaign instructs users to launch Windows Terminal via the Windows + X → I shortcut, creating a deceptive appearance of legitimate administrative activity. Attackers deliver hex-encoded, XOR-compressed commands through fake CAPTCHA pages and troubleshooting prompts. When executed, the commands trigger a multi-stage attack chain involving PowerShell processes, ZIP payload downloads, and renamed 7-Zip binaries. The attack establishes persistence through scheduled tasks, configures Microsoft Defender exclusions, exfiltrates system data, and deploys Lumma Stealer malware into Chrome and Edge processes using QueueUserAPC injection techniques.
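As an added example (not from the Microsoft or The Hacker News write-up), a Python check over constructed process-creation events that flags the pattern the summary describes: a process descended from wt.exe whose command line carries a long hex blob, a Defender exclusion change, or a scheduled-task creation. The event fields, sample values and the 48-character hex threshold are assumptions.

```python
import re

# Constructed process-creation events shaped after the chain the article
# describes (wt.exe -> PowerShell -> decoded script -> follow-on actions).
# Not real telemetry; field names are assumed.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "wt.exe",         "cmd": "wt.exe"},
    {"pid": 300, "ppid": 200, "image": "powershell.exe",
     "cmd": "powershell.exe -NoProfile -c " + "4a6f" * 32},
    {"pid": 400, "ppid": 300, "image": "powershell.exe",
     "cmd": "powershell.exe Add-MpPreference -ExclusionPath C:\\Users\\Public"},
    {"pid": 500, "ppid": 300, "image": "schtasks.exe",
     "cmd": "schtasks.exe /Create /SC MINUTE /TN Updater /TR C:\\Users\\Public\\x.exe"},
    # Benign: an admin running an ordinary cmdlet inside Windows Terminal.
    {"pid": 600, "ppid": 200, "image": "powershell.exe", "cmd": "powershell.exe Get-Process"},
]

# A long unbroken hex run is the encoded command the lure asks the user to paste.
HEX_BLOB = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{48,}(?![0-9A-Fa-f])")
# Follow-on actions named in the summary: Defender exclusions and scheduled tasks.
FOLLOW_ON = re.compile(r"Add-MpPreference\s+-Exclusion|schtasks(\.exe)?\s+/Create", re.I)


def has_wt_ancestor(event, by_pid):
    """Walk the parent chain; True if Windows Terminal appears anywhere above."""
    seen = set()
    parent = by_pid.get(event["ppid"])
    while parent is not None and parent["pid"] not in seen:
        if parent["image"].lower() == "wt.exe":
            return True
        seen.add(parent["pid"])
        parent = by_pid.get(parent["ppid"])
    return False


def find_suspicious(events):
    """Return (pid, reason) for descendants of wt.exe whose command line carries
    a hex blob or a follow-on action. wt.exe hosting PowerShell is normal, so
    ancestry alone never raises an alert."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if not has_wt_ancestor(e, by_pid):
            continue
        if HEX_BLOB.search(e["cmd"]):
            findings.append((e["pid"], "hex-encoded command under Windows Terminal"))
        elif FOLLOW_ON.search(e["cmd"]):
            findings.append((e["pid"], "Defender exclusion or scheduled task under Windows Terminal"))
    return findings


if __name__ == "__main__":
    for pid, reason in find_suspicious(SAMPLE_EVENTS):
        print(pid, reason)
```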
Read at The Hacker News