ClickFix Gets Smarter: How Attackers Are Abusing Windows Terminal to Deploy Malware

Microsoft Defender Experts identified a widespread ClickFix social-engineering campaign in February 2026 that leverages Windows Terminal as the primary execution method. Unlike the traditional Win + R → paste → execute technique commonly associated with ClickFix lures, this campaign instructs victims to use the Windows + X → I shortcut to launch Windows Terminal (wt.exe) directly. By guiding users into a terminal session, attackers place them in a command-execution environment that closely resembles legitimate administrative workflows, making the activity appear more credible and less suspicious.

This shift allows attackers to evade security detections that specifically monitor abuse of the Run dialog, while simultaneously exploiting the familiarity and perceived legitimacy of Windows Terminal. Once the terminal window is opened, victims are prompted to paste malicious PowerShell commands copied from fake CAPTCHA pages, troubleshooting prompts, or verification-style messages designed to look routine.

A key aspect of this campaign is its post-compromise attack chain. In the first attack path, the victim pastes a hex-encoded and XOR-compressed command obtained from the ClickFix lure into a Windows Terminal session. This action spawns additional Windows Terminal and PowerShell instances, eventually launching another powershell.exe process responsible for decoding the embedded hexadecimal commands.

After decoding, the PowerShell script downloads a legitimate 7-Zip binary that has been renamed and saved with a randomized filename, along with a ZIP archive containing malicious components. The renamed archive utility is then used to extract and execute a multi-stage infection chain. This stage includes downloading additional payloads, establishing persistence through scheduled tasks, evading defenses by adding Microsoft Defender exclusions, and exfiltrating sensitive machine and network data.

The final payload is deployed to C:\ProgramData\app_config\ctjb and has been identified as a Lumma Stealer component. This malware performs QueueUserAPC()-based code injection into chrome.exe and msedge.exe processes. It specifically targets valuable browser artifacts such as Web Data and Login Data, harvesting stored credentials and transmitting them to attacker-controlled infrastructure.

A second attack path follows a slightly different execution chain. When the victim pastes the same hex-encoded, XOR-compressed command into Windows Terminal, it downloads a randomly named .bat file to the AppData\Local directory. This batch file is invoked via cmd.exe, which writes a VBScript file to the %Temp% directory. The batch script is then executed using cmd.exe with the /launched command-line argument.

The same batch file is also executed through MSBuild.exe, demonstrating Living-off-the-Land Binary (LOLBIN) abuse. During execution, the script connects to cryptocurrency blockchain RPC endpoints, indicating the use of the Etherhiding technique to conceal command-and-control infrastructure. Similar to the first attack path, it ultimately performs QueueUserAPC()-based injection into chrome.exe and msedge.exe, allowing it to harvest browser Web Data and Login Data for credential theft.
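The chain above (terminal-spawned PowerShell carrying a long hex blob, a Defender exclusion being added, a scheduled task pointing at a user-writable path, cmd.exe running a downloaded .bat with /launched, and MSBuild.exe executing that same .bat) can be scored per terminal session from ordinary process-creation telemetry. The script below is an added example written for this page, not Microsoft's detection logic or any published rule: the process events are constructed to mimic Sysmon Event ID 1 style records, and the indicator weights, the alert threshold of 4, and names such as `score_sessions` are assumptions. It groups events by their nearest Windows Terminal ancestor, so a lone admin opening a terminal and running a normal cmdlet scores low, while the full ClickFix chain scores high even though the Run dialog is never used.

```python
"""Score process-creation events for the ClickFix-via-Windows-Terminal chain.

Added example (not the report's own tooling). Sample events are constructed;
weights and the alert threshold are assumptions, not published values.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # base name of the executable; normalised to lower-case below
    cmdline: str

    def __post_init__(self):
        self.image = self.image.lower()


TERMINALS = {"wt.exe", "windowsterminal.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
HEX_BLOB = re.compile(r"[0-9a-fA-F]{40,}")   # long hex run = likely encoded payload


def ind_terminal_shell(ev, by_pid):
    # A shell whose direct parent is Windows Terminal. Common for admins on its own.
    parent = by_pid.get(ev.ppid)
    return parent is not None and parent.image in TERMINALS and ev.image in SHELLS


def ind_hex_blob(ev, by_pid):
    return ev.image in SHELLS and HEX_BLOB.search(ev.cmdline) is not None


def ind_defender_exclusion(ev, by_pid):
    c = ev.cmdline.lower()
    return "add-mppreference" in c and "-exclusion" in c


def ind_schtask_userpath(ev, by_pid):
    c = ev.cmdline.lower()
    return ev.image == "schtasks.exe" and "/create" in c and (
        "\\programdata\\" in c or "\\appdata\\" in c)


def ind_cmd_launched_bat(ev, by_pid):
    c = ev.cmdline.lower()
    return ev.image == "cmd.exe" and "/launched" in c and ".bat" in c


def ind_msbuild_bat(ev, by_pid):
    return ev.image == "msbuild.exe" and ".bat" in ev.cmdline.lower()


# Indicator name -> (predicate, weight). Weights are assumptions for illustration.
INDICATORS = {
    "terminal_spawned_shell": (ind_terminal_shell, 1),
    "hex_blob_in_cmdline": (ind_hex_blob, 3),
    "defender_exclusion_added": (ind_defender_exclusion, 3),
    "schtask_to_user_writable_path": (ind_schtask_userpath, 2),
    "cmd_launched_bat": (ind_cmd_launched_bat, 2),
    "msbuild_runs_bat": (ind_msbuild_bat, 3),
}
ALERT_THRESHOLD = 4


def session_root(ev, by_pid):
    """Walk the parent chain to the nearest terminal ancestor; fall back to ev.pid."""
    cur, seen = ev, set()
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        if cur.image in TERMINALS:
            return cur.pid
        cur = by_pid.get(cur.ppid)
    return ev.pid


def score_sessions(events):
    """Return {root_pid: (score, sorted indicator names)} for each session with hits."""
    by_pid = {e.pid: e for e in events}
    results = {}
    for ev in events:
        hits = [name for name, (pred, _) in INDICATORS.items() if pred(ev, by_pid)]
        if not hits:
            continue
        root = session_root(ev, by_pid)
        score, names = results.get(root, (0, set()))
        score += sum(INDICATORS[n][1] for n in hits)
        results[root] = (score, names | set(hits))
    return {r: (s, sorted(n)) for r, (s, n) in results.items()}


def alerts(events):
    return {r: v for r, v in score_sessions(events).items() if v[0] >= ALERT_THRESHOLD}


# Constructed sample telemetry (not real logs). Session 200 mimics the described chain;
# session 300 is an admin running a harmless cmdlet from Windows Terminal.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "wt.exe", "wt.exe"),
    ProcEvent(210, 200, "powershell.exe",
              "powershell.exe -nop -w hidden -c \"$h='" + "deadbeef" * 6 + "';...\""),
    ProcEvent(220, 210, "powershell.exe",
              "powershell.exe -c Add-MpPreference -ExclusionPath C:\\ProgramData\\app_config"),
    ProcEvent(230, 210, "schtasks.exe",
              "schtasks.exe /create /tn WinUpdateCheck /tr C:\\ProgramData\\app_config\\ctjb /sc minute /mo 5"),
    ProcEvent(240, 210, "cmd.exe", "cmd.exe /c C:\\Users\\alice\\AppData\\Local\\kxq82.bat /launched"),
    ProcEvent(250, 240, "msbuild.exe", "MSBuild.exe C:\\Users\\alice\\AppData\\Local\\kxq82.bat"),
    ProcEvent(300, 100, "wt.exe", "wt.exe"),
    ProcEvent(310, 300, "powershell.exe", "powershell.exe Get-Service"),
]

if __name__ == "__main__":
    for root, (score, names) in alerts(SAMPLE_EVENTS).items():
        print(f"ALERT session root pid={root} score={score} indicators={names}")
```

The terminal-to-shell parent relationship is deliberately weighted low because it is exactly the legitimate administrative pattern the lure imitates; the alert comes from the combination of that parent with the stronger post-compromise indicators inside the same session. To apply this to real data, replace `SAMPLE_EVENTS` with events exported from Sysmon or the endpoint product and keep the fields `pid`, `ppid`, `image`, `cmdline`.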