New ClickFix campaign uses Windows Terminal to launch Lumma Stealer


A new ClickFix campaign has shifted from the Windows Run box to Windows Terminal, giving attackers a more believable way to trick victims into launching malware themselves. Microsoft says its Defender Experts spotted the campaign in February 2026 and found that targets were told to open Windows Terminal with the Windows + X, then I shortcut before pasting a malicious command.

That change matters because ClickFix already sits near the top of the current threat landscape. In its 2025 Digital Defense Report, Microsoft said ClickFix was the most common initial access method seen in Defender Expert notifications over the previous year, accounting for 47% of attacks, ahead of phishing at 35%. The same report says attackers use fake pop-ups, job prompts, and support messages to get users to paste commands into Run or a terminal, often pulling payloads directly into memory.

In this latest campaign, Microsoft says the final payload is Lumma Stealer, a well-known information stealer that targets browser data and other sensitive information. Microsoft’s own Lumma research says the malware can steal data from browsers and applications such as cryptocurrency wallets and can also install additional malware.

What changed in this ClickFix wave

Older ClickFix lures usually pushed users toward the Windows Run dialog with Win + R. Microsoft says this campaign instead guided victims into Windows Terminal, a trusted tool that looks more like routine administrative work and may slip past detections tuned to Run dialog abuse.

Microsoft’s public warning says the lure pages used fake CAPTCHA, troubleshooting, or verification-style prompts. Once the target opened Terminal, they were told to paste a malicious PowerShell command that the page had already placed on the clipboard. That command kicked off a multi-stage infection chain.

How the infection works

According to Microsoft’s public summary, the pasted command is hex-encoded and XOR-compressed. After execution in Windows Terminal, the chain spawns additional Terminal and PowerShell activity, decodes the script in memory, then downloads a ZIP payload and a renamed legitimate 7-Zip binary. The archive is then extracted to continue the attack.
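An analyst who recovers the pasted command from PowerShell script block logs or clipboard telemetry needs to see what it decodes to before the rest of the chain makes sense. The helper below is an added example, not Microsoft's tooling or anything from the campaign itself: it assumes the paste is plain hex text wrapped around a single-byte XOR layer, which is a simplification of the hex-plus-XOR layering Microsoft describes, and it recovers the key by scoring every candidate plaintext for printability and known script vocabulary. The sample paste is constructed inside the block from a harmless command.

```python
"""Triage a pasted ClickFix-style command that is hex-encoded and XOR-obfuscated.
Added example for analysts, not Microsoft's tooling: it assumes plain hex text and a
single-byte XOR key, a simplification of the layering Microsoft describes."""
import string

PRINTABLE = set(string.printable.encode("ascii"))
# Tokens that suggest a candidate plaintext really is a script (detection vocabulary)
SCRIPT_TOKENS = ("powershell", "write-host", "invoke-", "http",
                 "frombase64string", "downloadstring")


def hex_decode(blob: str) -> bytes:
    """Hex-decode while ignoring whitespace and quotes an analyst may have copied along."""
    cleaned = "".join(ch for ch in blob if ch in string.hexdigits)
    if len(cleaned) % 2:
        raise ValueError("odd number of hex digits; was the payload truncated?")
    return bytes.fromhex(cleaned)


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; it is symmetric, so the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def score_plaintext(candidate: bytes) -> float:
    """Higher is more script-like: printable ratio plus one point per known token."""
    printable = sum(b in PRINTABLE for b in candidate) / max(len(candidate), 1)
    text = candidate.decode("latin-1").lower()
    return printable + sum(tok in text for tok in SCRIPT_TOKENS)


def recover_xor_key(data: bytes) -> tuple[int, str]:
    """Try every single-byte key and return (key, decoded text) for the best score."""
    best_key, best_score = 0, -1.0
    for key in range(256):
        s = score_plaintext(xor_bytes(data, key))
        if s > best_score:
            best_key, best_score = key, s
    return best_key, xor_bytes(data, best_key).decode("latin-1")


def triage(pasted: str) -> tuple[int, str]:
    """Full pipeline: hex layer first, then the XOR layer."""
    return recover_xor_key(hex_decode(pasted))


# Constructed sample: a harmless command obfuscated with key 0x5A stands in for a real paste
SAMPLE_PLAINTEXT = b'Write-Host "constructed sample, nothing is downloaded"'
SAMPLE_PASTE = xor_bytes(SAMPLE_PLAINTEXT, 0x5A).hex()

if __name__ == "__main__":
    key, text = triage(SAMPLE_PASTE)
    print(f"key=0x{key:02x} decoded={text!r}")
```

The token list doubles as the tie-breaker: many wrong keys still yield fully printable bytes, so printability alone cannot pick the key, but only the right key produces recognisable script vocabulary. Extend SCRIPT_TOKENS with whatever your own logging shows, and treat a multi-byte key or a compression layer as the next thing to try when no candidate scores above 1.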

Microsoft says later stages can set persistence through scheduled tasks, configure Microsoft Defender exclusions, collect machine and network data, and deploy Lumma Stealer by injecting it into Chrome and Edge processes with QueueUserAPC(). The stealer then targets browser artifacts such as Login Data and Web Data to harvest saved credentials and related information.

Microsoft also said it observed a second pathway in which the Terminal-pasted command downloaded a randomly named batch file into AppData\Local and used cmd.exe to write a Visual Basic Script into the Temp folder. That means defenders should not assume every observed ClickFix chain will look identical after the first paste action.

Why Windows Terminal helps the attackers

Windows Terminal is a legitimate Microsoft tool, which makes the prompt feel less suspicious to many users. A fake page that tells someone to “open Terminal as part of a fix” can look more credible than a request to open Run and paste a random command. Microsoft’s February 2026 warning framed that trust effect as a core part of the campaign’s social engineering success.

The technique also lines up with broader ClickFix trends. Microsoft’s August 2025 ClickFix analysis and the 2025 Digital Defense Report both emphasized that this attack style works because users perform the execution step themselves, which weakens many traditional detections that focus on malicious attachments or obvious exploit activity.

ClickFix by the numbers

Metric | Verified detail
Microsoft observation window | February 2026 campaign using Windows Terminal
Top initial access method in Microsoft Defender Experts notifications | ClickFix at 47%
Phishing share in the same Microsoft chart | 35%
ESET growth figure | ClickFix detections grew 517% between H2 2024 and H1 2025
ESET share of blocked attacks | Nearly 8% in H1 2025
Final payload in this campaign | Lumma Stealer

What defenders should do

Microsoft’s Digital Defense Report says security teams need to move away from static indicators and focus more on behavior. The company specifically recommends awareness training, PowerShell script block logging, clipboard-to-terminal monitoring, browser hardening, and contextual detections that correlate clipboard usage with later execution activity.

That guidance fits this campaign well. Security teams should watch for unusual clipboard activity followed by wt.exe, powershell.exe, cmd.exe, or mshta.exe launches, especially when those processes appear after a browser session on an untrusted site. Reviewing scheduled tasks and persistence created shortly after Terminal use can also help catch infections before Lumma steals browser data. This recommendation is an inference drawn from Microsoft’s published attack chain and defensive advice.
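The correlation Microsoft recommends, clipboard use tied to later execution, is easiest to reason about on concrete telemetry. The script below is an added example and not Microsoft's detection logic: it assumes an EDR-style feed of process creation events plus a clipboard paste event that names the target process (a field not every product exposes), runs a simple rule over a constructed sample, and flags a Windows Terminal launch that follows browser activity and is then followed by a shell child, a long hex blob on the command line, a scheduled task, or a Defender exclusion, covering the persistence stages described earlier as well. The ten-minute window and the 64-character hex threshold are starting values to tune, not figures from the campaign.

```python
"""Correlate browser -> Windows Terminal -> shell activity in process and clipboard telemetry.
Added example, not Microsoft's detection logic; the event schema, the sample events and
the thresholds are assumptions."""
import re
from datetime import datetime, timedelta

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
TERMINALS = {"wt.exe", "windowsterminal.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
HEX_RUN = re.compile(r"[0-9a-fA-F]{64,}")  # long hex blob on a command line
PERSISTENCE = re.compile(r"schtasks(\.exe)?\s+/create|Register-ScheduledTask", re.I)
EXCLUSION = re.compile(r"Add-MpPreference\s+-Exclusion", re.I)


def parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def analyze(events, window=timedelta(minutes=10)):
    """Return one finding per Terminal launch preceded by browser activity and
    followed by suspicious child activity under the same user."""
    events = sorted(events, key=lambda e: parse(e["ts"]))
    procs = [e for e in events if e["type"] == "process"]
    pastes = [e for e in events if e["type"] == "clipboard_paste"]
    findings = []
    for term in (p for p in procs if p["image"].lower() in TERMINALS):
        t0, user = parse(term["ts"]), term["user"]
        recent_browser = any(p["image"].lower() in BROWSERS and p["user"] == user
                             and t0 - window <= parse(p["ts"]) <= t0 for p in procs)
        if not recent_browser:
            continue
        indicators = ["terminal launched within window of browser activity"]
        family = {term["pid"]}  # the terminal and its descendants inside the window
        for p in procs:
            if p["ppid"] in family and t0 <= parse(p["ts"]) <= t0 + window:
                family.add(p["pid"])
                img, cmd = p["image"].lower(), p.get("cmdline", "")
                if img in SHELLS:
                    indicators.append(f"{img} spawned from terminal")
                if HEX_RUN.search(cmd):
                    indicators.append(f"long hex blob in {img} command line")
                if PERSISTENCE.search(cmd):
                    indicators.append("scheduled task created after terminal use")
                if EXCLUSION.search(cmd):
                    indicators.append("Defender exclusion added after terminal use")
        if any(c["target_pid"] == term["pid"] and c["user"] == user
               and t0 <= parse(c["ts"]) <= t0 + window for c in pastes):
            indicators.append("clipboard paste into terminal")
        if len(indicators) > 1:  # browser precedence alone is not worth an alert
            findings.append({"user": user, "terminal_pid": term["pid"], "indicators": indicators})
    return findings


# Constructed sample telemetry (pid 100 stands in for explorer.exe; the hex blob is filler)
SAMPLE_EVENTS = [
    {"type": "process", "ts": "2026-02-10T10:00:00", "pid": 400, "ppid": 100, "user": "alice",
     "image": "msedge.exe", "cmdline": "msedge.exe"},
    {"type": "process", "ts": "2026-02-10T10:03:10", "pid": 500, "ppid": 100, "user": "alice",
     "image": "wt.exe", "cmdline": "wt.exe"},
    {"type": "clipboard_paste", "ts": "2026-02-10T10:03:15", "target_pid": 500, "user": "alice",
     "length": 1800},
    {"type": "process", "ts": "2026-02-10T10:03:16", "pid": 510, "ppid": 500, "user": "alice",
     "image": "powershell.exe", "cmdline": "powershell.exe -nop -w hidden -c " + "ab" * 40},
    {"type": "process", "ts": "2026-02-10T10:04:00", "pid": 520, "ppid": 510, "user": "alice",
     "image": "schtasks.exe",
     "cmdline": "schtasks.exe /create /tn Updater /tr C:\\Users\\alice\\AppData\\Local\\placeholder.bat /sc minute"},
    # Benign contrast: an admin opens Terminal with no browser session beforehand
    {"type": "process", "ts": "2026-02-10T11:30:00", "pid": 900, "ppid": 100, "user": "bob",
     "image": "wt.exe", "cmdline": "wt.exe"},
    {"type": "process", "ts": "2026-02-10T11:30:05", "pid": 910, "ppid": 900, "user": "bob",
     "image": "powershell.exe", "cmdline": "powershell.exe -c Get-Process"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["user"], f["terminal_pid"], *f["indicators"], sep="\n  ")
```

Run against the sample, the rule produces one finding for alice with five indicators and nothing for bob, whose Terminal session had no browser precedence. In production the browser check should also consider the tab's site reputation where the browser exposes it, since Terminal opened after a session on an untrusted site is the signal the article points at, and a lone "terminal after browser" hit should stay a low-severity enrichment rather than an alert.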

FAQ

What is ClickFix?

ClickFix is a social engineering technique that tricks users into copying and pasting malicious commands into Windows Run or a terminal. Microsoft says it often relies on fake pop-ups, support messages, or CAPTCHA-style prompts.

What is new in this 2026 campaign?

Microsoft says the attackers shifted users into Windows Terminal instead of the Run dialog. The campaign used the Windows + X, then I shortcut to open Terminal and make the action look more legitimate.

What malware does this campaign deliver?

Microsoft says the payload is Lumma Stealer, an information-stealing malware family that targets browser credentials and other sensitive data.

Why is Windows Terminal abuse harder to spot?

Because Terminal is a trusted system component and the victim launches it manually. Microsoft says the shift also helps attackers bypass detections built around Run dialog abuse.

How common is ClickFix now?

Microsoft says it accounted for 47% of the initial access methods seen in Defender Expert notifications over the last year. ESET separately reported a 517% jump in ClickFix detections between H2 2024 and H1 2025.
