Microsoft has identified a sophisticated social engineering campaign that uses bogus CAPTCHA pages to trick users into executing malicious commands within the Windows Terminal. By bypassing traditional Run dialog detections, the attack successfully deploys the Lumma Stealer malware to harvest sensitive browser data and credentials.
Microsoft researchers recently uncovered a widespread social engineering operation known as ClickFix that leverages the Windows Terminal app to compromise systems. Observed in early 2026, the campaign marks a tactical shift from older methods that relied on the Windows Run dialog. Instead of prompting users to paste commands into a simple run box, attackers now guide targets to use the Windows + X → I keyboard shortcut. This specific sequence opens the Windows Terminal, a more advanced environment that often appears more legitimate to users accustomed to administrative workflows.
The attack begins when a user encounters a deceptive lure, such as a fake troubleshooting prompt or a verification-style CAPTCHA page. These pages instruct the user to copy a string of text and paste it directly into their terminal session. Because the Windows Terminal is a trusted system utility, many users do not realize that the hex-encoded and compressed command they are pasting is designed to bypass security detections specifically tuned for simpler command-line tools. Once the command is entered, it triggers a complex chain of PowerShell and Terminal instances to begin the infection process.
In the primary attack pathway, the initial command decodes a script that downloads a ZIP payload and a renamed version of the 7-Zip utility. Using this legitimate file-archiving tool, the malware extracts its components and establishes a foothold on the machine. The attack chain then moves through several stages, including the creation of scheduled tasks for persistence and the configuration of Microsoft Defender exclusions to avoid being caught by antivirus software. This structured approach allows the attackers to operate with minimal interference while they prepare for data theft.
The ultimate objective of this campaign is the deployment of Lumma Stealer, a sophisticated malware variant designed to target high-value browser data. The malware uses the QueueUserAPC API (asynchronous procedure call injection) to inject its code into active browser processes such as Chrome and Microsoft Edge. Once inside these processes, the stealer harvests stored credentials, web data, and login information. This stolen information is then exfiltrated to infrastructure controlled by the attackers, putting the user's online accounts and personal security at significant risk.
Microsoft also noted a secondary pathway that uses a technique known as EtherHiding. In this version, the pasted command uses cmd.exe to drop a batch script and a Visual Basic Script into local folders. The dropped scripts then abuse the legitimate MSBuild utility to execute further malicious code and connect to cryptocurrency blockchain endpoints to retrieve hidden instructions. Like the primary path, this method eventually leads to the same process injection and credential harvesting, demonstrating the flexibility and complexity of the ClickFix infrastructure in targeting Windows users.
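The chain described in the preceding paragraphs (a shell launched under Windows Terminal running an encoded/compressed command, a renamed 7-Zip binary, scheduled-task persistence, Defender exclusions, and, in the secondary path, MSBuild spawned from a script host) is visible in ordinary process-creation telemetry. The following Python is an added example written for this article, not Microsoft's detection logic or anything from the report: it walks a constructed set of Sysmon-style events (pids, parent pids, image paths, command lines and the PE OriginalFileName field) and reports the processes that match the behaviours above. The event field names, the image-name sets, the regular expressions and the sample command lines are all assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation event, shaped like Sysmon event ID 1 / EDR telemetry (assumed schema)."""
    pid: int
    ppid: int
    image: str               # full path of the new process
    cmdline: str             # command line as logged
    original_name: str = ""  # PE OriginalFileName; survives a rename of the file on disk


TERMINAL_IMAGES = {"windowsterminal.exe", "wt.exe"}
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe"}
ARCHIVER_NAMES = {"7z.exe", "7za.exe"}

# Encoded, compressed or download-and-execute PowerShell: -enc/-EncodedCommand, base64
# or gzip/deflate decoding, a long hex blob, or inline execution of fetched content.
OBFUSCATION = re.compile(
    r"(-e(nc|ncodedcommand)?\b|FromBase64String|GZipStream|DeflateStream|Decompress"
    r"|[0-9A-Fa-f]{64,}|\biex\b|Invoke-Expression|DownloadString|Invoke-WebRequest)",
    re.IGNORECASE,
)
PERSISTENCE = re.compile(r"schtasks(\.exe)?\s.*?/create|Register-ScheduledTask", re.IGNORECASE)
DEFENDER_EXCLUSION = re.compile(
    r"Add-MpPreference\s.*?-Exclusion(Path|Process|Extension)", re.IGNORECASE
)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def has_ancestor(ev: ProcEvent, by_pid: dict, names: set, max_depth: int = 8) -> bool:
    """True if any ancestor (up to max_depth hops) has an image name in `names`."""
    cur = ev
    for _ in range(max_depth):
        parent = by_pid.get(cur.ppid)
        if parent is None:
            return False
        if basename(parent.image) in names:
            return True
        cur = parent
    return False


def analyse(events: list) -> list:
    """Return one finding per process that shows a ClickFix-style behaviour.

    A shell simply running under Windows Terminal is normal and is recorded only as
    context; a finding needs at least one substantive reason.
    """
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image)
        reasons = []
        if name in SHELL_IMAGES and OBFUSCATION.search(e.cmdline):
            reasons.append("encoded/compressed or download-and-execute command line")
        if PERSISTENCE.search(e.cmdline):
            reasons.append("scheduled task creation")
        if DEFENDER_EXCLUSION.search(e.cmdline):
            reasons.append("Defender exclusion added")
        if e.original_name.lower() in ARCHIVER_NAMES and name not in ARCHIVER_NAMES:
            reasons.append(f"renamed 7-Zip binary ({name})")
        if name == "msbuild.exe" and has_ancestor(e, by_pid, SCRIPT_HOSTS):
            reasons.append("MSBuild spawned from a script host")
        if reasons:
            findings.append({
                "pid": e.pid,
                "image": name,
                "reasons": reasons,
                "terminal_session": has_ancestor(e, by_pid, TERMINAL_IMAGES),
            })
    return findings


# Constructed sample telemetry (not real campaign data): a Terminal session that runs a
# hex-blob command, a renamed archiver, an exclusion, a task, then the cmd/VBS/MSBuild path,
# plus a benign admin session for contrast.
TEMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\WindowsApps\Microsoft.WindowsTerminal\WindowsTerminal.exe", "wt.exe"),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -w hidden -c \"$h='" + "4d5a" * 20
              + "';$s=New-Object IO.Compression.GZipStream;iex $s\""),
    ProcEvent(301, 300, TEMP + r"\upd.exe", "upd.exe x payload.zip -oout", original_name="7z.exe"),
    ProcEvent(302, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell Add-MpPreference -ExclusionPath " + TEMP),
    ProcEvent(303, 300, r"C:\Windows\System32\schtasks.exe",
              "schtasks /create /tn Updater /tr " + TEMP + r"\upd.exe /sc minute /mo 5"),
    ProcEvent(400, 200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c wscript " + TEMP + r"\run.vbs"),
    ProcEvent(401, 400, r"C:\Windows\System32\wscript.exe", "wscript " + TEMP + r"\run.vbs"),
    ProcEvent(402, 401, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              "MSBuild.exe " + TEMP + r"\task.xml"),
    ProcEvent(500, 200, r"C:\Program Files\PowerShell\7\pwsh.exe", "pwsh -NoLogo"),
    ProcEvent(501, 500, r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        ctx = " [under Windows Terminal]" if f["terminal_session"] else ""
        print(f"pid {f['pid']} {f['image']}{ctx}: " + "; ".join(f["reasons"]))
```

The parent-walk is what separates this from a plain command-line grep: the MSBuild rule only fires when a script host is an ancestor, and the benign `pwsh -NoLogo` session under the same Terminal produces no finding. In a real pipeline the same rules would be applied to EDR process-creation events rather than the constructed list, and the Terminal-session flag is best used to raise severity rather than as a rule on its own.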
Source: Microsoft Exposes ClickFix Campaign Using Windows Terminal To Deploy Lumma Stealer