Microsoft Uncovers Sophisticated ClickFix Social Engineering Campaign Targeting Windows Terminal Users
In a recent revelation, Microsoft has highlighted a sophisticated social engineering campaign that extensively exploits bogus CAPTCHA pages, aiming to trick users into executing malicious commands within the Windows Terminal. This campaign effectively bypasses traditional Run dialog detections, leading to the deployment of the Lumma Stealer malware, which is designed to harvest sensitive browser data and user credentials.
The initiative, described as the ClickFix operation, was uncovered by Microsoft researchers working diligently to understand current cybersecurity threats. Detected in early 2026, this campaign represents a notable tactical shift from previous methods that typically relied on the Windows Run dialog. Instead of guiding users to simply paste commands into a straightforward run box, the attackers have devised a more sophisticated workflow. Users are now instructed to use the Windows + X → I keyboard shortcut, which opens the Windows Terminal. This advanced application is perceived as more legitimate, particularly among users accustomed to executing administrative tasks.
The attack process commences with the user falling victim to a deceptive lure, which may present itself as a fake troubleshooting prompt or a verification-style CAPTCHA page. This misleading content instructs the user to copy a specific string of text and paste it directly into their terminal session. Owing to the trust associated with the Windows Terminal as a legitimate system utility, victims often do not suspect that the hex-encoded and compressed command they are pasting is designed to elude security detections crafted for more simplistic command-line tools. Once the command is entered, it sets off a complex series of operations involving PowerShell and multiple Terminal instances, initiating the infection process.
At the heart of the primary attack pathway, the script decoded from the initial command downloads a ZIP payload along with a renamed version of the 7-Zip utility. This particular, legitimate file compression tool is then used by the malware to extract its components and establish a foothold on the compromised machine. The malicious actors follow a structured approach that encompasses several stages. Notably, these stages include the creation of scheduled tasks aimed at ensuring persistence and the configuration of exclusions within Microsoft Defender, which helps to avoid detection by antivirus software. This meticulous process allows the attackers to operate with minimal interference while they prepare for the eventual theft of user data.
The ultimate goal of this malicious campaign is the deployment of Lumma Stealer, an advanced malware variant specifically designed to target high-value browser data. Utilizing a method labeled QueueUserAPC, the malware injects its code into active browser processes such as Chrome and Microsoft Edge. Once embedded in these processes, Lumma Stealer proceeds to harvest stored credentials, web data, and login information. The exfiltrated data is then sent back to servers controlled by the attackers, significantly jeopardizing the online accounts and overall personal security of the victims.
Moreover, Microsoft has identified a secondary attack pathway that incorporates a technique referred to as etherhiding. In this variant, the pasted command involves cmd.exe, which is tasked with dropping a batch script and a Visual Basic Script into local folders. From there, the script leverages the legitimate MSBuild utility to execute additional malicious code and connects to cryptocurrency blockchain endpoints to retrieve hidden instructions. Similar to the primary pathway, this method ultimately leads to process injection and credential harvesting, illustrating the adaptability and complexity of the ClickFix infrastructure in targeting Windows users.
The implications of this campaign are far-reaching, providing a stark reminder of the evolving nature of cyber threats. As attackers refine their techniques to exploit human psychology and system vulnerabilities, it becomes increasingly crucial for users to maintain vigilance, particularly regarding suspicious prompts and requests. With sophisticated social engineering campaigns like ClickFix on the rise, Microsoft’s findings serve as a clarion call for both users and security professionals alike to enhance their awareness and protective measures against such threats.
In conclusion, Microsoft’s ongoing commitment to unveiling and understanding emerging cybersecurity threats underscores its pivotal role in safeguarding digital environments. As the landscape continues to evolve, awareness and education will be key components in combatting sophisticated social engineering tactics aimed at compromising user data.
Source: Microsoft Exposes ClickFix Campaign Using Windows Terminal To Deploy Lumma Stealer