New ClickFix Attack Exploits Windows Terminal to Deploy Lumma Stealer Malware
Cybersecurity experts have identified a sophisticated evolution in ClickFix attacks, now leveraging Windows Terminal to infiltrate systems with malicious payloads. This method marks a significant shift from previous tactics that utilized the Windows Run dialog, enhancing the attack’s stealth and credibility.
Evolution of ClickFix Attacks
First detected in early 2024, ClickFix attacks initially involved deceptive browser error prompts that tricked users into executing harmful commands. The prevalence of these attacks has surged dramatically, with a 517% increase reported in 2025, positioning ClickFix as a leading global attack vector, second only to phishing.
The New Attack Vector: Windows Terminal
In February 2026, Microsoft Threat Intelligence analysts uncovered a widespread ClickFix campaign targeting Windows Terminal. Unlike earlier methods that directed users to the Run dialog via the Win + R shortcut, this campaign instructs victims to use the Windows + X shortcut followed by I to open Windows Terminal. This strategy allows attackers to bypass security tools designed to detect misuse of the Run dialog and places victims in a command-line environment that appears routine.
Impact and Payload
The consequences of this campaign are significant. According to Microsoft’s 2025 Digital Defense Report, ClickFix has become the primary initial access method, accounting for 47% of all attacks tracked by Microsoft Defender Experts, surpassing traditional phishing at 35%. The final payload in this campaign is Lumma Stealer, a credential-harvesting malware that extracts saved usernames, passwords, and sensitive browser data from Chrome and Edge.
Attack Execution Process
The attack initiates when a victim visits a compromised or malicious website. Hidden JavaScript on the page silently copies a hex-encoded, XOR-compressed PowerShell command into the user’s clipboard without any visible indication. A fake CAPTCHA or verification prompt then appears, impersonating trusted brands like Cloudflare or Microsoft, instructing the user to open Windows Terminal and paste the clipboard contents to fix a supposed issue.
Upon execution in Windows Terminal, the PowerShell process decodes the compressed script in memory and establishes connections to attacker-controlled servers. It downloads a renamed 7-Zip executable and a ZIP archive containing the next stage of the attack. The file is extracted and executed silently, with no visible prompts, leaving the victim unaware of the infection.
Persistence Mechanism
The malware establishes persistence by creating a scheduled task that runs upon system restart. Lumma Stealer is placed in `C:\ProgramData\app_config\ctjb` and uses QueueUserAPC() injection to embed itself into active browser processes, including chrome.exe and msedge.exe. Once embedded, it reads login data and web data files stored by the browser, harvesting saved credentials and sensitive autofill entries before transmitting them to the attacker’s remote infrastructure.
Detection Challenges
Detection is complicated because wt.exe (Windows Terminal) is a trusted system component on many Windows machines. Security monitoring tools may not immediately flag PowerShell activity initiated from Windows Terminal, allowing the attacker undetected time to complete the infection chain.
Mitigation Strategies
To mitigate exposure to this threat, organizations should educate employees to never paste commands into any terminal prompted by a website. Windows Terminal and PowerShell should be restricted to administrative accounts through Group Policy. Security teams should regularly inspect registry keys under `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and review Windows Task Scheduler for unrecognized scheduled tasks. Endpoint detection tools should be configured to monitor and alert on PowerShell processes spawned by wt.exe, and antimalware definitions should be updated regularly across all endpoints.
Conclusion
The evolution of ClickFix attacks to exploit Windows Terminal underscores the need for continuous vigilance and adaptation in cybersecurity practices. By understanding the mechanisms of such attacks and implementing robust security measures, organizations can better protect themselves against these sophisticated threats.
