{"id":176,"date":"2026-03-06T09:01:08","date_gmt":"2026-03-06T09:01:08","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=176"},"modified":"2026-03-06T09:01:08","modified_gmt":"2026-03-06T09:01:08","slug":"microsoft-reveals-clickfix-campaign-using-windows-terminal-to-deploy-lumma-stealer","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=176","title":{"rendered":"Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><span class=\"author\">Ravie Lakshmanan<\/span>, <span class=\"author\">Mar 06, 2026<\/span><\/span> <span class=\"p-tags\">Endpoint Security \/ Browser Security<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<p>Microsoft on Thursday disclosed details of a new, widespread ClickFix social engineering campaign that abuses the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Windows_Terminal\" rel=\"noopener\" target=\"_blank\">Windows Terminal app<\/a> to kick off a multi-stage attack chain that ends in the deployment of the Lumma Stealer malware.<\/p>\n<p>The activity, observed in February 2026, has victims paste the malicious command into the terminal emulator rather than into the Windows Run dialog (Win+R), which is where most ClickFix lures send their targets.<\/p>\n<p>\u00abThis campaign instructs targets to use the Windows + X \u2192 I shortcut to launch Windows Terminal (wt.exe) directly, guiding users into a privileged command execution environment that blends 
into legitimate administrative workflows and appears more trustworthy to users,\u00bb the Microsoft Threat Intelligence team <a href=\"https:\/\/x.com\/MsftSecIntel\/status\/2029692925118992473\" rel=\"noopener\" target=\"_blank\">said<\/a> in a series of posts on X.<\/p>\n<p>What makes this variant notable is that it sidesteps detections written specifically for Run dialog abuse (commands entered at Win+R run as children of explorer.exe, which is what such rules typically key on), and that it borrows the legitimacy of Windows Terminal to talk unsuspecting users into running malicious commands delivered via bogus CAPTCHA pages, troubleshooting prompts, or other verification-style lures.<\/p>\n<p>The post-compromise chain is also distinctive: when the user pastes the hex-encoded, XOR-compressed command copied from the ClickFix lure page into a Windows Terminal session, it spawns additional Terminal\/PowerShell instances that ultimately invoke a PowerShell process responsible for decoding the script.<\/p>\n<p>This, in turn, leads to the download of a ZIP payload and a legitimate but renamed 7-Zip binary, the latter of which is saved to disk with a randomized file name. 
The utility then extracts the contents of the ZIP file, triggering a multi-stage attack chain that involves the following steps:<\/p>\n<ul>\n<li>Retrieving more payloads<\/li>\n<li>Setting up persistence via scheduled tasks<\/li>\n<li>Configuring Microsoft Defender exclusions<\/li>\n<li>Exfiltrating machine and network data<\/li>\n<li>Deploying Lumma Stealer through <a href=\"https:\/\/nyameeeain.medium.com\/queueuserapc-process-injection-6f31fcb89410\" rel=\"noopener\" target=\"_blank\">QueueUserAPC()<\/a>-based APC injection into the \u00abchrome.exe\u00bb and \u00abmsedge.exe\u00bb browser processes<\/li>\n<\/ul>\n<p>\u00abThe stealer targets high-value browser artifacts, including Web Data and Login Data, harvesting stored credentials and exfiltrating them to attacker-controlled infrastructure,\u00bb Microsoft said.<\/p>\n<p>Web Data and Login Data are the SQLite databases inside a Chromium browser profile that hold autofill and payment details and saved credentials respectively; running inside chrome.exe or msedge.exe lets the stealer read them, and decrypt them, as the browser itself would.<\/p>\n<p>The Windows maker said it also detected a second attack pathway in which the pasted command, once run in Windows Terminal, uses \u00abcmd.exe\u00bb to download a randomly named batch script to the \u00abAppData\\Local\u00bb folder and to write a Visual Basic Script to the Temp folder (%TEMP%).<\/p>\n<p>\u00abThe batch script is then executed via cmd.exe with the \/launched command-line argument. The same batch script is then executed through MSBuild.exe, resulting in LOLBin abuse,\u00bb it added. 
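<\/p>
<p>The stages above, from the paste into Windows Terminal through the renamed 7-Zip drop, scheduled-task persistence, Defender exclusions and the cmd.exe \/launched and MSBuild.exe pathway, each leave a mark in process-creation telemetry. The Python below is an added example for this page, not code from Microsoft, from the author of the article, or from the campaign: it runs one rule per stage over constructed Sysmon Event ID 1 style records and only calls the result a ClickFix chain when several distinct stages co-occur. The field names follow Sysmon; the user name, paths, file names and command lines are made up; and the assumption that the pasted command surfaces as a long hex run on a shell spawned under WindowsTerminal.exe (the host process behind the wt.exe alias) is made for this example, not something the article states.<\/p>
```python
import ntpath
import re
from typing import Dict, List, Optional, Tuple

Event = Dict[str, str]

# Constructed Sysmon Event ID 1 style records that mirror the chain in the article.
# User name, paths, file names and command lines are made up, not captured telemetry.
USER = 'C:\\Users\\jdoe'
WT = 'C:\\Program Files\\WindowsApps\\Microsoft.WindowsTerminal\\WindowsTerminal.exe'
PS = 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'
CMD = 'C:\\Windows\\System32\\cmd.exe'
MSBUILD = 'C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe'


def ev(image: str, parent: str, cmdline: str, original: str = '') -> Event:
    # OriginalFileName comes from the PE version resource and survives a rename on disk
    return {'Image': image, 'ParentImage': parent, 'CommandLine': cmdline,
            'OriginalFileName': original or ntpath.basename(image)}


EVENTS: List[Event] = [
    ev(WT, 'C:\\Windows\\explorer.exe', 'WindowsTerminal.exe'),
    # the pasted ClickFix command: a long hex blob handed to a shell under the terminal
    ev(PS, WT, 'powershell.exe -NoProfile -WindowStyle Hidden -Command ' + '4a' * 80, 'PowerShell.EXE'),
    # legitimate 7-Zip dropped under a random name and used to unpack the ZIP payload
    ev(USER + '\\AppData\\Local\\Temp\\qk7m2z.exe', PS,
       'qk7m2z.exe x ' + USER + '\\AppData\\Local\\Temp\\pkg.zip -o' + USER + '\\AppData\\Local\\qk7m2z', '7z.exe'),
    ev('C:\\Windows\\System32\\schtasks.exe', CMD,
       'schtasks.exe /create /sc minute /mo 5 /tn Updater /tr ' + USER + '\\AppData\\Local\\qk7m2z\\run.bat'),
    ev(PS, CMD, 'powershell.exe -Command Add-MpPreference -ExclusionPath ' + USER + '\\AppData\\Local', 'PowerShell.EXE'),
    # second pathway: batch script run with /launched, then the same file fed to MSBuild.exe
    ev(CMD, PS, 'cmd.exe /c ' + USER + '\\AppData\\Local\\h3x9p.bat /launched', 'Cmd.Exe'),
    ev(MSBUILD, CMD, 'MSBuild.exe ' + USER + '\\AppData\\Local\\h3x9p.bat'),
    ev('C:\\Windows\\System32\\wscript.exe', CMD, 'wscript.exe ' + USER + '\\AppData\\Local\\Temp\\u1.vbs'),
    # benign look-alikes that must stay quiet
    ev('C:\\Program Files\\7-Zip\\7z.exe', 'C:\\Windows\\explorer.exe', '7z.exe a backup.zip docs'),
    ev(MSBUILD, 'C:\\Program Files\\dotnet\\dotnet.exe', 'MSBuild.exe C:\\src\\app\\app.csproj /t:Build'),
    ev(PS, WT, 'powershell.exe Get-ChildItem ' + USER, 'PowerShell.EXE'),
]

HEX_BLOB = re.compile('[0-9a-fA-F]{64,}')
TERMINAL_HOSTS = {'wt.exe', 'windowsterminal.exe', 'openconsole.exe'}
SHELLS = {'powershell.exe', 'pwsh.exe', 'cmd.exe'}
SEVENZIP = {'7z.exe', '7za.exe', '7zr.exe', '7zg.exe'}


def base(path: str) -> str:
    return ntpath.basename(path).lower()


def rule_terminal_paste(e: Event) -> Optional[str]:
    # wt.exe is only the launcher alias; the shell is a child of WindowsTerminal.exe
    if (base(e['ParentImage']) in TERMINAL_HOSTS and base(e['Image']) in SHELLS
            and HEX_BLOB.search(e['CommandLine'])):
        return 'shell under Windows Terminal with long hex blob (ClickFix paste)'
    return None


def rule_renamed_7zip(e: Event) -> Optional[str]:
    if e['OriginalFileName'].lower() in SEVENZIP and base(e['Image']) not in SEVENZIP:
        return 'legitimate 7-Zip running under a renamed file name'
    return None


def rule_defender_exclusion(e: Event) -> Optional[str]:
    cl = e['CommandLine'].lower()
    if 'add-mppreference' in cl and '-exclusion' in cl:
        return 'Microsoft Defender exclusion added from the command line'
    return None


def rule_scheduled_task(e: Event) -> Optional[str]:
    cl = e['CommandLine'].lower()
    if (base(e['Image']) == 'schtasks.exe' and '/create' in cl) or 'register-scheduledtask' in cl:
        return 'scheduled task created (persistence)'
    return None


def rule_batch_launched(e: Event) -> Optional[str]:
    cl = e['CommandLine'].lower()
    if base(e['Image']) == 'cmd.exe' and '.bat' in cl and '/launched' in cl and '\\appdata\\local\\' in cl:
        return 'cmd.exe running an AppData\\Local batch script with /launched'
    return None


def rule_msbuild_batch(e: Event) -> Optional[str]:
    # MSBuild.exe normally takes a project file; a .bat argument is the LOLBin pattern
    if base(e['Image']) == 'msbuild.exe' and '.bat' in e['CommandLine'].lower():
        return 'MSBuild.exe pointed at a batch file (LOLBin abuse)'
    return None


def rule_vbs_from_temp(e: Event) -> Optional[str]:
    cl = e['CommandLine'].lower()
    if base(e['Image']) in {'wscript.exe', 'cscript.exe'} and '.vbs' in cl and '\\temp\\' in cl:
        return 'script host executing VBS from Temp'
    return None


RULES = [rule_terminal_paste, rule_renamed_7zip, rule_defender_exclusion, rule_scheduled_task,
         rule_batch_launched, rule_msbuild_batch, rule_vbs_from_temp]


def detect(events: List[Event]) -> List[Tuple[int, str]]:
    hits = []
    for i, e in enumerate(events):
        for rule in RULES:
            name = rule(e)
            if name:
                hits.append((i, name))
    return hits


def chain_detected(events: List[Event], min_stages: int = 3) -> bool:
    # Several rules are noisy on their own (admins add exclusions and tasks legitimately);
    # only call it the ClickFix chain when distinct stages co-occur in one scope (host, hour).
    return len({name for _, name in detect(events)}) >= min_stages


if __name__ == '__main__':
    for i, name in detect(EVENTS):
        print(i, base(EVENTS[i]['Image']), '->', name)
    print('chain:', chain_detected(EVENTS))
```
<p>A single hit is a hunting lead rather than a verdict: administrators add Defender exclusions and scheduled tasks legitimately, which is why chain_detected waits for three distinct stages before it fires. The renamed-7-Zip rule relies on OriginalFileName, which Sysmon reads from the PE version resource, so renaming the file on disk does not hide it.<\/p>
<p>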
\u00abThe script connects to Crypto Blockchain RPC endpoints, indicating an EtherHiding technique. It also performs QueueUserAPC()-based code injection into chrome.exe and msedge.exe processes to harvest Web Data and Login Data.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Ravie Lakshmanan, Mar 06, 2026 (Endpoint Security \/ Browser Security). Microsoft on Thursday disclosed details of a new widespread ClickFix social engineering campaign that has leveraged the Windows Terminal app as a&hellip;<\/p>\n","protected":false},"author":1,"featured_media":177,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[6,225,229,477,147,475,478,476,307],"class_list":["post-176","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-campaign","tag-clickfix","tag-deploy","tag-lumma","tag-microsoft","tag-reveals","tag-stealer","tag-terminal","tag-windows"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/176","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=176"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/176\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/177"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=176"}],"wp:term":[{"taxonomy":"category","em
beddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=176"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=176"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}