ClickFix Attack Chain Evolves: Hijacking Windows Terminal to Spread Lumma Stealer

Security Arsenal Team
March 13, 2026
5 min read

Social engineering remains the most reliable initial access vector for cybercriminals, and the techniques they employ are constantly shifting to bypass user awareness and security controls. In a significant evolution of the "ClickFix" campaigns, Microsoft has uncovered a new operation that leverages the modern Windows Terminal application to deploy the notorious Lumma Stealer malware.

Observed in February 2026, this campaign abandons the traditional technique of instructing victims to launch the legacy Windows Run dialog (Win + R). Instead, it manipulates users into executing malicious commands directly within the Windows Terminal interface. This subtle shift poses new challenges for endpoint detection and user education, as the terminal emulator is increasingly seen as a standard, trusted tool for developers and administrators.

The Mechanics of the New ClickFix Vector

The core of the ClickFix technique is psychological manipulation. Victims are typically lured to fraudulent websites masquerading as legitimate software download pages or technical support guides. Upon arrival, they are presented with a fabricated error message—often styled to look like a system crash or a browser extension failure.

To "fix" the issue, the user is instructed to copy a specific command string and paste it into a command-line interface. Historically, this involved the Run dialog or Command Prompt (cmd.exe). In this latest iteration, the instructions explicitly guide the user to open Windows Terminal.

Once the user pastes the provided command, the terminal executes a PowerShell one-liner. This script silently reaches out to a remote server to retrieve a second-stage payload, which is then executed on the victim's machine. The abuse of Windows Terminal is particularly insidious because it adds a layer of perceived legitimacy; the interface is modern, sleek, and increasingly pre-installed on Windows 11 environments, making it less suspicious to the average user than a stark black console window.

The Payload: Lumma Stealer

The ultimate goal of this campaign is the deployment of Lumma Stealer (also known as LummaC2). This is an information-stealing malware (InfoStealer) available as a Malware-as-a-Service (MaaS). It is designed to exfiltrate sensitive data from compromised browsers and cryptocurrency wallets.

Lumma Stealer is highly modular and capable of harvesting:

  • Saved cookies and login credentials from browsers like Chrome, Edge, and Firefox.
  • Cryptocurrency wallet keys and extension data.
  • Two-factor authentication (2FA) tokens.
  • Autocomplete and form history data.

Once stolen, this data is either sold on dark web forums or used directly by the attackers to hijack accounts and siphon funds. The use of Lumma Stealer suggests a financial motivation, targeting both individual users and employees whose corporate credentials may be cached on personal devices.

Detection and Threat Hunting

Detecting this attack requires looking for the unusual parent-child process relationships created when Windows Terminal launches a shell, combined with suspicious network activity. Standard PowerShell logging is critical here.

KQL Queries (Microsoft Sentinel / Defender)

The following KQL query identifies suspicious process creations where Windows Terminal spawns a PowerShell or cmd.exe instance whose command line contains a common download or decode primitive, a strong indicator of this attack chain.

```kql
DeviceProcessEvents
| where Timestamp > ago(7d)
// Look for Windows Terminal as the initiating (parent) process
| where InitiatingProcessFileName =~ "WindowsTerminal.exe"
// Filter for PowerShell (Windows PowerShell or PowerShell 7) or CMD execution
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe")
// Hunt for common download and decode mechanisms used in ClickFix one-liners
| where ProcessCommandLine has_any ("Invoke-WebRequest", "IEX", "DownloadString", "FromBase64String", "Start-BitsTransfer")
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine, AccountName
| order by Timestamp desc
```

Additionally, we can hunt for the specific pattern of a Windows Terminal launch followed within 30 seconds by a shell on the same device whose command line references a URL or clipboard activity. This is often behavior indicative of a user following a script rather than performing admin tasks.

```kql
DeviceProcessEvents
| where Timestamp > ago(3d)
| where FileName =~ "WindowsTerminal.exe"
| project DeviceId, DeviceName, AccountName, TerminalStart = Timestamp
| join kind=inner (
    DeviceProcessEvents
    | where Timestamp > ago(3d)
    | where FileName in~ ("powershell.exe", "cmd.exe")
    | project DeviceId, ShellStart = Timestamp, ShellCommandLine = ProcessCommandLine
) on DeviceId
// KQL joins only support equality in the "on" clause, so the 30-second
// window is applied as a filter after joining on DeviceId
| where ShellStart between (TerminalStart .. (TerminalStart + 30s))
| where ShellCommandLine has_any ("http", "paste", "copy")
| summarize count() by DeviceName, AccountName
```

PowerShell Investigation Script

If you suspect a machine has been compromised, you can use the following PowerShell script to check for recent PowerShell process events associated with Windows Terminal.

```powershell
# Pull script block logging events (Event ID 4104). Full coverage requires the
# "Turn on PowerShell Script Block Logging" policy; without it PowerShell 5+ still
# writes 4104 for script blocks it flags as suspicious, but not for every block.
$Events = Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104} -ErrorAction SilentlyContinue

if ($Events) {
    # -match is case-insensitive; \b keeps 'IEX' from matching inside words such as 'iexplore'
    $SuspiciousScripts = $Events | Where-Object {
        $_.Message -match 'WindowsTerminal' -or
        $_.Message -match 'DownloadString' -or
        $_.Message -match '\bIEX\b'
    }

    if ($SuspiciousScripts) {
        Write-Host "Potential ClickFix activity found:" -ForegroundColor Red
        $SuspiciousScripts | Select-Object TimeCreated, Id, Message | Format-List
    } else {
        Write-Host "No suspicious PowerShell script blocks detected related to Windows Terminal." -ForegroundColor Green
    }
} else {
    Write-Host "PowerShell Operational Log not found or empty." -ForegroundColor Yellow
}
```

Mitigation Strategies

Stopping this campaign requires a blend of technical controls and user awareness.

  1. Attack Surface Reduction (ASR) Rules: Enable the ASR rules "Block Office applications from creating child processes" and "Block Adobe Reader from creating child processes" where applicable, but, more importantly, use the rules that prevent PowerShell from executing obfuscated scripts or downloading content from the internet.
  2. Application Control: Implement AppLocker or Windows Defender Application Control (WDAC) to restrict which applications can launch Windows Terminal and what scripts can be executed in an unsigned context.
  3. Network Filtering: Inspect DNS requests and HTTPS traffic for known indicators of compromise (IoCs) associated with Lumma Stealer command-and-control (C2) servers. Block access to suspicious file-sharing domains often used for payload delivery.
  4. User Education: Update security awareness training to specifically cover the "ClickFix" tactic. Users must understand that legitimate technical support will never ask them to open a terminal window and paste a random command to "fix" a browser error or video player issue.
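As an added example (not code from the original post), the following PowerShell stages the ASR rules named in point 1, plus Microsoft's "Block execution of potentially obfuscated scripts" rule, in audit mode first and then lists their state and any audit hits. The rule GUIDs are Microsoft's documented ASR identifiers, not values from this page; it assumes an elevated session with Microsoft Defender Antivirus as the active engine.

```powershell
# Added example, not from the original post: stage the ASR rules from mitigation
# point 1 in audit mode, then review their state and any audit hits.
# Assumes an elevated session with Microsoft Defender Antivirus active.
# Rule GUIDs are Microsoft's documented ASR identifiers.
$AsrRules = @{
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block Office applications from creating child processes'
    '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c' = 'Block Adobe Reader from creating child processes'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
}

# AuditMode logs what a rule would have blocked without enforcing, so the rules
# can be checked against legitimate developer and admin workflows first.
# Replace AuditMode with Enabled once the audit events show no business impact.
foreach ($Id in $AsrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $Id -AttackSurfaceReductionRules_Actions AuditMode
    Write-Host ("AuditMode set for {0} ({1})" -f $AsrRules[$Id], $Id)
}

# Show the configured rules. Action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
$Pref    = Get-MpPreference
$Ids     = @($Pref.AttackSurfaceReductionRules_Ids)
$Actions = @($Pref.AttackSurfaceReductionRules_Actions)
for ($i = 0; $i -lt $Ids.Count; $i++) {
    [pscustomobject]@{
        RuleId = $Ids[$i]
        Action = $Actions[$i]
        Name   = $AsrRules[$Ids[$i]]   # $null for rules not in the list above
    }
}

# ASR audit events are Event ID 1122 (1121 = block) in the Defender operational log
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Windows Defender/Operational'; Id=1122} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List
```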
