New ClickFix Attack Uses Windows Terminal for Malicious Payload Execution
A clever evolution of the ClickFix social engineering attack was spotted in the wild in February 2026. Attackers now trick users into opening Windows Terminal instead of the usual Run dialog, making the scam feel more like everyday IT troubleshooting.
Attackers direct victims to press Windows + X, then I, which opens wt.exe, a legitimate tool admins use daily. This sidesteps detections tuned for Win + R abuse, and because Terminal looks trustworthy the victim has no reason to hesitate. Note that this shortcut opens an ordinary, unelevated shell; Windows + X, then A is the elevated variant and goes through a UAC prompt, so Terminal does not run with elevated privileges by default.
Unlike older ClickFix lures built around fake "browser fix" pop-ups, this one blends into real workflows. Victims see a fake CAPTCHA, error alerts, or "verify your device" prompts urging them to copy and paste a command into the Terminal window.
The bait is a hex-encoded, XOR-obfuscated PowerShell string. Once pasted and decoded, the script spawns further Terminal tabs and shells and the infection chain unfolds along one of two paths.
First path: the decoded script fetches a renamed 7-Zip binary and a ZIP archive from the web, extracts the archive to C:\ProgramData\app_config\ctjb, and launches Lumma Stealer.
Follow-on steps include fetching extra payloads, creating scheduled tasks for persistence, adding Defender exclusions, and stealing data, before injecting into chrome.exe or msedge.exe via QueueUserAPC() to harvest browser credentials quietly.
Second path: the ZIP is swapped for a .bat file dropped under AppData\Local. cmd.exe writes a VBS file to %TEMP% and runs it with a /launched argument, after which MSBuild.exe is abused as a LOLBin to run the next stage.
This path also uses cryptocurrency RPC calls for EtherHiding, pulling payload data stored on a blockchain so that C2 retrieval looks like ordinary blockchain queries, followed by more browser injection.
This isn't just "paste and pray." Spawning multiple tabs mimics sysadmin multitasking and dodges behavioural alerts. EtherHiding adds C2 evasion, and targeting the high-value SQLite browser databases (Web Data, Login Data) maximises loot from Chrome and Edge users.
Lumma Stealer benefits from this: once injected, it harvests credentials from inside the browser process without creating a process of its own, staying under the radar. Microsoft notes the campaign has hit thousands of victims, proving Terminal's "helpful" image is a goldmine for phishers.
Restrict what Windows Terminal can launch via AppLocker or endpoint tooling, and alert on shells it spawns with obfuscated command lines. Train teams: never paste commands from pop-ups, and verify any such request through a known channel such as a phone call to the help desk. Enable Defender's Attack Surface Reduction rules that block obfuscated PowerShell and unexpected 7-Zip execution, and hunt for XOR and hex-encoded patterns in command-line logs.
Watch for QueueUserAPC-style injection into chrome.exe and msedge.exe; ETW-based telemetry or Sysmon process-access events can catch a non-browser process opening the browser with write and thread rights. Keep Windows and Terminal patched, and segment browsers from sensitive systems. This ClickFix twist shows attackers adapting fast.
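The two hunting steps described on this page, decoding the hex-encoded XOR-obfuscated stager that victims paste into Terminal and flagging Terminal-spawned shells plus non-browser processes opening chrome.exe or msedge.exe with injection rights, as one added PowerShell example. This is not code from the article or from Microsoft: the events are constructed Sysmon-style records (Event ID 1 ProcessCreate and Event ID 10 ProcessAccess field names), the WindowsTerminal package path, the single-byte key 0x5A and the staged command are assumptions, and the real stager's exact layout is not known from the article.

```powershell
# Added example (not from the article or from Microsoft). Field names follow
# Sysmon Event ID 1 (ProcessCreate) and 10 (ProcessAccess); every event and the
# "stager" below are constructed sample data, and the staged command is benign.

# Indicators described in the article: a Terminal-spawned shell with an obfuscated
# command line, and a non-browser process opening a browser with inject rights.
$ObfuscationPattern = '(?i)(-bxor|FromBase64String|\bIEX\b|Invoke-Expression|\b[0-9a-f]{40,}\b)'
$TerminalParent     = '(?i)\\WindowsTerminal\.exe$'
$ShellImage         = '(?i)\\(powershell|pwsh|cmd)\.exe$'
$BrowserImage       = '(?i)\\(chrome|msedge)\.exe$'
# PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE: the rights
# WriteProcessMemory plus QueueUserAPC against a remote thread need.
$InjectRights = 0x0002 -bor 0x0008 -bor 0x0020

function ConvertFrom-XorHex {
    # Reverse the stager's encoding: hex -> bytes, then XOR with a single-byte key (assumed).
    param([string]$Hex, [byte]$Key)
    if ($Hex.Length % 2 -ne 0) { throw "hex string has odd length" }
    $bytes = for ($i = 0; $i -lt $Hex.Length; $i += 2) {
        [Convert]::ToByte($Hex.Substring($i, 2), 16) -bxor $Key
    }
    return [Text.Encoding]::ASCII.GetString([byte[]]$bytes)
}

function Find-ClickFixIndicators {
    param([object[]]$Events)
    foreach ($e in $Events) {
        switch ($e.EventId) {
            1 {
                if ($e.ParentImage -match $TerminalParent -and
                    $e.Image -match $ShellImage -and
                    $e.CommandLine -match $ObfuscationPattern) {
                    $finding = [pscustomobject]@{ Rule = 'TerminalSpawnedObfuscatedShell'; Event = $e; Decoded = $null }
                    # Recover the staged script when a long hex run and a 0x.. key are both visible.
                    if ($e.CommandLine -match '\b([0-9a-fA-F]{40,})\b') {
                        $hex = $Matches[1]
                        if ($e.CommandLine -match '\b0x([0-9a-fA-F]{2})\b') {
                            try   { $finding.Decoded = ConvertFrom-XorHex -Hex $hex -Key ([Convert]::ToByte($Matches[1], 16)) }
                            catch { $finding.Decoded = "decode failed: $_" }
                        }
                    }
                    $finding
                }
            }
            10 {
                $granted = [int]$e.GrantedAccess     # Sysmon logs this as a hex string such as 0x1FFFFF
                if ($e.TargetImage -match $BrowserImage -and
                    $e.SourceImage -notmatch $BrowserImage -and
                    ($granted -band $InjectRights) -eq $InjectRights) {
                    [pscustomobject]@{ Rule = 'NonBrowserOpenedBrowserWithInjectRights'; Event = $e; Decoded = $null }
                }
            }
        }
    }
}

# Constructed sample: encode a benign command the way the article says the stager is encoded.
$stagerKey   = [byte]0x5A
$stagerPlain = "Write-Host 'stand-in for the real stager'"
$stagerHex   = -join ([Text.Encoding]::ASCII.GetBytes($stagerPlain) | ForEach-Object { '{0:x2}' -f ($_ -bxor $stagerKey) })
$stagerCmd   = 'powershell -nop -w hidden -ep bypass -c "$h=''' + $stagerHex + ''';$k=0x5A;' +
               'IEX(-join((0..($h.Length/2-1))|%{[char]([Convert]::ToByte($h.Substring(2*$_,2),16) -bxor $k)}))"'

# Constructed Sysmon-style events; the Terminal package path and browser path are assumptions.
$terminal = 'C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.2911.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe'
$pwsh     = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
$chrome   = 'C:\Program Files\Google\Chrome\Application\chrome.exe'
$sampleEvents = @(
    [pscustomobject]@{ EventId = 1;  Image = $pwsh; ParentImage = $terminal; CommandLine = $stagerCmd }
    [pscustomobject]@{ EventId = 1;  Image = $pwsh; ParentImage = $terminal; CommandLine = 'powershell Get-Service -Name Spooler' }   # normal admin use, must not fire
    [pscustomobject]@{ EventId = 10; SourceImage = $pwsh;   TargetImage = $chrome; GrantedAccess = '0x1FFFFF' }
    [pscustomobject]@{ EventId = 10; SourceImage = $chrome; TargetImage = $chrome; GrantedAccess = '0x1FFFFF' }   # browser managing its own children
)

foreach ($f in Find-ClickFixIndicators -Events $sampleEvents) {
    Write-Host "[$($f.Rule)]"
    if ($f.Decoded) { Write-Host "  recovered stager: $($f.Decoded)" }
}
```

On a real host, feed Find-ClickFixIndicators with records built from Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' (or Security event 4688 with command-line auditing enabled, which lacks the ProcessAccess data). The second sample event shows why the Terminal-parent rule alone is not enough: admins legitimately run PowerShell from Terminal all day, so the rule only fires when the command line also carries obfuscation markers, and the access-mask check on event 10 ignores the browser's own child-process management, which opens chrome.exe with full rights constantly.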
Site: https://cybersecuritypath.com
Source: Microsoft