ClickFix: Social Engineering Meets Windows Terminal

Microsoft has disclosed details of a new widespread ClickFix campaign that leverages Windows Terminal (wt.exe) as the launchpad for deploying the Lumma Stealer malware. This marks a shift in attacker tactics, moving away from the traditional Run dialog abuse toward a more trusted administrative workflow.

How the Attack Works

  • Entry point: Victims are lured via bogus CAPTCHA pages, troubleshooting prompts, or verification requests.
  • Shortcut abuse: Users are instructed to press Windows + X → I to open Windows Terminal directly.
  • Command injection: A hex‑encoded, XOR‑compressed command is pasted into Terminal, spawning PowerShell instances.
  • Payload delivery:
    • Downloads a ZIP file.
    • Uses a renamed 7‑Zip binary to extract contents.
    • Sets persistence via scheduled tasks.
    • Configures Microsoft Defender exclusions.
  • Final stage: Lumma Stealer is injected into chrome.exe and msedge.exe using QueueUserAPC(), harvesting stored browser credentials.

Alternate Pathway

Microsoft also observed a second attack chain:

  • Compressed command downloads a batch script into AppData\Local.
  • Script writes a Visual Basic Script into %TEMP%.
  • Executed via cmd.exe and MSBuild.exe, abusing LOLBins.
  • Connects to cryptocurrency blockchain RPC endpoints (the EtherHiding technique).
  • Performs QueueUserAPC() injection into browsers to harvest login data.

Why It Matters

  • Trust exploitation: Windows Terminal is seen as legitimate, making users more likely to comply.
  • Detection evasion: Bypasses security rules tuned to catch Run dialog abuse.
  • Multi‑stage sophistication: Combines obfuscation, persistence, LOLBin abuse, and credential theft.
  • Identity risk: Lumma Stealer targets high‑value browser artifacts, enabling account takeover.

Defensive Recommendations

  • User training: Warn staff about suspicious prompts instructing them to open Windows Terminal.
  • Endpoint monitoring: Watch for XOR‑compressed commands and anomalous PowerShell activity.
  • Browser hardening: Limit credential storage in browsers; enforce password managers.
  • Defender policies: Audit exclusion rules to detect unauthorized changes.
  • Threat hunting: Look for QueueUserAPC() injection patterns in browser processes.
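The monitoring and policy-audit items above can be expressed as simple process-creation rules. The following is an added example, not Microsoft's detections or anything from the original report: it runs three checks over a handful of constructed events (parent image, child image, command line, pipe-separated) that mimic the chain described above. Assumptions are labelled in the comments: the pipe-delimited event format, the 40-character hex-run threshold, and treating both wt.exe and WindowsTerminal.exe as the Terminal parent.

```python
"""Rule-based checks for the ClickFix / Windows Terminal chain (added example)."""
import re
from collections import namedtuple

Event = namedtuple("Event", "parent image cmdline")

# Assumption: wt.exe (the launcher named in the report) and WindowsTerminal.exe
# (the host process) are both treated as "spawned from Windows Terminal".
TERMINAL_IMAGES = {"wt.exe", "windowsterminal.exe"}
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# A run of 40+ hex digits standing alone in the command line (threshold is an
# assumption; legitimate arguments rarely carry blobs that long).
HEX_BLOB = re.compile(r"(?<![0-9A-Za-z])[0-9A-Fa-f]{40,}(?![0-9A-Za-z])")
ENCODED_FLAG = re.compile(r"(?i)-(enc|encodedcommand|e)\b")
# Defender exclusion changes made through the MpPreference cmdlets.
EXCLUSION = re.compile(r"(?i)(Set|Add)-MpPreference\b.*-Exclusion(Path|Process|Extension)")
# Scheduled task whose action lives under a user-writable AppData path.
SCHTASKS_USERDIR = re.compile(r"(?i)schtasks(\.exe)?\s+/create\b.*\\AppData\\")

# Constructed sample events, not real telemetry: "parent|image|command line".
SAMPLE_EVENTS = [
    "explorer.exe|wt.exe|wt.exe",
    # Terminal-launched PowerShell carrying a long hex blob (constructed blob).
    "wt.exe|powershell.exe|powershell.exe -w hidden -c " + "0123456789abcdef" * 3,
    "powershell.exe|powershell.exe|powershell.exe -Command Add-MpPreference "
    "-ExclusionPath C:\\Users\\alice\\AppData\\Local\\Temp",
    "explorer.exe|powershell.exe|powershell.exe -File C:\\scripts\\backup.ps1",
    "cmd.exe|schtasks.exe|schtasks.exe /Create /SC ONLOGON /TN Updater "
    "/TR C:\\Users\\alice\\AppData\\Local\\7z.exe",
    # Benign interactive Terminal session: must not fire.
    "wt.exe|powershell.exe|powershell.exe -NoLogo",
]


def parse_event(line):
    """Split one 'parent|image|cmdline' record; image names are lower-cased."""
    parent, image, cmdline = line.split("|", 2)
    return Event(parent.strip().lower(), image.strip().lower(), cmdline.strip())


def classify(ev):
    """Return the list of rule names that match a single event."""
    hits = []
    if ev.parent in TERMINAL_IMAGES and ev.image in SHELL_IMAGES:
        if HEX_BLOB.search(ev.cmdline) or ENCODED_FLAG.search(ev.cmdline):
            hits.append("terminal_spawned_obfuscated_shell")
    if EXCLUSION.search(ev.cmdline):
        hits.append("defender_exclusion_change")
    if SCHTASKS_USERDIR.search(ev.cmdline):
        hits.append("scheduled_task_from_user_dir")
    return hits


def analyze(lines):
    """Run every rule over every event; returns (rule, command line) pairs."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for rule in classify(ev):
            findings.append((rule, ev.cmdline))
    return findings


if __name__ == "__main__":
    for rule, cmd in analyze(SAMPLE_EVENTS):
        print(f"[{rule}] {cmd}")
```

The parent-process condition is what separates this from a generic "encoded PowerShell" rule: an interactive PowerShell started from Windows Terminal is normal, but one whose first command line is a long hex run is not, and the exclusion and scheduled-task checks are independent of the parent so they also catch the alternate pathway. Real deployments would read these fields from Sysmon event 1 or EDR process-start telemetry rather than the constructed records here.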

Final Thought

ClickFix demonstrates how attackers continuously adapt — shifting from Run dialog abuse to Windows Terminal exploitation. For leaders, the lesson is clear: social engineering plus trusted tools equals high‑risk compromise. Organizations must combine user awareness, endpoint visibility, and identity‑centric defenses to stay ahead of evolving attack chains.
