Microsoft says ClickFix campaign used Windows Terminal to deploy Lumma Stealer

Peter Chofield

Microsoft says a widespread ClickFix campaign observed in February 2026 used Windows Terminal instead of the Windows Run dialog to launch a multi-stage infection chain that ultimately deployed Lumma Stealer. The company said the activity relied on social engineering pages that convinced users to paste a malicious command into the terminal emulator, kicking off a staged sequence of downloads, persistence changes, defense evasion, and browser-targeted malware injection.

According to Microsoft, the pasted command contained a hex-encoded and XOR-obfuscated script that decompressed into the next stage. That stage downloaded a ZIP archive and a renamed copy of 7-Zip, unpacked the files, and used scheduled-task persistence to maintain access on the compromised system.
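The report does not publish the pasted command or its key, so the following Python snippet is an added triage illustration written for this write-up, not Microsoft's material or the campaign's script. It assumes the layering Microsoft describes reduces to hex encoding over a single-byte XOR over a zlib or gzip stream (the key width and the compressor are assumptions), builds a harmless constructed stand-in payload, and then recovers it the way an analyst would when the key is unknown: try each key and keep the one that exposes a valid compression header.

```python
import binascii
import gzip
import zlib

# Assumption (not from Microsoft's report): one-byte XOR key over a zlib or
# gzip stream. A multi-byte key or raw DEFLATE would need a different search.

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single key byte."""
    return bytes(b ^ key for b in data)

def looks_like_gzip(buf: bytes) -> bool:
    return buf[:2] == b"\x1f\x8b"

def looks_like_zlib(buf: bytes) -> bool:
    # zlib header: CMF byte 0x78 (deflate, 32K window) and CMF*256+FLG divisible by 31
    return len(buf) >= 2 and buf[0] == 0x78 and ((buf[0] << 8) | buf[1]) % 31 == 0

def recover_stage(hex_blob: str):
    """Hex-decode the blob, try every single-byte XOR key, and decompress the
    first candidate that carries a gzip or zlib header.
    Returns (key, stage_bytes), or None when no key yields a valid stream."""
    raw = binascii.unhexlify("".join(hex_blob.split()))  # tolerate whitespace in the paste
    for key in range(256):
        candidate = xor_bytes(raw, key)
        if looks_like_gzip(candidate):
            try:
                return key, gzip.decompress(candidate)
            except (OSError, EOFError, zlib.error):
                continue  # header matched by chance; keep scanning
        if looks_like_zlib(candidate):
            try:
                return key, zlib.decompress(candidate)
            except zlib.error:
                continue
    return None

def build_sample(key: int = 0x5A) -> str:
    """Constructed stand-in for the pasted payload: a harmless marker script,
    zlib-compressed, XORed with `key`, then hex-encoded."""
    stage = b"# constructed stage-2 placeholder, not the campaign's script\nWrite-Host 'stage2'\n"
    return binascii.hexlify(xor_bytes(zlib.compress(stage), key)).decode()

if __name__ == "__main__":
    key, stage = recover_stage(build_sample())
    print(f"XOR key 0x{key:02x}")
    print(stage.decode())
```

Because the sample is built and then unpacked in the same script, the point is the search in `recover_stage`: the compression header is the oracle that identifies the key, which is what makes this layering cheap to strip during triage even when the pasted command is truncated or reformatted in a screenshot.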

The company said the same chain added Microsoft Defender exclusions before loading Lumma Stealer into Chrome and Microsoft Edge using QueueUserAPC. Microsoft linked the campaign to a broader ClickFix social engineering trend in which attackers use fake error prompts or update lures to convince targets to execute attacker-supplied commands.
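The stages Microsoft lists each leave a process-creation record, so the following Python detector is added here as an illustration of how a hunt over that telemetry could flag the chain. It is not Microsoft's detection logic; the events are constructed Sysmon-style records (EventId 1 fields such as Image, ParentImage, CommandLine and OriginalFileName), and the file names and paths in them are placeholders, not indicators from the campaign. The QueueUserAPC injection step leaves nothing in process-creation data and is deliberately not covered.

```python
import re
from pathlib import PureWindowsPath

# Rules follow the stages in Microsoft's description; every sample event below
# is constructed for illustration and is not telemetry from the campaign.
HEX_RUN = re.compile(r"(?:[0-9A-Fa-f]{2}){32,}")  # 64+ contiguous hex characters
CONSOLE_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

def _base(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def classify(event: dict) -> list:
    """Names of every rule the event matches; an empty list means no finding."""
    hits = []
    image = _base(event.get("Image", ""))
    parent = _base(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    cmd_l = cmd.lower()

    # Stage 1: a console host started from Windows Terminal with a long hex blob
    if parent == "windowsterminal.exe" and image in CONSOLE_HOSTS and HEX_RUN.search(cmd):
        hits.append("terminal_hex_payload")
    # Defense evasion: any Add-MpPreference -Exclusion* call
    if "add-mppreference" in cmd_l and "-exclusion" in cmd_l:
        hits.append("defender_exclusion_added")
    # Persistence: schtasks /create
    if image == "schtasks.exe" and "/create" in cmd_l:
        hits.append("scheduled_task_created")
    # Tooling: a 7-Zip binary running under a different file name
    if event.get("OriginalFileName", "").lower() == "7z.exe" and image != "7z.exe":
        hits.append("renamed_7zip")
    return hits

def scan(events):
    """(EventId, rule names) for every event that triggers at least one rule."""
    out = []
    for e in events:
        hits = classify(e)
        if hits:
            out.append((e["EventId"], hits))
    return out

# Constructed events (placeholder paths and names, not campaign indicators)
_TERMINAL = r"C:\Program Files\WindowsApps\Microsoft.WindowsTerminal\WindowsTerminal.exe"
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_HEX = "4142434445464748" * 8  # 128 hex characters, stands in for the encoded stage
SAMPLE_EVENTS = [
    {"EventId": 1, "Image": _PS, "ParentImage": _TERMINAL,
     "CommandLine": "powershell.exe -NoProfile -Command \"$h='" + _HEX + "'; $h.Length\""},
    {"EventId": 2, "Image": _PS, "ParentImage": _TERMINAL,
     "CommandLine": r"powershell.exe -Command Add-MpPreference -ExclusionPath C:\Users\Public"},
    {"EventId": 3, "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": _PS,
     "CommandLine": r'schtasks.exe /create /sc minute /mo 5 /tn "Updater" /tr C:\Users\Public\updater.exe'},
    {"EventId": 4, "Image": r"C:\Users\Public\updater.exe", "ParentImage": _PS,
     "OriginalFileName": "7z.exe",
     "CommandLine": r"updater.exe x C:\Users\Public\archive.zip -oC:\Users\Public"},
    {"EventId": 5, "Image": _PS, "ParentImage": _TERMINAL,
     "CommandLine": "powershell.exe -Command Get-Date"},  # benign interactive use
]

if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_EVENTS):
        print(event_id, ", ".join(hits))
```

The first rule is the one that separates this variant from Run-dialog ClickFix: it keys on WindowsTerminal.exe as the parent of the console host rather than explorer.exe, and on a long hex run rather than the `-EncodedCommand` base64 that most existing rules look for. The OriginalFileName check depends on the logging source recording PE version information, which Sysmon does and the built-in 4688 event does not.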

The Windows Terminal variation marks a shift from the more familiar ClickFix flows that direct victims to the Run dialog. For defenders the change matters because hunts that key on the Run dialog's RunMRU registry entries will not see a command pasted into Windows Terminal; the pasted text lands in the shell's own history instead, such as PSReadLine's ConsoleHost_history.txt for PowerShell. Cyberwarzone previously covered other ClickFix-style delivery campaigns, including a PureRAT campaign that targeted hotel systems with ClickFix phishing and the JackFix operation that used fake Windows update pop-ups to deliver multiple stealers.

Microsoft said the attack chain ended with Lumma Stealer injected into browser processes to harvest data from infected endpoints. The company did not frame the technique as a vulnerability exploitation case, but as a user-execution campaign that abused trust in interface prompts and native Windows tooling to stage the malware.