Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Microsoft warns of ClickFix campaign exploiting Windows Terminal to deliver Lumma Stealer

Microsoft warns of ClickFix campaign using Windows Terminal to deliver Lumma Stealer via social engineering attacks. Microsoft revealed a new ClickFix campaign where attackers exploit Windows Terminal to run a complex attack chain, ultimately deploying Lumma Stealer malware. The campaign uses social engineering to trick users into executing malicious commands, highlighting growing risks to Windows […]

ClickFix Lumma Stealer

Microsoft warns of ClickFix campaign using Windows Terminal to deliver Lumma Stealer via social engineering attacks.

Microsoft revealed a new ClickFix campaign where attackers exploit Windows Terminal to run a complex attack chain, ultimately deploying Lumma Stealer malware. The campaign uses social engineering to trick users into executing malicious commands, highlighting growing risks to Windows environments.

In February 2026, Microsoft Defender experts uncovered a widespread ClickFix campaign exploiting Windows Terminal. The researchers noticed that instead of the usual Run dialog method, attackers guide users to launch Terminal via Windows + X → I, creating a trusted-looking admin environment. This bypasses Run-dialog detections while prompting targets to paste malicious PowerShell commands from fake CAPTCHAs, troubleshooting prompts, or verification-style lures, blending the attack seamlessly into routine Windows workflows.

“Rather than the traditional Win + R → paste → execute technique, this campaign instructs targets to use the Windows + X → I shortcut to launch Windows Terminal (wt.exe) directly, guiding users into a privileged command execution environment that blends into legitimate administrative workflows and appears more trustworthy to users.” reads the post published by Microsoft on X.

This ClickFix campaign also stands out for its post-compromise actions. Users paste a hex-encoded, XOR-compressed command into Windows Terminal, spawning PowerShell processes that decode it. The script downloads a renamed 7-Zip and ZIP payload, which then extracts and executes a multi-stage attack, enabling additional payloads, persistence via scheduled tasks, Defender evasion, and exfiltration of machine and network data.

“The final-stage payload, deployed to C:\ProgramData\app_config\ctjb, is found to be a Lumma Stealer component that performs QueueUserAPC()-based code injection into chrome.exe and msedge.exe processes. The stealer targets high-value browser artifacts, including Web Data and Login Data, harvesting stored credentials and exfiltrating them to attacker-controlled infrastructure.” continues Microsoft.

Microsoft Defender identifies several threat components linked to ClickFix, offering guidance on how to defend against this campaign.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ClickFix)