Microsoft Warns of ClickFix Campaign Exploiting Windows Terminal to Deliver Lumma Stealer

The ClickFix operation marks a notable evolution in living‑off‑the‑land attacks, swapping the familiar Win + R run box for the Windows + X menu that opens Windows Terminal (wt.exe). By directing victims to a trusted‑looking admin console, attackers exploit user familiarity and reduce suspicion. This social‑engineering vector blends seamlessly with routine troubleshooting steps, making it harder for security teams to flag the initial command as malicious. The shift underscores a broader trend: threat actors are increasingly weaponizing built‑in utilities that enjoy default elevated privileges.

Technically, the campaign delivers a hex‑encoded, XOR‑compressed PowerShell snippet that, once pasted into Terminal, decodes and spawns a secondary PowerShell process. That process retrieves a renamed 7‑Zip executable, extracts a ZIP archive, and drops the final payload in C:\ProgramData\app_config\ctjb. The payload is a Lumma Stealer component that leverages QueueUserAPC to inject code into chrome.exe and msedge.exe, siphoning browser databases such as Web Data and Login Data. Post‑compromise actions include creating scheduled tasks for persistence, employing Defender‑evasion techniques, and exfiltrating both machine and network metadata to attacker‑controlled servers.

For enterprises, the campaign highlights the need to extend monitoring beyond classic execution paths. Detecting anomalous Windows Terminal launches, especially those preceded by unusual shortcut usage, can provide early warning. Microsoft’s guidance recommends enforcing script‑execution policies, restricting Terminal access to privileged accounts, and deploying endpoint detection that inspects decoded PowerShell payloads. As legitimate admin tools become attack vectors, a layered defense—combining user education, application control, and behavior‑based analytics—remains essential to mitigate the rising risk of credential‑stealing operations like ClickFix.