
Ethical Hacking News

The Dark Side of Microsoft's Latest Windows Terminal Campaign: A Deep Dive into the ClickFix Malware



ClickFix Campaign: A New Low in Social Engineering Attacks
Microsoft has disclosed a widespread ClickFix campaign that abuses Windows Terminal to deploy the Lumma Stealer malware, a reminder of how quickly social engineering lures evolve and why endpoint defenders need to keep pace. Read on for details of this attack vector and its implications for endpoint security.


  • Microsoft has revealed a new ClickFix social engineering campaign that abuses its Windows Terminal app to deploy the Lumma Stealer malware.
  • The attack vector uses social engineering tactics to trick users into running malicious commands, bypassing traditional detection mechanisms.
  • The campaign involves a post-compromise attack chain that extracts payloads, sets up persistence via scheduled tasks, and exfiltrates machine and network data.
  • The Lumma Stealer malware targets high-value browser artifacts, including Web Data and Login Data, and harvests stored credentials.
  • Attackers are using advanced techniques to evade detection and maintain their foothold on compromised systems.



  • Microsoft, long a prominent defender against malicious software and cyber threats, recently disclosed a widespread social engineering campaign known as ClickFix. This attack vector leverages the Windows Terminal app to trick users into deploying the Lumma Stealer malware, raising the question of why attackers have turned this seemingly innocuous program to nefarious purposes.

    According to Microsoft's Threat Intelligence team, the ClickFix campaign began in February 2026 and has been observed instructing victims to use the Windows + X → I shortcut to launch Windows Terminal (wt.exe) directly. This sidesteps detection mechanisms that flag Run dialog abuse, making it easier for attackers to get unsuspecting victims to run malicious commands delivered via bogus CAPTCHA pages, troubleshooting prompts, or other verification-style lures.

    The post-compromise attack chain is sophisticated: the Windows Terminal/PowerShell instances ultimately invoke a PowerShell process that decodes the pasted script. This leads to the download of a ZIP payload and a legitimate but renamed 7-Zip binary, which is saved to disk under a randomized file name. The utility then extracts the contents of the ZIP file, triggering a multi-stage chain that retrieves more payloads, sets up persistence via scheduled tasks, configures Microsoft Defender exclusions, exfiltrates machine and network data, and deploys Lumma Stealer via QueueUserAPC()-based code injection.

    The Lumma Stealer malware, in particular, has been identified as targeting high-value browser artifacts, including Web Data and Login Data. It harvests stored credentials and exfiltrates them to attacker-controlled infrastructure. Microsoft's Threat Intelligence team warns that these attack vectors are becoming increasingly sophisticated, making it essential for users to remain vigilant and take steps to protect themselves from falling prey to such attacks.

    The campaign also includes an additional attack pathway in which a batch script is downloaded by means of "cmd.exe" and writes a Visual Basic Script to the Temp folder. The same batch script is then executed via MSBuild.exe, a case of LOLBin abuse, followed by QueueUserAPC()-based code injection into chrome.exe and msedge.exe processes. This further reinforces the notion that attackers are employing advanced techniques to evade detection and maintain their foothold on compromised systems.

    The original report also describes a second attack pathway in which the compressed command is pasted into Windows Terminal, leading to the download of a randomly named batch script to the "AppData\Local" folder by means of "cmd.exe". This script is then executed via cmd.exe with the /launched command-line argument and again through MSBuild.exe. The script connects to cryptocurrency blockchain RPC endpoints, indicating the use of the EtherHiding technique. It then performs QueueUserAPC()-based code injection into chrome.exe and msedge.exe processes to harvest Web Data and Login Data.
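    As an added defender-side example (not code from Microsoft's report or the original article), the following Python runs simple detection rules over constructed Sysmon-style process-creation events that mirror the stages described above: Windows Terminal spawning encoded PowerShell, a renamed 7-Zip binary, a Defender exclusion, a scheduled task pointing into AppData, and MSBuild.exe run against a script in AppData. All paths, file names, the user "alice" and the base64 string are constructed placeholders.

```python
import re

# Constructed Sysmon Event ID 1 style records (not real telemetry), one per stage
# of the chain in the article, plus one benign event. Paths and names are made up.
def ev(image, parent, orig, cmd):
    return {"Image": image, "ParentImage": parent, "OriginalFileName": orig, "CommandLine": cmd}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
LOCAL = r"C:\Users\alice\AppData\Local"
EVENTS = [
    ev(PS, LOCAL + r"\Microsoft\WindowsApps\wt.exe", "PowerShell.EXE",
       "powershell -w hidden -enc QQBCAEMARAA="),          # command pasted into Windows Terminal
    ev(LOCAL + r"\Temp\k3j9x.exe", PS, "7z.exe", "k3j9x.exe x p.zip"),  # renamed 7-Zip
    ev(PS, CMD, "PowerShell.EXE", "powershell Add-MpPreference -ExclusionPath " + LOCAL),
    ev(r"C:\Windows\System32\schtasks.exe", CMD, "schtasks.exe",
       "schtasks /create /sc minute /mo 5 /tn Upd /tr " + LOCAL + r"\r7q.bat"),
    ev(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe", CMD, "MSBuild.exe",
       "MSBuild.exe " + LOCAL + r"\r7q.bat"),
    ev(r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "NOTEPAD.EXE", "notepad.exe"),
]

def base(path):
    """File name component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()

# PowerShell accepts any unambiguous prefix of -EncodedCommand; match the common ones.
ENC = re.compile(r"(?i)\s-(e|ec|en|enc|encodedcommand)\s")
RULES = [
    ("terminal_to_encoded_powershell", lambda e:
        base(e["ParentImage"]) in ("wt.exe", "windowsterminal.exe")
        and base(e["Image"]) == "powershell.exe" and bool(ENC.search(e["CommandLine"]))),
    # PE version metadata still says 7z.exe even though the file on disk was renamed
    ("renamed_7zip", lambda e:
        e["OriginalFileName"].lower() == "7z.exe" and "7z" not in base(e["Image"])),
    ("defender_exclusion", lambda e:
        bool(re.search(r"(?i)add-mppreference\s.*-exclusion", e["CommandLine"]))),
    ("schtask_into_appdata", lambda e: base(e["Image"]) == "schtasks.exe"
        and "/create" in e["CommandLine"].lower() and "appdata" in e["CommandLine"].lower()),
    ("msbuild_lolbin_script", lambda e: base(e["Image"]) == "msbuild.exe"
        and bool(re.search(r"(?i)\\(appdata|temp)\\", e["CommandLine"]))),
]

def detect(event):
    """Names of every rule the event matches (empty list for benign events)."""
    return [name for name, pred in RULES if pred(event)]

def scan(events):
    """Map event index -> matched rule names, omitting events with no hits."""
    hits = {i: detect(e) for i, e in enumerate(events)}
    return {i: names for i, names in hits.items() if names}
```

The benign notepad event produces no hit; each of the five chain stages trips exactly one rule, so the rules can be wired individually into an EDR query or SIEM without overlap.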

    The Windows maker also warns that these attacks have a significant impact on organizations with compromised sites serving as conduits for the deployment of MIMICRAT malware. The use of compromised websites by attackers highlights the ever-evolving nature of cyber threats, underscoring the importance of constant vigilance and proactive measures in safeguarding systems.

    To better understand this new campaign and its implications, it is worth examining how attackers came to use Windows Terminal as a vector for deploying malware and how Microsoft has responded. The company has taken steps to alert users and provide guidance on how to protect themselves from these threats, and the reasons attackers moved from the Run dialog to Windows Terminal deserve closer study.

    The recent ClickFix campaign highlights an important concern: the ever-evolving nature of social engineering attacks. These campaigns, which often rely on trickery and misdirection, can bypass traditional security measures, making it crucial for users to stay informed about emerging threats and take proactive steps in safeguarding their systems.

    In conclusion, the use of Windows Terminal as a vector for deploying malware raises several concerns regarding the state of endpoint security. The fact that attackers have successfully leveraged this legitimate program to deploy highly sophisticated attacks underscores the need for continued vigilance and enhanced security measures to protect against such threats.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Dark-Side-of-Microsofts-Latest-Windows-Terminal-Campaign-A-Deep-Dive-into-the-ClickFix-Malware-ehn.shtml

  • Published: Fri Mar 6 02:34:06 2026 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.