Attackers are adapting one of the internet's most durable social engineering schemes, and they're betting on something crucial: that you won't question a command pasted into a tool you see as legitimate.
According to The Hacker News and security researchers tracking the activity,Microsoft has disclosed details of a new widespread ClickFix social engineering campaign that has leveraged the Windows Terminal app as a way to activate a sophisticated attack chain and deploy the Lumma Stealer malware. The shift matters because it reveals how cybercriminals think tactically about what tools will slip past defences.
The campaign operates via a simple social engineering formula.Victims land on pages posing as verification prompts, CAPTCHA checks, or troubleshooting guides, then are instructed to copy a command and paste it into Windows Terminal, usually framed as something harmless like verifying their connection or fixing an error. But what they're actually running is an encoded PowerShell command that unleashes credential theft.
Here's the tactical genius:while security tools have become fairly good at spotting suspicious activity launched from the Run dialog, Windows Terminal is a legitimate administrative tool that many developers open every day. By shifting the attack vector, threat actors leverage what looks like normal behaviour.The campaign instructs targets to use the Windows+X-I shortcut to launch Windows Terminal, guiding users into a privileged command execution environment that blends into legitimate administrative workflows and appears more trustworthy to users.
Once the malicious command executes, the payload unfolds in stages.In one version of the attack, the command unpacks itself and pulls down a renamed copy of the 7-Zip archive utility along with a compressed payload. The archive tool then extracts further components that establish persistence, fiddle with Microsoft Defender exclusions, and begin collecting system and browser data. The final stage deploys Lumma Stealer, which injects itself into Chrome and Edge processes to siphon off stored login credentials and other browser goodies.
The campaign represents not a technical breakthrough but a social engineering refinement.The effectiveness of ClickFix lies in its abuse of procedural trust rather than technical vulnerabilities. The instructions resemble troubleshooting steps or verification workarounds that users may have encountered previously. As a result, victims often fail to recognise that they are manually executing arbitrary code on their own system.
Scale and Persistence
This isn't a one-off attack.ClickFix campaigns have been circulating for well over a year now, largely because they rely on the depressingly reliable tactic of persuading users to run the malicious command themselves. Security researchers have documented the technique spreading across Windows and macOS, targeting everyone from individual users to corporate networks.
Lumma Stealer is back at scale, despite a major 2025 law enforcement takedown that disrupted thousands of its command-and-control domains. The operation has rapidly rebuilt its infrastructure and continues to spread worldwide. This resilience suggests that targeting the infrastructure alone won't solve the problem.
The threat actor ecosystem has evolved. Different gangs use different loaders and delivery mechanisms, but the social engineering core remains constant. Some campaigns impersonate venture capital firms on LinkedIn to target cryptocurrency professionals. Others use fake Windows Update screens or fake CAPTCHA checks on compromised websites. Each variant adjusts the lure while maintaining the fundamental trick: convince a user to run code.
What Makes This Hard to Stop
The Windows Terminal pivot illustrates a deeper challenge.Microsoft's latest findings suggest the scammers are simply adapting the formula to keep one step ahead of security tools and betting that if a command runs in a legitimate terminal window, many users will assume it's just fine.
Traditional endpoint detection focuses on suspicious command execution. But when a command executes via a legitimate tool in a legitimate way, the signal-to-noise ratio collapses. A developer running PowerShell scripts through Windows Terminal is normal. A user running an encoded PowerShell script via the same tool looks identical to security monitoring until the malware reaches a later stage of the attack chain.
This presents a genuine dilemma for security teams and software vendors. Locking down Windows Terminal would break legitimate administrative workflows. Allowing it freely leaves the door open. The real problem sits where it always has: the user has to make a decision under pressure, often without full information.
Defence requires layers.Effective defence against Lumma Stealer requires more than signature-based detection or infrastructure takedowns. Because the infection chain depends on user interaction, prevention must emphasise user awareness, behavioral monitoring, and rapid response to credential compromise.
For users and organisations: be sceptical of pages asking you to run commands. If Windows Update needed a manual command from you, something is already broken. Official Microsoft support never asks you to paste code you don't understand. Check official documentation first. And if a tool looks like it's asking you to verify you're human by copy-pasting something, you're almost certainly looking at a scam.
The broader question is whether security can ever outpace social engineering at scale. ClickFix succeeds because it turns the victim into the attack vector, bypassing the assumption that users won't deliberately infect themselves. Until that assumption changes, expect to see these tactics evolve with every new tool that users trust.