According to Microsoft Defender Experts, a new ClickFix campaign uses Windows Terminal to deliver Lumma Stealer through a social engineering-led attack that begins with users pasting hex-encoded, XOR-compressed commands into Windows Terminal. In February 2026, researchers observed attackers guiding victims to launch Terminal via the Windows + X → I shortcut instead of the Run dialog, creating a more trusted-looking administrative environment.
The decoded payload spawns PowerShell processes, downloads a renamed 7-Zip and ZIP payload, and executes a multi-stage attack that includes persistence via scheduled tasks, Defender evasion, and data exfiltration. The final payload, located at C:\ProgramData\app_config\ctjb, performs QueueUserAPC()-based code injection into chrome[.]exe and msedge[.]exe to harvest credentials from browser artefacts such as Web Data and Login Data.
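As an added illustration (not code from Microsoft's report), the following detection logic flags the chain's visible process-tree traits over constructed process-creation events: Windows Terminal spawning PowerShell with a long hex blob on the command line, scheduled-task creation, and any reference to the reported final payload path. The event field names are assumptions loosely modelled on Sysmon/EDR process events.

```python
import json
import re

# Constructed sample process-creation events (not real telemetry from the report);
# field names are assumptions modelled loosely on Sysmon/EDR process events.
SAMPLE_EVENTS = [
    {"parent": "WindowsTerminal.exe", "image": "powershell.exe",
     "cmdline": "powershell -nop -w hidden " + "4a" * 80},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell Get-ChildItem C:\\Users"},
    {"parent": "WindowsTerminal.exe", "image": "cmd.exe",
     "cmdline": "cmd /c dir"},
    {"parent": "powershell.exe", "image": "schtasks.exe",
     "cmdline": "schtasks /create /tn Updater /tr C:\\ProgramData\\app_config\\ctjb /sc minute"},
]

HEX_RUN = re.compile(r"(?:[0-9a-fA-F]{2}){40,}")  # 40+ consecutive hex-encoded bytes
FINAL_PAYLOAD_PATH = r"c:\programdata\app_config\ctjb"  # path named in the report

def classify(event):
    """Return the list of detection tags that fire for one process-creation event."""
    tags = []
    parent = event["parent"].lower()
    image = event["image"].lower()
    cmd = event["cmdline"]
    # Terminal -> PowerShell with a long hex run is the ClickFix paste pattern described above
    if parent == "windowsterminal.exe" and image == "powershell.exe" and HEX_RUN.search(cmd):
        tags.append("terminal_spawned_powershell_with_hex_blob")
    # Persistence stage: scheduled task creation
    if image == "schtasks.exe" and "/create" in cmd.lower():
        tags.append("scheduled_task_created")
    # Any command line referencing the reported final payload location
    if FINAL_PAYLOAD_PATH in cmd.lower():
        tags.append("known_payload_path")
    return tags

def scan(events):
    """Map each event index to its tags, keeping only events that fired."""
    return {i: t for i, e in enumerate(events) if (t := classify(e))}

if __name__ == "__main__":
    for i, t in scan(SAMPLE_EVENTS).items():
        print(json.dumps({"event": i, "tags": t}))
```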
The campaign relies on social engineering to bypass typical detections and blends into routine Windows workflows, with Lumma Stealer acting as the post-compromise component. Microsoft Defender Experts described the overall operation as a coordinated chain designed to exfiltrate machine and network data.