Microsoft Warns of New ClickFix Campaign Spreading Lumma Stealer Malware

Microsoft Warns of New Social Engineering Campaign

Security researchers have uncovered a new cyber campaign that tricks users into launching malicious commands through Windows Terminal, eventually installing the Lumma Stealer information-stealing malware.

The attack method, recently identified by Microsoft Threat Intelligence, is part of an evolving ClickFix social engineering campaign that manipulates users into executing harmful commands themselves.

Unlike earlier versions of ClickFix attacks that relied on the Windows Run dialog, this new approach takes advantage of Windows Terminal, a tool commonly used by developers and system administrators.

Attackers Exploit Trust in Windows Terminal

The campaign guides victims to press the Windows + X keyboard shortcut and open Windows Terminal (wt.exe).

Because Windows Terminal is often used for legitimate administrative tasks, victims may be less suspicious when running commands inside it. This allows attackers to disguise the malicious activity as normal system troubleshooting or verification steps.

To convince users to run the commands, attackers display fake pages such as:

  • CAPTCHA verification pages
  • Troubleshooting instructions
  • Security or account verification prompts

These pages instruct users to copy a command and paste it into the Windows Terminal window.

Hidden Commands Trigger Multi-Stage Attack

Once the command is pasted into the terminal, it executes a hex-encoded script that has been compressed and disguised to avoid detection.

The script launches multiple PowerShell and Terminal processes, which decode and execute the hidden instructions.

From there, the malware begins downloading additional files from attacker-controlled servers.

Malware Installation Process

After the initial command runs, the attack downloads a ZIP archive along with a renamed version of the legitimate 7-Zip extraction utility.

The renamed tool is saved on the infected system with a random filename and used to extract the contents of the downloaded archive.

This triggers a series of actions designed to fully compromise the system.

The malware then:

  • Downloads additional malicious payloads
  • Creates scheduled tasks to maintain persistence
  • Modifies Microsoft Defender settings to avoid detection
  • Collects information about the infected device and network

Lumma Stealer Targets Browser Credentials

The final stage of the attack installs Lumma Stealer, a well-known information-stealing malware.

The stealer focuses on extracting sensitive browser data such as:

  • Saved login credentials
  • Autofill information
  • Stored website data

To hide its activity, Lumma Stealer injects malicious code into legitimate browser processes such as Google Chrome and Microsoft Edge.

This injection technique uses a Windows function called QueueUserAPC(), allowing the malware to run within trusted applications.

Alternative Attack Method Also Discovered

Researchers also identified a second infection pathway linked to the same campaign.

In this variation, when the malicious command is executed in Windows Terminal, it downloads a batch script to the victim’s AppData\Local folder.

This script then creates a Visual Basic Script (VBS) file in the system’s temporary directory.

The batch file is first executed through cmd.exe and later run again via MSBuild.exe, a legitimate Microsoft build tool. Abusing trusted system programs in this way is known as living-off-the-land binary (LOLBin) abuse: attackers use legitimate utilities that are already present on the system to carry out malicious actions.

Malware Uses Cryptocurrency Infrastructure to Hide Activity

Investigators also noticed the malware communicating with cryptocurrency blockchain RPC endpoints.

This suggests attackers may be using a technique known as EtherHiding, where blockchain services are used to hide malicious infrastructure or instructions.

The malware ultimately performs the same browser data theft operation by injecting code into Chrome and Edge processes to collect sensitive information.

Why This Attack Is Dangerous

The campaign highlights how attackers are increasingly relying on social engineering techniques rather than software vulnerabilities.

By convincing users to run commands themselves, attackers can bypass many traditional security protections.

Using trusted tools such as:

  • Windows Terminal
  • PowerShell
  • MSBuild
  • 7-Zip

also helps the malware blend into normal system activity.

How Users Can Protect Themselves

Security experts recommend the following precautions to reduce the risk of infection:

  • Avoid copying and pasting commands from unknown websites
  • Be cautious of CAPTCHA or verification pages asking for command execution
  • Keep Windows security tools and antivirus software updated
  • Monitor unusual activity involving PowerShell or Terminal processes
  • Enable advanced endpoint detection tools where possible
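A detection example of the kind the "monitor unusual activity" recommendation calls for, added here and not taken from the Microsoft report or this article: it checks process-creation events (field names follow Sysmon Event ID 1: Image, ParentImage, CommandLine, OriginalFileName) for the chain described above. The sample events, the Windows Terminal package path and the user paths are constructed for the example.

```python
import re
# Patterns keyed to the chain in the article: hex-encoded PowerShell stage, renamed
# 7-Zip, batch script in AppData\Local, MSBuild launched from a shell (LOLBin).
HEX_BLOB = re.compile(r"(?:[0-9A-Fa-f]{2}){40,}")     # 80+ consecutive hex digits
BATCH_IN_APPDATA = re.compile(r"\\AppData\\Local\\[^\"\s]*\.(?:bat|cmd)\b", re.I)
TERMINALS = {"windowsterminal.exe", "wt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
SEVENZIP = {"7z.exe", "7za.exe", "7zr.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()   # lower-cased file name of a Windows path

def detect(ev):
    """Return the rule names that fire for one process-creation event."""
    img, parent = basename(ev["Image"]), basename(ev["ParentImage"])
    cmd, orig = ev["CommandLine"], ev["OriginalFileName"].lower()
    hits = []
    if parent in TERMINALS and img in ("powershell.exe", "pwsh.exe") and HEX_BLOB.search(cmd):
        hits.append("terminal_hex_powershell")
    if orig in SEVENZIP and img != orig:          # binary is 7-Zip, file name is not
        hits.append("renamed_7zip")
    if img == "cmd.exe" and BATCH_IN_APPDATA.search(cmd):
        hits.append("cmd_batch_from_appdata")
    if img == "msbuild.exe" and parent in SHELLS:  # build tool spawned by a shell
        hits.append("msbuild_from_shell")
    return hits

def scan(events):
    # (Image, hits) for every event that fires at least one rule; clean events omitted
    return [(ev["Image"], hits) for ev in events if (hits := detect(ev))]

def event(image, parent, cmd, orig):
    return {"Image": image, "ParentImage": parent, "CommandLine": cmd, "OriginalFileName": orig}

# Constructed sample telemetry (made-up paths and names, not real indicators).
TERM = r"C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_x64\WindowsTerminal.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    event(PS, TERM, "powershell.exe -w hidden -c \"$h='" + "4a" * 48 + "'\"", "PowerShell.EXE"),
    event(r"C:\Users\alice\AppData\Local\Temp\qx7f2k.exe", PS, "qx7f2k.exe x stage.zip -y", "7z.exe"),
    event(CMD, TERM, r'cmd.exe /c "C:\Users\alice\AppData\Local\upd.bat"', "Cmd.Exe"),
    event(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe", CMD,
          r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\p.xml", "MSBuild.exe"),
    event(PS, TERM, "powershell.exe -c Get-Service", "PowerShell.EXE"),  # benign control
]

if __name__ == "__main__":
    for image, rules in scan(SAMPLE_EVENTS):
        print(image, "->", ", ".join(rules))
```

The benign control event (plain PowerShell launched from the terminal) produces no hit, so the rules key on the encoded payload and the LOLBin relationships rather than on terminal use itself.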

As attackers continue to refine social engineering methods, organizations and users should remain cautious when executing commands from unfamiliar sources.