ClickFix Windows Terminal Lumma Stealer campaign
Campaign
Summary
Hide ▲
Show ▼
A widespread ClickFix campaign is abusing Windows Terminal (wt.exe) to run malicious commands and deploy Lumma Stealer, expanding the risk of credential theft and browser-data exfiltration. The operation was observed in February 2026 and disclosed in March 2026. It stands out because it bypasses Run dialog detections by pushing victims into a more trusted command-execution path.
Related Happenings
AI-generated PowerShell Active Directory reconnaissance script
Malware Activity
H score23
First: 09.07.2026 17:00
Last: 09.07.2026 17:00
Sources 1
About this happening:
An **AI-generated PowerShell script** was used in a real **Windows intrusion**, showing how one-off malware can automate **Active Directory reconnaissance** and evade signature-ba...
AI-generated PowerShell Active Directory reconnaissance script
Malware ActivityAbout this happening: An **AI-generated PowerShell script** was used in a real **Windows intrusion**, showing how one-off malware can automate **Active Directory reconnaissance** and evade signature-ba...
ClickFix mitigation guidance for Windows and macOS
Defensive Guidance
H score34
First: 30.06.2026 15:00
Last: 30.06.2026 15:00
Sources 1
About this happening:
Organizations are being urged to harden defenses against **ClickFix** on **Windows** and **macOS**, reducing the chance that social-engineering lures can turn trusted dialogs into...
ClickFix mitigation guidance for Windows and macOS
Defensive GuidanceAbout this happening: Organizations are being urged to harden defenses against **ClickFix** on **Windows** and **macOS**, reducing the chance that social-engineering lures can turn trusted dialogs into...
Microsoft AutoGen Studio AutoJack MCP WebSocket command execution security flaw
Vulnerability
H score33
First: 22.06.2026 20:28
Last: 22.06.2026 20:28
Sources 1
About this happening:
Microsoft’s **AutoJack** chain exposed **AutoGen Studio** to **arbitrary command execution** for developers building from the main GitHub branch before the hardening commit.
Microsoft AutoGen Studio AutoJack MCP WebSocket command execution security flaw
VulnerabilityAbout this happening: Microsoft’s **AutoJack** chain exposed **AutoGen Studio** to **arbitrary command execution** for developers building from the main GitHub branch before the hardening commit.
ClickFix attacks with PySoxy scheduled-task persistence
Malware Activity
H score22
First: 12.05.2026 15:00
Last: 12.05.2026 15:00
Sources 1
About this happening:
Cybercriminals are combining **ClickFix** with **PySoxy** to preserve access on victim machines, letting activity restart even after removal attempts. The setup uses a **Python SO...
ClickFix attacks with PySoxy scheduled-task persistence
Malware ActivityAbout this happening: Cybercriminals are combining **ClickFix** with **PySoxy** to preserve access on victim machines, letting activity restart even after removal attempts. The setup uses a **Python SO...
Windows Shell spoofing flaw actively exploited (CVE-2026-32202)
Vulnerability
H score47
First: 28.04.2026 08:50
Last: 28.04.2026 08:50
Sources 1
About this happening:
**Microsoft** updated **Windows Shell** advisory guidance to confirm **CVE-2026-32202** was **actively exploited in the wild**, raising the risk of sensitive-information disclosur...
Windows Shell spoofing flaw actively exploited (CVE-2026-32202)
VulnerabilityAbout this happening: **Microsoft** updated **Windows Shell** advisory guidance to confirm **CVE-2026-32202** was **actively exploited in the wild**, raising the risk of sensitive-information disclosur...
Timeline
-
06.03.2026 08:44 2 articles · 4mo ago
Microsoft discloses Windows Terminal ClickFix campaign
Initial DisclosureMicrosoft disclosed a widespread ClickFix campaign observed in February 2026 that abused Windows Terminal (wt.exe) instead of the Windows Run dialog to activate a multi-stage chain and deploy Lumma Stealer. The campaign used the Windows + X → I shortcut, bogus CAPTCHA pages, troubleshooting prompts, and other verification-style lures to push targets into a privileged command-execution environment, then used PowerShell, cmd.exe, MSBuild.exe, scheduled tasks, Microsoft Defender exclusions, and QueueUserAPC() injection into chrome.exe and msedge.exe to steal Web Data and Login Data.
Show sources
- Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer — thehackernews.com — 06.03.2026 08:44
- Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer — thehackernews.com — 06.03.2026 08:44