ClickFix Evolves to Windows Terminal Execution, Bypassing Run Dialog Defenses to Deploy Lumma Stealer


Microsoft has warned of a new ClickFix variant observed in the wild since February that evades existing defenses by shifting the execution environment from the Windows Run dialog to Windows Terminal — blending malicious command execution into legitimate administrative workflows.

This marks a significant evolution in the ClickFix technique, which ZDW previously covered in the MIMICRAT campaign where compromised legitimate sites delivered fake Cloudflare verification pages. The core social engineering remains the same — fake CAPTCHAs, troubleshooting prompts, and verification lures — but the execution path has been redesigned to defeat the defenses that security teams deployed in response.

What Changed

Traditional ClickFix: Victims press Win + R to open the Run dialog, paste a malicious command, and execute it.

New variant: Victims are instructed to press Win + X → I to launch Windows Terminal (wt.exe) directly, pasting commands into a privileged command execution environment that appears more trustworthy and blends into normal administrative activity.

This shift bypasses protections specifically designed to detect and prevent Run dialog abuse, while placing the victim in an environment where PowerShell execution looks routine.

Attack Chain: Lumma Stealer

The primary variant executes a malicious command in Windows Terminal that spawns a PowerShell process; that process decodes embedded hex-encoded commands and triggers a multi-stage infection chain:

  • Persistence via scheduled tasks
  • Anti-malware evasion routines to avoid detection
  • Browser data exfiltration targeting saved credentials and sensitive information
  • Final payload: Lumma Stealer

Second Variant: Blockchain-Based Evasion

A parallel variant uses Windows Terminal to execute a batch script via command prompt and MSBuild.exe that connects to cryptocurrency blockchain RPC endpoints, an EtherHiding technique that stores malicious payloads or configuration data on blockchain infrastructure to resist takedowns.

This variant performs QueueUserAPC()-based code injection into chrome.exe and msedge.exe processes to harvest Web Data and Login Data directly from running browser instances.

InstallFix: Cloned AI Tool Variant

Microsoft also flagged a related campaign dubbed InstallFix that uses cloned AI tool websites to trick victims into executing malicious commands, similarly leading to information-stealer infections. The proliferation of AI tool installation pages provides a fresh social engineering surface that users are more likely to trust.

Defender Recommendations

  • Monitor Windows Terminal launches — flag wt.exe execution preceded by Win+X keyboard shortcuts, particularly when followed by PowerShell spawning with hex-encoded commands
  • Detect MSBuild.exe abuse — alert on MSBuild.exe executing batch scripts or making outbound network connections
  • Block blockchain RPC connections — monitor for connections to Ethereum or other blockchain RPC endpoints from non-cryptocurrency workloads
  • Watch for QueueUserAPC injection — flag code injection into chrome.exe and msedge.exe processes, particularly accessing Web Data and Login Data files
  • Update ClickFix detection rules — existing rules targeting Run dialog abuse (Win+R) must now extend to Windows Terminal (wt.exe) execution patterns
  • User awareness — reinforce that legitimate websites and CAPTCHAs never ask users to open Terminal, PowerShell, or any command-line tool
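The recommendations above map onto a handful of telemetry checks. The following is an added example (not from Microsoft's advisory or ZDW's reporting) that encodes them as rules over a constructed, Sysmon-like event stream: process-creation, network-connection, cross-process-access and file-read events. It assumes that schema, a placeholder list of blockchain RPC hostname fragments (`RPC_HOST_FRAGMENTS`, to be replaced with a real endpoint list), a constructed allowlist of legitimate crypto workloads, and a tunable 40-character threshold for what counts as a hex-encoded command. The Win+X keystroke itself is not visible in process telemetry, so the first rule keys on the wt.exe parent lineage instead.

```python
"""Rule-based triage for the Windows Terminal ClickFix variant (added example, constructed telemetry)."""
import re
from typing import Dict, List

BROWSERS = {"chrome.exe", "msedge.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
CREDENTIAL_STORES = {"Web Data", "Login Data"}  # Chromium credential/autofill files named in the advisory

# ASSUMPTION: placeholder hostname fragments; a deployment substitutes its own RPC endpoint list.
RPC_HOST_FRAGMENTS = ("rpc.example-chain.invalid", "eth-rpc.example.invalid")
# ASSUMPTION: constructed allowlist of processes that legitimately talk to blockchain RPC endpoints.
ALLOWED_RPC_PROCESSES = {"wallet.exe"}

# A run of 40+ hex digits not bordered by other hex digits; 40 is a tunable assumption,
# long enough to skip GUIDs and short hashes while catching an embedded hex payload.
HEX_RUN = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{40,}(?![0-9A-Fa-f])")
BATCH_SCRIPT = re.compile(r"\.(bat|cmd)\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def looks_hex_encoded(command_line: str) -> bool:
    """True when the command line carries a long run of hex digits."""
    return bool(HEX_RUN.search(command_line))


def evaluate(event: Dict) -> List[str]:
    """Return the names of every rule the event trips (empty list if none)."""
    hits: List[str] = []
    kind = event["type"]
    if kind == "process_create":
        parent, image = basename(event["parent_image"]), basename(event["image"])
        cmd = event.get("command_line", "")
        # Rule 1: Windows Terminal spawning PowerShell with a hex-encoded command.
        if parent == "wt.exe" and image in POWERSHELL and looks_hex_encoded(cmd):
            hits.append("wt_powershell_hex_command")
        # Rule 2: MSBuild.exe handed a batch script, or spawning cmd.exe.
        if image == "msbuild.exe" and BATCH_SCRIPT.search(cmd):
            hits.append("msbuild_batch_script")
        if parent == "msbuild.exe" and image == "cmd.exe":
            hits.append("msbuild_spawns_cmd")
    elif kind == "network_connect":
        image, host = basename(event["image"]), event.get("dest_host", "").lower()
        # Rule 2 (network half): MSBuild.exe should not be making outbound connections.
        if image == "msbuild.exe":
            hits.append("msbuild_network")
        # Rule 3: blockchain RPC endpoint reached by a non-cryptocurrency workload.
        if any(frag in host for frag in RPC_HOST_FRAGMENTS) and image not in ALLOWED_RPC_PROCESSES:
            hits.append("blockchain_rpc_from_non_crypto_process")
    elif kind == "process_access":
        src, tgt = basename(event["source_image"]), basename(event["target_image"])
        # Rule 4: a non-browser process opening a handle into chrome.exe/msedge.exe
        # (how APC-based injection surfaces in cross-process access telemetry).
        if tgt in BROWSERS and src not in BROWSERS:
            hits.append("browser_process_access")
    elif kind == "file_read":
        image, fname = basename(event["image"]), event["path"].rsplit("\\", 1)[-1]
        # Rule 4 (file half): browser credential stores read by something other than the browser.
        if fname in CREDENTIAL_STORES and image not in BROWSERS:
            hits.append("browser_credential_store_read")
    return hits


def hits_by_id(events: List[Dict]) -> Dict[int, List[str]]:
    """Evaluate every event and map its id to the rules it tripped."""
    return {e["id"]: evaluate(e) for e in events}


# Constructed sample telemetry; the hex payload is just "A" repeated, hex-encoded.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create", "parent_image": r"C:\Program Files\WindowsApps\wt.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile -Command " + "41" * 32},
    {"id": 2, "type": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile Get-Process"},
    {"id": 3, "type": "process_create", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "command_line": r"MSBuild.exe C:\Users\Public\build.bat"},
    {"id": 4, "type": "network_connect", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "dest_host": "rpc.example-chain.invalid"},
    {"id": 5, "type": "network_connect", "image": r"C:\Program Files\Wallet\wallet.exe",
     "dest_host": "rpc.example-chain.invalid"},
    {"id": 6, "type": "process_access", "source_image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "target_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"id": 7, "type": "file_read", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"id": 8, "type": "file_read", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Web Data"},
]

if __name__ == "__main__":
    for event_id, rules in hits_by_id(SAMPLE_EVENTS).items():
        print(event_id, rules or "-")
```

Events 2, 5 and 7 are the benign controls: an explorer.exe-launched PowerShell with a plain command, an allowlisted wallet reaching an RPC endpoint, and Chrome reading its own credential store trip nothing, while the MSBuild.exe events stack several rules at once, which is the kind of correlation a SIEM rule for this variant should key on rather than any single event.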
