ClickFix campaign abusing Windows Terminal to deploy Lumma Stealer

Microsoft has shared details of a social engineering campaign that uses the Windows Terminal application to initiate a complex malware attack chain that deploys the Lumma Stealer malware.

According to Microsoft’s Threat Intelligence team, the campaign, observed in February 2026, directs users to launch Windows Terminal with the Windows + X, then I keyboard shortcut (Windows + X opens the Power User menu; I selects Terminal), which starts the terminal executable (wt.exe).

Researchers say the approach lets attackers blend malicious actions into legitimate administrative workflows. Because Windows Terminal is routinely used for system management, a command pasted into it looks more trustworthy to users than one pasted into the Run dialog, and it can slip past detection logic that watches only for suspicious commands entered through the Run dialog, the usual ClickFix entry point.

The attack begins when victims are tricked into copying a hex-encoded, XOR-obfuscated command from fake CAPTCHA pages, troubleshooting prompts, or other verification-style lures. Once pasted into a Windows Terminal session, the command launches additional Terminal and PowerShell instances, eventually spawning a PowerShell process that decodes and executes the hidden script.
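A quick triage helper for this kind of stage-1 payload, as an added example (not Microsoft's code and not taken from the campaign). The page does not say what XOR key length the lure used or how the encoding is laid out; the helper assumes a single-byte XOR key applied before hex encoding and brute-forces all 256 candidates, ranking them by printable ratio plus the presence of PowerShell-style tokens. The sample payload is constructed here from a benign command so the block runs offline.

```python
"""Triage helper for hex-encoded, XOR-obfuscated ClickFix commands.

Added example, not Microsoft's code. The campaign's real key length and
layout are not described on the page; this assumes a single-byte XOR key
applied before hex encoding (an assumption) and brute-forces all 256 keys.
"""
import re
import string

PRINTABLE = set(bytes(string.printable, "ascii"))
# Tokens typical of a ClickFix stage-1 command; each one found raises a candidate's score.
KEYWORDS = (b"powershell", b"iex", b"invoke-expression", b"downloadstring",
            b"frombase64string", b"-enc", b"-w hidden", b"cmd", b"wt.exe")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (symmetric, so it also decodes)."""
    return bytes(b ^ key for b in data)


def obfuscate(plaintext: str, key: int) -> str:
    """Build a payload the way a lure page would: XOR, then hex-encode.

    Used only to construct test input; the real lure's encoder is not on the page.
    """
    return xor_bytes(plaintext.encode(), key).hex()


def score(candidate: bytes) -> float:
    """Printable ratio in [0, 1] plus one point per keyword hit."""
    if not candidate:
        return 0.0
    printable = sum(b in PRINTABLE for b in candidate) / len(candidate)
    hits = sum(kw in candidate.lower() for kw in KEYWORDS)
    return printable + hits


def decode_clickfix(hex_blob: str):
    """Return (key, plaintext) for the best-scoring single-byte XOR key.

    Whitespace is stripped first because pasted lures often wrap the blob.
    """
    data = bytes.fromhex(re.sub(r"\s+", "", hex_blob))
    best_key, best_plain, best_score = None, b"", -1.0
    for key in range(256):
        cand = xor_bytes(data, key)
        s = score(cand)
        if s > best_score:
            best_key, best_plain, best_score = key, cand, s
    return best_key, best_plain.decode("latin-1")


if __name__ == "__main__":
    # Constructed sample: a benign command, XOR key 0x5A, hex-encoded.
    sample = obfuscate('powershell -NoProfile -w hidden -c "Write-Host clickfix-demo"', 0x5A)
    key, plain = decode_clickfix(sample)
    print(f"key=0x{key:02x} -> {plain}")
```

If the best score is barely above the printable ratio alone (no keyword hits), the payload is probably not single-byte XOR and the blob should be taken to a proper decoder; the scoring is deliberately crude so that a case-flipped false positive (XOR with 0x20 flips ASCII case, which the lowercase comparison tolerates) is still outscored by the true key's clean plaintext.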

The script then downloads a ZIP archive along with a legitimate but renamed 7-Zip binary saved under a randomized filename. The renamed 7-Zip binary extracts the archive’s contents, starting a multi-stage infection chain that ultimately deploys the Lumma Stealer malware. The malware is injected into legitimate browser processes such as chrome.exe and msedge.exe using the QueueUserAPC() technique (APC injection), enabling attackers to harvest sensitive browser data.

Microsoft also discovered a secondary attack path, in which the command pasted into Windows Terminal uses cmd.exe to download a randomly named batch script into the AppData\Local directory. The batch script writes a Visual Basic Script to the system’s Temp folder and executes it through multiple mechanisms, including MSBuild.exe.

The script additionally connects to cryptocurrency blockchain RPC endpoints in what appears to be the EtherHiding technique, in which attacker-controlled data such as next-stage payloads or command-and-control details is stored in smart contracts and retrieved through ordinary blockchain RPC calls, giving the malware a covert channel that is hard to take down. The malware ultimately performs QueueUserAPC-based code injection into browser processes to steal stored credentials and web data.
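The process tree described across both attack paths (a shell under Windows Terminal carrying an encoded payload, a renamed 7-Zip binary, and MSBuild.exe launched by a script host) can be expressed as a few detection rules over process-creation telemetry. The following is an added example, not Microsoft's detection logic. The events are constructed inline in a simplified Sysmon Event ID 1 shape (Image, ParentImage, OriginalFileName, CommandLine, ProcessId, ParentProcessId); the field names, the inclusion of WindowsTerminal.exe alongside wt.exe as a terminal ancestor, and the hex-run length threshold are assumptions for illustration.

```python
"""Toy detection pass for the ClickFix / Windows Terminal process tree.

Added example, not Microsoft's detection logic. Events below are constructed
in a simplified Sysmon Event ID 1 shape; field names, the terminal process
names and the thresholds are assumptions for illustration.
"""
import re
from pathlib import PureWindowsPath

TERMINAL = {"wt.exe", "windowsterminal.exe"}          # launcher plus main process (assumption)
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "pwsh.exe"}
SEVEN_ZIP = {"7z.exe", "7za.exe", "7zr.exe"}
HEX_RUN = re.compile(r"\b[0-9a-fA-F]{64,}\b")        # long hex blob on the command line
SUSPICIOUS = re.compile(
    r"(?:-enc(?:odedcommand)?\b|-e\b|frombase64string|downloadstring|\biex\b"
    r"|invoke-expression|-w(?:indowstyle)?\s+hidden)", re.I)


def base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def ancestors(ev: dict, by_pid: dict):
    """Yield ancestor events by walking ParentProcessId (cycle-safe)."""
    seen = set()
    cur = by_pid.get(ev["ParentProcessId"])
    while cur and cur["ProcessId"] not in seen:
        seen.add(cur["ProcessId"])
        yield cur
        cur = by_pid.get(cur["ParentProcessId"])


def detect(events: list) -> list:
    """Return (rule_name, ProcessId) pairs for every event that trips a rule."""
    by_pid = {e["ProcessId"]: e for e in events}
    hits = []
    for e in events:
        img, cmd = base(e["Image"]), e.get("CommandLine", "")
        # Rule 1: shell with an encoded/hex payload somewhere under a Windows Terminal ancestor
        if img in SHELLS and (HEX_RUN.search(cmd) or SUSPICIOUS.search(cmd)) \
                and any(base(a["Image"]) in TERMINAL for a in ancestors(e, by_pid)):
            hits.append(("terminal_encoded_shell", e["ProcessId"]))
        # Rule 2: MSBuild.exe launched by a script host instead of a build tool
        if img == "msbuild.exe" and base(e["ParentImage"]) in SCRIPT_HOSTS:
            hits.append(("msbuild_from_script_host", e["ProcessId"]))
        # Rule 3: a 7-Zip binary (by PE OriginalFileName) running under another name
        orig = e.get("OriginalFileName", "").lower()
        if orig in SEVEN_ZIP and img != orig:
            hits.append(("renamed_7zip", e["ProcessId"]))
    return hits


# Constructed sample events (not real telemetry); PIDs and paths are made up.
SAMPLE_EVENTS = [
    {"ProcessId": 100, "ParentProcessId": 1, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe", "CommandLine": "explorer.exe"},
    {"ProcessId": 200, "ParentProcessId": 100, "Image": r"C:\Windows\System32\wt.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "wt.exe"},
    {"ProcessId": 201, "ParentProcessId": 200, "Image": r"C:\Program Files\WindowsApps\Terminal\WindowsTerminal.exe",
     "ParentImage": r"C:\Windows\System32\wt.exe", "CommandLine": "WindowsTerminal.exe"},
    {"ProcessId": 300, "ParentProcessId": 201, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\WindowsApps\Terminal\WindowsTerminal.exe",
     "CommandLine": "powershell.exe -NoProfile -w hidden -Command " + "ab" * 40},
    {"ProcessId": 310, "ParentProcessId": 201, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\WindowsApps\Terminal\WindowsTerminal.exe",
     "CommandLine": "powershell.exe Get-Process"},                       # benign admin use
    {"ProcessId": 400, "ParentProcessId": 300, "Image": r"C:\Users\u\AppData\Local\Temp\kx91.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "7z.exe", "CommandLine": "kx91.exe x stage.zip"},
    {"ProcessId": 500, "ParentProcessId": 201, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\WindowsApps\Terminal\WindowsTerminal.exe",
     "CommandLine": r"cmd.exe /c C:\Users\u\AppData\Local\a1b2.bat"},
    {"ProcessId": 600, "ParentProcessId": 500, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": r"MSBuild.exe C:\Users\u\AppData\Local\Temp\x.proj"},
    {"ProcessId": 700, "ParentProcessId": 710, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\devenv.exe", "CommandLine": "MSBuild.exe app.sln"},
    {"ProcessId": 800, "ParentProcessId": 100, "Image": r"C:\Program Files\7-Zip\7z.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "OriginalFileName": "7z.exe", "CommandLine": "7z.exe x a.zip"},
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Rule 1 walks the whole ancestor chain rather than checking the direct parent because the page describes the pasted command spawning further Terminal and PowerShell instances before the decoding PowerShell runs; a parent-only check would miss the deepest process. Rule 3 relies on the PE OriginalFileName that Sysmon records, which survives the on-disk rename.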
