Overview
- Microsoft says the February 2026 activity instructs targets to press Windows + X, then I, which opens Windows Terminal instead of the Run dialog, sidestepping detections that focus on Run-dialog (Win + R) usage.
- Victims are lured by fake CAPTCHA or troubleshooting pages to paste a hex‑encoded, XOR‑compressed command that expands through PowerShell into a multi‑stage chain.
- The chain downloads a ZIP payload and a legitimately signed but renamed 7‑Zip utility, then sets scheduled‑task persistence, adds Defender exclusions, and exfiltrates system data.
- The final payload installs Lumma Stealer, which uses QueueUserAPC‑based injection into chrome.exe and msedge.exe to harvest browser credential stores, with artifacts noted at C:\ProgramData\app_config\ctjb.
- Microsoft also observed a second path that drops a batch file and VBScript executed via cmd.exe and MSBuild.exe for LOLBin abuse, with traffic to crypto RPC endpoints consistent with EtherHiding, and it has published mitigation guidance.
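The stages listed above each leave a distinct mark in endpoint telemetry. The following is an added example (not code from Microsoft or from the report this summary describes) that runs a few hunt rules over constructed Sysmon-style process-creation events: Windows Terminal hosting PowerShell with a long hex blob on the command line, a signed binary whose embedded original file name is 7z.exe but whose on-disk name differs, scheduled-task creation, a Defender exclusion being added, the C:\ProgramData\app_config\ctjb artifact path, and MSBuild.exe launched from cmd.exe. The field names (Image, ParentImage, CommandLine, OriginalFileName, ProcessId), the 64-hex-character threshold and the sample events are this example's own assumptions.

```python
"""Hunt rules for the ClickFix / Windows Terminal chain over constructed events.

Added example, not the vendor's code. Field names follow Sysmon Event ID 1
(process creation); the events below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# A run of 64+ hex characters on a PowerShell command line is treated as an
# encoded payload; the threshold is an assumption for this example.
HEX_RUN = re.compile(r"\b[0-9A-Fa-f]{64,}\b")
EXCLUSION = re.compile(r"Add-MpPreference\s+-Exclusion", re.IGNORECASE)
TASK_CREATE = re.compile(r"schtasks(\.exe)?\s+/create", re.IGNORECASE)
ARTIFACT_DIR = r"c:\programdata\app_config\ctjb"  # path noted in the report
SEVENZIP_NAMES = ("7z.exe", "7za.exe", "7zr.exe")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles / and \\)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def analyze(events):
    """Return one Finding per rule hit across the given process-creation events."""
    findings = []
    for ev in events:
        img = basename(ev["Image"])
        parent = basename(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "")
        pid = ev["ProcessId"]
        # Stage 1: Win+X, I opens Windows Terminal, which then hosts the pasted command.
        if parent == "windowsterminal.exe" and img in ("powershell.exe", "pwsh.exe") \
                and HEX_RUN.search(cmd):
            findings.append(Finding("terminal_hosted_encoded_powershell", pid, cmd[:60]))
        # Renamed but still-signed 7-Zip: version info keeps the original name.
        orig = ev.get("OriginalFileName", "").lower()
        if orig in SEVENZIP_NAMES and img != orig:
            findings.append(Finding("renamed_7zip", pid, f"{img} (OriginalFileName={orig})"))
        if TASK_CREATE.search(cmd):
            findings.append(Finding("scheduled_task_persistence", pid, cmd[:60]))
        if EXCLUSION.search(cmd):
            findings.append(Finding("defender_exclusion_added", pid, cmd[:60]))
        if ARTIFACT_DIR in cmd.lower():
            findings.append(Finding("known_artifact_path", pid, ARTIFACT_DIR))
        # Second path: cmd.exe chaining into MSBuild.exe (LOLBin); the parent check is an assumption.
        if img == "msbuild.exe" and parent == "cmd.exe":
            findings.append(Finding("msbuild_lolbin_from_cmd", pid, cmd[:60]))
    return findings


# Constructed sample telemetry: five events mirroring the chain plus one benign event.
SAMPLE_EVENTS = [
    {"ProcessId": 101, "ParentImage": r"C:\Program Files\WindowsApps\WindowsTerminal.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -c \"$h='" + "41" * 40 + "'; iex ...\""},
    {"ProcessId": 102, "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Users\u\AppData\Local\Temp\sys_helper.exe", "OriginalFileName": "7z.exe",
     "CommandLine": r"sys_helper.exe x payload.zip -oC:\ProgramData\app_config\ctjb"},
    {"ProcessId": 103, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": "schtasks.exe /create /sc minute /mo 5 /tn Updater /tr ..."},
    {"ProcessId": 104, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe Add-MpPreference -ExclusionPath C:\ProgramData\app_config"},
    {"ProcessId": 105, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": "MSBuild.exe ..."},
    {"ProcessId": 106, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Process"},
]


def run_demo():
    """Run the rules over the constructed events and return the findings."""
    return analyze(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_demo():
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

Each rule on its own is noisy (administrators create scheduled tasks and exclusions legitimately); the value is in correlating several of them on one host within a short window, and in the OriginalFileName mismatch, which a renamed signed utility cannot avoid without breaking its signature.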