⚠️ Security Warning

ClickFix lures can lead to malware and computer viruses. If you see text like this online, it's likely a scam.


wt.exe

wt.exe is Windows Terminal, a modern terminal application for Windows. In February/March 2026, attackers began instructing victims to press Win+X and then I to launch Windows Terminal directly, which bypasses detections focused on the Win+R Run dialog. Victims paste hex-encoded, XOR-compressed commands that spawn additional PowerShell instances to decode and execute payloads. The technique targets the more privileged terminal environment and delivers Lumma Stealer.

windows cli CLI

To fix this issue, please open Windows Terminal and paste the verification code.

  1. Press Win+X on your keyboard

  2. Press I to open Terminal

  3. Press Ctrl-V to paste the code

  4. Press Enter to execute

Mitigations:

  • Monitor for wt.exe spawning PowerShell with suspicious arguments

  • Alert on hex-encoded commands pasted into terminal applications

  • Restrict Windows Terminal access via AppLocker or WDAC where not needed

  • Monitor for renamed 7-Zip binaries used for payload extraction
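
The first and last mitigations expressed as detection logic over process-creation events. This is an added example, not part of the original page. The event field names, process-name sets, 64-character hex threshold and sample events are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Assumptions: process-name sets, the 64-hex-character threshold, event field names.
TERMINAL = {"wt.exe", "windowsterminal.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
SEVENZIP_ORIGINAL = {"7z.exe", "7za.exe", "7zr.exe"}
HEX_RUN = re.compile(r"(?:[0-9a-fA-F]{2}){32,}")

def name(path):
    return PureWindowsPath(path).name.lower()

def terminal_ancestor(event, by_pid, depth=3):
    """True if a Terminal process is within `depth` parents of the event."""
    pid = event["ppid"]
    for _ in range(depth):
        parent = by_pid.get(pid)
        if parent is None:
            return False
        if name(parent["image"]) in TERMINAL:
            return True
        pid = parent["ppid"]
    return False

def detect(events):
    """Return (pid, rule) alerts; PID reuse is ignored for brevity."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        img = name(e["image"])
        if (img in POWERSHELL and HEX_RUN.search(e["cmdline"])
                and terminal_ancestor(e, by_pid)):
            alerts.append((e["pid"], "hex-powershell-under-terminal"))
        # Renamed 7-Zip: version-resource name no longer matches the file name.
        orig = e.get("original_name", "").lower()
        if orig in SEVENZIP_ORIGINAL and img != orig:
            alerts.append((e["pid"], "renamed-7zip"))
    return alerts

BLOB = "41" * 40  # constructed, benign hex filler
SAMPLE = [  # constructed events, not real telemetry
    {"pid": 100, "ppid": 4, "image": r"C:\Example\WindowsTerminal.exe", "cmdline": "wt.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Example\powershell.exe", "cmdline": "powershell.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Example\powershell.exe", "cmdline": "powershell.exe -Command " + BLOB},
    {"pid": 400, "ppid": 200, "image": r"C:\Example\powershell.exe", "cmdline": "powershell.exe -Command Get-Date"},
    {"pid": 500, "ppid": 300, "image": r"C:\Example\upd.exe", "cmdline": "upd.exe x a.zip", "original_name": "7z.exe"},
    {"pid": 600, "ppid": 200, "image": r"C:\Example\7z.exe", "cmdline": "7z.exe l a.zip", "original_name": "7z.exe"},
    {"pid": 700, "ppid": 900, "image": r"C:\Example\powershell.exe", "cmdline": "powershell.exe -Command " + BLOB},
]
```

The ancestor walk matters because the pasted command runs inside the shell that Terminal hosts, so the PowerShell instance carrying the hex blob is usually a grandchild of the Terminal process rather than a direct child.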


Contributor: Michael Haag (2026-03-14)