- Microsoft warns about the evolution of the ClickFix campaign
- Attackers now abuse Windows Terminal instead of Run
- Victims were tricked into installing Lumma Stealer malware
ClickFix attacks continue to evolve, with a particular new malware strain abandoning the Windows Run program altogether, experts have warned.
Microsoft’s Threat Intelligence team said it saw a “widespread” social engineering campaign starting in February 2026. The general principle is the same as in earlier ClickFix attacks: victims end up on compromised or malicious websites, where they are presented with a fake security warning asking them to fix a random problem they appear to have.
In “classic” ClickFix campaigns, this problem is “fixed” by launching the Windows Run program (Win + R) and pasting a command that results in the installation of malware. But security solutions have gotten better at detecting malware installations originating from the Windows Run environment, which is why crooks have now replaced it with Windows Terminal.
The evolution of ClickFix
Terminal is a modern Windows command line application that allows users to run different command line tools in a single window using tabs, much like a web browser.
It can be displayed with a shortcut, similar to how the Run program is accessed in these attacks, using the Win + X → I combination. Depending on the command given to victims, pasting it can trigger one of two attack chains observed. The end result, however, is the same: the installation of the Lumma Stealer.
This is a popular malware variant commonly sold as a service on cybercrime forums. It is designed to exfiltrate sensitive data from target Windows computers, such as browser credentials, session cookies, cryptocurrency wallet information, and other secrets that the victim might have stored.
ClickFix is one of the oldest malware scams, dating back to the early days of the Internet. It starts with a pop-up informing the victim of a problem they are experiencing on their computer and offering a solution in the same message.
Decades ago, this problem was a fake virus infection, but today it is mostly fake CAPTCHAs or “locked” documents.




