- Microsoft warns about the evolution of the ClickFix campaign
- Attackers now abuse Windows Terminal instead of Run
- Victims tricked into installing Lumma Stealer malware
ClickFix attacks continue to evolve, with one new strain of malware in particular abandoning the Windows Run program entirely, experts warned.
Microsoft’s Threat Intelligence team said it saw a “widespread” social engineering campaign starting in February 2026, where the general premise is the same: victims end up on compromised or malicious websites, where they are shown a fake security warning asking them to fix a random issue they apparently have.
In “classic” ClickFix campaigns, that problem is “solved” by opening the Windows Run program (Win + R) and pasting a command that results in the installation of malware. But security solutions have gotten better at detecting malware installations coming from the Windows runtime, which is why criminals have now replaced it with the Windows Terminal.
The evolution of ClickFix
Terminal is a modern Windows command-line application that allows users to run different command-line tools in a window using tabs, much like a web browser.
It can be opened with a shortcut, similar to how the Run program is accessed in these attacks, using the combination Win + The end result, however, is the same: the installation of Lumma Stealer.
This is a popular malware variant that is typically sold as a service on cybercrime forums. It is designed to extract sensitive data from targeted Windows computers, such as browser credentials, session cookies, cryptocurrency wallet information, and other secrets that the victim may have stored.
ClickFix is one of the oldest malware scams out there, dating back to the early days of the Internet. It starts with a pop-up window that informs the victim about a problem they are having on their computer and offers a solution in the same message.
Decades ago, that problem was a fake virus infection, but today it’s mostly fake CAPTCHAs or “locked” documents.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds. Be sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp also.
