- Microsoft warns of a ClickFix campaign in development
- Attackers now abuse Windows Terminal instead of Run
- Victims tricked into installing Lumma Stealer malware
ClickFix attacks continue to evolve, with a particular new strain of malware ditching the Windows Run program entirely, experts have warned.
Microsoft’s Threat Intelligence team said it saw a “widespread” social engineering campaign starting in February 2026, where the general premise is the same – victims end up on compromised or otherwise malicious websites, where they are presented with a fake security alert asking them to fix a random problem they apparently have.
In “classic” ClickFix campaigns, that problem is “solved” by opening the Windows Run program (Win + R) and inserting a command that results in the installation of malware. But security solutions have gotten better at spotting malware installations that come from the Windows Run environment, which is why crooks have now replaced it with the Windows Terminal.
The development of ClickFix
Terminal is a modern Windows command line application that lets users run various command line tools in one window using tabs, just like a web browser.
It can be brought up with a shortcut, similar to how the Run program is accessed in these attacks, by using the combination Win + X → I. Depending on the command given to the victims, its insertion can trigger one of two observed attack chains. However, the end result is the same – the installation of Lumma Stealer.
This is a popular malware variant that is usually sold as a service on cybercrime forums. It is designed to exfiltrate sensitive data from target Windows computers, such as browser credentials, session cookies, cryptocurrency wallet information, and other secrets that the victim may have stored.
ClickFix is one of the oldest malware scams, dating back to the earliest days of the Internet. It starts with a pop-up that informs the victim about a problem they are having on their computer and offers a solution in the same message.
Decades ago that problem was a fake virus infection, but today it’s mostly about fake CAPTCHAs or “locked” documents.
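For defenders, the move from Run to Terminal changes the process ancestry a detection rule has to look at. The sketch below is an added example, not code from Microsoft or from this article: the event records, the placeholder command lines and the suspicious-pattern list are all constructed assumptions, and it shows a parent-only rule written for the Run dialog missing the Terminal chain while an ancestry-based rule catches it.

```python
import re

# Assumed markers of a pasted download-and-run one-liner (not from the article).
SUSPICIOUS = re.compile(
    r"-enc\w*\s|-w\w*\s+hidden|downloadstring|invoke-webrequest|\biex\b|\bmshta\b",
    re.I)

# Constructed process-creation events: pid, parent pid, image name, command line.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    # Classic ClickFix: command pasted into Run (Win + R), child of explorer.exe.
    {"pid": 400, "ppid": 100, "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc CONSTRUCTED_PLACEHOLDER"},
    # Terminal variant: Win + X -> I, command pasted into the interactive shell.
    {"pid": 200, "ppid": 100, "image": "WindowsTerminal.exe", "cmdline": "WindowsTerminal.exe"},
    {"pid": 210, "ppid": 200, "image": "powershell.exe", "cmdline": "powershell.exe"},
    {"pid": 220, "ppid": 210, "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc CONSTRUCTED_PLACEHOLDER"},
    # Benign developer session in Terminal.
    {"pid": 300, "ppid": 100, "image": "WindowsTerminal.exe", "cmdline": "WindowsTerminal.exe"},
    {"pid": 310, "ppid": 300, "image": "pwsh.exe", "cmdline": "pwsh.exe"},
    {"pid": 320, "ppid": 310, "image": "git.exe", "cmdline": "git.exe status"},
]

def ancestors(pid, by_pid, max_depth=4):
    """Yield lower-cased image names of up to max_depth ancestors of pid."""
    for _ in range(max_depth):
        parent = by_pid.get(by_pid[pid]["ppid"])
        if parent is None:
            return
        yield parent["image"].lower()
        pid = parent["pid"]

def run_dialog_rule(events):
    """Parent-only rule: suspicious command whose direct parent is explorer.exe."""
    by_pid = {e["pid"]: e for e in events}
    return [e["pid"] for e in events if SUSPICIOUS.search(e["cmdline"])
            and next(ancestors(e["pid"], by_pid, 1), "") == "explorer.exe"]

def terminal_rule(events):
    """Ancestry rule: suspicious command anywhere below WindowsTerminal.exe."""
    by_pid = {e["pid"]: e for e in events}
    return [e["pid"] for e in events if SUSPICIOUS.search(e["cmdline"])
            and "windowsterminal.exe" in ancestors(e["pid"], by_pid)]

if __name__ == "__main__":
    print("Run-dialog rule:", run_dialog_rule(EVENTS))
    print("Terminal rule:  ", terminal_rule(EVENTS))
```

A pasted command that runs entirely inside the already-open shell creates no new process event, so a rule like this should be paired with PowerShell script block logging (Event ID 4104).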



