Microsoft warns of evolving ClickFix campaign

Date: 2026-03-09

Attackers now abuse Windows Terminal instead of Run

Victims tricked into installing Lumma Stealer malware

ClickFix attacks keep evolving, with one particular new malware strain ditching the Windows Run program altogether, experts have warned.

Microsoft's Threat Intelligence team said it saw a “widespread” social engineering campaign starting in February 2026. The general premise is the same: victims end up on compromised or otherwise malicious websites, where they’re shown a fake security warning asking them to fix a random problem they apparently have.

In “classic” ClickFix campaigns, that problem is “solved” by bringing up the Windows Run program (Win + R) and pasting a command that results in the installation of malware. But security solutions have gotten better at spotting malware installations coming from the Windows Run environment, which is why crooks have now replaced it with the Windows Terminal.

The evolution of ClickFix

Terminal is a modern command-line Windows application that lets users run different command-line tools in one window using tabs, much like a web browser.

It can be brought up with a keyboard shortcut, Win + X → I, similar to how the Run program is accessed in these attacks. Depending on the command given to the victim, pasting it can trigger one of two observed attack chains. The end result, however, is the same: the installation of the Lumma Stealer.

This is a popular malware variant usually sold as a service on cybercrime forums. It is designed to exfiltrate sensitive data from target Windows computers, such as browser credentials, session cookies, cryptocurrency wallet information, and other secrets the victim might have stored.

ClickFix is one of the oldest-running malware scams around, dating back to the earliest days of the internet. It starts with a popup, informing the victim about a problem they have on their computer, and offering a solution in the same message.


Decades ago, that problem was a fake virus infection but today, it’s mostly about fake CAPTCHAs or “locked” documents.
