By Sead Fadilpašić
Publication Date: 2026-03-09 12:35:00
- Microsoft warns of evolving ClickFix campaign
- Attackers now abuse Windows Terminal instead of Run
- Victims tricked into installing Lumma Stealer malware
ClickFix attacks keep evolving, with one particular new malware strain ditching the Windows Run program altogether, experts have warned.
Microsoft‘s Threat Intelligence team said it saw a “widespread” social engineering campaign starting in February 2026 where the general premise is the same – victims end up on compromised, or otherwise malicious websites, where they’re shown a fake security warning asking them to fix a random problem they apparently have.
In “classic” ClickFix campaigns, that problem is “solved” by bringing up the Windows Run program (Win + R) and pasting a command that results in the installation of malware. But security solutions have gotten better at spotting malware installations coming from the Windows Run environment, which is why crooks have now replaced it with the Windows Terminal.
