Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer

Summary

Microsoft has detailed a social engineering campaign called ClickFix that uses Windows Terminal to deploy the Lumma Stealer malware. The campaign, observed in February 2026, executes commands through Windows Terminal in place of traditional methods like the Windows Run dialog. The attackers are leveraging a common Windows application to initiate their malicious payload delivery.

IFF Assessment

FOE

A new, sophisticated campaign that leverages legitimate tools to deploy malware poses a direct threat to users and organizations and indicates an increased risk.

Defender Context

Defenders should be aware of social engineering tactics that misuse legitimate applications like Windows Terminal for malware deployment. User education regarding suspicious commands or prompts, even those appearing within trusted applications, is crucial. Monitoring for unusual Windows Terminal activity and the exfiltration of credentials or sensitive data is also important.
