LummaStealer infection surge via CastleLoader
Malware Activity
Summary
Hide ▲
Show ▼
The LummaStealer infostealer operation now includes a widespread ClickFix campaign observed in February 2026 that abuses Windows Terminal (wt.exe) instead of the Run dialog to execute malicious commands and deploy Lumma Stealer. The chain uses PowerShell, cmd.exe, and MSBuild.exe, sets persistence and Microsoft Defender exclusions, and injects the stealer into chrome.exe and msedge.exe with QueueUserAPC() to harvest browser credentials and exfiltrate data. The update broadens the operation’s delivery tradecraft by showing another way attackers can blend abuse into legitimate admin workflows while bypassing Run-dialog-specific detections.
Related Happenings
Veil#Drop PureLog Stealer in-memory delivery operation
Malware Activity
H score30
First: 01.07.2026 17:30
Last: 01.07.2026 17:30
Sources 1
About this happening:
**Veil#Drop** is delivering **PureLog Stealer** through a **fileless** chain that keeps payloads **entirely in memory**, reducing disk artifacts and raising the chance of evading...
Veil#Drop PureLog Stealer in-memory delivery operation
Malware ActivityAbout this happening: **Veil#Drop** is delivering **PureLog Stealer** through a **fileless** chain that keeps payloads **entirely in memory**, reducing disk artifacts and raising the chance of evading...
ClickFix payload delivery analysis exposes API-driven generation and Downloads-folder AMSI evasion
Technical Analysis
H score74
First: 01.07.2026 08:32
Last: 01.07.2026 08:32
Sources 1
About this happening:
Analysis of **ClickFix** payload delivery shows operators moving to **API-driven servers** and a **Downloads-folder** orchestrator, increasing stealth across live campaigns. The b...
ClickFix payload delivery analysis exposes API-driven generation and Downloads-folder AMSI evasion
Technical AnalysisAbout this happening: Analysis of **ClickFix** payload delivery shows operators moving to **API-driven servers** and a **Downloads-folder** orchestrator, increasing stealth across live campaigns. The b...
ClickFix mitigation guidance for Windows and macOS
Defensive Guidance
H score34
First: 30.06.2026 15:00
Last: 30.06.2026 15:00
Sources 1
About this happening:
Organizations are being urged to harden defenses against **ClickFix** on **Windows** and **macOS**, reducing the chance that social-engineering lures can turn trusted dialogs into...
ClickFix mitigation guidance for Windows and macOS
Defensive GuidanceAbout this happening: Organizations are being urged to harden defenses against **ClickFix** on **Windows** and **macOS**, reducing the chance that social-engineering lures can turn trusted dialogs into...
TONResolver RAT delivered via ZIP, LNK, and PowerShell
Malware Activity
H score22
First: 30.06.2026 13:30
Last: 30.06.2026 13:30
Sources 1
About this happening:
The **TONResolver** malware implant was delivered through a **ZIP/LNK/PowerShell** chain that can establish a **remote access trojan** foothold and enable **command execution**. T...
TONResolver RAT delivered via ZIP, LNK, and PowerShell
Malware ActivityAbout this happening: The **TONResolver** malware implant was delivered through a **ZIP/LNK/PowerShell** chain that can establish a **remote access trojan** foothold and enable **command execution**. T...
SharkLoader loader activity deploying Cobalt Strike Beacon
Malware Activity
H score30
First: 26.06.2026 21:17
Last: 26.06.2026 21:17
Sources 1
About this happening:
A newly observed **SharkLoader** malware operation is staging **Cobalt Strike Beacon** on compromised Windows hosts, expanding post-compromise control and persistence risk. The lo...
SharkLoader loader activity deploying Cobalt Strike Beacon
Malware ActivityAbout this happening: A newly observed **SharkLoader** malware operation is staging **Cobalt Strike Beacon** on compromised Windows hosts, expanding post-compromise control and persistence risk. The lo...
Timeline
-
06.03.2026 08:44 1 articles · 4mo ago
Microsoft discloses Windows Terminal ClickFix campaign deploying Lumma Stealer
Technical Analysis UpdateMicrosoft disclosed a widespread ClickFix social-engineering campaign that uses Windows Terminal (wt.exe) instead of the Windows Run dialog to trick users into launching malicious commands, then chains through Terminal, PowerShell, cmd.exe, and MSBuild.exe to download payloads, set persistence via scheduled tasks, configure Microsoft Defender exclusions, and inject Lumma Stealer into chrome.exe and msedge.exe with QueueUserAPC().
Show sources
- Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer — thehackernews.com — 06.03.2026 08:44
-
11.02.2026 19:02 2 articles · 4mo ago
LummaStealer infection surge via CastleLoader
Initial DisclosureAfter a **May 2025** disruption that seized **2,300 domains**, the LummaStealer service began to resume in **July 2025** and rebuilt its delivery infrastructure before the later surge. That recovery set up the later expansion in loader-based infections.
Show sources
- LummaStealer infections surge after CastleLoader malware campaigns — www.bleepingcomputer.com — 11.02.2026 19:02
- Microsoft Discloses DNS-Based ClickFix Attack Using Nslookup for Malware Staging — thehackernews.com — 15.02.2026 16:10