
LummaStealer infection surge via CastleLoader

Malware Activity
Happening score: 33
2 unique sources, 3 articles

Summary


The LummaStealer infostealer operation now includes a widespread ClickFix campaign observed in February 2026 that abuses Windows Terminal (wt.exe) instead of the Run dialog to execute malicious commands and deploy Lumma Stealer. The chain uses PowerShell, cmd.exe, and MSBuild.exe, sets persistence and Microsoft Defender exclusions, and injects the stealer into chrome.exe and msedge.exe with QueueUserAPC() to harvest browser credentials and exfiltrate data. The update broadens the operation’s delivery tradecraft by showing another way attackers can blend abuse into legitimate admin workflows while bypassing Run-dialog-specific detections.
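As an added example (not code from this page or from Microsoft's report), a Python detection pass over constructed Sysmon-style process-creation events: it treats a wt.exe-rooted process tree as suspicious only when the tree shows the follow-on behaviours the summary names (a Defender exclusion change, scheduled-task creation, MSBuild.exe run against a project in a user-writable path), since Windows Terminal launching PowerShell is normal on its own. Field names follow Sysmon Event ID 1; the sample events, paths and task name are constructed.

```python
import ntpath
import re
from collections import defaultdict

# Constructed Sysmon Event ID 1 records: Sysmon field names, made-up values (not telemetry from the campaign).
EVENTS = [
    {"ProcessId": 100, "ParentProcessId": 1, "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"ProcessId": 200, "ParentProcessId": 100, "Image": r"C:\Program Files\WindowsApps\Terminal\wt.exe", "CommandLine": "wt.exe"},
    {"ProcessId": 300, "ParentProcessId": 200, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -c Add-MpPreference -ExclusionPath C:\Users\Public"},
    {"ProcessId": 400, "ParentProcessId": 300, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c schtasks /create /tn Updater /sc onlogon /tr C:\Users\Public\u.cmd"},
    {"ProcessId": 500, "ParentProcessId": 400, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": r"MSBuild.exe C:\Users\Public\build.proj"},
    # Benign noise: a developer opens Terminal and runs an ordinary PowerShell session.
    {"ProcessId": 600, "ParentProcessId": 100, "Image": r"C:\Program Files\WindowsApps\Terminal\wt.exe", "CommandLine": "wt.exe"},
    {"ProcessId": 700, "ParentProcessId": 600, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "CommandLine": "powershell.exe"},
]
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.I)
CHECKS = [  # (tag, predicate over (image basename, command line)); each is a follow-on behaviour from the report
    ("defender_exclusion", lambda n, c: re.search(r"Add-MpPreference\b.*-Exclusion", c, re.I)),
    ("scheduled_task", lambda n, c: re.search(r"schtasks(\.exe)?\s+/create", c, re.I)),
    ("msbuild_user_path", lambda n, c: n == "msbuild.exe" and USER_WRITABLE.search(c)),
]

def indicators(ev):
    """Tags for one event; wt.exe -> powershell.exe by itself deliberately yields nothing."""
    name, cmd = ntpath.basename(ev["Image"]).lower(), ev["CommandLine"]
    return [tag for tag, check in CHECKS if check(name, cmd)]

def wt_root(ev, by_pid, max_depth=6):
    """Pid of the nearest wt.exe ancestor, or None; the depth bound also guards against pid reuse cycles."""
    cur = ev
    for _ in range(max_depth):
        cur = by_pid.get(cur["ParentProcessId"])
        if cur is None:
            return None
        if ntpath.basename(cur["Image"]).lower() == "wt.exe":
            return cur["ProcessId"]
    return None

def detect(events, min_tags=2):
    """Group indicator hits under their wt.exe root; alert only when a tree shows >= min_tags distinct kinds."""
    by_pid = {e["ProcessId"]: e for e in events}
    hits = defaultdict(list)
    for ev in events:
        root = wt_root(ev, by_pid)
        if root is not None:
            hits[root].extend((ev["ProcessId"], tag) for tag in indicators(ev))
    return {root: sorted(h) for root, h in hits.items() if len({t for _, t in h}) >= min_tags}
```

Requiring two distinct indicator kinds under one Terminal root keeps a lone developer session out of the alert queue while still catching the chain end to end.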

Related Happenings

REMUS infostealer browser-session and password-manager collection expansion

Malware Activity
First: 15.05.2026 17:02 · Last: 15.05.2026 17:02 · Sources: 1

About this happening: **REMUS** expanded its **session-theft** and **password-manager** collection capabilities, increasing the malware’s ability to capture authenticated access and browser-side data....

MuddyWater broad cyber-espionage campaign across sectors and countries

Campaign
First: 14.05.2026 00:59 · Last: 14.05.2026 00:59 · Sources: 1

About this happening: **MuddyWater** was tied to a **2026 espionage campaign** affecting **at least nine organizations** across **nine countries** on **four continents**, with victims in **industrial a...

ClickFix attacks with PySoxy scheduled-task persistence

Malware Activity
First: 12.05.2026 15:00 · Last: 12.05.2026 15:00 · Sources: 1

About this happening: Cybercriminals are combining **ClickFix** with **PySoxy** to preserve access on victim machines, letting activity restart even after removal attempts. The setup uses a **Python SO...

Filemanager backdoor delivered on compromised cPanel environments

Malware Activity
First: 11.05.2026 20:54 · Last: 11.05.2026 20:54 · Sources: 1

About this happening: The **Filemanager** backdoor is being deployed on **compromised cPanel/WHM systems**, giving attackers **remote command execution** and shell access. It is delivered through a **s...

Open-OSS/privacy-filter Hugging Face infostealer activity

Malware Activity
First: 11.05.2026 10:05 · Last: 11.05.2026 10:05 · Sources: 1

About this happening: A malicious **Hugging Face repository** called **Open-OSS/privacy-filter** impersonated **OpenAI's Privacy Filter** and delivered a **Rust-based information stealer** to **Windows...

Timeline

  1. 06.03.2026 08:44 1 article · 2mo ago

    Microsoft discloses Windows Terminal ClickFix campaign deploying Lumma Stealer

    Technical Analysis Update

    Microsoft disclosed a widespread ClickFix social-engineering campaign that uses Windows Terminal (wt.exe) instead of the Windows Run dialog to trick users into launching malicious commands, then chains through Terminal, PowerShell, cmd.exe, and MSBuild.exe to download payloads, set persistence via scheduled tasks, configure Microsoft Defender exclusions, and inject Lumma Stealer into chrome.exe and msedge.exe with QueueUserAPC().

  2. 11.02.2026 19:02 2 articles · 3mo ago

    LummaStealer infection surge via CastleLoader

    Initial Disclosure

    After a **May 2025** disruption that seized **2,300 domains**, the LummaStealer service began to resume in **July 2025** and rebuilt its delivery infrastructure; that recovery set up the later surge in loader-based infections.
