Find notable cyber news and cases, enriched with sources, timelines, and signals.

LummaStealer infection surge via CastleLoader

Malware Activity
First reported
Last updated
Happening score
H score 30
2 unique sources, 3 articles

Summary

Hide ▲

The LummaStealer infostealer operation now includes a widespread ClickFix campaign observed in February 2026 that abuses Windows Terminal (wt.exe) instead of the Run dialog to execute malicious commands and deploy Lumma Stealer. The chain uses PowerShell, cmd.exe, and MSBuild.exe, sets persistence and Microsoft Defender exclusions, and injects the stealer into chrome.exe and msedge.exe with QueueUserAPC() to harvest browser credentials and exfiltrate data. The update broadens the operation’s delivery tradecraft by showing another way attackers can blend abuse into legitimate admin workflows while bypassing Run-dialog-specific detections.

Related Happenings

Veil#Drop PureLog Stealer in-memory delivery operation

Malware Activity
H score30 First: 01.07.2026 17:30 Last: 01.07.2026 17:30 Sources 1

About this happening: **Veil#Drop** is delivering **PureLog Stealer** through a **fileless** chain that keeps payloads **entirely in memory**, reducing disk artifacts and raising the chance of evading...

ClickFix payload delivery analysis exposes API-driven generation and Downloads-folder AMSI evasion

Technical Analysis
H score74 First: 01.07.2026 08:32 Last: 01.07.2026 08:32 Sources 1

About this happening: Analysis of **ClickFix** payload delivery shows operators moving to **API-driven servers** and a **Downloads-folder** orchestrator, increasing stealth across live campaigns. The b...

ClickFix mitigation guidance for Windows and macOS

Defensive Guidance
H score34 First: 30.06.2026 15:00 Last: 30.06.2026 15:00 Sources 1

About this happening: Organizations are being urged to harden defenses against **ClickFix** on **Windows** and **macOS**, reducing the chance that social-engineering lures can turn trusted dialogs into...

TONResolver RAT delivered via ZIP, LNK, and PowerShell

Malware Activity
H score22 First: 30.06.2026 13:30 Last: 30.06.2026 13:30 Sources 1

About this happening: The **TONResolver** malware implant was delivered through a **ZIP/LNK/PowerShell** chain that can establish a **remote access trojan** foothold and enable **command execution**. T...

SharkLoader loader activity deploying Cobalt Strike Beacon

Malware Activity
H score30 First: 26.06.2026 21:17 Last: 26.06.2026 21:17 Sources 1

About this happening: A newly observed **SharkLoader** malware operation is staging **Cobalt Strike Beacon** on compromised Windows hosts, expanding post-compromise control and persistence risk. The lo...

Timeline

  1. 06.03.2026 08:44 1 articles · 4mo ago

    Microsoft discloses Windows Terminal ClickFix campaign deploying Lumma Stealer

    Technical Analysis Update

    Microsoft disclosed a widespread ClickFix social-engineering campaign that uses Windows Terminal (wt.exe) instead of the Windows Run dialog to trick users into launching malicious commands, then chains through Terminal, PowerShell, cmd.exe, and MSBuild.exe to download payloads, set persistence via scheduled tasks, configure Microsoft Defender exclusions, and inject Lumma Stealer into chrome.exe and msedge.exe with QueueUserAPC().

    Show sources
  2. 11.02.2026 19:02 2 articles · 4mo ago

    LummaStealer infection surge via CastleLoader

    Initial Disclosure

    After a **May 2025** disruption that seized **2,300 domains**, the LummaStealer service began to resume in **July 2025** and rebuilt its delivery infrastructure before the later surge. That recovery set up the later expansion in loader-based infections.

    Show sources