ClickFix Windows Terminal Lumma Stealer campaign
Campaign
Summary
A widespread ClickFix campaign is abusing Windows Terminal (wt.exe) to run malicious commands and deploy Lumma Stealer, expanding the risk of credential theft and browser-data exfiltration. The operation was observed in February 2026 and disclosed in March 2026. It stands out because it bypasses Run dialog detections by pushing victims into a more trusted command-execution path.
Related Happenings
ClickFix attacks with PySoxy scheduled-task persistence
Malware Activity
First: 12.05.2026 15:00
Last: 12.05.2026 15:00
Sources 1
About this happening:
Cybercriminals are combining **ClickFix** with **PySoxy** to preserve access on victim machines, letting activity restart even after removal attempts. The setup uses a **Python SO...
Windows Shell spoofing flaw actively exploited (CVE-2026-32202)
Vulnerability
First: 28.04.2026 08:50
Last: 28.04.2026 08:50
Sources 1
About this happening:
**Microsoft** updated **Windows Shell** advisory guidance to confirm **CVE-2026-32202** was **actively exploited in the wild**, raising the risk of sensitive-information disclosur...
Claude Code deny-rule bypass fix (version 2.1.90)
Security Patch Release
First: 08.04.2026 12:16
Last: 08.04.2026 12:16
Sources 1
About this happening:
**Anthropic** released **Claude Code version 2.1.90** last week to fix a command-parsing flaw that could let **user-configured deny rules** silently stop applying when a command e...
MacSync macOS infostealer with dynamic AppleScript and in-memory execution
Malware Activity
First: 16.03.2026 13:41
Last: 16.03.2026 13:41
Sources 1
About this happening:
The **MacSync** macOS infostealer now uses **dynamic AppleScript payloads** and **in-memory execution** to reduce static detection and complicate response. It is being delivered t...
Latest development: 10.05.2026 20:52
A MacSync macOS infostealer campaign is abusing Google Ads and legitimate Claude.ai shared chats to lure users searching for "Claude mac download" into following Terminal instructions that download and run malware on their Mac. One observed variant uses polymorphic delivery, checks for Russian or CIS-region keyboard input sources and sends a cis_blocked ping before exiting, then profiles the victim with external IP address, hostname, OS version, and keyboard locale before using osascript to run a second-stage payload; another variant skips profiling and exfiltrates browser credentials, cookies, and macOS Keychain contents.
Russia-linked DRILLAPP campaign targeting Ukrainian entities
Campaign
First: 16.03.2026 11:07
Last: 16.03.2026 11:07
Sources 1
About this happening:
A **Russia-linked** campaign is targeting **Ukrainian entities** with the **DRILLAPP** browser backdoor, expanding a covert operation that uses **judicial** and **charity-themed l...
Timeline
- 06.03.2026 08:44 (2 articles)
Microsoft discloses Windows Terminal ClickFix campaign
Initial Disclosure: Microsoft disclosed a widespread ClickFix campaign observed in February 2026 that abused Windows Terminal (wt.exe) instead of the Windows Run dialog to activate a multi-stage chain and deploy Lumma Stealer. The campaign used the Windows + X → I shortcut, bogus CAPTCHA pages, troubleshooting prompts, and other verification-style lures to push targets into a privileged command-execution environment, then used PowerShell, cmd.exe, MSBuild.exe, scheduled tasks, Microsoft Defender exclusions, and QueueUserAPC() injection into chrome.exe and msedge.exe to steal Web Data and Login Data.
Sources:
- Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer — thehackernews.com — 06.03.2026 08:44
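The chain in the disclosure above (wt.exe spawning a shell with a pasted one-liner, a Defender exclusion being added, a scheduled task created, MSBuild.exe launched from that shell) maps directly onto process-creation telemetry. The following is an added hunting example, not code from Microsoft or from the reporting cited here. It runs four rules over constructed, Sysmon-style process-creation records (the `pid`, `ppid`, `image`, `parent_image` and `cmdline` field names, the paths, and the sample command lines are all assumptions made for the example) and raises severity when the process lineage traces back to Windows Terminal, so that an ordinary developer running MSBuild from cmd.exe is scored lower than the same launch under a wt.exe-started shell.

```python
"""Lineage-aware hunting rules for the Windows Terminal ClickFix chain.

Added example; the events below are constructed stand-ins for Sysmon
Event ID 1 / EDR process-creation records, not real telemetry.
"""
import ntpath
import re

# Assumed install paths for the constructed sample (not taken from the report).
EXPL = r"C:\Windows\explorer.exe"
WT = r"C:\Users\victim\AppData\Local\Microsoft\WindowsApps\wt.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
MSB = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
SCHT = r"C:\Windows\System32\schtasks.exe"

# Constructed process tree: explorer -> wt.exe -> powershell (pasted one-liner)
# -> {Defender exclusion, scheduled task, MSBuild}, plus two benign controls.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 50, "image": EXPL, "parent_image": r"C:\Windows\System32\userinit.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": WT, "parent_image": EXPL, "cmdline": "wt.exe"},
    {"pid": 300, "ppid": 200, "image": PS, "parent_image": WT,
     "cmdline": 'powershell.exe -w hidden -ep bypass -c "<constructed placeholder for pasted one-liner>"'},
    {"pid": 400, "ppid": 300, "image": PS, "parent_image": PS,
     "cmdline": r'powershell.exe -c "Add-MpPreference -ExclusionPath C:\Users\Public"'},
    {"pid": 500, "ppid": 300, "image": SCHT, "parent_image": PS,
     "cmdline": r'schtasks.exe /create /sc minute /mo 5 /tn "<constructed>" /tr C:\Users\Public\run.cmd'},
    {"pid": 600, "ppid": 300, "image": MSB, "parent_image": PS, "cmdline": r"MSBuild.exe C:\Users\Public\proj.xml"},
    # Benign control 1: an interactive PowerShell tab opened in Windows Terminal.
    {"pid": 700, "ppid": 200, "image": PS, "parent_image": WT, "cmdline": "powershell.exe -NoLogo"},
    # Benign control 2: a developer running MSBuild from a plain cmd.exe window.
    {"pid": 800, "ppid": 100, "image": CMD, "parent_image": EXPL, "cmdline": "cmd.exe"},
    {"pid": 900, "ppid": 800, "image": MSB, "parent_image": CMD, "cmdline": r"MSBuild.exe C:\dev\app\app.csproj"},
]

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
TERMINAL = "wt.exe"

# Argument patterns typical of pasted ClickFix one-liners: hidden window,
# policy bypass, encoded command, in-memory download-and-execute verbs.
SUSPICIOUS_SHELL_ARGS = re.compile(
    r"(-w(?:indowstyle)?\s+hidden|-e(?:c|ncodedcommand)?\s|-ep\s+bypass|executionpolicy\s+bypass"
    r"|\biex\b|invoke-expression|downloadstring|invoke-webrequest|\bcurl\b)",
    re.IGNORECASE,
)


def basename(path):
    """Lower-cased file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def lineage(by_pid, pid, limit=16):
    """Process basenames from pid up to the root, following ppid links."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen and len(chain) < limit:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def evaluate(ev, by_pid):
    """Yield (rule, severity) pairs for one process-creation event."""
    img, parent, cmd = basename(ev["image"]), basename(ev["parent_image"]), ev["cmdline"]
    from_terminal = TERMINAL in lineage(by_pid, ev["pid"])
    if parent == TERMINAL and img in SHELLS and SUSPICIOUS_SHELL_ARGS.search(cmd):
        yield ("wt_spawns_shell_with_suspicious_args", "high")
    if re.search(r"add-mppreference\b.*-exclusion", cmd, re.IGNORECASE):
        yield ("defender_exclusion_added", "high" if from_terminal else "medium")
    if img == "msbuild.exe" and parent in SHELLS:
        yield ("msbuild_launched_by_shell", "high" if from_terminal else "medium")
    if img == "schtasks.exe" and parent in SHELLS and re.search(r"/create\b", cmd, re.IGNORECASE):
        yield ("scheduled_task_created_by_shell", "high" if from_terminal else "low")


def hunt(events):
    """Run every rule over every event; return findings with their lineage."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        for rule, severity in evaluate(ev, by_pid):
            findings.append({"pid": ev["pid"], "rule": rule, "severity": severity,
                             "lineage": " <- ".join(lineage(by_pid, ev["pid"]))})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['severity']:>6}] pid={f['pid']} {f['rule']}  lineage: {f['lineage']}")
```

The interactive `powershell.exe -NoLogo` tab (pid 700) produces no finding, because a shell under Windows Terminal is normal on its own; what the rules key on is the combination of that parent with hidden-window or policy-bypass arguments, and the follow-on actions the disclosure lists. The same MSBuild launch scores `medium` under a plain cmd.exe window and `high` under the wt.exe lineage, which is the distinction a triage queue needs when Windows Terminal rather than the Run dialog is the entry point.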