LummaStealer activity spikes post-law enforcement disruption

Bitdefender reports a surge in LummaStealer activity, showing the MaaS infostealer rebounded after 2025 law enforcement disruption.

Bitdefender observed renewed LummaStealer activity, showing that the MaaS infostealer recovered after the 2025 takedowns. Active since 2022, it relies on affiliates, social engineering, fake cracked software, and fake CAPTCHA “ClickFix” lures. CastleLoader plays a key role in spreading it, and shared infrastructure suggests coordination between the two operations.

In May 2025, a US court order, together with Europol and Japan’s JC3, dismantled the Lumma Stealer malware operation, seizing 2,300 domains used for command-and-control and blocking dark web markets offering the infostealer.

A US court order, with Europol and Japan’s JC3, dismantled Lumma Stealer’s infrastructure, seizing domains and control panels. Microsoft’s Digital Crimes Unit sinkholed over 1,300 domains to reroute victims to safe servers for analysis and cleanup.

Lumma Stealer is a Malware-as-a-Service (MaaS) infostealer designed to steal sensitive data like passwords, credit card info, and crypto wallet keys. It infiltrates systems via phishing, malvertising, and malicious downloads. It can also deploy additional malware and evade detection.

The malware had infected over 394,000 Windows systems, including those of global manufacturers.

Microsoft observed Lumma Stealer’s rapid growth and sophistication as a MaaS used by financially motivated threat actors. Distributed via phishing, malvertising, and abuse of trusted platforms, Lumma targets browsers, wallets, and apps. Lumma’s flexibility and resilience highlight the evolving cybercrime landscape and the need for layered, collaborative defense efforts.

Microsoft tracks the developer of Lumma Stealer and its C2 infrastructure as threat actor Storm-2477. Ransomware groups like Octo Tempest, Storm-1607, Storm-1113, and Storm-1674 have used Lumma in their campaigns.

Now Bitdefender researchers report a sharp rise in LummaStealer infections driven by evolving social engineering tricks, including fake CAPTCHAs and bogus Steam update alerts. Attackers frequently change loaders, recently favoring CastleLoader, a stealthy, in-memory tool with modular design and large C2 infrastructure. Analysts found infrastructure overlap between CastleLoader and Lumma operations, suggesting coordination or shared services. The research details delivery methods, indicators of compromise, and ways to detect recent CastleLoader activity.

“Recently, we have observed a considerable increase in LummaStealer activity in our insights. Loaders are typically delivered through evolving social-engineering lures, ranging from fake CAPTCHA challenges to bogus update notifications on Steam pages and game development websites,” reads the report published by Bitdefender. “The loaders themselves change frequently; we’ve seen LummaStealer using Rugmi, DonutLoader, and, more recently, CastleLoader for initial execution.”

CastleLoader is a script-based loader, often compiled with AutoIt, that decrypts and runs payloads directly in memory. Authors of the loader hide its logic with heavy obfuscation, renamed variables, and junk code. The loader checks for sandboxes and security tools, adjusts behavior to evade detection, and creates persistence by copying itself and the AutoIt interpreter, then adding a startup shortcut. A failed ping to a fake random domain leaves a detectable DNS trace. Finally, it uses layered XOR decryption and decompression to load and execute LummaStealer or another payload in memory.

Bitdefender reported that the campaigns rely on social engineering, not exploits. Victims download fake cracked software, game installers, movies, or adult content, often packaged as self-extracting archives or NSIS installers. When run, these files unpack and launch CastleLoader, which then delivers LummaStealer. Attackers abuse trusted platforms like Steam and Discord to boost credibility. ClickFix pages trick users into pasting malicious PowerShell commands. Some chains observed by the researchers add obfuscated VBA scripts and scheduled tasks for persistence.
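The loader behaviour and delivery chain described in the two paragraphs above leave host-side traces a defender can look for: PowerShell spawned from the desktop shell with hiding and encoding flags (what a pasted ClickFix command looks like), an AutoIt interpreter copied into a user-writable path together with a new Startup shortcut, and a failed lookup of a random-looking domain. The script below is an added example, not code from Bitdefender or the article; the simplified Sysmon-like event shape, the host names, paths and domain names are all constructed for illustration, and the entropy threshold is an assumption to tune against your own telemetry.

```python
"""Constructed detection sketch for the loader tradecraft described above.
Event shape, sample values and thresholds are assumptions, not Bitdefender's
telemetry or real indicators of compromise."""
import math
import re
from collections import Counter

# Constructed sample events in a simplified Sysmon-like dictionary form.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"type": "file", "host": "ws01",
     "path": r"C:\Users\alice\AppData\Roaming\Updater\AutoIt3.exe"},
    {"type": "file", "host": "ws01",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.lnk"},
    {"type": "dns", "host": "ws01", "query": "k3qzv8xr1hwpd.com", "result": "NXDOMAIN"},
    {"type": "dns", "host": "ws01", "query": "store.steampowered.com", "result": "NOERROR"},
    {"type": "process", "host": "ws02",
     "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]

# Flags commonly seen on pasted one-liners: hidden window, policy bypass, encoded command, download-and-run.
SUSPICIOUS_PS_ARGS = re.compile(
    r"(?i)(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-e[px]?\s+bypass|"
    r"executionpolicy\s+bypass|\biex\b|\birm\b|invoke-expression|downloadstring)")
USER_WRITABLE = re.compile(r"(?i)\\(AppData|Temp|ProgramData|Public|Downloads)\\")
STARTUP_LNK = re.compile(r"(?i)\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$")
AUTOIT_EXE = re.compile(r"(?i)\\autoit3[^\\]*\.exe$")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def shannon_entropy(s):
    """Bits of entropy per character; random labels score high, dictionary words score low."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_clickfix_powershell(ev):
    """PowerShell started by the desktop shell (Win+R / console) with hiding or encoding flags."""
    return (ev.get("type") == "process"
            and basename(ev["image"]) in ("powershell.exe", "pwsh.exe")
            and basename(ev["parent"]) == "explorer.exe"
            and SUSPICIOUS_PS_ARGS.search(ev.get("cmdline", "")) is not None)


def is_random_nxdomain(ev, min_len=10, min_entropy=3.5):
    """Failed resolution of a long, high-entropy second-level label (the loader's throwaway ping)."""
    if ev.get("type") != "dns" or ev.get("result") != "NXDOMAIN":
        return False
    labels = ev["query"].lower().split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    return len(sld) >= min_len and shannon_entropy(sld) >= min_entropy


def autoit_startup_persistence(events):
    """Per host: an AutoIt interpreter written to a user-writable path plus a new Startup shortcut."""
    hits = {}
    for ev in events:
        if ev.get("type") != "file":
            continue
        h = hits.setdefault(ev["host"], {"autoit": [], "lnk": []})
        if AUTOIT_EXE.search(ev["path"]) and USER_WRITABLE.search(ev["path"]):
            h["autoit"].append(ev["path"])
        elif STARTUP_LNK.search(ev["path"]):
            h["lnk"].append(ev["path"])
    return {host: v for host, v in hits.items() if v["autoit"] and v["lnk"]}


def scan(events):
    """Run all three rules and return (rule, host, detail) tuples."""
    findings = []
    for ev in events:
        if is_clickfix_powershell(ev):
            findings.append(("clickfix_powershell", ev["host"], ev["cmdline"]))
        if is_random_nxdomain(ev):
            findings.append(("random_nxdomain", ev["host"], ev["query"]))
    for host, v in autoit_startup_persistence(events).items():
        findings.append(("autoit_startup_persistence", host, v["autoit"][0] + " + " + v["lnk"][0]))
    return findings


if __name__ == "__main__":
    for rule, host, detail in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {host}: {detail}")
```

The persistence rule deliberately correlates two file events per host rather than alerting on either alone, because a legitimate AutoIt install or a user-created Startup shortcut is common on its own; the NXDOMAIN rule keys on the second-level label so that long but benign subdomains under a known registered domain do not fire it.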

LummaStealer is active worldwide, especially in India, the US, and Europe.

Distribution shifts with the targets chosen by the MaaS customers. The malware steals credentials, browser sessions, financial information, crypto wallets, personal documents, and images, enabling account takeovers, fraud, identity theft, and blackmail.

Mitigations include avoiding untrusted downloads, never running commands copied from web pages (the ClickFix pattern), changing passwords, using multi-factor authentication, and monitoring for suspicious behavior and loader activity.

“LummaStealer remains a significant and evolving threat due to its combination of effective social engineering, flexible loader infrastructure, and a well-established MaaS ecosystem,” concludes the report. “The continued use of loaders such as CastleLoader, along with techniques like ClickFix, demonstrates a strategic shift toward delivery mechanisms that are difficult to disrupt through traditional technical defenses alone.”

Pierluigi Paganini

(SecurityAffairs – hacking, LummaStealer)
