Last May, law enforcement authorities around the globe scored a key win once they hobbled the infrastructure of Lumma, an infostealer that infected nearly 395,000 Windows computers over only a two-month span leading as much as the international operation. Researchers said Wednesday that Lumma is once more “back at scale” in hard-to-detect attacks that pilfer credentials and sensitive files.
Lumma, also often called Lumma Stealer, first appeared in Russian-speaking cybercrime forums in 2022. Its cloud-based malware-as-a-service model provided a sprawling infrastructure of domains for hosting lure sites offering free cracked software, games, and pirated movies, in addition to command-and-control channels and all the pieces else a threat actor needed to run their infostealing enterprise. Inside a 12 months, Lumma was selling for as much as $2,500 for premium versions. By the spring of 2024, the FBI counted greater than 21,000 listings on crime forums. Last 12 months, Microsoft said Lumma had grow to be the “go-to tool” for multiple crime groups, including Scattered Spider, one of the vital prolific groups.
Takedowns are hard
The FBI and a global coalition of its counterparts took motion early last 12 months. In May, they said they seized 2,300 domains, command-and-control infrastructure, and crime marketplaces that had enabled the infostealer to thrive. Recently, nonetheless, the malware has made a comeback, allowing it to contaminate a big variety of machines again.
“LummaStealer is back at scale, despite a significant 2025 law-enforcement takedown that disrupted 1000’s of its command-and-control domains,” researchers from security firm Bitdefender wrote. “The operation has rapidly rebuilt its infrastructure and continues to spread worldwide.”
As with Lumma before, the recent surge leans heavily on “ClickFix,” a type of social engineering lure that’s proving to be vexingly effective in causing end users to contaminate their very own machines. Typically, these kind of bait are available the shape of faux CAPTCHAs that—fairly requiring users to click a box or discover objects or letters in a jumbled image—instruct them to repeat text and paste it into an interface, a process that takes just seconds. The text is available in the shape of malicious commands provided by the fake CAPTCHA. The interface is the Windows terminal. Targets who comply then install loader malware, which in turn installs Lumma.