securityaffairs.com 2/12/2026, 3:45:54 PM · via preferred

LummaStealer activity spikes post-law enforcement disruption


LummaStealer activity has surged again, with Bitdefender reporting a rebound in the malware-as-a-service (MaaS) infostealer after the disruptions of 2025. The malware, active since 2022, is distributed through affiliates and social engineering, including fake cracked software and fake CAPTCHA “ClickFix” lures, with CastleLoader playing a key role in its delivery. In May 2025, a US court order, together with Europol and Japan’s JC3, dismantled Lumma Stealer’s infrastructure, seizing 2,300 domains used for command-and-control and blocking dark web markets offering the malware.

Microsoft’s Digital Crimes Unit sinkholed over 1,300 domains to reroute victim traffic for analysis and cleanup; by then, Lumma Stealer had infected over 394,000 Windows systems worldwide. The campaigns rely on social engineering rather than exploits. Loaders such as Rugmi and DonutLoader were observed before CastleLoader became the most prevalent delivery mechanism, and there is evidence of coordination or shared services across operations.

The threat actors target browsers, wallets and applications to steal credentials, financial data and cryptocurrency keys, enabling account takeovers and fraud. According to Bitdefender, defenders are urged to maintain layered, collaborative protections.


Article by CyberSIXT