arstechnica.com 2/11/2026, 10:40:48 PM · via preferred

Once-hobbled Lumma Stealer is back with lures that are hard to resist

Lumma Stealer has returned at scale after a 2025 law-enforcement takedown disrupted thousands of its command-and-control domains, according to Bitdefender. The malware, which infected nearly 395,000 Windows computers over a two-month span before the May 2025 action, now spreads again using ClickFix lures and a loader called CastleLoader that runs in memory to avoid detection.

ClickFix lures are fake CAPTCHAs that prompt users to copy text into a terminal, after which Lumma can access credentials, cookies, personal documents, financial data, crypto wallets, and other sensitive information. CastleLoader is installed first and can provide a flexible command-and-control channel, with Lumma then deployed as the second payload.

The resurgence, observed by researchers on 11 February 2026, shows the operators rebuilding infrastructure and continuing to target Windows users, leveraging trusted platforms and social engineering to coerce victims into compromising their own devices.


Article by CyberSIXT
