Hashtag: #LummaStealer
Fake CAPTCHA Campaign: Inside a Multi-Stage Stealer Assault LevelBlue documents a multi-stage, fileless ClickFix campaign that compromises legitimate websites to present fake CAPTCHA prompts which coerce users into executing clipboard-pasted PowerShell commands, enabling in-memory payload delivery via Donut shellcode. The infrastructure is payload-agnostic and rotates multiple commodity stealers and a cryptocurrency clipboard hijacker across numerous C2 servers and fake crypto-exchange sites. #ClickFix #LummaStealer

A multi-stage stealer attack uses compromised legitimate sites to show fake CAPTCHA prompts, tricking users into running clipboard-pasted PowerShell commands delivering in-memory payloads via Donut shellcode. #ClickFix #CryptoHijack #LummaStealer


Microsoft uncovers a new ClickFix campaign exploiting Windows Terminal to deploy Lumma Stealer malware. Stay vigilant and avoid executing unsolicited commands. #CyberSecurity #ClickFix #LummaStealer Link: thedailytechfeed.com/microsoft-un...

0 0 0 0

Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer reconbee.com/microsoft-re...

#microsoft #clickfixcampaign #clickfix #windows #lummastealer #malware #cyberattacks


Cybercriminals are using fake CAPTCHA prompts to deploy LummaStealer malware. Stay alert and follow best practices to protect your data. #CyberSecurity #MalwareAlert #LummaStealer Link: thedailytechfeed.com/cybercrimina...


📰 LummaStealer infections surge, distributed via CastleLoader and the ClickFix technique

👉 Read the full article here: ahmandonk.com/2026/02/13/lummastealer-...

#castleloader #clickfix #infostealer #keamanan #siber #lummastealer #malware #phishing


Once-hobbled #LummaStealer is back with lures that are hard to resist

arstechnica.com/security/2026/02/once-ho...

#malware #Castleloader #Lumma #cybersecurity

Lumma Stealer: 5 ways to tell fake CAPTCHAs apart and prevent data leaks - 기술 덕후 한가닥 Lumma Stealer, which was thought to have been wiped out last year through the coordinated action of international investigative agencies, is rampant again. This time it has come armed with a very cunning social-engineering technique called ClickFix. Because it induces users to install the malware on their own computers themselves, even antivirus is rendered useless

Lumma Stealer: 5 ways to tell fake CAPTCHAs apart and prevent data leaks

https://bit.ly/3Mr7eOS

#LummaStealer #루마스틸러 #클릭픽스 #해킹예방 #정보보안 #악성코드제거 #개인정보보호


Information theft with Lumma Stealer is active again

@Bitdefender_DE #BitdefenderLabs #Cybersecurity #Cybersicherheit #Informationsdiebstahl #LummaStealer #Malware #MalwareasaService @Bitdefender

netzpalaver.de/2026/...

Screenshot showing Google search results for a cracked version of ArcGIS where I specify site:drive.google.com. The results shown here all lead to PDF files hosted on Google Drive, and these PDF files contain links that lead to malware.

Here's an example of one of these PDF files hosted on Google Drive with a link that leads to malware.

Here's the page that pushes a password-protected 7-zip archive that contains an inflated EXE padded with null bytes. This EXE is for Lumma Stealer malware.

Lumma Stealer traffic generated by the extracted malware. This is filtered in Wireshark to focus on the Lumma Stealer C2 traffic.

2026-02-01 (Sunday): It's easy enough to find #LummaStealer malware samples.

Just do a Google search for cracked versions of popular software and specify site:drive.google.com.

Details on today's haul at github.com/malware-traf...


Dutch Police Arrest AVCheck Operator
Read More: buff.ly/VFU27iT

#OperationEndgame #AVCheck #MalwareAsAService #CybercrimeInfrastructure #Infostealers #LawEnforcement #ThreatDisruption #LummaStealer #CybercrimeOps

A screenshot of my blog post for the Lumma Stealer infection

Traffic from the Lumma Stealer infection filtered in Wireshark.

2026-01-01 (Thursday): #LummaStealer infection with follow-up malware. A #pcap of the infection traffic, the #Lumma #Stealer files, and a list of IOCs are available at www.malware-traffic-analysis.net/2026/01/01/i...

Screenshot of my blog post to share information on this Lumma Stealer infection with follow-up malware.

2025-12-30 (Tuesday): #LummaStealer infection with follow-up malware. A #pcap of the infection traffic, the associated #Lumma with follow-up #malware samples, and some IOCs are available at www.malware-traffic-analysis.net/2025/12/30/i...

Malicious Software Compromises 26000 Devices Across New Zealand

Thousands of devices in New Zealand have been infected with credential-stealing malware, prompting the country's National Cyber Security Centre (NCSC) to notify affected individuals and underlining the persistent risk posed by credential-stealing cybercrime. About 26,000 people are being emailed by the agency and advised to visit the Own Your Online portal for instructions on removing the malicious software and strengthening their account security.

NCSC Chief Operating Officer Michael Jagusch said the alerts relate to Lumma Stealer, a widely used strain of malware targeting Windows-based devices. By covertly harvesting sensitive data such as email addresses and passwords, the malware can be used to facilitate identity theft or fraud. Officials noted that Lumma Stealer and other information-stealing tools remain part of a growing international cybercrime ecosystem, so users should be vigilant and take proactive security measures. The NCSC, part of the Government Communications Security Bureau (GCSB), assessed that the malicious activity may have affected approximately 26,000 email addresses countrywide.

In a statement published on Wednesday, the U.S. Department of Homeland Security warned that the malware involved in the incident, Lumma Stealer, is designed to steal sensitive data, including login credentials and other personally identifiable information, from targeted systems. The NCSC noted that the threat primarily targets Windows-based devices and that cybercriminals use it to commit identity and financial fraud, which highlights the continued exposure of everyday users to sophisticated campaigns aimed at stealing personal data.

The issue was discovered through the NCSC's cyber intelligence partnerships. The agency first worked with government bodies and financial institutions to alert a segment of those affected before expanding the effort to notify the wider public. Jagusch said the centre has now moved to a broader direct-contact approach, its first public outreach of this sort on such a large scale. He stressed that the notifications are genuine and come from the official email address no-reply@comms.ncsc.govt.nz, which helps recipients distinguish legitimate messages from fraudulent ones.

A recent BNZ survey indicates similar exposure across small and medium businesses, in line with the current campaign targeting households and individuals. The research found that 65% of small and medium-sized businesses believe scam activity targeting them has increased over the past year, yet 45% do not place a high priority on scam awareness or cyber education, even though their employees routinely handle emails, payment information and customer information. Approximately half of the surveyed SMEs reported being scammed in the last 12 months, many by clicking links, opening attachments, or responding to misleading messages. According to BNZ fraud operations head Margaret Miller, criminals are increasingly exploiting human behaviour rather than technical flaws, targeting business owners and employees in their daily work.

Breaches had consequences beyond business accounts: 21% of affected small business owners reported business financial losses, 26% a personal financial loss and 30% a data compromise. Miller said the average loss was over $5,000, showing that scammers aim not only at company funds but also at personal information and sensitive business data.

The NCSC, housed within the GCSB, is the country's primary authority for helping individuals and organisations reduce their cyber risk. Its work rests on three core functions: helping New Zealanders make informed decisions about their digital security, ensuring strong cyber hygiene is embedded within essential services and the wider cyber ecosystem in collaboration with key stakeholders, and using its statutory mandate and specialist capability to combat the most serious and harmful cyber threats. Own Your Online, a platform the NCSC operates and a central part of this initiative, provides practical tools, guidance and resources that make cybersecurity accessible for householders, small businesses and nonprofit organisations, along with clear advice on prevention and on what to do when an incident occurs.

The incident is a timely reminder of the increasing sophistication and reach of modern cybercrime, and of the shared responsibility to limit its effects on society. Experts continue to emphasise the basics: strong, unique passwords, multi-factor authentication wherever possible, and keeping the operating system and software up to date. Users are also advised to remain cautious of unexpected emails or messages, even those that appear to come from trusted sources, and to communicate only through official channels. The focus remains on raising awareness and improving resilience among individuals and organisations, and on strengthening collaboration between the authorities and the business and financial sectors. Agencies have adopted an approach that encourages early detection, clear communication and practical guidance, aimed at reducing immediate harm while fostering long-term confidence among New Zealanders in navigating an increasingly complex online world.

Malicious Software Compromises 26000 Devices Across New Zealand #CredentialTheft #LummaStealer #malware


Beware of Lumma Stealer malware exploiting browser fingerprinting to steal sensitive data. Stay vigilant and protect your systems. #CyberSecurity #MalwareAlert #LummaStealer Link: thedailytechfeed.com/lumma-steale...


Lumma Stealer evolves with adaptive fingerprinting and browser injection for evasion and credential theft.

#browser #LummaStealer #TrendMicro
www.matricedigitale.it/2025/11/15/l...

Lumma Stealer Adds Browser Fingerprinting

~Trend Micro~
Lumma Stealer malware has resurged, adding browser fingerprinting to its C2 tactics for improved evasion and targeting.
-
IOCs: pabuloa. asia, jamelik. asia
-
#InfoStealer #LummaStealer #ThreatIntel

Original post on masto.es

And in a twist of events, a rival group (presumably an infostealer group) attacks and exposes the identities and details of the members of #Lumma, with information as sensitive as bank details or passport numbers. This adds to the compromise of the Telegram accounts of the […]

Rival Hackers Dox Alleged Operators of Lumma Stealer

Rival hackers have doxxed the alleged operators behind #LummaStealer, one of the biggest data-theft malware services. The leaks have caused internal chaos and slowed its growth.

Read: hackread.com/rival-hacker...

#CyberSecurity #Malware #InfoStealers #InfoSec #CyberCrime


The doxxing of Water Kurita has destabilized Lumma Stealer, reducing its operations and transforming the underground malware market.

#doxxing #INFOSTEALER #LummaStealer #malware #WaterKurita
www.matricedigitale.it/2025/10/16/w...


TA585 uses MonsterV2 for targeted attacks against financial companies, controlling the entire infection chain with RATs, stealers and advanced loaders.

#ClickFix #LummaStealer #MonsterV2 #Proofpoint #Rhadamanthys #TA585
www.matricedigitale.it/2025/10/14/t...

Screenshot of the page from my website with the post for this information.

Example of path to download the initial 7-zip archive for the malware.

Page with the download for the initial 7-zip archive.

Traffic from the possible Rhadamanthys malware, filtered in Wireshark.

2025-10-01 (Wed) I've posted #malware samples and a #pcap of the post-infection traffic from an infection by possible #Rhadamanthys malware at www.malware-traffic-analysis.net/2025/10/01/i...

This is from a file disguised as a cracked version of software, and I usually see #LummaStealer from this.

Screenshot of the page from my blog with the traffic, malware files, and indicators of compromise for this Lumma Stealer infection.

Downloading the initial zip archive for this malware.

Extracting the malware EXE from the nested archive files.

Traffic from an infection filtered in Wireshark.

2025-09-24 (Wednesday): #LummaStealer infection with follow-up malware, possibly #Ghostsocks or #GoBackdoor. A #pcap of the infection traffic, malware samples, and list of indicators available at www.malware-traffic-analysis.net/2025/09/24/i...

Beyond Signatures: Detecting Lumma Stealer with an ML-Powered Sandbox Introduction In early 2025, LummaStealer was in widespread use by cybercriminals targeting victims throughout the world in multiple industry verticals,

'Beyond Signatures: Detecting Lumma Stealer with an ML-Powered Sandbox'

www.netskope.com/blog/beyond-...

#CyberSecurity #LummaStealer #InfoStealers #MachineLearning #ML #Malware

Cybercriminals Hide Malware in Trusted Tools and File Formats, HP Wolf Security Warns

Attackers are increasingly disguising malicious activity inside everyday business tools and file formats that employees and IT teams typically trust. According to the latest HP Wolf Security Threat Insights Report (Q2 2025), threat actors are refining their strategies to blend in with legitimate processes, making it more difficult for security defenses to keep up.

One of the standout campaigns observed in Q2 2025 involved the XWorm remote access trojan (RAT). Instead of deploying custom malware directly, attackers chained together several built-in Windows utilities. These “living off the land” binaries were used to run commands, transfer files, and decode hidden malware, all while evading many security alerts. The final XWorm payload was concealed inside the pixels of a genuine image from a trusted website. Attackers then used PowerShell scripts to extract the hidden code, with MSBuild executing the malware. Once complete, attackers gained full remote access and data-stealing capabilities using only tools already present on the system.

“Living off the land techniques are notoriously difficult for security teams because it’s hard to tell green flags from red – i.e. legitimate activity versus an attack… Even the best detection will miss some threats, so defense-in-depth with containment and isolation is essential to trap attacks before they can cause harm,” explained Dr. Ian Pratt, Global Head of Security for Personal Systems at HP Inc.

Phishing emails continue to dominate, accounting for 61% of threats reaching endpoints. Attackers are exploiting document formats to trick victims:

* Invoice-themed campaigns used SVG attachments imitating Adobe Acrobat, complete with animations, before luring users into downloading malware. The attack installed a lightweight reverse shell, enabling remote execution and data theft.
* PDF-based lures displayed blurred invoices and download prompts, ultimately dropping a malicious Visual Basic Encoded script hidden in a ZIP archive. This technique stored malware components in the Windows Registry, making detection harder. Victims were infected with MassLogger, a credential stealer, and in some French cases, a secondary RAT named ModiRAT.

Attackers are also reviving outdated file formats to bypass detection. Compiled HTML Help (.chm) files, once used for Windows manuals, are being weaponized with embedded scripts to deliver multi-stage infections, often leading to XWorm. Shortcut files (LNKs) disguised as PDFs inside phishing ZIPs were also spotted. Instead of opening documents, the shortcuts launched malicious code that installed the Remcos RAT. In some campaigns, attackers even embedded payloads inside obsolete Program Information File (PIF) formats to further reduce suspicion.

Despite a major international takedown in May 2025, the Lumma Stealer malware resurfaced just a month later with fresh infrastructure. Attackers distributed it through IMG archives attached to phishing emails. When opened, these acted as virtual drives containing an HTML Application file disguised as an invoice. This eventually executed obfuscated PowerShell scripts, running Lumma Stealer in memory and bypassing disk-based security tools.

The findings underline how cybercriminals exploit trusted tools, realistic lures, and legacy file formats to bypass security. Traditional detection methods based on file signatures are no longer enough. Defense strategies must instead focus on monitoring behavior, persistence techniques, and system tool abuse.

“Attackers aren’t reinventing the wheel, but they are refining their techniques. Living-off-the-land, reverse shells and phishing have been around for decades, but today’s threat actors are sharpening these methods… You don’t have to drop a fully-fledged RAT when a simple, lightweight script will achieve the same effect. It’s simple, fast and often slips under the radar because it’s so basic,” said Alex Holland, Principal Threat Researcher, HP Security Lab.

Cybercriminals Hide Malware in Trusted Tools and File Formats, HP Wolf Security Warns #HPWolfSecurityreport2025 #Livingoffthelandattacks #LummaStealer


WhiteCobra infiltrates 24 VSCode and Cursor extensions with LummaStealer, stealing crypto and secrets. The campaign, the zak.eth case, and technical defenses.

#Cursor #Lumma #LummaStealer #OpenVSX #VSCode #WhiteCobra
www.matricedigitale.it/2025/09/15/w...


Week of 6-12 September: in Italy Lumma Stealer dominates, 532 IoCs shared, a spoofing scam foiled in Cuneo. Focus on finance and public administration.

#CERTAgID #LummaStealer #phishing #PoliziadiStato #spoofing
www.matricedigitale.it/2025/09/13/l...


🚨 New #LummaStealer update (10.09):
1️⃣ Bulk Google token recovery (Corporate plan)
2️⃣ Improved single Google token recovery (Professional plan)
3️⃣ Enhanced cleaning for Win10/11 + Cloud
#infosec #threatintel #DarkWeb


Check out the infrastructure movement of this #LummaStealer domain over the last 30 days... 👀

• 14 unique IP addresses
• 9 unique ASNs
• Mix of bulletproof hosting providers and "regular" cloud providers
• IPs are typically linked to dozens of domains at a time


Threat actors continue to abuse GitHub to deliver malware, this time: #LummaStealer. We identified GitHub notification emails that kick off the attack chain. Messages are sent when the threat actor, using an actor-controlled account, comments on existing GitHub issues. 🧵
