Threat Research

After an initial drop in activity following the doxxing of its alleged members, Lumma Stealer has recently surged in activity. Researchers observed new adaptive browser-fingerprinting tactics, where the malware uses JavaScript-based data collection and stealthy HTTP communication to gather detailed system, network, hardware, and browser information....
A GLS-themed ClickFix social-engineering campaign in Italy delivered the Remcos RAT by tricking users into manually running malicious commands. ClickFix campaigns have risen over the past year because manual execution helps attackers evade AV, sandbox, and EDR detection....
A malicious campaign has been discovered using the fake domain ‘telegrampremium[.]app’ to impersonate the official Telegram Premium platform. The site delivers a file named ‘start.exe’ that contains a new variant of the Lumma Stealer malware. This sophisticated trojan can steal browser credentials, cryptocurrency wallet data, and system information....
After being taken down in May, Lumma Stealer quickly resurfaced. Between June and July, attacks surged again, now using stealthier delivery channels and evasion techniques. This malware can extract sensitive data like credentials and private files, and its availability as malware-as-a-service (MaaS) makes it accessible even to low-skilled attackers....
This article provides hunting tips and mitigation strategies for ClickFix campaigns, along with insights into major 2025 incidents. Notable cases include NetSupport RAT with a new loader, Latrodectus malware using ClickFix lures, and widespread Lumma Stealer activity....
A recent malware campaign hosted on GitHub abuses popular lures like “Free VPN for PC” and “Minecraft Skin Changer” to trick users into executing a malicious dropper named Launch.exe. The campaign uses techniques such as process injection, DLL side-loading, and stealthy execution to deploy Lumma Stealer, an information-stealing malware....
Cybercriminals are leveraging social media platforms to distribute malware by disguising it as cracked versions of popular software. Victims are lured to download ZIP files containing password-protected 7-Zip archives, with the passwords often displayed in the file names or download pages. These campaigns frequently use non-ASCII characters in file names to evade detection....
LummaC2 is an infostealer malware targeting critical U.S. infrastructure sectors, active from November 2023 to May 2025. It spreads via spearphishing emails containing fake CAPTCHAs that trick users into running PowerShell commands. The malware is often embedded in spoofed software and first emerged on Russian-speaking forums in 2022....
Lumma Stealer, active since mid-2022, is a Russian-origin infostealer sold via a Malware-as-a-Service model on Telegram. It targets credentials, session tokens, crypto wallets, and personal data from infected devices. The threat actor uses clever tactics like fake CAPTCHA challenges and social engineering during software downloads....
A new loader has been identified leveraging the Pascal scripting engine in Inno Setup. It is used to distribute infostealers such as LummaC2, DeerStealer, Rhadamanthys, and StealC. Typically spread via fake application websites, the loader features anti-VM capabilities, XOR-based string encryption, and retrieves payloads from TinyURL using an authentication token....