
In May 2025, a coordinated international law enforcement operation dealt a significant blow to Lumma Stealer, seizing 2,300 domains and disrupting its command-and-control infrastructure. This malware-as-a-service tool had infected nearly 395,000 Windows computers in just two months prior to the takedown. By early 2026, however, researchers report that Lumma is once again operating at scale, leveraging hard-to-detect attacks to steal credentials and sensitive files.
First emerging on Russian-speaking cybercrime forums in 2022, Lumma Stealer quickly gained traction through its cloud-based model. It provided a comprehensive infrastructure for hosting lure sites offering free cracked software, games, and pirated movies, along with command-and-control channels. Within a year, premium versions of the infostealer were selling for as much as $2,500. By spring 2024, the FBI documented over 21,000 listings for Lumma on crime forums. Microsoft later identified it as the “go-to tool” for multiple crime groups, including the prolific Scattered Spider.
Despite the 2025 takedown efforts by the FBI and an international coalition, Lumma has made a rapid comeback. Security firm Bitdefender noted in a recent report: “LummaStealer is back at scale, despite a major 2025 law-enforcement takedown that disrupted thousands of its command-and-control domains. The operation has rapidly rebuilt its infrastructure and continues to spread worldwide.” This resurgence highlights the challenges in permanently dismantling such malware networks.
The current wave of attacks relies heavily on a social engineering technique called “ClickFix.” This lure has proven highly effective in convincing end users to infect their own machines. Typically, these baits appear as fake CAPTCHAs that deviate from standard verification methods. Instead of clicking boxes or identifying objects, users are instructed to copy text and paste it into an interface. The text contains malicious commands, and the interface is the Windows terminal. Compliance results in the installation of loader malware, which then deploys Lumma Stealer onto the system.
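As an added, defender-side example (not code from the article or from the cited reports): a small triage filter over constructed Windows process-creation events that flags the footprint a ClickFix lure leaves in telemetry, a shell interpreter spawned directly under explorer.exe (as happens when text is pasted into the Run prompt) with a command line far longer than anything a user would type. The explorer.exe parentage, the shell watchlist, the length threshold and the sample events are all assumptions for illustration.

```python
# Added example, not from the article: triage constructed process-creation events
# for the ClickFix pattern (user pastes a long command into a Windows prompt).
from dataclasses import dataclass

# Assumed watchlist of interpreters a pasted ClickFix command would launch.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Assumption: a command pasted into the Run prompt runs with explorer.exe as parent.
USER_SHELL_PARENTS = {"explorer.exe"}
# Assumed threshold: pasted lure text is far longer than a hand-typed command.
LONG_CMDLINE = 120


@dataclass
class ProcEvent:
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str
    user: str


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_suspect(ev: ProcEvent) -> bool:
    """True when a shell starts under explorer.exe with an unusually long command line."""
    return (basename(ev.image) in SHELLS
            and basename(ev.parent_image) in USER_SHELL_PARENTS
            and len(ev.command_line) >= LONG_CMDLINE)


def triage(events: list[ProcEvent]) -> list[ProcEvent]:
    """Return only the events that match the ClickFix-style heuristic."""
    return [ev for ev in events if is_suspect(ev)]


# Constructed sample events (not real telemetry). Only the second should be flagged:
# the first is a normal short shell launch, the third is a long but task-scheduled job.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
              "cmd.exe", "alice"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe",
              "powershell.exe " + "<pasted-lure-text-placeholder> " * 6, "bob"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\svchost.exe",
              "powershell.exe " + "<scheduled-maintenance-placeholder> " * 6, "SYSTEM"),
]

if __name__ == "__main__":
    for ev in triage(SAMPLE_EVENTS):
        print(f"suspect: user={ev.user} parent={basename(ev.parent_image)} "
              f"cmdline_len={len(ev.command_line)}")
```

In production this heuristic belongs beside other signals (browser-to-clipboard activity, the loader's follow-on network connections) rather than on its own, since a long pasted command is also how some legitimate one-liners are run.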
This method allows infections to occur within seconds, bypassing traditional detection mechanisms. The use of ClickFix lures demonstrates how threat actors continuously adapt their tactics to exploit human vulnerabilities, making technical defenses alone insufficient. As Lumma Stealer regains its foothold, security teams must prioritize user education and multi-layered protection strategies to mitigate these evolving threats.



