Security News

Cybersecurity news aggregator

MEDIUM Attacks Web Discovery

LummaStealer Is Getting a Second Life Alongside CastleLoader

  • What: Bitdefender researchers have observed a resurgence in LummaStealer activity, a malware-as-a-service infostealer.
  • Impact: The malware continues to operate despite law enforcement disruption efforts, adapting to new hosting providers and loaders.

Anti-Malware Research | 18 min read

LummaStealer Is Getting a Second Life Alongside CastleLoader

Bogdan Ionut Lazar, Manuel Dragomir, Janos Gergo Szeles
February 11, 2026

Bitdefender researchers have discovered a surge in LummaStealer activity, showing how one of the world's most prolific information-stealing malware operations managed to survive despite being almost brought down by law enforcement less than a year ago.

LummaStealer is a highly scalable information-stealing threat with a long history, having operated under a malware-as-a-service model since it appeared on the scene in late 2022. The threat quickly evolved into one of the most widely deployed infostealers worldwide, supported by a large affiliate ecosystem and a constantly adapting delivery infrastructure. Despite significant law-enforcement disruption efforts in 2025, LummaStealer operations continued, demonstrating resilience by rapidly migrating to new hosting providers and adopting alternative loaders and delivery techniques.

Our analysis shows that LummaStealer infections are primarily driven by social engineering rather than by the exploitation of technical vulnerabilities. Malware campaigns consistently rely on users unwittingly running infected files, using simple lures such as fake cracked software, fake games or media downloads, and abuse of trusted platforms. Recent campaigns increasingly employ fake CAPTCHA ("ClickFix") techniques, converting normal users' web interactions into direct command execution on victim systems.

At the core of many of these campaigns is CastleLoader, which plays a central role in helping LummaStealer spread through delivery chains. Its modular, in-memory execution model, extensive obfuscation, and flexible command-and-control communication make it well-suited to malware distribution of this scale. We found some infrastructure overlap between CastleLoader and LummaStealer, which further suggests that both developer teams are coordinating on it or at least share service providers.

Key Findings

  • LummaStealer is back at scale, despite a major 2025 law-enforcement takedown that disrupted thousands of its command-and-control domains. The operation has rapidly rebuilt its infrastructure and continues to spread worldwide.
  • Most infections start with social engineering, not hacking. Victims are tricked into running the malware themselves through fake cracked software, fake game or movie downloads, and deceptive "human verification" pages.
  • Fake CAPTCHA ("ClickFix") attacks are becoming a preferred entry point, turning routine web interactions into manual command execution by the victim.
  • CastleLoader has become a central delivery mechanism, using in-memory execution, heavy obfuscation, and flexible payload deployment to evade detection and distribute LummaStealer.
  • A DNS artefact exposes CastleLoader activity. The loader deliberately triggers failed DNS lookups to nonexistent domains, creating a detectable pattern that can be used to identify related campaigns.
  • Infrastructure overlap links CastleLoader and LummaStealer operations, suggesting shared services or coordination within a broader malware-as-a-service ecosystem.
  • The privacy impact is severe and long-lasting. Stolen credentials, active sessions, personal documents and cryptocurrency data enable account takeovers, financial fraud, identity theft and extortion.

Introduction

LummaStealer emerged on Russian-language forums in late 2022, and evolved into one of the most prolific infostealers by the mid-2020s. It targets Windows systems and can harvest a wide range of sensitive data, including browser credentials, session cookies, cryptocurrency wallets and even two-factor authentication (2FA) tokens.

Under its MaaS model, Lumma's developers lease the malware to an extensive network of cybercriminal affiliates across the world. This has resulted in hundreds of thousands of infections across multiple industries, positioning Lumma as a significant enabler of secondary crimes such as account takeovers and fraudulent financial activity.

In May 2025, Lumma's infrastructure was disrupted during a law-enforcement takedown that neutralized more than 2,300 command-and-control domains. However, the operation wasn't fully dismantled. Instead, the threat actors behind Lumma migrated to bulletproof hosting providers that are less cooperative with law enforcement.

Recently, we have observed a considerable increase in LummaStealer activity in our insights. Loaders are typically delivered through evolving social-engineering lures, ranging from fake CAPTCHA challenges to bogus update notifications on Steam pages and game development websites. The loaders themselves change frequently; we've seen LummaStealer using Rugmi, DonutLoader, and, more recently, CastleLoader for initial execution.

By itself, CastleLoader is a sophisticated loader that executes in stages, entirely in memory, obfuscates its code, dynamically resolves APIs, and communicates with a large C2 infrastructure using
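The key findings above note that CastleLoader deliberately triggers failed DNS lookups to nonexistent domains, a pattern defenders can hunt for in resolver logs. The following is an added example, not Bitdefender's tooling; it assumes a simple "timestamp client qname rcode" log format (constructed here) and a hypothetical tuning of five NXDOMAIN answers from one client within 60 seconds, which is not a figure from the report.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: "<ISO8601 timestamp> <client IP> <query name> <rcode>".
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

# Constructed sample resolver log (not real telemetry). Names use the
# reserved .invalid TLD so they cannot collide with real domains.
SAMPLE_LOG = """\
2026-02-11T09:00:01Z 10.0.0.5 update.vendor.example NOERROR
2026-02-11T09:00:04Z 10.0.0.5 typo.exmaple.invalid NXDOMAIN
2026-02-11T09:00:10Z 10.0.0.7 a1.invalid NXDOMAIN
2026-02-11T09:00:11Z 10.0.0.7 b2.invalid NXDOMAIN
2026-02-11T09:00:12Z 10.0.0.7 c3.invalid NXDOMAIN
2026-02-11T09:00:13Z 10.0.0.7 d4.invalid NXDOMAIN
2026-02-11T09:00:14Z 10.0.0.7 e5.invalid NXDOMAIN
2026-02-11T09:05:00Z 10.0.0.5 old.exmaple.invalid NXDOMAIN
"""

def parse_line(line):
    """Return (timestamp, client, qname, rcode) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4)

def find_nxdomain_bursts(lines, threshold=5, window_seconds=60):
    """Return {client: [qnames]} for clients whose NXDOMAIN answers reach
    `threshold` inside any sliding window of `window_seconds`. The
    threshold and window are hypothetical tuning values."""
    recent = defaultdict(deque)   # client -> deque of (ts, qname) in window
    flagged = {}
    window = timedelta(seconds=window_seconds)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[3] != "NXDOMAIN":
            continue              # only failed lookups matter here
        ts, client, qname, _ = rec
        q = recent[client]
        q.append((ts, qname))
        while q and ts - q[0][0] > window:
            q.popleft()           # drop entries older than the window
        if len(q) >= threshold and client not in flagged:
            flagged[client] = [name for _, name in q]
    return flagged

if __name__ == "__main__":
    for client, names in find_nxdomain_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: {len(names)} NXDOMAIN in window -> {names}")
```

Occasional typos (client 10.0.0.5) stay below the threshold, while the tight cluster of failures from 10.0.0.7 is flagged for triage; tune the threshold against your own baseline before alerting on it.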
