ESET Research is back with a frightening statistic — Detections of Lumma Stealer, an infostealer we previously reported as a threat to gamers , increased 369% between H1 and H2 2024. This is problematic, as infostealers like Lumma continue to plague both consumer and business systems, usually without the knowledge of their owners. While infostealers are a sneaky lot, they are not without their vulnerabilities — which ESET products can capitalize on, to your security benefit. Also known as LummaC2 Stealer , this malware-as-a-service mostly targets cryptocurrency wallets, user credentials and two-factor authentication browser extensions, but it also tries to exfiltrate various other data from compromised machines. What is malware-as-a-service (MaaS)? Not unlike modern software offers, malware-as-a-service is a business model that provides interested parties with ready-made and instantly deployable malware solutions. Typically offered on underground hacking forums found on the dark web, MaaS operators supply a variety of malware either as a one-time purchase or via a subscription. Ultimately, this easy access enables even those without advanced technical skills to launch cyberattacks, increasing their prevalence . Lumma Stealer first appeared in August 2022 and is available for sale through a tiered pricing structure on hacking forums and Telegram. The cost ranges from $250 to $20,000, with the most expensive tier letting buyers access the infostealer’s source code — enabling-would-be criminals to act as resellers. ESET telemetry shows a massive rise in detection of Lumma Stealer for H2 2024. (Source: ESET Threat Report H2 2024) Because Lumma is a ready-made malware solution, it is easier for novice threat actors to share around. Its ease of use and breadth of functions alone make it an attractive choice for would-be attackers — but the fact that it can be spread through multiple vectors, unnoticed, makes it even more useful. While Lumma Stealer can spread through a variety of distribution vectors, some methods are more clever than others. One particularly sophisticated campaign discovered in October 2024 delivered Lumma Stealer through fake CAPTCHA sites , which, after successful “verification,” delivered the infostealer onto the victim’s device. Other avenues enabling Lumma Stealer’s spread include cracked installations of popular open-source or paid apps such as ChatGPT or Vegas Pro . The infostealer can also spread via phishing emails or Discord messages, making it more likely to land in the inbox of even the youngest online users. Did you know? Message boards like Discord can play a major role in the spread of malicious software and scams. This is due to the way such places act as a kind of digital crossroads for online human activity, making them ripe for abuse. Moreover, threat actors can abuse the content delivery networks of such online/cloud platforms to distribute malware, as well. ESET also detected a campaign in which the Win/Rozena.ADZ injector delivered Lumma Stealer via compromised videos on online marketplaces and websites with adult content. Likewise, Lumma Stealer was detected in KMS activators for pirated copies of Windows. Last but not least, in June 2024, ESET Research reported that players of the popular Hamster Kombat mobile clicker game were being targeted , with cryptors containing Lumma Stealer hidden on GitHub repositories in the guise of helpful automation tools for the game. ESET telemetry for H2 2024 registered the highest number of Lumma Stealer attack attempts in Peru, Poland, Spain, Mexico and Slovakia. However, Lumma is not the only infostealer going around, and in general, the top five countries targeted by infostealer attacks in H2 2024 were Japan, Spain, Turkey, Poland and Italy. ESET's infostealer detections paint a global trend. (Source: ESET Threat Report H2 2024) These are the top 10 infostealers ESET detected in H2 2024. (Source: ESET Threat Report H2 2024) Among other notable infostealers is Formbook, first discovered in 2016 and mainly spread through email phishing. This infostealer collects clipboard data, keystrokes, screenshots and cached browser data, and uses sophisticated obfuscation techniques to prevent deeper analysis. Moreover, it’s been detected as part of large-scale ModiLoader and AceCryptor campaigns in Central and Eastern European states such as Poland, Romania, Czechia and Croatia. An example of a ModiLoader phishing email potentially containing the Formbook infostealer. (Source: ESET Threat Report H2 2024) Infostealers are so damaging because being compromised even for a short time can be quite disastrous for both individuals and businesses. Once an infostealer gathers sufficient data to steal someone’s credentials, funds, or identity, that individual can lose funds (crypto or cash), access to personal accounts, and more. Compromised businesses can experience such costly cyber incidents as network infiltration, data breaches, extortion and ransomwar