Overview
- Bitdefender reports LummaStealer activity spiked in December 2025 and January 2026, with operations described as back at scale.
- Recent campaigns frequently use CastleLoader, a heavily obfuscated AutoIt or Python script that runs payloads entirely in memory after sandbox checks.
- ClickFix lure pages place malicious commands on the clipboard and instruct users to paste them into Windows Terminal, installing the loader that fetches Lumma.
- Researchers highlight a behavioral detection clue in CastleLoader: it deliberately performs a DNS lookup for a random, non-existent domain, so the query fails (an NXDOMAIN response) by design and stands out from the host's normal resolution traffic.
- Distribution flows through trojanized and pirated downloads and lures on platforms such as Steam or Discord, despite a May 2025 seizure of about 2,300 Lumma domains.
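The deliberate failed lookup described above is easy to hunt for in DNS telemetry: look for NXDOMAIN responses to a registrable label that looks machine-generated, then pivot to what the same process resolved next. The following Python is an added example of that detection logic and is not code from Bitdefender or from the page; the log lines are constructed, in a simplified key=value layout loosely modelled on Sysmon Event ID 22 (DnsQuery) fields, and the randomness thresholds (length, Shannon entropy, vowel ratio) are assumptions chosen for illustration rather than tuned values.

```python
import math
import re
from collections import Counter

# Constructed sample log (not real telemetry). One benign NXDOMAIN (wpad) is
# included so the heuristic has to distinguish it from the random-label case.
SAMPLE_DNS_LOG = """\
2026-01-14 09:12:01 image=C:\\Windows\\System32\\svchost.exe query=ctldl.windowsupdate.com result=success
2026-01-14 09:12:03 image=C:\\Users\\user\\AppData\\Local\\Temp\\setup.exe query=qzkvx7p3wmrlf9tc.com result=NXDOMAIN
2026-01-14 09:12:03 image=C:\\Users\\user\\AppData\\Local\\Temp\\setup.exe query=dl.example.net result=success
2026-01-14 09:12:10 image=C:\\Program Files\\Mozilla Firefox\\firefox.exe query=example.org result=success
2026-01-14 09:12:12 image=C:\\Windows\\System32\\svchost.exe query=wpad.corp.local result=NXDOMAIN
"""

# Non-greedy image match tolerates paths containing spaces ("Program Files").
LINE_RE = re.compile(r"image=(?P<image>.+?) query=(?P<query>\S+) result=(?P<result>\S+)\s*$")


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def registrable_label(fqdn):
    """Label directly left of the TLD, e.g. 'example' for 'a.b.example.com'."""
    parts = fqdn.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_random(label, min_len=10, min_entropy=3.5, max_vowel_ratio=0.25):
    """Heuristic for machine-generated labels (thresholds are assumptions):
    long, high-entropy and vowel-poor. Short or dictionary-like labels such as
    'wpad' or 'windowsupdate' fail at least one of the three checks."""
    if len(label) < min_len:
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    return (shannon_entropy(label) >= min_entropy
            and vowels / len(label) <= max_vowel_ratio)


def parse_dns_log(log_text):
    """Return the parsed records in log order; unparseable lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            records.append({"image": m["image"], "query": m["query"],
                            "result": m["result"].upper()})
    return records


def find_random_nxdomain(log_text):
    """Flag NXDOMAIN answers for random-looking labels and, for each hit,
    collect the later successful lookups made by the same process image,
    which is where the follow-on payload or C2 host would show up."""
    records = parse_dns_log(log_text)
    hits = []
    for i, rec in enumerate(records):
        if rec["result"] != "NXDOMAIN":
            continue
        if not looks_random(registrable_label(rec["query"])):
            continue
        follow_up = [r["query"] for r in records[i + 1:]
                     if r["image"] == rec["image"] and r["result"] == "SUCCESS"]
        hits.append({"image": rec["image"], "query": rec["query"],
                     "follow_up": follow_up})
    return hits


if __name__ == "__main__":
    for hit in find_random_nxdomain(SAMPLE_DNS_LOG):
        print(f"{hit['image']} -> {hit['query']} (NXDOMAIN); later resolved: {hit['follow_up']}")
```

Run against the constructed sample, only the `setup.exe` lookup for `qzkvx7p3wmrlf9tc.com` is flagged, with `dl.example.net` listed as the process's subsequent successful resolution; the `wpad.corp.local` NXDOMAIN from `svchost.exe` is ignored because its label is short and dictionary-like. In production you would feed real DNS client or Sysmon events in and tune the thresholds against your own baseline, since legitimate CDNs and telemetry endpoints also use high-entropy labels.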