A surge in LummaStealer infections has been observed, driven by social engineering campaigns leveraging the ClickFix technique to deliver the CastleLoader malware.
LummaStealer, also known as LummaC2, is an infostealer operation running as a malware-as-a-service (MaaS) platform that was disrupted in May 2025 when multiple tech firms and law enforcement authorities seized 2,300 domains and the central command structure supporting the malicious service.
Infostealing malware targets various sensitive data that can range from credentials and cookies stored in web browsers, cryptocurrency wallet details, and documents to session cookies, authentication tokens, VPN configurations, and account data.
Although the law enforcement operation severely disrupted the LummaStealer activity, the MaaS operation started to resume in July 2025.
A new report from cybersecurity company Bitdefender warns that LummaStealer operations have scaled significantly between December 2025 and January 2026, now being delivered through a malware loader called CastleLoader, and increasingly relying on ClickFix techniques.
"At the core of many of these campaigns is CastleLoader, which plays a central role in helping LummaStealer spread through delivery chains. Its modular, in-memory execution model, extensive obfuscation, and flexible command-and-control communication make it well-suited to malware distribution of this scale," Bitdefender researchers say.
CastleLoader emerged in early 2025 and has been distributing multiple families of infostealers and remote access trojans (Stealc, RedLine, Rhadamanthys, MonsterV2, CastleRAT, SectopRAT, NetSupport RAT, WarmCookie) through various methods, including ClickFix.
The malware loader is a heavily obfuscated script-based (AutoIT or Python) malware loader that decrypts, loads, and executes the LummaStealer payload entirely in memory.
It employs multiple obfuscation layers, including dictionary-based renaming of variables and functions, encoded strings decoded at runtime, large amounts of junk code and dead branches, and arithmetic and logic operations that resolve to trivial results.
Typical infection chain
... continue reading