LummaStealer resurges with CastleLoader, a MaaS that steals sensitive data


In recent months, a worrying rebound in LummaStealer-related infections has been detected. LummaStealer is an information-stealing platform that operates as malware-as-a-service (MaaS). Although it was partially dismantled in a coordinated operation in May 2025 that took down thousands of domains and its control infrastructure, the activity did not disappear: the operators resumed operations in July, and from the end of 2025 to January 2025 the campaign has escalated significantly.

LummaStealer is not a simple isolated virus but a criminal service that provides access to highly sensitive data. Its targets include usernames and passwords saved in browsers, session cookies, authentication tokens, VPN configurations, cryptocurrency wallet details and documents stored on the computer. This wide range of targets makes it a particularly dangerous threat to users and companies alike.


What has changed in this wave is the role of CastleLoader, a malware loader that has emerged as a central element in many infection chains. Bitdefender researchers have described how CastleLoader acts as a "distribution platform": it decrypts and loads the malicious code entirely in memory, uses multiple layers of obfuscation and can communicate flexibly with command-and-control servers, making it well suited to spreading a variety of info-stealer and remote access Trojan families. For a full analysis of Bitdefender's findings, see its technical report: Bitdefender Labs: LummaStealer and CastleLoader.

In technical terms, CastleLoader usually appears as obfuscated scripts written in AutoIt or Python that decrypt and execute the payload in memory. It uses renamed dictionaries, encoded strings that are decoded at runtime, large amounts of junk code and arithmetic operations that serve only to confuse analysts and automated tools. In addition, before launching the information theft, it performs environment checks to determine whether it is being analyzed in a security lab and adapts its installation paths according to the security products detected on the victim machine.

Persistence is achieved by a simple but effective recipe: the malicious script is copied to a fixed path, the interpreter (e.g. AutoIt) is placed in another location, and a shortcut is created in the Startup folder that runs the interpreter with the script as an argument, so that the payload is activated again after a reboot. Among the behavioural indicators that researchers have identified is one striking behavior: CastleLoader deliberately issues a DNS query for a non-existent domain, forcing a failure that leaves detectable network artifacts, a point that defence teams can use to identify suspicious activity on the network.
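The failed-DNS-query artifact mentioned above can be turned into a simple hunting check. The following Python script is an added example, not code from the article or from Bitdefender; it parses a constructed resolver log (assumed format: timestamp, client IP, queried name, response code), discards NXDOMAIN noise that is normal on Windows networks (the allowlisted prefixes and suffixes are assumptions), and reports clients with repeated NXDOMAIN responses.

```python
import re
from collections import Counter, defaultdict

# Constructed sample resolver log; the format (timestamp, client, qname, rcode) is assumed.
SAMPLE_LOG = """\
2025-01-10T09:00:01Z 10.0.0.15 login.microsoftonline.com NOERROR
2025-01-10T09:00:02Z 10.0.0.15 wpad.corp.local NXDOMAIN
2025-01-10T09:00:03Z 10.0.0.15 qzkxv7f3tdl.invalid NXDOMAIN
2025-01-10T09:00:04Z 10.0.0.21 update.example.org NOERROR
2025-01-10T09:00:05Z 10.0.0.21 _ldap._tcp.corp.local NXDOMAIN
2025-01-10T09:01:10Z 10.0.0.15 qzkxv7f3tdl.invalid NXDOMAIN
2025-01-10T09:02:30Z 10.0.0.15 bad.typo.exmaple.com NXDOMAIN
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<rcode>\S+)$")

# Assumed allowlist: NXDOMAIN answers that are routine on Windows/AD networks.
BENIGN_SUFFIXES = (".local", ".localdomain")
BENIGN_PREFIXES = ("wpad.", "_ldap.", "_kerberos.")

def parse_dns_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records

def is_benign_noise(qname):
    """True for expected NXDOMAIN noise that should not raise an alert."""
    q = qname.lower().rstrip(".")
    return q.endswith(BENIGN_SUFFIXES) or q.startswith(BENIGN_PREFIXES)

def nxdomain_by_client(records):
    """Map client IP -> Counter of NXDOMAIN names, ignoring benign noise."""
    hits = defaultdict(Counter)
    for r in records:
        if r["rcode"] == "NXDOMAIN" and not is_benign_noise(r["qname"]):
            hits[r["client"]][r["qname"].lower().rstrip(".")] += 1
    return hits

def flag_clients(records, min_failures=2):
    """Return [(client, total_nxdomain, sorted names)] for clients at or above the threshold."""
    out = []
    for client, names in nxdomain_by_client(records).items():
        total = sum(names.values())
        if total >= min_failures:
            out.append((client, total, sorted(names)))
    return sorted(out)

if __name__ == "__main__":
    for client, total, names in flag_clients(parse_dns_log(SAMPLE_LOG)):
        print(f"{client}: {total} NXDOMAIN responses -> {', '.join(names)}")
```

Tune `min_failures` and the allowlist to your environment; a single NXDOMAIN is usually a typo, while repeated failures for the same unusual name from one host are worth a closer look at that endpoint.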

The spread of LummaStealer is not limited to a single method. Operators use tampered or "trojanized" installers, pirated versions of software distributed on fake sites or torrents, and fake game or media files. A social engineering vector that has been particularly effective is known as ClickFix: the victim sees a page that mimics a CAPTCHA or a verification step, receives detailed instructions to paste and run a command in PowerShell, and that command has already been placed on their clipboard. When the victim complies, the machine downloads and runs a remote script; often the first component to arrive is CastleLoader, which in turn retrieves LummaStealer. Bitdefender documents this modus operandi in its report and describes it as one of the most effective vectors of the campaign.

The relationship between CastleLoader and LummaStealer had already been noted by other intelligence teams. For example, Recorded Future's Insikt Group documented how part of the infrastructure used by CastleLoader had acted as a command-and-control server for LummaStealer, confirming the operational connection between the two malicious projects. For more detail, the Recorded Future analysis is available: Recorded Future - Insikt Group.


In the face of this scenario, prevention and early detection are key. At the personal level, avoid downloading executables from unverified sources and stay away from pirated software or "cracked" tools, which are a common breeding ground for this type of infection. If a website asks you to run a command in PowerShell or a console as part of a "verification," treat that as an alarm signal: never paste and run clipboard code if you do not understand exactly what it does. For companies and administrators, in addition to user education, endpoint solutions and behavior-based detection are essential to observe in-memory execution, DNS anomalies and unusual persistence mechanisms, along with download filtering controls and network segmentation.

The broader lesson is that the cybercrime ecosystem is resilient. Disruptions by law enforcement and industry can slow down or dismantle infrastructure, but malware developers and illicit service vendors adapt with new components and techniques, such as CastleLoader and ClickFix, to relaunch the machinery. That is why the response has to be equally multifaceted: a combination of shared threat intelligence, advanced detection tools and, not least, continuous training so that users recognize deception and do not execute commands that compromise their machines.

If you want to read the technical analyses and obtain indicators for defense, the Bitdefender and Recorded Future reports cited above are a good starting point. Keeping software up to date, applying multifactor authentication on critical accounts, using password managers and reviewing network logs for atypical patterns (e.g., failed DNS queries for non-existent domains) are concrete measures that greatly reduce the risk from these campaigns.
