Last May, law enforcement authorities around the world scored a key win when they hobbled the infrastructure of Lumma, an infostealer that infected nearly 395,000 Windows computers over just a two-month span leading up to the international operation. Researchers said Wednesday that Lumma is once again “back at scale” in hard-to-detect attacks that pilfer credentials and sensitive files.

Lumma, also known as Lumma Stealer, first appeared in Russian-speaking cybercrime forums in 2022. Its cloud-based malware-as-a-service model provided a sprawling infrastructure of domains for hosting lure sites offering free cracked software, games, and pirated movies, as well as command-and-control channels and everything else a threat actor needed to run their infostealing enterprise. Within a year, Lumma was selling for as much as $2,500 for premium versions. By the spring of 2024, the FBI counted more than 21,000 listings on crime forums. Last year, Microsoft said Lumma had become the “go-to tool” for multiple crime groups, including Scattered Spider, one of the most prolific groups.

Takedowns are hard

The FBI and an international coalition of its counterparts took action early last year. In May, they said they seized 2,300 domains, command-and-control infrastructure, and crime marketplaces that had enabled the infostealer to thrive. Recently, however, the malware has made a comeback, allowing it to infect a significant number of machines again.

Read full article

Comments

© Getty Images

Infostealer infections compounded by a lack of multi-factor authentication (MFA) have resulted in dozens of breaches at major global companies and calls for greater MFA use. The issue came to light in a Hudson Rock post that detailed the activity of a threat actor operating under the aliases “Zestix” and “Sentap.” The threat actor has auctioned data stolen from the corporate file-sharing portals of roughly 50 major global enterprises, targeting ShareFile, OwnCloud, and Nextcloud instances “belonging to critical entities across the aviation, robotics, housing, and government infrastructure sectors,” the report said, taking pains to note that lack of MFA was the primary cause. “... these catastrophic security failures were not the result of zero-day exploits in the platform architecture, but rather the downstream effect of malware infections on employee devices combined with a critical failure to enforce Multi-Factor Authentication (MFA),” the report said. Cyble’s threat intelligence database contains 56 dark web reports and client advisories on Zestix and Sentap going back to mid-2024, and the threat actor appears be connected to a significantly older X/Twitter account, according to a May 2025 Cyble profile. DarkSignal recently did an extensive profile of the threat actor.

Infostealers and No MFA Make Attacks Easy

The Hudson Rock report looked at 15 data breaches claimed by Zestix/Sentap and noted a common attack flow:

• Infection: “An employee inadvertently downloads a malicious file. The infostealer executes and harvests all saved credentials and browser history.”
• Aggregation: “These logs are aggregated in massive databases on the dark web. Zestix parses these logs specifically looking for corporate cloud URLs (ShareFile, Nextcloud).”
• Access: “Zestix simply uses the valid username and password extracted from the logs. Because the organizations listed below did not enforce MFA, the attacker walks right in through the front door. No exploits, no cookies – just a password.”

“The era where brute-force attacks reigned supreme is waning,” the report said. “In its place, the Infostealer ecosystem has risen to become the primary engine of modern cybercrime. “Contrary to attacks involving sophisticated cookie hijacking or session bypasses, the Zestix campaign highlights a far more pedestrian – yet equally devastating – oversight: The absence of Multi-Factor Authentication (2FA).” Zestix relies on Infostealer malware such as RedLine, Lumma, or Vidar to infect personal or professional devices – and sometimes the gap between malware infection and exploitation is a long one, as old infostealer logs have led to new cyberattacks in some cases. “A critical finding in this investigation is the latency of the threat,” Hudson Rock said. “While some credentials were harvested from recently infected machines, others had been sitting in logs for years, waiting for an actor like Zestix to exploit them. This highlights a pervasive failure in credential hygiene; passwords were not rotated, and sessions were never invalidated, turning a years-old infection into a present-day catastrophe.”

ownCloud Calls for Greater MFA Use

ownCloud responded to the report with a call for greater MFA use by clients. In a security advisory, the company said, “The ownCloud platform was not hacked or breached. The Hudson Rock report explicitly confirms that no zero-day exploits or platform vulnerabilities were involved.” Stolen credentials from infostealer logs were "used to log in to ownCloud accounts that did not have Multi-Factor Authentication (MFA) enabled. As the report notes: ‘No exploits, no cookies—just a password.’” ownCloud said clients should immediately enable MFA on their ownCloud instances if they haven’t done so already. “MFA adds a critical second layer of verification that prevents unauthorized access even when credentials are compromised,” the company said. Recommended steps include:

• Enabling MFA on all user accounts using ownCloud’s two-factor authentication apps
• Resetting passwords for all users and requiring “strong, unique credentials”
• Reviewing access logs for suspicious activity
• Invalidating active sessions to force re-authentication with MFA

 

Cyble researchers have identified a sophisticated attack campaign that uses obfuscation, a unique User Account Control (UAC) bypass and other stealthy techniques to deliver a unified commodity loader and infect systems with Remote Access Trojans (RATs) and infostealers. The malware campaign targets the Manufacturing and Government sectors in Europe and the Middle East, with a specific focus on Italy, Finland, and Saudi Arabia, but shares common features with other attack campaigns, suggesting a shared malware delivery framework used by multiple “high-capability” threat actors. “The primary objective is the exfiltration of sensitive industrial data and the compromise of high-value administrative credentials,” Cyble Research and Intelligence Labs (CRIL) said in a blog post published today.

Sophisticated Attack Campaign Uses Loader Shared by ‘High-capability’ Threat Actors

The sophisticated commodity loader at the heart of the campaign is “utilized by multiple high-capability threat actors,” Cyble said. “Our research confirms that identical loader artifacts and execution patterns link this campaign to a broader infrastructure shared across multiple threat actors,” the researchers said. The CRIL researchers describe “a striking uniformity of tradecraft, uncovering a persistent architectural blueprint that serves as a common thread. Despite the deployment of diverse malware payloads, the delivery mechanism remains constant.” Standardized methodology includes the use of steganography to conceal payloads within image files, the use of string reversal and Base64 encoding for obfuscation, and delivering encoded payload URLs directly to the loader. The threat actors also “consistently abuse legitimate .NET framework executables to facilitate advanced process hollowing techniques.” Cyble said researchers from Seqrite, Nextron Systems, and Zscaler, have documented similar findings in other campaigns, including “identical class naming conventions and execution patterns across a variety of malware families and operations.” The researchers shared code samples of the shared loader architecture and noted, “This consistency suggests that the loader might be part of a shared delivery framework used by multiple threat actors.” The loaders have been observed delivering a variety of RATs and infostealers, such as PureLog Stealer, Katz Stealer, DC Rat, Async Rat, and Remcos. “This indicates the loader is likely shared or sold across different threat actor groups,” Cyble said. “The fact that multiple malware families leverage these class naming conventions as well as execution patterns ... is further testament to how potent this threat is to the target nations and sectors,” Cyble added.

Campaign Uses Obfuscation, UAC Bypass

The campaign documented by Cyble uses “a diverse array of infection vectors,” such as Office documents that weaponize CVE-2017-11882, malicious SVG files, ZIP archives containing LNK shortcuts, and a unique User Account Control (UAC) bypass. One sample used an LNK file and PowerShell to download a VBS loader, along with the UAC bypass method. The UAC bypass technique appears in later stages of the attack, where the malware monitors process creation events and triggers a UAC prompt when a new process is launched, “tricking the system or user into granting elevated privileges under the guise of a routine operation” and “enabling the execution of a PowerShell process with elevated privileges after user approval.” “The discovery of a novel UAC bypass confirms that this is not a static threat, but an evolving operation with a dedicated development cycle,” the researchers added. “Organizations, especially in the targeted regions, should treat ‘benign’ image files and email attachments with heightened scrutiny.” The campaign starts as a phishing campaign masquerading as standard Purchase Order communications. Image files are hosted on legitimate delivery platforms and contain steganographically embedded payloads, “allowing the malicious code to slip past file-based detection systems by masquerading as benign traffic.” The threat actors use a sophisticated “hybrid assembly” technique to “trojanize” open-source libraries. “By appending malicious functions to trusted open-source libraries and recompiling them, the resulting files retain their authentic appearance and functionality, making signature-based detection extremely difficult,” the researchers said. The infection chain is also engineered “to minimize forensic footprint,” including script obfuscation, steganographic extraction, reflective loading to run code directly in memory, and process injection to hide malicious activity within legitimate system processes. The full Cyble blog takes an in-depth technical look at one sample and also includes recommendations, MITRE tactics, techniques and procedures (TTPs), and Indicators of Compromise (IoCs).