LummaStealer Resurgence via CastleLoader
Executive Summary
A significant surge in LummaStealer (aka LummaC2) infostealer infections has been detected between December 2025 and January 2026. This activity follows a major law enforcement disruption in May 2025 that seized 2,300 domains. The adversary has rebuilt and scaled operations, now leveraging a sophisticated, multi-stage loader, CastleLoader, for payload delivery. The primary initial access vector is social engineering, with threat actors heavily relying on ClickFix techniques and trojanized software lures to trick users into executing the initial payload. The impact is severe, targeting a wide range of sensitive data including credentials, cryptocurrency wallets, and session tokens.
Key Findings

Threat Resurgence & MaaS Model
Despite a law enforcement takedown in May 2025, the LummaStealer Malware-as-a-Service (MaaS) operation resumed by July 2025. The recent surge indicates a full-scale return, with affiliates using the platform to launch global campaigns. Infrastructure overlap suggests a close operational relationship between the developers of LummaStealer and the operators of CastleLoader, a threat actor tracked as GrayBravo.
Primary Vector: CastleLoader
CastleLoader is a script-based (AutoIT, Python) malware loader central to the current infection chain. It features a modular, in-memory execution model, extensive obfuscation, and flexible C2 communication. It is also used to distribute other malware families, including Stealc, RedLine, and Rhadamanthys.
Initial Access: Social Engineering
Infections are driven by user interaction rather than vulnerability exploitation. Key methods include:
- ClickFix Technique: Victims are served fake CAPTCHA or verification pages. The website copies a malicious PowerShell command to the user's clipboard and instructs them to execute it via the Run dialog (Win+R) to 'verify' themselves.
- Software Lures: Campaigns distribute pirated software, game cracks, and fake media via trojanized installers, torrents, and fake download sites.
Detection Evasion & Persistence
CastleLoader employs multiple evasion techniques. It performs sandbox checks and terminates if virtualization processes like vmtoolsd.exe or VboxTray.exe are found. The loader adjusts its file paths and persistence locations if specific security products are detected, such as AvastUI.exe, bdagent.exe, or SophosHealth.exe. Persistence is achieved by creating an internet shortcut file (.url) in the Startup folder that launches the malicious AutoIT script.
Technical Analysis
CastleLoader TTPs
CastleLoader is heavily obfuscated. Analysis of the AutoIT script reveals dictionary-based renaming of variables, encoded strings decoded at runtime, and large amounts of junk code to hinder analysis. The payload (LummaStealer) is decrypted and loaded into memory using multiple shellcode stages with XOR keys. The final buffer is an LZNT1-compressed stream; decompressing it yields the executable payload, which is then executed within the loader's process space.
Identification Anomaly: DNS Artifact
CastleLoader deliberately initiates a failed DNS lookup for a non-existent domain as part of its anti-analysis checks. The query follows a unique pattern of a random string repeated and joined by a dot (e.g., sfcphDaHojOHzEbBXPMIuBTaOH.sfcphDaHojOHzEbBXPMIuBTaOH). This anomalous network behavior is a high-fidelity indicator that can be used to detect CastleLoader activity.
LummaStealer Payload Capabilities
The LummaStealer payload exfiltrates a wide array of sensitive information, including:
- Credentials, cookies, and session data from web browsers.
- Cryptocurrency wallets and browser extensions (e.g., MetaMask, Binance, Electrum).
- Personal documents (.docx, .pdf) and sensitive files.
- Two-factor authentication (2FA) tokens and extensions.
- Data from remote access tools like AnyDesk and password managers like KeePass.
- VPN configuration files (.ovpn).
- Discord and Steam session data.
Impact
Credential & Session Compromise
The theft of credentials and active session cookies enables attackers to bypass multi-factor authentication and gain direct access to email, corporate, and financial accounts. This facilitates large-scale account takeovers and secondary attacks.
Financial & Cryptocurrency Theft
The malware directly targets cryptocurrency wallets and stored payment information. The exfiltrated data can be used for fraudulent transactions, financial theft, and is often sold on underground markets.
Identity Theft & Extortion
Exfiltration of personal documents, IDs, and private correspondence creates a severe risk of identity theft, fraud, and blackmail. Attackers may leverage this information for targeted social engineering or extortion attempts.
Mitigation
User & Endpoint Defense
- Enforce policies preventing the download and execution of software from untrusted sources, especially pirated applications or game cracks.
- Educate users on the dangers of social engineering, particularly the ClickFix technique. Instruct users to never execute commands provided by a website's verification process.
- Utilize ad blockers to hide malicious promoted results in search engines, which are a common delivery channel.
Network & System Monitoring
- Monitor for anomalous failed DNS requests in which a single random string appears as both labels of the name (the <string>.<string> pattern) to identify potential CastleLoader infections.
- Hunt for suspicious process chains, such as cmd.exe launching PowerShell with encoded commands, or wscript.exe executing scripts that launch an AutoIT interpreter.
- Scrutinize the user Startup directory for newly created .url or .lnk files pointing to scripts or interpreters in unexpected locations (e.g., AppData).
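The doubled-label DNS artifact described under Technical Analysis and listed above as a hunting item can be checked mechanically over resolver logs. The following is an added example, not tooling from the original briefing or from any vendor; the key=value log format, the client addresses and the second random-looking name are constructed for illustration, and the 12-character minimum label length is an assumed threshold meant to keep short doubled names such as "mail.mail" out of the results.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample resolver log lines (key=value format invented for this example).
SAMPLE_DNS_LOG = """\
2026-01-12T10:15:01Z client=10.0.0.5 qname=www.example.com rcode=NOERROR
2026-01-12T10:15:03Z client=10.0.0.5 qname=sfcphDaHojOHzEbBXPMIuBTaOH.sfcphDaHojOHzEbBXPMIuBTaOH rcode=NXDOMAIN
2026-01-12T10:15:04Z client=10.0.0.7 qname=mail.mail rcode=NXDOMAIN
2026-01-12T10:15:09Z client=10.0.0.9 qname=QwErTyUiOpAsDfGhJkLzXcVb.QwErTyUiOpAsDfGhJkLzXcVb. rcode=NXDOMAIN
2026-01-12T10:15:11Z client=10.0.0.5 qname=update.vendor.example rcode=NOERROR
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) rcode=(?P<rcode>\S+)$")

# Assumed threshold: the observed strings are long (26 characters in the briefing's sample),
# while short doubled names are far more likely to be typos or internal hostnames.
MIN_LABEL_LEN = 12


@dataclass
class Alert:
    ts: str
    client: str
    qname: str


def is_doubled_label(qname: str, min_len: int = MIN_LABEL_LEN) -> bool:
    """True if qname is exactly two identical alphanumeric labels of at least min_len chars."""
    labels = qname.rstrip(".").split(".")  # tolerate a trailing root dot
    if len(labels) != 2:
        return False
    first, second = labels
    return first == second and len(first) >= min_len and first.isalnum()


def scan_dns_log(lines: Iterable[str], require_nxdomain: bool = True) -> List[Alert]:
    """Return one Alert per matching query; by default only failed (NXDOMAIN) lookups count."""
    alerts: List[Alert] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        if require_nxdomain and m["rcode"] != "NXDOMAIN":
            continue
        if is_doubled_label(m["qname"]):
            alerts.append(Alert(m["ts"], m["client"], m["qname"].rstrip(".")))
    return alerts


if __name__ == "__main__":
    for a in scan_dns_log(SAMPLE_DNS_LOG.splitlines()):
        print(f"{a.ts} {a.client} doubled-label NXDOMAIN query: {a.qname}")
```

Feeding real resolver or EDR DNS telemetry through the same check turns the artifact into a per-host alert that can be correlated with the process-chain hunts listed above.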
Incident Response
- Upon detection of infection, immediately isolate the compromised host.
- Invalidate all active sessions and rotate all credentials for accounts accessed from the affected system, prioritizing email and financial services.
- A full operating system reinstallation is the recommended course of action to ensure complete threat removal and restore trust in the device.