
LummaStealer Infects Thousands Through Pirated Games
TL;DR
A new campaign involving LummaStealer, a personal information theft malware, has been revealed by Bitdefender researchers. This attack intensified after a police operation in May 2025, which resulted in the takedown of over 2,300 domains used by criminals.
Understanding LummaStealer
LummaStealer is a type of malicious software, known as an infostealer, that aims to steal sensitive data from computers. It operates under a malware-as-a-service model, where developers rent the software to criminals for prices ranging from $250 to $20,000.
The malware appeared on Russian forums in late 2022 and quickly became one of the most utilized infostealers in the world. After the police operation, many operators moved their infrastructure to hosting providers that do not cooperate with authorities.
Attack Mechanism
The attack begins with fake websites offering downloads of pirated software or cracked games. When a victim runs the downloaded executable, sometimes disguised under names like "Need for Speed Hot Pursuit Setup.exe", it installs CastleLoader, a loader component that then delivers LummaStealer.
CastleLoader runs in the computer's memory rather than writing suspicious files to the hard drive, which makes detection by conventional antivirus software more difficult.
Deception Methods
Attackers use social engineering, such as on-screen prompts that instruct victims to press key combinations that run attacker-supplied commands on their system. This lets the malware execute without any further download.
Persistence and Evasion
After installation, LummaStealer creates files in specific folders and establishes shortcuts to ensure automatic execution when the computer starts. The malware adapts its methods based on the installed antivirus programs in order to avoid detection.
Once executed, it goes through a two-step decryption process to reveal its final malicious code.
Weakness in the Malware Exposes Infections
Researchers identified a weakness in the malware itself that allows infections to be monitored: LummaStealer attempts to connect to a non-existent domain, generating a DNS request that leaves a traceable breadcrumb for investigators.
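As an added example that is not from the article or from Bitdefender's research, the following Python script shows how a defender could use the DNS breadcrumb described above: it parses constructed Sysmon-style DNS query log lines and flags non-browser processes whose lookups for one name repeatedly fail with NXDOMAIN. The log format, host names, image paths, browser allow-list and the placeholder domain are all assumptions; the real domain queried by the sample is not given in the article.

```python
import re
from collections import defaultdict

# Constructed sample of Sysmon Event ID 22 (DnsQuery) style records, one per line.
# Domain, hosts and image paths are placeholders, not indicators from the article.
SAMPLE_LOG = """\
2025-07-01T10:00:01Z host=WS01 image=C:\\Program Files\\Mozilla Firefox\\firefox.exe query=example.com result=NOERROR
2025-07-01T10:00:05Z host=WS01 image=C:\\Users\\alice\\AppData\\Local\\Temp\\Need for Speed Hot Pursuit Setup.exe query=placeholder-nonexistent.invalid result=NXDOMAIN
2025-07-01T10:00:09Z host=WS01 image=C:\\Users\\alice\\AppData\\Local\\Temp\\Need for Speed Hot Pursuit Setup.exe query=placeholder-nonexistent.invalid result=NXDOMAIN
2025-07-01T10:01:00Z host=WS02 image=C:\\Windows\\System32\\svchost.exe query=time.windows.com result=NOERROR
2025-07-01T10:02:00Z host=WS02 image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe query=typo-site.invalid result=NXDOMAIN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) image=(?P<image>.+?) query=(?P<query>\S+) result=(?P<result>\S+)$"
)

# Browsers generate NXDOMAIN noise from user typos; exclude them (assumed allow-list).
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe"}

def parse_dns_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records

def find_nxdomain_beacons(records, min_hits=2):
    """Return {(host, image, query): count} for non-browser processes whose lookups
    for the same name failed with NXDOMAIN at least min_hits times. Repeated
    failures for one name from one process point to a hard-coded callback to a
    dead domain (the breadcrumb described above) rather than a user typo."""
    counts = defaultdict(int)
    for r in records:
        if r["result"] != "NXDOMAIN":
            continue
        exe = r["image"].rsplit("\\", 1)[-1].lower()
        if exe in BROWSERS:
            continue
        counts[(r["host"], r["image"], r["query"])] += 1
    return {k: v for k, v in counts.items() if v >= min_hits}

if __name__ == "__main__":
    for (host, image, query), n in find_nxdomain_beacons(parse_dns_log(SAMPLE_LOG)).items():
        print(f"{host}: {image} queried {query} -> NXDOMAIN x{n}")
```

On the constructed sample only the game-named executable on WS01 is reported; the single Chrome failure on WS02 is filtered out as browser noise.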
Stolen Data
Once installed, the malware searches for valuable information, such as passwords and personal documents. It can steal credentials from browsers, password managers, cryptocurrency wallets, and even take screenshots of the victim's device.
Impact and Global Distribution
India is the most affected country, followed by the United States and Europe. LummaStealer can target any region, depending on the criminals leveraging it.
Consequences for Privacy
Data theft can result in account hijacking and financial fraud, as well as enable extortion in cases of sensitive information exposure.
How to Protect Yourself
- Avoid downloading software from unofficial sources.
- Be wary of websites that request manual commands in PowerShell.
- Change passwords immediately if infection is suspected.
- If infection is confirmed, reinstalling the operating system may be necessary.
- Companies should invest in education about social engineering and implement multi-factor authentication.
Stay tuned to TecMundo for more news on cybersecurity and technology.
Content selected and edited with AI assistance. Original sources referenced above.


