Infostealer and Loader Malware Activity Targeting Windows Users
Multiple reports highlight active Windows-focused malware operations centered on credential theft and payload delivery. Socelars is described as a stealthy infostealer that prioritizes harvesting browser-stored session cookies and authentication artifacts (notably targeting Facebook Ads Manager sessions) to enable account takeover and fraud; it is reportedly distributed via fake websites posing as legitimate software (e.g., a PDF reader) and uses staged execution including system reconnaissance and a UAC bypass via COM auto-elevation before extracting browser session data for exfiltration.
Separately, research details how established malware delivery ecosystems are evolving. Zscaler ThreatLabz reports GuLoader (CloudEye) increasingly abuses legitimate cloud services (e.g., Google Drive and OneDrive) to blend malicious downloads into normal traffic, while using polymorphism and control-flow obfuscation plus layered decryption to hinder analysis and deliver follow-on payloads such as RATs and stealers. Bitdefender reports a resurgence of LummaStealer despite prior law-enforcement disruption, attributing continued scale to social-engineering-heavy distribution (fake cracks/downloads and fake CAPTCHA/“ClickFix” lures) and the use of CastleLoader for modular, in-memory execution and obfuscated delivery; the report notes infrastructure overlap suggesting coordination or shared providers. A separate Unit 42 incident-response writeup on Muddled Libra (Scattered Spider/UNC3944) describes a distinct intrusion tradecraft involving unauthorized access to a VMware vSphere environment and a rogue VM used for reconnaissance, persistence, and interaction with enterprise infrastructure, and is not part of the infostealer/loader activity described in the other items.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
Zscaler publishes deep-dive on GuLoader's cloud abuse and obfuscation
Zscaler ThreatLabz published an analysis detailing GuLoader's evolution toward stronger obfuscation, including polymorphic code, exception-based control-flow tricks, and multi-stage decryption. The report also highlighted GuLoader's use of legitimate cloud services such as Google Drive and OneDrive to host or retrieve malicious content.
Socelars campaigns target Windows users via fake PDF software sites
Socelars was reported as actively targeting Windows systems through fake websites masquerading as legitimate PDF reader downloads. The malware steals browser cookies and authenticated sessions, especially Facebook Ads Manager sessions, to enable account takeover and financial fraud.
Bitdefender reports LummaStealer resurgence tied to ClickFix and CastleLoader
Bitdefender reported a sharp resurgence in LummaStealer activity, driven mainly by social-engineering lures such as fake CAPTCHA ClickFix pages and supported by CastleLoader as a key delivery mechanism. The report also noted infrastructure overlap between CastleLoader and LummaStealer and described detection opportunities such as CastleLoader's distinctive failed DNS lookups.
CastleLoader-driven LummaStealer delivery scales up
Between December 2025 and January 2026, LummaStealer infections increased significantly, with CastleLoader playing a central role in delivering payloads through modular in-memory execution and obfuscated communications.
LummaStealer activity resumes after takedown
By July 2025, LummaStealer activity had begun to recover following the May 2025 disruption, with operators rebuilding infrastructure and shifting to new hosting and delivery methods.
Law enforcement disrupts LummaStealer infrastructure
In May 2025, law enforcement and technology partners disrupted LummaStealer operations by seizing about 2,300 domains and targeting its central command infrastructure. The action involved a US court order and support from Europol, Japan's JC3, and Microsoft's Digital Crimes Unit, which sinkholed domains for analysis and victim assistance.
CastleLoader first observed in malware campaigns
CastleLoader was first seen in early 2025 as a modular, heavily obfuscated loader capable of in-memory execution and delivery of infostealers and RATs.
LummaStealer begins operating as a MaaS infostealer
LummaStealer became active in 2022 as a malware-as-a-service infostealer focused on stealing credentials, financial data, cryptocurrency assets, and other sensitive information.
GuLoader malware first observed in the wild
GuLoader, also known as CloudEye, was first observed in late 2019 as a malware loader used to deliver payloads such as remote access trojans and information stealers.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
The Human Hack: LummaStealer Returns with Deceptive "ClickFix" Attacks
securityonline.info
Open sourceLummaStealer activity spikes post-law enforcement disruption
securityaffairs.com
Open sourceSocelars Malware Attacking Windows Systems to Steal Sensitive Business Data
cybersecuritynews.com
Open sourceHiding in the Cloud: GuLoader Malware Evolves to Evade Detection
securityonline.info
Open sourceLummaStealer infections surge after CastleLoader malware campaigns
bleepingcomputer.com
Open sourceLummaStealer Is Getting a Second Life Alongside CastleLoader
bitdefender.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Credential-Theft Malware Campaigns Targeting Windows via Social Engineering and Trusted Services
Multiple reports describe **active malware campaigns targeting Windows users** with a focus on **credential, session, and wallet theft** delivered through social engineering and abuse of legitimate services. **CharlieKirk Grabber**, a Python infostealer packaged with *PyInstaller*, is distributed via phishing, cracked software, cheats, and social-media lures; it kills browser processes (via `TASKKILL`) to access credential stores, collects passwords/cookies/autofill/Wi‑Fi data, zips the loot, uploads it to *GoFile*, and relays the download link to operators via **Discord webhooks** or **Telegram bots**. Separately, attackers are buying **Facebook ads** impersonating Microsoft to drive victims to cloned Windows 11 download pages on lookalike domains (e.g., `ms-25h2-update[.]pro`), delivering a malicious installer that steals saved passwords, browser sessions, and **cryptocurrency wallet** data; the campaign uses **geofencing/sandbox evasion** to show benign content to data-center IPs while serving malware to likely end users. Other contemporaneous activity highlights broader Windows-targeted intrusion tradecraft and adjacent threats. FortiGuard Labs reported **Winos 4.0 (ValleyRat)** phishing campaigns in Taiwan using tax and e-invoice lures, with delivery chains including malicious **LNK** downloaders, **DLL sideloading**, and **BYOVD** using the vulnerable driver `wsftprm.sys`, supported by rapidly rotating domains and cloud hosting. In LATAM, a fake bank-receipt lure delivers **XWorm v5.6** via a `.pdf.js` double-extension WSH dropper that uses junk-padding and Unicode obfuscation, then reconstructs and runs PowerShell (spawned via WMI) and abuses trusted hosting (e.g., Cloudinary) for later stages—enabling credential theft and potential ransomware follow-on. Additional reporting covered a USB-propagating **Monero cryptomining** operation capable of crossing air-gapped environments, a new Linux **SysUpdate** variant with encrypted C2 traffic (and a Unicorn Engine-based decryption approach developed during DFIR), and the **Foxveil** loader abusing **Cloudflare Pages, Netlify, and Discord** to stage shellcode and persist via services or *SysWOW64* masquerading—these are separate threats but reinforce the trend of attackers blending into trusted infrastructure and common user workflows.
Mar 21, 2026
Resurgence of Windows infostealers using stealth packaging and social-engineering lures
Threat researchers reported renewed activity from **Windows credential-stealing malware** that is designed to evade detection and rapidly scale infections. CYFIRMA described **LTX Stealer** as being delivered via a heavily obfuscated installer that abuses trusted developer and packaging tools—using *Inno Setup* to masquerade as legitimate software, embedding a full **Node.js runtime**, and compiling malicious JavaScript into bytecode to hinder reverse engineering. The installer reportedly contains an unusually large encrypted archive (hundreds of MB) intended to frustrate static scanning, and drops a payload (e.g., `updater.exe`) that functions as the bundled Node.js runtime used to execute the stealer logic. Separately, reporting citing Bitdefender said **Lumma Stealer** has returned “back at scale” after prior law-enforcement disruption of its infrastructure, rebuilding domains and command-and-control capacity to resume widespread credential and data theft. Lumma’s malware-as-a-service ecosystem continues to rely on high-conversion distribution methods, including lure sites offering pirated/cracked content and the **ClickFix** social-engineering technique that tricks users into infecting their own systems, underscoring how infostealer operators are combining resilient infrastructure with user-driven execution to maintain volume despite takedowns.
Mar 21, 2026
Malware Campaigns Using Fake Installers and Multi-Stage Loaders to Steal Credentials and Enable Remote Control
Multiple active malware campaigns are using **trojanized installers** and social engineering—rather than software vulnerabilities—to gain initial access and then deploy credential theft or remote-control capabilities. Intel 471 reported a new Android banking trojan dubbed **FvncBot** targeting Polish mobile banking users by impersonating an *mBank* “security” app; the dropper prompts installation of an additional “Play” component and then abuses **Android Accessibility Services** for persistence and control, enabling **keylogging**, **screen capture**, and hidden **VNC-style remote interaction** to facilitate fraudulent transactions. Separately, Cyderes described an ongoing, large-scale piracy-channel campaign where cracked game installers hide behind a legitimate-looking **Ren’Py** launcher tracked as **RenEngine**, which decrypts and launches subsequent stages and introduces **HijackLoader** via techniques including **DLL side-loading** and module stomping; observed final payloads include **ACR Stealer** (and in some cases **Vidar**) to exfiltrate browser credentials, cookies, and crypto wallet data. Cybereason detailed a different installer-themed operation in Chinese-speaking communities delivering **ValleyRat/Winos 4.0** attributed to **Silver Fox APT**, notable for using the rare **“PoolParty Variant 7”** process injection (abusing Windows I/O completion ports and `ZwSetIoCompletion()` after duplicating a handle from `Explorer.exe`) plus a strengthened watchdog mechanism via injection into `Explorer.exe` and `UserAccountBroker.exe` to maintain persistence.
Mar 21, 2026