Resurgence of Windows infostealers using stealth packaging and social-engineering lures
Threat researchers reported renewed activity from Windows credential-stealing malware that is designed to evade detection and rapidly scale infections. CYFIRMA described LTX Stealer as being delivered via a heavily obfuscated installer that abuses trusted developer and packaging tools—using Inno Setup to masquerade as legitimate software, embedding a full Node.js runtime, and compiling malicious JavaScript into bytecode to hinder reverse engineering. The installer reportedly contains an unusually large encrypted archive (hundreds of MB) intended to frustrate static scanning, and drops a payload (e.g., updater.exe) that functions as the bundled Node.js runtime used to execute the stealer logic.
Separately, reporting citing Bitdefender said Lumma Stealer has returned “back at scale” after prior law-enforcement disruption of its infrastructure, rebuilding domains and command-and-control capacity to resume widespread credential and data theft. Lumma’s malware-as-a-service ecosystem continues to rely on high-conversion distribution methods, including lure sites offering pirated/cracked content and the ClickFix social-engineering technique that tricks users into infecting their own systems, underscoring how infostealer operators are combining resilient infrastructure with user-driven execution to maintain volume despite takedowns.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
LTX Stealer is assessed as a low-cost stealer-as-a-service
The LTX operation was assessed as a stealer-as-a-service offering backed by Supabase infrastructure fronted by Cloudflare and advertised with inexpensive subscription tiers. The pricing and infrastructure suggested the malware was intended for broad criminal distribution.
CYFIRMA reports Node.js-based LTX Stealer campaign
CYFIRMA disclosed a Windows credential-theft campaign involving LTX Stealer, which uses a heavily obfuscated Inno Setup installer and a bundled Node.js runtime to evade antivirus detection. The malware steals browser credentials, cookies, session tokens, and cryptocurrency wallet data.
Renewed Lumma campaigns use ClickFix fake CAPTCHA lures
Current Lumma campaigns heavily rely on ClickFix social engineering, including fake CAPTCHA pages that trick users into pasting malicious commands into Windows Terminal. The infection chain then deploys loader malware followed by Lumma Stealer.
Microsoft identifies Lumma as a go-to tool for crime groups
Microsoft described Lumma as a preferred tool used by multiple cybercrime groups, including Scattered Spider. This attribution highlighted the malware's broad adoption in criminal operations.
Lumma operators rebuild and resume global distribution
Following the May law-enforcement action, researchers said Lumma's operators rapidly rebuilt their infrastructure and returned to widespread activity. The renewed campaigns again targeted users globally.
Lumma infects nearly 395,000 Windows systems in two months
At an unspecified point before the 2026 reporting, Lumma Stealer infected almost 395,000 Windows systems over a two-month period. The scale established it as a major infostealer threat used by multiple criminal groups.
International law enforcement disrupts Lumma infrastructure
Authorities carried out a takedown of Lumma infrastructure, seizing thousands of domains and related systems in an international disruption operation. The action temporarily hobbled the malware operation.
Lumma Stealer is advertised on Russian-speaking crime forums
Lumma Stealer was first promoted in Russian-speaking cybercrime forums as a malware-as-a-service offering. It later developed into a cloud-based infostealer operation with extensive lure and command-and-control infrastructure.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Infostealer and Loader Malware Activity Targeting Windows Users
Multiple reports highlight active **Windows-focused malware** operations centered on credential theft and payload delivery. **Socelars** is described as a stealthy infostealer that prioritizes harvesting browser-stored session cookies and authentication artifacts (notably targeting *Facebook Ads Manager* sessions) to enable account takeover and fraud; it is reportedly distributed via fake websites posing as legitimate software (e.g., a PDF reader) and uses staged execution including system reconnaissance and a **UAC bypass via COM auto-elevation** before extracting browser session data for exfiltration. Separately, research details how established malware delivery ecosystems are evolving. Zscaler ThreatLabz reports **GuLoader (CloudEye)** increasingly abuses legitimate cloud services (e.g., *Google Drive* and *OneDrive*) to blend malicious downloads into normal traffic, while using polymorphism and control-flow obfuscation plus layered decryption to hinder analysis and deliver follow-on payloads such as RATs and stealers. Bitdefender reports a resurgence of **LummaStealer** despite prior law-enforcement disruption, attributing continued scale to social-engineering-heavy distribution (fake cracks/downloads and **fake CAPTCHA/“ClickFix”** lures) and the use of **CastleLoader** for modular, in-memory execution and obfuscated delivery; the report notes infrastructure overlap suggesting coordination or shared providers. A separate Unit 42 incident-response writeup on **Muddled Libra (Scattered Spider/UNC3944)** describes a distinct intrusion tradecraft involving unauthorized access to a *VMware vSphere* environment and a rogue VM used for reconnaissance, persistence, and interaction with enterprise infrastructure, and is not part of the infostealer/loader activity described in the other items.
Mar 21, 2026
Credential-Theft Malware Campaigns Targeting Windows via Social Engineering and Trusted Services
Multiple reports describe **active malware campaigns targeting Windows users** with a focus on **credential, session, and wallet theft** delivered through social engineering and abuse of legitimate services. **CharlieKirk Grabber**, a Python infostealer packaged with *PyInstaller*, is distributed via phishing, cracked software, cheats, and social-media lures; it kills browser processes (via `TASKKILL`) to access credential stores, collects passwords/cookies/autofill/Wi‑Fi data, zips the loot, uploads it to *GoFile*, and relays the download link to operators via **Discord webhooks** or **Telegram bots**. Separately, attackers are buying **Facebook ads** impersonating Microsoft to drive victims to cloned Windows 11 download pages on lookalike domains (e.g., `ms-25h2-update[.]pro`), delivering a malicious installer that steals saved passwords, browser sessions, and **cryptocurrency wallet** data; the campaign uses **geofencing/sandbox evasion** to show benign content to data-center IPs while serving malware to likely end users. Other contemporaneous activity highlights broader Windows-targeted intrusion tradecraft and adjacent threats. FortiGuard Labs reported **Winos 4.0 (ValleyRat)** phishing campaigns in Taiwan using tax and e-invoice lures, with delivery chains including malicious **LNK** downloaders, **DLL sideloading**, and **BYOVD** using the vulnerable driver `wsftprm.sys`, supported by rapidly rotating domains and cloud hosting. In LATAM, a fake bank-receipt lure delivers **XWorm v5.6** via a `.pdf.js` double-extension WSH dropper that uses junk-padding and Unicode obfuscation, then reconstructs and runs PowerShell (spawned via WMI) and abuses trusted hosting (e.g., Cloudinary) for later stages—enabling credential theft and potential ransomware follow-on. Additional reporting covered a USB-propagating **Monero cryptomining** operation capable of crossing air-gapped environments, a new Linux **SysUpdate** variant with encrypted C2 traffic (and a Unicorn Engine-based decryption approach developed during DFIR), and the **Foxveil** loader abusing **Cloudflare Pages, Netlify, and Discord** to stage shellcode and persist via services or *SysWOW64* masquerading—these are separate threats but reinforce the trend of attackers blending into trusted infrastructure and common user workflows.
Mar 21, 2026
Infostealer Malware Resurgence Targeting Browser Credentials, Crypto Wallets, and Cloud-Synced Data
Threat researchers reported continued growth in the **infostealer** ecosystem, with new families emphasizing theft of browser credentials, session cookies, and cryptocurrency wallet data. Zscaler ThreatLabz detailed **Marco Stealer**, first observed in June 2025, which profiles infected hosts (e.g., OS version, hardware ID, IP/geolocation) and targets browser data plus cryptocurrency wallet information from browser extensions; it also searches for sensitive files in local and **cloud-synced** locations, including folders associated with *Dropbox* and *Google Drive*, and uses anti-analysis measures such as runtime string decryption. Separately, Cyfirma described **LTX Stealer**, a Windows-focused infostealer built around a bundled **Node.js runtime** and delivered via an Inno Setup installer (`Negro.exe`) that drops an unusually large (~271 MB) payload—reportedly to evade scanning heuristics. LTX Stealer targets Chromium-based browsers by extracting keys from `Local State` to decrypt saved passwords and cookies, collects screenshots, and stages data for exfiltration while using services such as *Supabase* (authentication) and *Cloudflare* (infrastructure masking). Flare’s research contextualized these developments as part of an “infostealer arms race,” observing multiple variants being marketed/updated across dark web forums and highlighting the downstream impact: analysis of **18.7M** infostealer logs (2025) found enterprise SSO/IdP credentials in more than 10% of infections, and Verizon DBIR data cited by Flare linked infostealer credential exposure to a significant share of ransomware victimization; Flare also noted stealer developers rapidly adapting to Chrome’s evolving credential protections (e.g., post-`v127` application-bound encryption and newer Chrome releases).
Mar 21, 2026