Malware News: Bitdefender says LummaStealer Is Getting a Second Life Alongside CastleLoader

Khushal

Thread author
Apr 4, 2024
Bitdefender researchers have discovered a surge in LummaStealer activity, showing how one of the world's most prolific information-stealing malware operations managed to survive despite being almost brought down by law enforcement less than a year ago.

LummaStealer is a highly scalable information-stealing threat with a long history, having operated under a malware-as-a-service model since it appeared on the scene in late 2022.

The threat quickly evolved into one of the most widely deployed infostealers worldwide, supported by a large affiliate ecosystem and a constantly adapting delivery infrastructure.

Despite significant law-enforcement disruption efforts in 2025, LummaStealer operations continued, demonstrating resilience by rapidly migrating to new hosting providers and adapting alternative loaders and delivery techniques.
 
What Bitdefender is describing (and what your diagram shows) is a fairly common modern “cracked-software installer” infection chain: the user thinks they’re running a normal setup program, but it’s really a loader chain whose job is to run script-based stages and then pull/launch the real payload (here, CastleLoader leading to LummaStealer).

What the diagram is showing (step-by-step)
  • A user visits a “cracked software” download site and gets a “Setup.exe” (often a legitimate-looking NSIS installer wrapper).
  • That installer drops a .js file to disk, using a path/filename that resembles the “cracked” app to reduce suspicion.
  • The installer launches Windows Script Host (wscript.exe) to execute the dropped JavaScript.
  • That script then runs an AutoIt interpreter with a CastleLoader script (AutoIt is legitimate software, but commonly abused to run obfuscated logic).
  • In parallel, it uses schtasks.exe to create persistence (a scheduled task so the loader can survive reboots and re-run).

Why this is effective for attackers
  • It blends into normal Windows components (wscript.exe, schtasks.exe) and common installer tech (NSIS).
  • Script stages are easy to change quickly, which helps operations “survive” takedowns and disruption.
  • Scheduled tasks are a simple, reliable persistence method that many users won’t notice.

Practical defenses (high value, low risk)
  • Avoid cracks/keygens entirely (this is the dominant initial access vector in many infostealer cases).
  • If you manage multiple PCs: consider blocking or restricting Windows Script Host (wscript.exe/cscript.exe) where it’s not needed (via policy), because many environments do not legitimately require it.
  • Enable strong endpoint protections and hardening features where available (e.g., Microsoft Defender ASR rules / controlled folder access / SmartScreen; enterprise users can use AppLocker/WDAC to restrict script interpreters and “living-off-the-land” binaries).
  • Use MFA on important accounts and prefer passkeys/authenticator apps; infostealers primarily target browser-stored credentials/session tokens.

If someone already ran a “Setup.exe” like this
  • Disconnect the PC from the network (limits additional data theft and lateral movement).
  • From a clean device, change passwords for email, banking, and any account that was logged into on that PC; revoke sessions where possible and enable MFA.
  • Run full scans with reputable security software (at minimum: Microsoft Defender Offline scan + one well-known second-opinion scanner).
  • Check for persistence: review Scheduled Tasks (Task Scheduler) and suspicious startup entries. If you’re not comfortable doing this safely, it’s better to request guided help.
  • For a thorough cleanup on MalwareTips: post in the malware removal section with the requested logs (commonly FRST logs are used there), and wait for an expert member to walk you through it.

Key takeaway: this isn’t just “a bad installer” — it’s a loader-to-infostealer pipeline designed for credential theft and persistence. The safest next step, if execution happened, is containment + credential hygiene + guided cleanup with proper logs.
 
Technical Analysis & Remediation

MITRE ATT&CK Mapping
  • T1204.002 (User Execution: Malicious File): user tricked into running "Setup.exe" or pasting code.
  • T1059.001 (Command and Scripting Interpreter: PowerShell): "ClickFix" injects malicious PowerShell directly into the clipboard.
  • T1027.003 (Obfuscated Files or Information: Steganography): CastleLoader hides payloads inside PNG IDAT chunks.
  • T1568.002 (Dynamic Resolution: Domain Generation Algorithms): CastleLoader generates "failed" DNS lookups to signal C2s.

The "ClickFix" Vector (Initial Access)
  • Mechanism: users are presented with a fake error (e.g., "Word Connect Error" or "Verification Failed") and instructed to click a button to "fix" it.
  • The Injection: clicking copies a malicious script to the clipboard. The user is then socially engineered to press Win+R (Run), Ctrl+V (Paste), and Enter.
  • Telemetry (PowerShell):
    Code:
    powershell.exe -w h -nop -c "..."
    -w h: Hidden Window (invisible execution).
    -nop: No Profile (bypasses profile logging).
  • Observed C2: hxxp[:]//185[.]102[.]115[.]69

The CastleLoader Pipeline (Execution & Persistence)
  • Loader Logic: if a file is downloaded instead (e.g., fake crack), Setup.exe drops a .js file executed by wscript.exe.
  • Evasion: it utilizes the AutoIt interpreter to run the loader in memory.
  • Network Signature: the malware generates noise by querying random, non-existent domains (resulting in NXDOMAIN responses) to mask its actual C2 traffic.

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)

GOVERN (GV) – Policy & Risk
  • Update the Incident Response Plan to include "Clipboard Injection" as a specific vector.
  • Brief L1/L2 Support: "Users reporting 'I pasted code to fix an error' must be treated as a full compromise, not a software glitch."

DETECT (DE) – Monitoring & Hunting
  • SIEM: alert on process creation where explorer.exe is the parent of powershell.exe with arguments containing -w h (Window Hidden) or EncodedCommand.
  • Network: monitor for endpoints generating a high burst of NXDOMAIN (DNS failure) responses in a short window (CastleLoader beaconing).
  • Endpoint: flag any wscript.exe or cscript.exe instance connecting to the internet.

RESPOND (RS) – Mitigation
  • Isolate the host immediately. The "ClickFix" vector often grants immediate C2 access.
  • Terminate active powershell.exe, wscript.exe, and any unknown AutoIt3.exe processes.
  • Purge the user's %TEMP% folder (look for pfhq.ps1 or similar script artifacts).

RECOVER (RC) – Restoration
  • Reset all session cookies and tokens (O365, Okta, VPN). LummaStealer exfiltrates these instantly.
  • Re-image the device. The use of Scheduled Tasks (schtasks.exe) and registry keys makes manual cleanup risky.

IDENTIFY & PROTECT (PR) – Hardening
  • Attack Surface Reduction (ASR) Rule: Block JavaScript or VBScript from launching downloaded executable content.
  • Deploy a Group Policy Object (GPO) to associate .js, .vbs, and .wsf files with Notepad.exe instead of Windows Script Host.

Remediation - THE HOME USER TRACK (Safety Focus)

Priority 1: Safety (Stop the Bleeding)
  • Disconnect from the internet immediately (pull the Ethernet cable or toggle Wi-Fi off).
  • Do not use this computer for banking, email, or shopping until it is wiped.

Priority 2: Identity (The Real Target)
  • Using a different device (like your smartphone on 5G/LTE), change your passwords for:
      • Email (Gmail, Outlook) - do this first.
      • Banking & Finance.
      • Steam/Discord/Epic Games (common targets).
  • Force a "Log out of all devices" on your Google/Apple accounts to kill the stolen session cookies.

Priority 3: Cleanup & Persistence
  • Check the "Startup" tab in Task Manager for suspicious entries (random names or "Program").
  • Run a full scan with Microsoft Defender Offline (Settings > Privacy & Security > Windows Security > Virus & threat protection > Scan options > Microsoft Defender Antivirus (offline scan)).

Hardening & References
  • Baseline: CIS Benchmark for Windows 10/11 (Scripting Engine Restrictions).
  • Framework: NIST CSF 2.0 (PR.AT-01: User Training).
  • Sources: Bitdefender Labs
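Added example (not Bitdefender's code or either poster's tooling): the DETECT rules from the enterprise track above (explorer.exe spawning hidden or encoded PowerShell, NXDOMAIN bursts) and the Setup.exe -> wscript.exe -> schtasks.exe chain from the earlier reply, written as two hunting functions run over constructed sample process-creation and DNS events. The event tuple layout, the sample values and the 10-NXDOMAIN-in-60-seconds threshold are assumptions made for this example.

```python
from collections import deque

# Constructed sample telemetry; field layout and values are assumptions, not a real SIEM schema.
TMP = r"C:\Users\u\AppData\Local\Temp"
PROC_EVENTS = [  # (host, parent image, image, command line)
    ("PC1", "explorer.exe", "powershell.exe", 'powershell.exe -w h -nop -c "..."'),  # ClickFix paste
    ("PC2", "Setup.exe", "wscript.exe", rf"wscript.exe {TMP}\crackapp.js"),         # dropped .js
    ("PC2", "wscript.exe", "schtasks.exe", rf"schtasks.exe /create /tn Updater /tr {TMP}\AutoIt3.exe"),
    ("PC3", "explorer.exe", "powershell.exe", r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"),
    ("PC4", "explorer.exe", "powershell.exe", "powershell.exe -nop -enc SQBFAFgA"),  # encoded command
]
DNS_EVENTS = [("PC2", 100 + i, "NXDOMAIN") for i in range(12)] + [("PC3", 100, "NXDOMAIN"), ("PC3", 300, "NXDOMAIN")]
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

def hunt_process_events(events):
    """Return (host, rule) pairs for (host, parent, image, cmdline) events matching the thread's indicators."""
    alerts = []
    for host, parent, image, cmd in events:
        parent, image, cmd = parent.lower(), image.lower(), cmd.lower()
        toks = cmd.split()
        if parent == "explorer.exe" and image == "powershell.exe":
            # "-w h" / "-WindowStyle Hidden", or any abbreviation of -EncodedCommand (-e, -enc, ...)
            hidden = any(t in ("-w", "-win", "-windowstyle") and toks[i + 1:i + 2] in (["h"], ["hidden"])
                         for i, t in enumerate(toks))
            encoded = any(len(t) > 1 and "-encodedcommand".startswith(t) for t in toks)
            if hidden or encoded:
                alerts.append((host, "explorer_spawned_hidden_or_encoded_powershell"))
        if image in SCRIPT_HOSTS and cmd.endswith((".js", ".vbs", ".wsf")) and any(p in cmd for p in USER_WRITABLE):
            alerts.append((host, "script_host_running_script_from_user_writable_path"))
        if image == "schtasks.exe" and "/create" in toks and (parent in SCRIPT_HOSTS or parent.startswith("autoit")):
            alerts.append((host, "scheduled_task_created_by_script_interpreter"))
    return alerts

def nxdomain_bursts(events, threshold=10, window=60):
    """Hosts with at least `threshold` NXDOMAIN answers inside any `window`-second span (CastleLoader noise)."""
    recent, flagged = {}, set()
    for host, ts, rcode in sorted(events, key=lambda e: e[1]):
        if rcode != "NXDOMAIN":
            continue
        q = recent.setdefault(host, deque())
        q.append(ts)
        while ts - q[0] > window:  # drop answers older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(host)
    return flagged
```

PC3 (an admin running a script with -NoProfile from a visible window) is deliberately left unflagged, since -nop alone is not what the SIEM rule keys on.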
 