Tag: malware

Gaming Gear

A popular WordPress theme has been hijacked by malware – here’s what we know

by admin June 23, 2025



  • ‘Motors’ WordPress theme vulnerability leaves accounts open to takeover attacks
  • Widespread attacks were observed from June 7 onwards
  • A patch is available in version 5.6.68, so update now

A popular premium WordPress theme has been exploited by hackers thanks to a critical privilege escalation flaw tracked as CVE-2025-4322.

Attackers are able to exploit the vulnerability in the ‘Motors’ theme to hijack administrator accounts, taking full control of sites to alter site details, inject false information and spread malicious payloads.

Developed by StylemixThemes and a popular pick among automotive websites, nearly 22,500 sales of the theme have been logged on EnvatoMarket.



‘Motors’ WordPress theme has been hijacked

The vulnerability was first discovered on May 2, 2025, and a patch was released in version 5.6.68 on May 14, meaning that sites running the current version should be protected from account takeovers. Versions up to 5.6.67 are affected by the CVE; Wordfence reported the details on May 19.

“This is due to the theme not properly validating a user’s identity prior to updating their password,” Wordfence explained.

“This makes it possible for unauthenticated attackers to change arbitrary user passwords, including those of administrators, and leverage that to gain access to their account.”

Although the patch has already been released, sites that are still running older versions are at risk of takeover; attacks were seen to have started on May 20. By June 7, researchers were observing wide-scale attacks – Wordfence has now blocked more than 23,000 attack attempts.


Wordfence also disclosed a number of key IP addresses seen to be attacking sites – many making thousands of attempts each.

“One obvious sign of infection is if a site’s administrator is unable to log in with the correct password as it may have been changed as a result of this vulnerability,” the researchers explained.

The most important step users of the ‘Motors’ theme can take is to update to version 5.6.68, closing the vulnerability to attackers and securing their accounts against takeover.

Via BleepingComputer





Gaming Gear

Malicious Discord invites are targeting gamers with fake servers, stolen wallets, and malware disguised as game hacks

by admin June 21, 2025



  • Cybercriminals are recycling expired Discord links to launch silent, devastating multi-stage malware attacks
  • A fake Discord bot tricks users into running PowerShell commands disguised as CAPTCHA fixes
  • Old community invite links now lead to malware servers stealing your data and digital assets

Cybercriminals are increasingly exploiting a lesser-known flaw in Discord’s invitation system to target unsuspecting users, particularly gamers, new research has claimed.

Research from Check Point found that attackers are able to re-register previously valid invite links as custom vanity URLs.

The tactic involves hijacking expired or deleted Discord invite links that were once legitimate and trusted, and redirecting them to malicious servers hosting multi-stage malware campaigns.



From trusted links to dangerous redirects

These hijacked links, often embedded in old forum posts, community pages, or social media, are being used to silently funnel users to Discord servers operated by threat actors.

Once on these fake servers, users are greeted with what appears to be a standard verification process.

A bot named “Safeguard” prompts visitors to click a “Verify” button, which initiates an OAuth2 process and redirects them to a phishing site.

The site employs a social engineering method called “ClickFix,” where users are tricked into copying and running a PowerShell command under the guise of fixing a broken CAPTCHA.


This action silently launches the malware installation chain, with the attackers using cloud services such as Pastebin, GitHub, and Bitbucket to deliver the payloads in multiple stages, allowing them to blend into normal network traffic.

Initial scripts download executables that retrieve further encrypted payloads, which include AsyncRAT, a tool that gives attackers remote control over infected systems, and a tailored variant of the Skuld Stealer designed to extract credentials and cryptocurrency wallet data.

Gamers have become a prime target, with campaigns even disguising malware as tools like The Sims 4 DLC unlockers – one archive named Sims4-Unlocker.zip was downloaded over 350 times, highlighting the campaign’s reach.

Through clever evasion techniques such as delayed execution and command-line argument checks, the malware often bypasses detection from even the best antivirus software.

The threats extend beyond typical malware infections. The Skuld Stealer used in these attacks can extract crypto wallet seed phrases and passwords, effectively granting full control over victims’ digital assets.

Considering the focus on cryptocurrency theft and credential harvesting, individuals should reinforce their defenses with robust identity theft protection services.

These tools can monitor for unauthorized use of personal information, alert users to breaches, and assist in recovering compromised digital identities.

While some might assume that endpoint protection tools would shield them from these tactics, the multi-layered, modular structure of the attack often flies under the radar.

To stay safe, users must be wary of Discord invite links, especially those embedded in old content. Also, avoid running unexpected scripts or following suspicious verification steps.





NFT Gaming

North Korea Targets Crypto Professionals With New Malware in Hiring Scams

by admin June 20, 2025



In brief

  • North Korean hackers are targeting crypto professionals with fake job interviews to deploy new Python-based malware, PylangGhost.
  • The malware steals credentials from 80+ browser extensions, including Metamask and 1Password, and enables persistent remote access.
  • Attackers pose as recruiters from firms like Coinbase and Uniswap, tricking victims into running malicious commands disguised as video driver installs.

North Korean hackers are luring crypto professionals into elaborate fake job interviews designed to steal their data and deploy sophisticated malware on their devices.

A new Python-based remote access trojan called “PylangGhost” has been linked to a North Korean-affiliated hacking collective called “Famous Chollima,” also known as “Wagemole,” threat intelligence research firm Cisco Talos reported on Wednesday.

“Based on the advertised positions, it is clear that the Famous Chollima is broadly targeting individuals with previous experience in cryptocurrency and blockchain technologies,” the firm wrote.

The campaign primarily targets crypto and blockchain professionals in India, using fraudulent job sites that impersonate legitimate companies, including Coinbase, Robinhood, and Uniswap.

The scheme begins with fake recruiters directing job seekers to skill-testing websites where victims enter personal details and answer technical questions. 

After completing the assessments, candidates are instructed to enable camera access for a video interview and then prompted to copy and execute malicious commands disguised as video driver installations.

Dileep Kumar H V, director at Digital South Trust, told Decrypt that to counter these scams, “India must mandate cybersecurity audits for blockchain firms and monitor fake job portals.”

A vital need for awareness

“CERT-In should issue red alerts, while MEITY and NCIIPC must strengthen global coordination on cross-border cybercrime,” he said, calling for “stronger legal provisions” under the IT Act and “digital awareness campaigns.”

The newly discovered PylangGhost malware can steal credentials and session cookies from over 80 browser extensions, including popular password managers and crypto wallets such as Metamask, 1Password, NordPass, and Phantom. 

The Trojan establishes persistent access to infected systems and executes remote commands from command-and-control servers.



This latest operation aligns with North Korea’s broader pattern of crypto-focused cybercrime, which includes the notorious Lazarus Group, responsible for some of the industry’s largest heists.

Apart from stealing funds directly from exchanges, the regime is now targeting individual professionals to gather intelligence and potentially infiltrate crypto companies from within. 

The group has been conducting hiring-based attacks since at least 2023 through campaigns like “Contagious Interview” and “DeceptiveDevelopment,” which have targeted crypto developers on platforms including GitHub, Upwork, and CryptoJobsList. 

Mounting cases

Earlier this year, North Korean hackers established fake U.S. companies—BlockNovas LLC and SoftGlide LLC—to distribute malware through fraudulent job interviews before the FBI seized the BlockNovas domain.

The PylangGhost malware is functionally equivalent to the previously documented GolangGhost RAT, sharing many of the same capabilities. 

The Python-based variant specifically targets Windows systems, while the Golang version continues to target macOS users. Linux systems are notably excluded from these latest campaigns.

The attackers maintain dozens of fake job sites and download servers, with domains designed to appear legitimate, such as “quickcamfix.online” and “autodriverfix online,” according to the report. 

A joint statement from Japan, South Korea, and the U.S. confirmed that North Korean-backed groups, including Lazarus, stole at least $659 million through multiple cryptocurrency heists in 2024.

In December 2024, the $50 million Radiant Capital hack began when North Korean operatives posed as former contractors and sent malware-laden PDFs to engineers. 

Similarly, crypto exchange Kraken revealed in May that it successfully identified and thwarted a North Korean operative who applied for an IT position, catching the applicant when they failed basic identity verification tests during interviews.

Edited by Sebastian Sinclair





Crypto Trends

Interpol Infostealer Malware Crackdown Leads to 32 Arrests

by admin June 12, 2025



In brief

  • Global police organization Interpol has led a crackdown on infostealers codenamed Operation Secure.
  • Police forces around the world arrested 32 suspects as part of the operation, which took down over 20,000 suspicious IPs and domains.
  • Infostealer malware is used to steal data such as browser credentials, passwords and cryptocurrency wallet contents.

Police forces around the world have made 32 arrests as part of a major operation cracking down on infostealer malware led by Interpol.

Operation Secure saw law enforcement agencies from 26 countries work to locate the servers, map physical networks and ultimately execute the targeted takedowns, according to a statement released by Interpol.

20,000 malicious IPs and domains taken down in #INTERPOL infostealer crackdown

During Operation Secure, police from 26 countries worked to locate servers, map physical networks and execute targeted takedowns, arresting 32 suspects linked to illegal cyber activities.

— INTERPOL (@INTERPOL_HQ) June 11, 2025

More than 20,000 IPs and domains were taken down as part of the operation, and over 100GB of data seized across 41 servers. The takedown reportedly neutralized 79% of the suspicious IP addresses identified by Interpol, with assistance from private sector partners including Kaspersky, Trend Micro and Group-IB.

The sweep saw 18 suspects arrested in Vietnam, 12 in Sri Lanka and a further two in Nauru. In the Vietnam arrests the group leader was found with over VND 300 million ($11,500) in cash.

In a statement, Neal Jetton, Interpol’s Director of Cybercrime, said that the operation “has once again shown the power of intelligence sharing in disrupting malicious infrastructure and preventing large-scale harm to both individuals and businesses.”

What are infostealers?

Infostealer malware is typically used to infiltrate organizational networks in order to steal browser credentials, cookies, passwords, credit card details and cryptocurrency wallet data.

Logs harvested by infostealers are increasingly being traded on the cybercriminal underground to enable further attacks. These include ransomware, data breaches, fraud schemes and more.

Following Operation Secure, the authorities notified over 216,000 victims and potential victims to take immediate action to secure themselves. This includes changing passwords, freezing accounts and removing unauthorized access.

Speaking to Decrypt, Dmytro Yasmanovych, Compliance Services Lead at blockchain security auditor Hacken praised the operation but warned that infostealer networks are “highly resilient—reconstituting infrastructure via bullet-proof hosting and fast-rotating domains.”

Yasmanovych noted that for Web3 organizations, compliance alone isn’t enough. “Effective defense requires a fusion of robust endpoint hardening, continuous on-chain and off-chain monitoring, and real-time threat‐intelligence sharing,” he said. “Only through this multilayered, proactive posture can the industry stay ahead of rapidly evolving infostealer campaigns targeting crypto wallets and private keys.”

Hacken’s Senior Blockchain Protocol Security Auditor Ali Ashar added that, “To convert this win into lasting disruption, momentum needs to continue,” pointing to the importance of “timely victim alerts, ongoing public-private intel sharing, and follow‑up enforcement.”







Gaming Gear

A worrying Windows SecureBoot issue could let hackers install malware – here’s what we know, and whether you need to update

by admin June 11, 2025



  • Binarly spotted a legitimate utility, trusted on most modern systems utilizing UEFI firmware, carrying a flaw
  • The flaw allowed threat actors to deploy bootkit malware
  • Microsoft patched it in the June 2025 Patch Tuesday cumulative update

Microsoft has fixed a Secure Boot vulnerability that allowed threat actors to turn off security solutions and install bootkit malware on most PCs.

Security researchers at Binarly recently discovered a flaw in a legitimate BIOS update utility signed with Microsoft’s UEFI CA 2011 certificate. This root certificate, used in the Unified Extensible Firmware Interface (UEFI) Secure Boot process, plays a central role in verifying the authenticity and integrity of bootloaders, operating systems, and other low-level software before a system boots.

According to the researchers, the utility is trusted on most modern systems utilizing UEFI firmware – but the problem stems from the fact it reads a user-writable NVRAM variable without proper validation, meaning an attacker with admin access to an operating system can modify the variable and write arbitrary data to memory locations during the UEFI boot process.



Binarly managed to use this vulnerability to disable Secure Boot and allow any unsigned UEFI modules to run. In other words, they were able to disable security features and install bootkit malware that cannot be removed even if the hard drive is replaced.

The vulnerable module had been circulating in the wild since 2022, and was uploaded to VirusTotal in 2024 before being reported to Microsoft in late February 2025.

Microsoft recently released the June edition of Patch Tuesday, its cumulative update addressing a number of recently discovered vulnerabilities – among them the arbitrary write vulnerability in Microsoft-signed UEFI firmware, now tracked as CVE-2025-3052. It was assigned a severity score of 8.2/10 (high).

The company also determined that the vulnerability affected 14 modules in total, and has now fixed all of them.


“During the triage process, Microsoft determined that the issue did not affect just a single module as initially believed, but actually 14 different modules,” Binarly said. “For this reason, the updated dbx released during the Patch Tuesday on June 10, 2025 contains 14 new hashes.”

Via BleepingComputer





Gaming Gear

Friendly fire: Hackers target their own with fake malware and gaming cheats

by admin June 9, 2025



  • Sophos says it was tipped off to the existence of Sakura RAT
  • An in-depth investigation uncovered more than a hundred backdoored GitHub projects
  • They are all targeting wannabe hackers and game cheaters

It’s a ‘dog eat dog’ world out there: Sophos’ security researchers have uncovered a major hacking operation targeting other hackers, with people who cheat in computer games also among the targets.

In an in-depth analysis posted recently, Sophos said a customer asked if its platform protected against a piece of malware found on GitHub, called Sakura RAT. They were apparently interested in the open source project after media claims of “sophisticated anti-detection capabilities.”

Sophos quickly realized that Sakura RAT is harmless to its intended victims – it is only a risk to those who compile it and try to distribute it to other people.



Down the rabbit hole

“In other words, Sakura RAT was backdoored,” Sophos explained.

The RAT itself wasn’t that peculiar, either. Most of the code was copied from the popular AsyncRAT, and many of the forms inside were left empty, which means it wouldn’t even operate properly on the target device.

But the RAT led the team “down a rabbit hole of obfuscation, convoluted infection chains, identifiers, and multiple backdoor variants.”

Apparently, the person(s) behind the RAT – alias ischhfd83 – actually created more than a hundred backdoored malware variants, all designed to target newbie threat actors and people looking for game cheats.


In total, Sophos found 141 repositories from the same threat actors, 133 of which were backdoored in different ways, and 111 of which contained Sakura.

The majority (58%) were advertised as game cheats, 24% as malware projects, 7% as bots, 5% as crypto tools, and 6% as other miscellaneous tools.

The campaign started in 2024, the researchers added, suggesting that it was targeting newbies because advanced threat actors would run such projects in a sandbox environment. Furthermore, they would analyze the project’s owner and the comments, and quickly realize most of the interaction is done by bots with almost identical names.

Sophos did not attribute the campaign to any particular threat actor, but said it was rather successful.





Gaming Gear

Hackers are hijacking forgotten subdomains to spread malware through trusted sites; this overlooked trick could hit you next

by admin June 1, 2025



  • Outdated DNS records create invisible openings for criminals to spread malware through legitimate sites
  • Hazy Hawk turns misconfigured cloud links into silent redirection traps for fraud and infection
  • Victims think they’re visiting a real site, until popups and malware take over

A troubling new online threat is emerging in which criminals hijack subdomains of major organizations, such as Bose, Panasonic, and even the US CDC (Centers for Disease Control and Prevention), to spread malware and perpetrate online scams.

As flagged by security experts Infoblox, at the center of this campaign is a threat group known as Hazy Hawk, which has taken a relatively quiet but highly effective approach to compromise user trust and weaponize it against unsuspecting visitors.

These subdomain hijackings are not the result of direct hacking but rather of exploiting overlooked infrastructure vulnerabilities.



An exploit rooted in administrative oversight

Instead of breaching networks through brute force or phishing, Hazy Hawk exploits abandoned cloud resources linked to misconfigured DNS CNAME records.

These so-called “dangling” records occur when an organization decommissions a cloud service but forgets to update or delete the DNS entry pointing to it, leaving the subdomain vulnerable.

For example, a forgotten subdomain like something.bose.com might still point to an unused Azure or AWS resource, and if Hazy Hawk registers the corresponding cloud instance, the attacker suddenly controls a legitimate-looking Bose subdomain.

This method is dangerous because misconfigurations are not typically flagged by conventional security systems.


The repurposed subdomains become platforms for delivering scams, including fake antivirus warnings, tech support cons, and malware disguised as software updates.

Hazy Hawk doesn’t just stop at hijacking – the group uses traffic distribution systems (TDSs) to reroute users from hijacked subdomains to malicious destinations.

These TDSs, such as viralclipnow.xyz, assess a user’s device type, location, and browsing behavior to serve up tailored scams.

Often, redirection begins with seemingly innocuous developer or blog domains, like share.js.org, before shuffling users through a web of deception.

Once users accept push notifications, they continue to receive scam messages long after the initial infection, establishing a lasting vector for fraud.

The fallout from these campaigns is more than theoretical and has affected high-profile organizations and firms like the CDC, Panasonic and Deloitte.

Individuals can guard against these threats by refusing push notification requests from unfamiliar sites and exercising caution with links that seem too good to be true.

For organizations, the emphasis must be on DNS hygiene. Failing to remove DNS entries for decommissioned cloud services leaves subdomains vulnerable to takeover.

Automated DNS monitoring tools, especially those integrated with threat intelligence, can help detect signs of compromise.

Security teams should treat these misconfigurations as critical vulnerabilities, not minor oversights.
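As an added illustration of the DNS-hygiene check described above (example code written for this page, not Infoblox’s tooling), the following Python script flags CNAME records whose cloud target no longer resolves, the exact condition that leaves a subdomain claimable. The provider suffix list, the example.com names and the zone it audits are all constructed; the resolver is injected so the audit runs offline.

```python
"""Flag dangling CNAME records of the kind Hazy Hawk takes over.

A subdomain is "dangling" when its CNAME points at a cloud-provider hostname
that no longer resolves (NXDOMAIN): the DNS entry outlived the cloud resource
behind it, so whoever can claim that hostname at the provider inherits the
subdomain. The resolver is injected so the audit runs offline here against a
constructed zone; a production run would pass a real lookup (dnspython etc.).
"""
from dataclasses import dataclass
from typing import Callable, List, Optional

# Illustrative suffixes of cloud hostnames that can be claimed by whoever
# registers the matching resource. Constructed for this example; extend it
# to the providers your organisation actually uses.
CLOUD_SUFFIXES = (
    ".cloudapp.azure.com",
    ".azurewebsites.net",
    ".blob.core.windows.net",
    ".trafficmanager.net",
    ".elasticbeanstalk.com",
    ".s3.amazonaws.com",
    ".cloudfront.net",
    ".herokuapp.com",
)

# resolve(name, rrtype) -> list of record strings, [] for "name exists but
# has no such record", or None for NXDOMAIN (the name does not exist at all).
Resolver = Callable[[str, str], Optional[List[str]]]


@dataclass
class Finding:
    subdomain: str
    cname_target: str
    provider_suffix: str
    status: str  # "dangling" | "ok" | "no-cname" | "unknown-target"


def cloud_suffix(host: str) -> Optional[str]:
    """Return the matching cloud suffix for host, or None if it is not one."""
    h = host.lower().rstrip(".")
    return next((s for s in CLOUD_SUFFIXES if h.endswith(s)), None)


def check_subdomain(name: str, resolve: Resolver) -> Finding:
    cname = resolve(name, "CNAME")
    if not cname:
        return Finding(name, "", "", "no-cname")
    target = cname[0].rstrip(".")
    suffix = cloud_suffix(target)
    if suffix is None:
        # Not a claimable cloud name; out of scope for this takeover pattern.
        return Finding(name, target, "", "unknown-target")
    # NXDOMAIN on the target is the tell: the record points into the void.
    # Some providers answer with a placeholder instead of NXDOMAIN, so treat
    # this as one signal and confirm in the provider's console before acting.
    if resolve(target, "A") is None:
        return Finding(name, target, suffix, "dangling")
    return Finding(name, target, suffix, "ok")


def audit(names: List[str], resolve: Resolver) -> List[Finding]:
    return [check_subdomain(n, resolve) for n in names]


def dangling_subdomains(names: List[str], resolve: Resolver) -> List[str]:
    return [f.subdomain for f in audit(names, resolve) if f.status == "dangling"]


# Constructed zone standing in for live DNS; example.com is a placeholder.
FAKE_ZONE = {
    ("assets.example.com", "CNAME"): ["old-cdn-12345.cloudfront.net."],
    ("old-cdn-12345.cloudfront.net", "A"): None,           # decommissioned
    ("www.example.com", "CNAME"): ["live-site.azurewebsites.net."],
    ("live-site.azurewebsites.net", "A"): ["203.0.113.10"],
    ("mail.example.com", "CNAME"): [],                      # plain A record
    ("mail.example.com", "A"): ["203.0.113.25"],
    ("partner.example.com", "CNAME"): ["portal.partner-corp.example."],
    ("portal.partner-corp.example", "A"): ["198.51.100.7"],
}
SAMPLE_NAMES = ["assets.example.com", "www.example.com",
                "mail.example.com", "partner.example.com"]


def fake_resolve(name: str, rrtype: str) -> Optional[List[str]]:
    """Offline stand-in for a DNS lookup; unknown names behave as NXDOMAIN."""
    return FAKE_ZONE.get((name.rstrip("."), rrtype))


if __name__ == "__main__":
    for f in audit(SAMPLE_NAMES, fake_resolve):
        print(f"{f.subdomain:<22} {f.status:<15} {f.cname_target}")
```

Run periodically against an export of your own zones, the "dangling" findings are the records to delete or re-point before someone else claims the target.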





Gaming Gear

Microsoft’s Smart App Control blocks malware and has ‘lighter impact on your PC’s performance’

by admin May 25, 2025



With Windows 11 22H2, Microsoft introduced a new component to its security suite, aiming to prevent malicious applications, dubbed Smart App Control (SAC). This feature complements Microsoft Defender, blocking untrusted or unknown code from executing on a proactive basis. Now, in an updated blog post pushing the feature, Microsoft claims a performance boost compared to traditional AV solutions, though small print indicates you will require a fresh Windows installation to use this feature.

Traditional antivirus software, such as Microsoft Defender, adopts an “Innocent until proven guilty” approach. These solutions are largely reactive, trusting programs until their behavior triggers an alert. Microsoft Defender employs signature-based detection, behavioral checks (heuristics), and cloud protection to prevent malicious software on your system. When faced with novel (zero-day) malware or polymorphic threats, which can bypass signature checks, Defender falls back to heuristics, observing the malware’s actions until it detects suspicious behavior.

Here’s where Smart App Control enters the fray, employing a proactive methodology that operates on the principle of “Guilty until proven innocent.” It assesses an application’s security by vetting it against Microsoft’s Intelligent Security Graph (a cloud-based reputation service). If this test is inconclusive, it attempts to validate the application’s digital signature to ensure it originates from a trusted developer. The application is blocked by Windows Security if it is predicted to be malicious in the first check or found to be unsigned in the second.



Essentially, SAC bypasses traditional behavioral checks by ensuring only verified applications can run on your system. Although Microsoft claims Smart App Control offers a performance boost over traditional antivirus solutions, it is designed to operate in parallel with Windows Defender. Unlike Windows Defender, if SAC deems a program malicious, it cannot be flagged as a false positive or whitelisted. As such, SAC is likely to be a poor fit for enthusiasts or developers, better serving enterprise systems or individuals who aren’t as tech-savvy.

To prevent such conflicts, Microsoft runs Smart App Control through an evaluation phase to determine if this feature would hinder your day-to-day activities. This is a one-way street: if SAC is deemed unsuitable for your system, it will be disabled and can only be re-enabled by reinstalling Windows. Likewise, if you decide to turn it off yourself, you won’t be able to simply switch it back on.





GameFi Guides

FBI Takes Down $24 Million Crypto Cache from Russian Malware Mastermind

by admin May 24, 2025



The US Department of Justice (DOJ) has filed a civil forfeiture complaint to seize over $24 million in cryptocurrency assets tied to Rustam Rafailevich Gallyamov, a Russian national accused of leading the development and distribution of the Qakbot malware.

According to a press release issued on May 22, the DOJ alleges Gallyamov played a central role in deploying Qakbot as part of a broader cybercrime operation that infected computers globally and enabled ransomware attacks.

From Malware Deployment to Global Ransomware Attacks

Federal prosecutors claim that Gallyamov, who resides in Moscow, operated the botnet infrastructure behind Qakbot, a sophisticated piece of malware first deployed in 2008. The malware was used to compromise computers and then provide access to co-conspirators, who executed ransomware campaigns using variants such as REvil, Conti, Black Basta, and Cactus.

In return, Gallyamov reportedly received a share of the ransom proceeds. The DOJ emphasized that this seizure reflects a continued international effort involving law enforcement agencies from the US, Europe, and Canada to disrupt cybercriminal networks.

According to the DOJ’s indictment, Gallyamov’s cyber operations intensified from 2019 onwards, as Qakbot was used to infiltrate thousands of systems and build an expansive botnet. Once compromised, these systems were handed off to ransomware operators.

In August 2023, a US-led multinational task force successfully disrupted the Qakbot network and seized various crypto assets tied to the scheme, including 170 BTC and millions in stablecoins such as USDT and USDC. Despite that takedown, the DOJ alleges that Gallyamov and his partners continued targeting victims using alternative methods.

The latest DOJ complaint details how the accused shifted tactics following the 2023 disruption, including employing “spam bomb” techniques that tricked employees into opening access to internal systems. Prosecutors assert that this newer approach allowed ransomware deployment to continue well into 2025.

These attacks reportedly included the use of Black Basta and Cactus ransomware to target victims in the United States. As part of the ongoing investigation, the FBI executed another seizure on April 25, 2025, retrieving over 30 BTC and more than $700,000 in stablecoins.

DOJ’s International Coordination and Recovery Efforts

The DOJ’s civil forfeiture complaint aims to formalize the seizure of over $24 million in illicit crypto proceeds, with the intent of returning those funds to victims. This effort underscores a coordinated global campaign involving the FBI’s Los Angeles and Milwaukee field offices, Europol, and cybersecurity divisions from France, Germany, the Netherlands, and other countries.

The DOJ credited this collaboration for enabling swift identification and disruption of Gallyamov’s operations. Assistant US Attorneys from the Central District of California and officials from the DOJ’s Computer Crime and Intellectual Property Section are leading the prosecution.

In public remarks, DOJ and FBI officials reiterated their commitment to dismantling global cybercrime infrastructure and using all available legal tools including indictments, forfeiture actions, and international law enforcement cooperation to hold perpetrators accountable and compensate victims. US Attorney Bill Essayli for the Central District of California said:

The forfeiture action against more than $24 million in virtual assets also demonstrates the Justice Department’s commitment to seizing ill-gotten assets from criminals in order to ultimately compensate victims.

The global digital currency market cap valuation. | Source: TradingView.com





Gaming Gear

Microsoft and DOJ dismantle Lumma Stealer malware network in global takedown

by admin May 22, 2025



Microsoft, in partnership with the U.S. Department of Justice (DOJ), took a major step in dismantling one of the most prolific cybercrime tools currently in circulation. Microsoft’s Digital Crimes Unit (DCU) collaborated with the DOJ, Europol, and several global cybersecurity firms to disrupt the Lumma Stealer malware network — a malware-as-a-service (MaaS) platform implicated in hundreds of thousands of digital breaches worldwide.

According to Microsoft, Lumma Stealer infected over 394,000 Windows machines between March and mid-May 2025. The malware has been a favored tool amongst cybercriminals for stealing login credentials and sensitive financial information including cryptocurrency wallets. It’s been used for extortion campaigns against schools, hospitals, and infrastructure providers. According to the DOJ website, “the FBI has identified at least 1.7 million instances where LummaC2 was used to steal this type of information.”

With a court order from the U.S. District Court for the Northern District of Georgia, Microsoft took down roughly 2,300 malicious domains associated with Lumma’s infrastructure. The DOJ simultaneously took down five critical LummaC2 domains, which acted as command-and-control centers for cybercriminals deploying the malware. These domains now redirect to a government seizure notice.

International assistance came from Europol’s European Cybercrime Centre (EC3) and Japan’s JC3, who coordinated efforts to block regional servers. Cybersecurity firms like Bitsight, Cloudflare, ESET, Lumen, CleanDNS, and GMO Registry assisted in identifying and dismantling web infrastructure.

Inside the Lumma operation

Lumma, also known as LummaC2, has been operating since 2022, possibly earlier, and makes its info-stealing malware available for sale through encrypted forums and Telegram channels. The malware is designed for ease of use and is often bundled with obfuscation tools to help it bypass antivirus software. Distribution techniques include spear-phishing emails, spoofed brand websites, and malicious online ads known as “malvertising.”

Cybersecurity researchers say Lumma is particularly dangerous because it allows criminals to rapidly scale attacks. Buyers can customize payloads, track stolen data, and even get customer support via a dedicated user panel. Microsoft Threat Intelligence previously linked Lumma to the notorious Octo Tempest gang, also known as “Scattered Spider.”

In one phishing campaign earlier this year, hackers were able to spoof Booking.com and used Lumma to harvest financial credentials from unsuspecting victims.

Who’s behind it?

Authorities believe the developer of Lumma goes by the alias “Shamel” and operates out of Russia. In a 2023 interview, Shamel claimed to have 400 active clients and even bragged about branding Lumma with a dove logo and the slogan: “Making money with us is just as easy.”

Long-term disruption, not a knockout


While the takedown is significant, experts warn that Lumma and tools like it are rarely eradicated for good. Still, Microsoft and the DOJ say these actions severely hinder and disrupt criminal operations by cutting off their infrastructure and revenue streams. Microsoft will use the seized domains as sinkholes to gather intelligence and further protect victims.

This situation highlights the need for international cooperation in cybercrime enforcement. DOJ officials emphasized the value of public-private partnerships, while the FBI noted that court-authorized disruptions remain a critical tool in the government’s cybersecurity playbook.

As Microsoft’s DCU continues its work, this Lumma crackdown sets a strong precedent for what can be accomplished when industry and government specialists collaborate to eliminate threats.

As more of these organizations are uncovered and disrupted, remember to protect yourself by changing your passwords frequently and avoiding clicking links from unknown senders.
