A brief look at all things infostealers for week 8, 2025 (17.02.2025–23.02.2025). This week saw updates from the LummaC2 infostealer. I also grabbed some numbers from marketplaces and collected some interesting reports/articles about stealers.
Infostealer Updates
LummaC2
Note: The update posts are copy-pasted as is (and machine-translated if the post wasn’t available in English).
Update 17.02
- Added automatic leak prevention algorithms
- Added algorithms to counteract fraud from workers
- Added ability to freeze accounts if suspicious activity is detected
- Added ability to change password and unlog sessions as soon as possible
- Implemented a set of security measures
- Cleaning of LNK-builder

Screenshot from XSS forum
Marketplace Updates
This section provides some numbers taken from the marketplaces: the number of victims per stealer, the top 5 countries by number of victims, and the number of victims in the countries of the Nordic region.
RussianMarket
Stealers by number of victims
| Stealer name | Number of victims |
|---|---|
| Lumma | 7,518,426 |
| RisePro | 1,429,984 |
| Vidar | 1,293,265 |
| StealC | 1,005,451 |
| RedLine | 790,228 |
| Raccoon | 330,477 |
| Acreed | 4,317 |
Top 5 countries by number of victims
| Country | Number of victims |
|---|---|
| India | 1,238,071 |
| Brazil | 981,798 |
| Indonesia | 673,467 |
| Egypt | 624,302 |
| Pakistan | 605,340 |
Nordic region countries
| Country | Number of victims |
|---|---|
| Sweden | 20,074 |
| Denmark | 10,740 |
| Norway | 8,286 |
| Finland | 7,087 |
| Iceland | 1,039 |
| Faroe | 97 |
| Åland | 16 |
ExodusMarket
Stealers by number of victims
| Stealer name | Number of victims |
|---|---|
| Lumma | 91,896 |
| RedLine | 100,515 |
| Vidar | 56 |
| Unknown | 10 |
Top 5 countries by number of victims
| Country | Number of victims |
|---|---|
| Peru | 7,306 |
| Turkey | 7,177 |
| India | 6,308 |
| Pakistan | 6,285 |
| Vietnam | 5,822 |
Nordic region countries
| Country | Number of victims |
|---|---|
| Norway | 143 |
| Sweden | 96 |
| Denmark | 47 |
| Finland | 44 |
| Iceland | 10 |
Articles/News
Lumma Stealer Chronicles: PDF-themed Campaign Using Compromised Educational Institutions’ Infrastructure
- https://www.cloudsek.com/blog/lumma-stealer-chronicles-pdf-themed-campaign-using-compromised-educational-institutions-infrastructure
An Update on Fake Updates: Two New Actors, and New Mac Malware (FrigidStealer)
- https://www.proofpoint.com/us/blog/threat-insight/update-fake-updates-two-new-actors-and-new-mac-malware
ACRStealer Infostealer Exploiting Google Docs as C2
- https://asec.ahnlab.com/en/86390/
Rhadamanthys Infostealer Being Distributed Through MSC Extension
- https://asec.ahnlab.com/en/86391/
LummaC2 Malware Distributed Disguised as Total Commander Crack
- https://asec.ahnlab.com/en/86435/
Lumma Stealer Malware Thrives as Silent Push Uncovers Unique Patterns in the Infostealer’s Domain Clusters
- https://www.silentpush.com/blog/lumma-stealer/