A brief look at all things infostealers for the week 10, 2025 (03.03.2025–09.03.2025). This week observed updates from LummaC2 infostealer. Grabbed some numbers from marketplaces and have some interesting reports/articles about stealers.
Infostealer Updates
LummaC2
Note: The update posts are copy-pasted as is (and machine-translated if post wasn’t available in English)
Update 6.03
- Completely changed communication protocol between build and server
- Added packet encryption
- Added “in-the-moment” gasket rotation if the previous gasket became unavailable
- Added resend data if previous send failed
- Improved traversal for gaskets with warp from cloud
- Clean WD 10/11 + Cloud
Screenshot from XSS Forum
Marketplace Updates
This section provides some numbers taken from the marketplaces, which include numbers of victims based on stealers, top 5 countries, and the victim numbers in the countries of the Nordic region.
RussianMarket
Stealers by number of victims
| Stealer name | Number of victims |
|---|---|
| Lumma | 7,795,027 |
| RisePro | 1,429,817 |
| Vidar | 1,292,996 |
| StealC | 1,005,269 |
| RedLine | 790,106 |
| Raccoon | 330,308 |
| Acreed | 9,750 |
Top 5 countries by number of victims
| Country | Number of victims |
|---|---|
| India | 1,274,542 |
| Brazil | 1,001,728 |
| Indonesia | 688,806 |
| Egypt | 633,848 |
| Pakistan | 618,074 |
Nordic region countries
| Country | Number of victims |
|---|---|
| Sweden | 20,694 |
| Denmark | 11,153 |
| Norway | 8,615 |
| Finland | 7,314 |
| Iceland | 1,069 |
| Faroe | 101 |
| Åland | 16 |
ExodusMarket
Stealers by number of victims
| Stealer name | Number of victims |
|---|---|
| RedLine | 116,315 |
| Lumma | 101,859 |
| Vidar | 56 |
| Unknown | 10 |
Top 5 countries by number of victims
| Country | Number of victims |
|---|---|
| Peru | 7,306 |
| Turkey | 7,176 |
| India | 6,307 |
| Pakistan | 6,285 |
| Vietnam | 5,822 |
Nordic region countries
| Country | Number of victims |
|---|---|
| Norway | 143 |
| Sweden | 96 |
| Denmark | 47 |
| Finland | 44 |
| Iceland | 10 |
Articles/News
Exposing Russian EFF Impersonators: The Inside Story on Stealc & Pyramid C2
- https://hunt.io/blog/russian-speaking-actors-impersonate-etf-distribute-stealc-pyramid-c2
Prospering Lumma
- https://intelinsights.substack.com/p/prospering-lumma
Malvertising campaign leads to info stealers hosted on GitHub
- https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/
Kaspersky: stealer malware leaked over 2 million bank cards
- https://www.kaspersky.com/about/press-releases/kaspersky-stealer-malware-leaked-over-2-million-bank-cards
A Deep Dive into Strela Stealer and how it Targets European Countries
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/a-deep-dive-into-strela-stealer-and-how-it-targets-european-countries/