A brief look at all things infostealers for week 11, 2025 (10.03.2025–16.03.2025). This week saw updates from the LummaC2, Xerph and Prysmax infostealers and the emergence of a stealer targeting macOS. I also grabbed some numbers from marketplaces and have some interesting reports/articles about infostealers.
If you have questions/suggestions/feedback/whatever, feel free to contact me.
Infostealer Updates
LummaC2
Note: The update posts are copy-pasted as is (and machine-translated if the post wasn’t available in English, possibly with some minor edits by me).
Update 11.03
- Fixed a bug where uploading from the password search page could be incomplete
- Fixed collection on Windows 7
- Cleaned WD 10/11 + Cloud
Screenshot taken from user’s post on XSS forum
Xerph
Note: The update posts are copy-pasted as is (and machine-translated if the post wasn’t available in English, possibly with some minor edits by me).
Xerph 1.1.8 Loader + Stealer (Update)
Changes:
- Resolved crashes in the browser recoverer (Passwords and CCs)
- Added +3 recoverable wallets:
  - Franko
  - Freicoin
  - Yacoin
Screenshot taken from user’s post on XSS forum
Prysmax
Note: The update posts are copy-pasted as is (and machine-translated if the post wasn’t available in English, possibly with some minor edits by me).
Prysmax v1.0.8
- Now the password shortener is much more efficient and faster
  It also shows how many results it found, how many processes are running, and you can export your search as ULP or in general.
- The country chart has been replaced with a world map chart.
- A new feature has been added to the Builder: “Pumper”
  You can now add weight to the file to your own liking.
- The Discord sorter has been updated
  Now it only allows exporting tokens for 24 hours, 7 days, and historical data.
Screenshot taken from Prysmax’s Telegram channel
mac.c
Refer to my earlier post: mac.c macOS Stealer
Marketplace Updates
This section provides some numbers taken from the marketplaces: the number of victims per stealer, the top 5 countries by number of victims, and the victim numbers for the countries of the Nordic region.
RussianMarket
Stealers by number of victims
Stealer name | Number of victims |
---|---|
Lumma | 7,986,936 |
RisePro | 1,429,732 |
Vidar | 1,293,736 |
StealC | 1,005,195 |
RedLine | 790,044 |
Raccoon | 330,191 |
Acreed | 14,011 |
Top 5 countries by number of victims
Country | Number of victims |
---|---|
India | 1,300,845 |
Brazil | 1,015,624 |
Indonesia | 699,396 |
Egypt | 640,509 |
Pakistan | 627,604 |
Nordic region countries
Country | Number of victims |
---|---|
Sweden | 21,020 |
Denmark | 11,293 |
Norway | 8,787 |
Finland | 7,426 |
Iceland | 1,089 |
Faroe | 104 |
Åland | 17 |
ExodusMarket
Stealers by number of victims
Stealer name | Number of victims |
---|---|
RedLine | 142,243 |
Lumma | 111,336 |
Vidar | 56 |
Unknown | 10 |
Top 5 countries by number of victims
Country | Number of victims |
---|---|
Peru | 7,306 |
Turkey | 7,176 |
India | 6,307 |
Pakistan | 6,285 |
Vietnam | 5,822 |
Nordic region countries
Country | Number of victims |
---|---|
Norway | 143 |
Sweden | 96 |
Denmark | 47 |
Finland | 44 |
Iceland | 10 |
Articles/News
AI-Assisted Fake GitHub Repositories Fuel SmartLoader and LummaStealer Distribution
- https://www.trendmicro.com/en_us/research/25/c/ai-assisted-fake-github-repositories.html