A brief look at all things infostealers for week 16, 2025 (14.04.2025–20.04.2025). This week saw updates from the LummaC2 and StealC infostealers. I also grabbed some numbers from marketplaces and collected some interesting news/articles.
Infostealer Updates
LummaC2
Note: The update posts are copy-pasted as is (and machine-translated if the post wasn’t available in English, possibly with some minor edits by me).
Update 13.04
- Added bot functionality for teams in the Corporate plan
- The following functionality is available when creating Telegram bot: enable sending logs to a worker in a private message, choose whether to send a file to him or not, automatically create a worker link when a request is approved, create a single chat for sending all logs and choose whether to send a file there or not
- Added the ability to format the message as you wish, all variables from Telegram knock are supported
- Available start message (when entering the command /start), as well as 9 buttons in the keyboard, it will be sent after approval of the application and when entering the command /start
- Added a “Change” button in the participants block that allows you to select default settings for team members: set delay and allow loading. The same settings will be taken into account in the worker link
Screenshot taken from XSS forum
Update 13.04
- Fixed error when defining HWID
- Clean WD 10/11 + Cloud
Screenshot taken from XSS forum
Update 14.04
- Added processing of restrictions on sending a message when knocking in Telegram
- Added subscription relevance check in API
- Improved indexing of log requests in the market when placing for sale
- Improved Sticky Notes collection and processing
Screenshot taken from XSS forum
Update 15.04
- Fixed “TigerVNC” collection
- Cleaned WD 10/11 + Cloud
Screenshot taken from XSS forum
Update 16.04
- Cleaning WD 10/11 + Cloud + Run-Time
Screenshot taken from XSS forum
Update 18.04
- Added /id command to get chat id in the bot for “Teams”
- Removed the limit on uploading logs. It is important to take into account that the more logs are uploaded, the longer it takes
- Fixed a problem when a delay in Telegram could affect the panel’s functionality.
- Cleaning WD 10/11 + Cloud + Run-Time
Screenshot taken from XSS forum
StealC
Note: The update posts are copy-pasted as is (and machine-translated if the post wasn’t available in English, possibly with some minor edits by me).
Update stealc v2.1.0
Build:
- reworked sending heavy files (last metamask update)
- now files are transferred in chunks of 256kb
- rewrote networking on wininet
Admin panel:
- changed logic for detecting duplicates for last 24 hours
- fixed ignoring duplicates by HWID
- changed calculation of log weight on logs page
- fixed link in telegram bot to download logs
- added statistics page
Screenshot taken from XSS forum
Update stealc v2.2.0
Build:
- continue to improve the delivery of files from builds to the server, added control of missing blocks with several attempts to resend
- returned rc4 encryption between build and server
- old builds will NOT work with the new admin panel
Admin panel:
- !!!! added Google Chrome v135 password decryption
- added (or rather, returned from v1) to the log information display to display build start path, system language, keyboard layout list, Windows version, CPU model (also cores/threads), amount of RAM, video card model
- improved built-in update functionality
- fixed bug, which could incorrectly install gate updates through the admin panel interface
- cookies inside the log are now duplicated in json in addition to netscape
- removed the fake error page, by which reservers could detect the host
- fixed log upload mass in admin panel
- fixed wallet counting, now counts not the number of files, but the number of wallets
- fixed %WALLETS_LIST% enumeration in telegram-bot
- fixed duplicate messages about incoming logs in telegram-bot
Screenshot taken from XSS forum
Marketplace Updates
This section provides some numbers taken from the marketplaces, which include numbers of victims based on stealers, top 5 countries, and the victim numbers in the countries of the Nordic region.
RussianMarket
Stealers by number of victims
Stealer name | Number of victims |
---|---|
Lumma | 8,498,052 |
RisePro | 1,429,493 |
Vidar | 1,310,230 |
StealC | 1,005,675 |
RedLine | 789,826 |
Raccoon | 329,953 |
Rhadamanthys | 24,550 |
Acreed | 18,768 |
Top 5 countries by number of victims
Country | Number of victims |
---|---|
India | 1,372,681 |
Brazil | 1,052,438 |
Indonesia | 726,698 |
Egypt | 665,172 |
Pakistan | 656,510 |
Nordic region countries
Country | Number of victims |
---|---|
Sweden | 22,253 |
Denmark | 11,803 |
Norway | 9,282 |
Finland | 7,838 |
Iceland | 1,141 |
Greenland | 171 |
Faroe | 111 |
Åland | 18 |
ExodusMarket
Stealers by number of victims
Stealer name | Number of victims |
---|---|
Lumma | 271,855 |
RedLine | 118,426 |
Vidar | 55 |
Unknown | 2,922 |
Top 5 countries by number of victims
Country | Number of victims |
---|---|
India | 39,190 |
Brazil | 23,427 |
Indonesia | 21,712 |
Philippines | 16,585 |
Turkey | 16,290 |
Nordic region countries
Country | Number of victims |
---|---|
Sweden | 713 |
Norway | 438 |
Denmark | 429 |
Finland | 281 |
Iceland | 47 |
Articles/News
Deep Dive into Infostealer Payloads and Evasion – Part 2
- https://erdalozkaya.com/deep-dive-into-infostealer-payloads/
Byte Bandits: How Fake PDF Converters Are Stealing More Than Just Your Documents
- https://www.cloudsek.com/blog/byte-bandits-how-fake-pdf-converters-are-stealing-more-than-just-your-documents