A brief look at all things infostealers for the week 17, 2025 (21.04.2025–27.04.2025). This week observed updates from LummaC2 and StealC infostealers. Grabbed some numbers from marketplaces and some interesting news/articles.
Infostealer Updates
LummaC2
Note: The update posts are copy-pasted as is (and machine-translated if post wasn’t available in English, possibly with some minor edits by me)
Update 23.04
- Added new method of collecting Chromium browsers, new collection of cookies, passwords, CVC/CVV codes, restor-tokens, etc. not requiring execution from the administrator
- Maximum price per log in the marketplace is now 100$
- Added rate translation on the marketplace page
- Fixed return of logs from the marketplace to the panel in case of large volume
- Added option to hide the statistics page
- Added NordVPN, OpenVPN to search by applications
- Fixed sending logs to Telegram when the archive may not match the description (not a full archive was sent).
- Fixed Chrome Beta build
- Cleaned WD 10/11 + Cloud
Screenshot taken from XSS forum
Update 25.04
- Reworked LNK-builder, added support for PDF/TXT/MKV/MP3/PNG/DOCX/PPTX/XLSX icons
- Cleaned LNK-builder
Screenshot taken from XSS forum
Update 26.04
- Cleaned WD 10/11 + Cloud
StealC V2
Note: The update posts are copy-pasted as is (and machine-translated if post wasn’t available in English, possibly with some minor edits by me)
Update stealc v2.3.0
Admin panel:
- added Brute.txt file to the root of the log – contains a list of unique passwords in the log
- added cookie_list.txt file to the root of the log – contains a list of unique domains in cookies in the log.
- improved tokens functionality – now correctly highlights specified domains in both passwords and cookies
- improved search by tokens – now search correctly processes a large number of domains
- fixed tg-bot, now tokens are correctly listed in the message
- fixed tg-bot, now the list of wallets is correctly listed in the message
- fixed creation of administrators (now when creating a user with admin rights he is automatically assigned access to all builds)
- improved mass-upload of logs from the panel, added possibility to upload all logs on request (Download button next to Search button)
- Download now responds to download/no download items
- decrypted MetaMask seed now also displays the password that matches the wallet.
Screenshot taken from XSS forum
Marketplace Updates
This section provides some numbers taken from the marketplaces, which include numbers of victims based on stealers, top 5 countries, and the victim numbers in the countries of the Nordic region.
RussianMarket
Stealers by number of victims
| Stealer name | Number of victims |
|---|---|
| Lumma | 8,598,392 |
| RisePro | 1,429,464 |
| Vidar | 1,310,089 |
| StealC | 1,005,600 |
| RedLine | 789,787 |
| Raccoon | 329,889 |
| Rhadamanthys | 24,521 |
| Acreed | 19,161 |
Top 5 countries by number of victims
| Country | Number of victims |
|---|---|
| India | 1,384,890 |
| Brazil | 1,060,117 |
| Indonesia | 732,430 |
| Egypt | 669,348 |
| Pakistan | 661,181 |
Nordic region countries
| Country | Number of victims |
|---|---|
| Sweden | 22,474 |
| Denmark | 11,915 |
| Norway | 9,365 |
| Finland | 7,907 |
| Iceland | 1,146 |
| Greenland | 172 |
| Faroe | 114 |
| Åland | 18 |
ExodusMarket
Stealers by number of victims
| Stealer name | Number of victims |
|---|---|
| Lumma | 321,762 |
| RedLine | 118,422 |
| Vidar | 54 |
| Unknown | 6,199 |
Top 5 countries by number of victims
| Country | Number of victims |
|---|---|
| India | 42,710 |
| Brazil | 27,598 |
| Indonesia | 24,609 |
| Philippines | 19,053 |
| Turkey | 17,763 |
Nordic region countries
| Country | Number of victims |
|---|---|
| Sweden | 904 |
| Denmark | 526 |
| Norway | 496 |
| Finland | 338 |
| Iceland | 56 |
Articles/News
Lumma Stealer – Tracking distribution channels
- https://securelist.com/lumma-fake-captcha-attacks-analysis/116274/
Infostealer Malware FormBook Spread via Phishing Campaign – Part I
- https://www.fortinet.com/blog/threat-research/infostealer-malware-formbook-spread-via-phishing-campaign-part-i
Unmasking the Evolving Threat: A Deep Dive into the Latest Version of Lumma InfoStealer with Code Flow Obfuscation
- https://www.trellix.com/blogs/research/a-deep-dive-into-the-latest-version-of-lumma-infostealer/
LummaStealer: The Invisible Thief in Your Network
- https://istrosec.com/blog/lumma-stealer-en/
From GitHub to Your Clipboard — Lumma Stealer Threat Hunting and Infrastructure Analysis
- https://medium.com/@cyb3r-hawk/lumma-stealer-threat-hunting-and-infrastructure-analysis-6e62a0e44c71
From Shadow to Spotlight: The Evolution of LummaStealer and Its Hidden Secrets
- https://www.cybereason.com/blog/threat-analysis-lummastealer-2.0
Malware Source Code Released (Sryxen Paid)