A brief look at all things infostealers for the week 19, 2025 (05.05.2025–11.05.2025). This week observed updates from LummaC2 infostealer. Grabbed some numbers from marketplaces and some interesting news/articles.
Infostealer Updates
LummaC2
Note: The update posts are copy-pasted as is (and machine-translated if post wasn’t available in English, possibly with some minor edits by me)
Update 5.05
- Added API token system, now you can manage issued tokens, share method permissions among services
Screenshot from XSS forum
Update 8.05
- Added ability to specify admin id in team settings to accept requests to join directly in Telegram
- Fixed LevelDB collection for Coinbase crypto extension
- Cleaned WD 10/11 + Cloud
Screenshot from XSS forum
Marketplace Updates
This section provides some numbers taken from the marketplaces, which include numbers of victims based on stealers, top 5 countries, and the victim numbers in the countries of the Nordic region.
RussianMarket
Stealers by number of victims
| Stealer name | Number of victims |
|---|---|
| Lumma | 8,796,399 |
| RisePro | 1,429,405 |
| Vidar | 1,332,728 |
| StealC | 1,005,459 |
| RedLine | 789,687 |
| Raccoon | 329,731 |
| Acreed | 46,823 |
| Rhadamanthys | 24,479 |
Top 5 countries by number of victims
| Country | Number of victims |
|---|---|
| India | 1,410,817 |
| Brazil | 1,075,442 |
| Indonesia | 742,733 |
| Egypt | 678,276 |
| Pakistan | 671,212 |
Nordic region countries
| Country | Number of victims |
|---|---|
| Sweden | 22,936 |
| Denmark | 12,194 |
| Norway | 9,587 |
| Finland | 8,059 |
| Iceland | 1,166 |
| Greenland | 174 |
| Faroe | 116 |
| Åland | 18 |
ExodusMarket
Stealers by number of victims
| Stealer name | Number of victims |
|---|---|
| Lumma | 307,159 |
| RedLine | 96,326 |
| Vidar | 43 |
| Unknown | 7,653 |
Top 5 countries by number of victims
| Country | Number of victims |
|---|---|
| India | 40,378 |
| Brazil | 27,425 |
| Indonesia | 23,063 |
| Philippines | 17,607 |
| Turkey | 16,842 |
Nordic region countries
| Country | Number of victims |
|---|---|
| Sweden | 869 |
| Denmark | 506 |
| Norway | 378 |
| Finland | 311 |
| Iceland | 53 |
Articles/News
Lumma Stealer, coming and going
- https://news.sophos.com/en-us/2025/05/09/lumma-stealer-coming-and-going/
InfoStealer: Investigating a Massive MacOS Watering Hole Campaign with ClickFix and EtherHiding
- https://badbyte.io/infostealer-macos-etherhiding/
New Noodlophile Stealer Distributes Via Fake AI Video Generation Platforms
- https://www.morphisec.com/blog/new-noodlophile-stealer-fake-ai-video-generation-platforms/
Lampion Is Back With ClickFix Lures
- https://unit42.paloaltonetworks.com/lampion-malware-clickfix-lures/
PupkinStealer : A .NET-Based Info-Stealer
- https://www.cyfirma.com/research/pupkinstealer-a-net-based-info-stealer/