#BREAKING #ESETresearch can confirm the news of #Lumma Stealer's revival. ESET telemetry and botnet tracking show that operators are rebuilding their infrastructure, with their renewed activity reaching similar levels to those before the #disruption in May 2025.
Lumma Stealer operators are registering dozens of new domains weekly, resolving them primarily at nameservers located in RU. As seen with other threats in the past, this can complicate future attempts to disrupt its malicious operations.
In partnership with #Microsoft and other allies, ESET is tracking Lumma Stealer activity and continues to partially disrupt its operations, specifically by targeting its #Steam dead drop resolvers.
While ESET telemetry shows new Lumma Stealer builds weekly, their codebase hasn’t changed much since the takedown attempt. This suggests that the attackers had to focus on operational recovery instead of innovation.
C&C data show reduced activity around the disruption (marked in turquoise) but the number of new samples detected per day has seen only minimal changes, highlighting the continual risk.
For more info on Lumma Stealer and the disruption, read our blogpost from a few weeks back https://www.welivesecurity.com/en/eset-research/eset-takes-part-global-operation-disrupt-lumma-stealer/

#ClickFix went from virtually non-existent to the second most common attack vector blocked by #ESET, surpassed only by #phishing. This novel social engineering technique accounted for nearly 8% of all detections in H1 2025. #ESETresearch
ClickFix lures users by displaying bogus error messages followed by quick fix instructions, including copy-pasting malicious code. Running the code in the victim’s command line interpreter delivers malware such as #RATs, infostealers, and cryptominers.
Between H2 2024 and H1 2025, ESET’s detection for ClickFix, HTML/FakeCaptcha, skyrocketed by 517%. Most detections in ESET telemetry were reported from Japan (23%), Peru (6%), and Poland, Spain, and Slovakia (>5% each).
What makes #ClickFix so effective? The fake error message looks convincing; instructions are simple, yet the copied command is too technical for most users to understand. Pasting it into cmd leads to compromise with final payloads, including #DarkGate or #LummaStealer.
While #ClickFix was introduced by cybercriminals, it’s since been adopted by APT groups: Kimsuky, Lazarus; Callisto, Sednit; MuddyWater; APT36. NK-aligned actors used it to target developers, steal crypto and passwords from Metamask and #macOS Keychain.
#ClickFix uses psychological manipulation by presenting fake issues and offering quick solutions, which makes it dangerously efficient. It appears in many forms – error popups, email attachments, fake reCAPTCHAs – highlighting the need for greater vigilance online.
Read more in the #ESETThreatReport:
🔗 https://welivesecurity.com/en/eset-research/eset-threat-report-h1-2025

#ClickFix went from virtually non-existent to the second most common attack vector blocked by #ESET, surpassed only by #phishing. This novel social engineering technique accounted for nearly 8% of all detections in H1 2025. #ESETresearch
ClickFix lures users by displaying bogus error messages followed by quick fix instructions, including copy-pasting malicious code. Running the code in the victim’s command line interpreter delivers malware such as #RATs, infostealers, and cryptominers.
Between H2 2024 and H1 2025, ESET’s detection for ClickFix, HTML/FakeCaptcha, skyrocketed by 517%. Most detections in ESET telemetry were reported from Japan (23%), Peru (6%), and Poland, Spain, and Slovakia (>5% each).
What makes #ClickFix so effective? The fake error message looks convincing; instructions are simple, yet the copied command is too technical for most users to understand. Pasting it into cmd leads to compromise with final payloads, including #DarkGate or #LummaStealer.
While #ClickFix was introduced by cybercriminals, it’s since been adopted by APT groups: Kimsuky, Lazarus; Callisto, Sednit; MuddyWater; APT36. NK-aligned actors used it to target developers, steal crypto and passwords from Metamask and #macOS Keychain.
#ClickFix uses psychological manipulation by presenting fake issues and offering quick solutions, which makes it dangerously efficient. It appears in many forms – error popups, email attachments, fake reCAPTCHAs – highlighting the need for greater vigilance online.
Read more in the #ESETThreatReport:
🔗 https://welivesecurity.com/en/eset-research/eset-threat-report-h1-2025

#ESETresearch has mapped the labyrinth of #AsyncRAT forks, identifying the most prevalent versions of this open-source malware. While some variants are mere curiosities, others pose a more tenacious threat. https://www.welivesecurity.com/en/eset-research/unmasking-asyncrat-navigating-labyrinth-forks/
AsyncRAT comes with the typical RAT functionalities, including keylogging, screen capturing, and credential theft. Other threat actors have developed a multitude of variants based on its source code.
Our analysis revealed the most widely used and deployed forks of AsyncRAT, with the most prevalent among them being #DcRat.
Although DcRat holds a smaller share compared to AsyncRAT, it offers notable improvements. These include advanced evasion techniques, and the use of an open-source library for more efficient binary data serialization.
AsyncRAT forks often include prank-style plugins, such as for opening and closing the CD tray and turning off the monitor. Spoof versions dubbed SantaRAT and BoratRAT have also emerged – mostly intended as jokes.
AsyncRAT and its variants demonstrate how quickly and creatively threat actors can adapt open-source code – especially with the assistance of #LLMs. This underscores the importance of proactive detection and effective analysis of emerging threats.
IoCs available on our GitHub: https://github.com/eset/malware-ioc/tree/master/