Update: LummaStealer Rebuilds at Scale Using CastleLoader and Social-Engineering-Driven Delivery Chains
Security researchers have observed a renewed surge in LummaStealer activity, demonstrating how the infostealer operation has rapidly recovered despite a major law-enforcement disruption in 2025 that dismantled thousands of command-and-control domains. LummaStealer, a malware-as-a-service platform active since late 2022, is now being widely distributed via CastleLoader, a modular, heavily obfuscated loader designed for in-memory execution and flexible payload delivery. Current campaigns rely primarily on social-engineering lures rather than technical exploits, including fake cracked software, fraudulent game or media downloads, and deceptive CAPTCHA-style “ClickFix” pages that trick victims into executing malicious commands themselves. In many cases, victims are instructed to run command-line or PowerShell instructions disguised as verification steps, effectively turning normal browsing behavior into manual code execution. Once deployed, LummaStealer harvests browser credentials, session cookies, cryptocurrency wallets, personal documents, and authentication tokens, enabling account takeovers, financial fraud, extortion, and long-term identity-theft operations. The resurgence highlights the resilience of the MaaS ecosystem, where operators can quickly migrate infrastructure and rebuild campaigns using new loaders and hosting providers after enforcement actions. CastleLoader’s obfuscated scripts, sandbox-evasion logic, staged payload decryption, and distinctive failed DNS request patterns make it difficult to detect while still creating identifiable telemetry for defenders. Researchers also observed infrastructure overlap between CastleLoader and LummaStealer operations, suggesting shared services or coordination across a broader criminal affiliate network. 
Organizations should prioritize user awareness around suspicious downloads and fake verification prompts, enforce multi-factor authentication across critical services, restrict execution of untrusted scripts, and monitor endpoints for anomalous process chains, living-off-the-land activity, and DNS patterns associated with loader-based infections.
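As an added illustration of the endpoint and DNS monitoring recommended above (example code written for this digest, not from the researchers' report), the following Python flags a shell launched from a browser or the desktop shell with paste-and-run command-line traits, and hosts that produce a burst of failed DNS lookups. The parent and child process lists, the argument traits and the burst threshold are assumptions; the events are constructed.

```python
"""Toy endpoint detections for the two signals above: a shell launched from a browser
or the desktop shell with paste-and-run traits, and a burst of failed DNS lookups."""
from collections import defaultdict
from datetime import datetime, timedelta

# Browsers plus explorer.exe (the Run dialog starts its child processes through it).
LAUNCH_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "explorer.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Command-line traits that hide what a pasted command does (assumed list).
SUSPICIOUS_ARGS = ("-enc", "-w hidden", "-windowstyle hidden", "iex", "downloadstring")

def clickfix_process_alerts(events):
    """Return (host, child image, matched traits) for suspicious parent -> shell chains."""
    alerts = []
    for ev in events:
        parent, child, cmd = ev["parent"].lower(), ev["image"].lower(), ev["cmdline"].lower()
        if parent in LAUNCH_PARENTS and child in SHELLS:
            hits = [a for a in SUSPICIOUS_ARGS if a in cmd]
            if hits:
                alerts.append((ev["host"], child, hits))
    return alerts

def nxdomain_burst_hosts(dns_events, threshold=5, window=timedelta(seconds=60)):
    """Return hosts with at least `threshold` NXDOMAIN answers inside one sliding window."""
    by_host = defaultdict(list)
    for ev in dns_events:
        if ev["rcode"] == "NXDOMAIN":
            by_host[ev["host"]].append(datetime.fromisoformat(ev["ts"]))
    flagged = set()
    for host, times in by_host.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:      # drop lookups that fell out of the window
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(host)
                break
    return sorted(flagged)

# Constructed sample telemetry (not from any real incident).
PROCESS_EVENTS = [
    {"host": "ws01", "parent": "chrome.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc AAAA"},   # pasted from a fake CAPTCHA page
    {"host": "ws02", "parent": "explorer.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"host": "ws03", "parent": "msedge.exe", "image": "powershell.exe", "cmdline": "powershell.exe -help"},
]
DNS_EVENTS = [{"host": "ws01", "ts": f"2025-01-01T10:00:{s:02d}", "rcode": "NXDOMAIN"} for s in range(0, 50, 10)]
DNS_EVENTS += [{"host": "ws02", "ts": "2025-01-01T10:05:00", "rcode": "NXDOMAIN"}]   # single failure, no burst
```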
State and Criminal Groups Leverage AI for Productivity Gains Across the Attack Lifecycle
Security researchers at the Google Threat Intelligence Group (GTIG) observed a measurable increase in threat actor use of artificial intelligence during late 2025, primarily to accelerate reconnaissance, social engineering, and malware development workflows. Rather than creating fundamentally new attack techniques, state-sponsored actors from China, Iran, North Korea, and Russia are using large language models as productivity tools for target research, phishing content generation, and technical scripting. GTIG also identified a rise in attempts to extract, or “distill,” proprietary AI capabilities, as organizations and researchers systematically probed models through legitimate API access. In one campaign, more than 100,000 prompts were used to replicate reasoning behaviors across languages, highlighting how intellectual property theft is emerging as a primary AI-related threat to model providers. Researchers also observed threat actors integrating AI into real-world operations, including reconnaissance against defense organizations, persona development for phishing, and automated vulnerability research. Groups including APT42, APT31, and UNC795 used AI tools to generate targeting intelligence, translate communications, develop malware components, and test exploitation scenarios. GTIG additionally identified experimental malware, such as HONESTCUE, which used a generative AI API to dynamically create and execute second-stage payloads, as well as phishing kits, such as COINBAIT, which were likely built using AI-assisted development tools. Despite these experiments, most observed activity reflects incremental efficiency gains rather than disruptive new attack classes. Organizations should monitor AI API usage for signs of model extraction, protect API keys and training data, and treat AI-enabled tooling as an extension of existing phishing, malware, and reconnaissance risks rather than an entirely new threat category.
Dual RMM Abuse: Net Monitor and SimpleHelp Used for Persistent Access and Ransomware Deployment
Huntress observed two enterprise intrusions in which threat actors abused legitimate remote management software to establish persistent access and prepare for financially motivated attacks. The actor deployed Net Monitor for Employees Professional, a commercial workforce monitoring tool, as the primary access channel, leveraging its built-in pseudo-terminal to execute commands, enumerate users, manipulate accounts, and stage additional tooling. From this foothold, the attacker installed the SimpleHelp remote monitoring and management platform as a secondary persistence layer, creating a redundant access path that survives partial remediation. Shared command-and-control infrastructure, consistent file names such as vhost[.]exe, and overlapping tactics across both incidents strongly suggest a single operator or threat group. In one environment, the activity progressed to the attempted deployment of multiple Crazy ransomware binaries, while in the other, the actor configured monitoring triggers to watch for cryptocurrency wallets, exchanges, and payment platforms, indicating dual motives of ransomware extortion and direct financial theft. The attacker also used service name masquerading, renaming processes to resemble legitimate Windows and OneDrive components, to reduce suspicion during post-compromise activity. In the second intrusion, initial access was achieved through a compromised vendor SSL VPN account, followed by remote desktop access to a domain controller and hands-on keyboard activity via PowerShell. The actor installed both tools using silent installation methods and configured them to communicate with attacker-controlled domains and IP infrastructure, including dronemaker[.]org and multiple fallback gateways for resilience. Through these tools, the attacker performed internal reconnaissance, disabled or modified security controls, and attempted to deploy ransomware payloads. 
Organizations should prioritize strong identity controls, enforce multi-factor authentication across all remote access services, restrict installation of unauthorized remote management tools, and monitor for abnormal process chains or unexpected RMM activity to reduce the risk of similar intrusions.
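To make the monitoring recommendation concrete, here is an added Python check (not Huntress's tooling) over a constructed Windows service inventory: it flags RMM products outside an allow-list, the vhost.exe file name noted in the report, and services whose display name claims a Windows or OneDrive identity without a Microsoft signature. The keyword list, the approved service name, the paths and the signer strings are assumptions.

```python
"""Review a Windows service inventory for unapproved RMM products, the vhost.exe
file name noted in the report, and services that claim a Windows/OneDrive identity
without a Microsoft signature. Records and keyword lists are constructed assumptions."""
import ntpath

# Assumption: the RMM products named in the report show up as these substrings
# in a service's display name or binary path.
RMM_KEYWORDS = ("simplehelp", "net monitor", "netmonitor")
APPROVED_RMM_SERVICES = {"corp-helpdesk-rmm"}     # hypothetical sanctioned service name
IMPERSONATED_BRANDS = ("windows", "onedrive", "microsoft")
KNOWN_BAD_BINARIES = {"vhost.exe"}                # file name seen in both intrusions

def review_services(services):
    """Return (finding, service name) pairs for every record that needs analyst review."""
    findings = []
    for svc in services:
        name = svc["name"]
        display, path = svc["display"].lower(), svc["path"].lower()
        signer = svc.get("signer", "").lower()
        if ntpath.basename(path) in KNOWN_BAD_BINARIES:
            findings.append(("known_bad_binary", name))
        is_rmm = any(k in display or k in path for k in RMM_KEYWORDS)
        if is_rmm and name.lower() not in APPROVED_RMM_SERVICES:
            findings.append(("unapproved_rmm", name))
        # A service borrowing a Windows/OneDrive name should carry a Microsoft signature.
        if any(b in display for b in IMPERSONATED_BRANDS) and not signer.startswith("microsoft"):
            findings.append(("masquerade", name))
    return findings

# Constructed inventory records (paths and signer strings are illustrative only).
SERVICES = [
    {"name": "wuauserv", "display": "Windows Update",
     "path": r"C:\Windows\System32\svchost.exe", "signer": "Microsoft Windows"},
    {"name": "OneDriveSync", "display": "OneDrive Sync Host",
     "path": r"C:\Users\Public\vhost.exe", "signer": ""},
    {"name": "SimpleHelpRemote", "display": "SimpleHelp Remote Access",
     "path": r"C:\Tools\simplehelp-agent.exe", "signer": "Example Vendor"},
    {"name": "corp-helpdesk-rmm", "display": "Net Monitor for Employees Pro",
     "path": r"C:\Tools\netmonitor-agent.exe", "signer": "Example Vendor"},
]
```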
Rogue VM Operations Reveal Muddled Libra’s Living-off-the-Land Intrusion Playbook
Security researchers at Unit 42 observed an intrusion attributed with high confidence to Muddled Libra, also known as Scattered Spider or UNC3944, after attackers created a rogue virtual machine inside a compromised VMware vSphere environment. The group used social engineering to gain initial access, then pivoted into the virtual infrastructure where they created a new VM to serve as a stealthy operational beachhead. From this system, the attackers downloaded stolen certificates, established an SSH tunnel using the Chisel tool, and began reconnaissance across the domain. Within minutes, they powered down domain controllers, mounted virtual disks, and extracted NTDS[.]dit and SYSTEM files to obtain password hashes for all users. They then executed Active Directory reconnaissance tools and packaged the results for exfiltration, focusing on critical services such as database servers, email platforms, and virtualization infrastructure. The attackers also accessed the victim’s Snowflake environment, interacted with sensitive data, and began preparing it for external transfer. Over the next several hours, the threat actors conducted lateral movement using compromised accounts and common administrative tools, including RDP, PsExec, and SSH tunneling. They searched for ways to exfiltrate large datasets, attempted to upload files to multiple public file-sharing platforms, and eventually used an S3 browser utility to move stolen Outlook mailbox data. Throughout the intrusion, the group relied heavily on legitimate tools and built-in administrative capabilities rather than deploying custom malware, enabling them to blend into normal enterprise activity. Using a rogue VM as a staging environment also helped the attackers evade endpoint monitoring while conducting reconnaissance and data theft. 
Organizations should prioritize strong identity protections, enforce multi-factor authentication, monitor for unauthorized VM creation or the use of administrative tools, and apply least-privilege access controls to reduce exposure to similar intrusions.
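The following added Python example (not Unit 42's code) shows how the rogue-VM sequence above could be correlated from vCenter events: a VM created by an account outside the admin set, a domain controller powered off afterwards, and a disk from that DC's folder attached to the new VM. Event type names follow vSphere's event model; the account names, VM names, datastore-path convention and time window are assumptions, and the events are constructed.

```python
"""Correlate a constructed vCenter event stream for the rogue-VM sequence above:
non-admin VM creation, a domain controller powered off, then a disk from the DC's
folder attached to the new VM. Accounts, VM names and the path layout are assumptions."""
import re
from datetime import datetime, timedelta

VSPHERE_ADMINS = {"vsphere.local\\vc-admin"}     # hypothetical authorised creators
DOMAIN_CONTROLLERS = {"DC01", "DC02"}            # hypothetical DC VM names
# "[datastore1] DC01/DC01.vmdk" -> folder "DC01" (assumes the default one-folder-per-VM layout)
BACKING_RE = re.compile(r"^\[[^\]]+\]\s*([^/]+)/")

def vm_owning_disk(backing):
    """Return the VM folder a datastore path belongs to, or None if it does not parse."""
    m = BACKING_RE.match(backing)
    return m.group(1) if m else None

def rogue_vm_chains(events, window=timedelta(minutes=30)):
    """Return (rogue_vm, dc) pairs for create -> DC power-off -> DC disk attach inside window."""
    created, dc_off, chains = {}, {}, []
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        kind, vm = e["type"], e["vm"]
        if kind == "VmCreatedEvent" and e["user"].lower() not in VSPHERE_ADMINS:
            created[vm] = ts
        elif kind == "VmPoweredOffEvent" and vm in DOMAIN_CONTROLLERS:
            dc_off[vm] = ts
        elif kind == "VmReconfiguredEvent" and vm in created:
            owner = vm_owning_disk(e.get("disk_backing", ""))
            if owner in dc_off and dc_off[owner] <= ts <= created[vm] + window:
                chains.append((vm, owner))
    return chains

# Constructed event records (not from the incident); disk_backing is a simplified stand-in
# for the device backing found in a real reconfigure event's config spec.
EVENTS = [
    {"ts": "2025-03-01T02:00:00", "type": "VmCreatedEvent", "vm": "svc-backup", "user": "corp\\jdoe"},
    {"ts": "2025-03-01T02:06:00", "type": "VmPoweredOffEvent", "vm": "DC01", "user": "corp\\jdoe"},
    {"ts": "2025-03-01T02:07:00", "type": "VmReconfiguredEvent", "vm": "svc-backup",
     "user": "corp\\jdoe", "disk_backing": "[datastore1] DC01/DC01.vmdk"},
    {"ts": "2025-03-01T09:00:00", "type": "VmCreatedEvent", "vm": "build-01", "user": "vsphere.local\\vc-admin"},
    {"ts": "2025-03-01T09:05:00", "type": "VmReconfiguredEvent", "vm": "build-01",
     "user": "vsphere.local\\vc-admin", "disk_backing": "[datastore1] build-01/build-01.vmdk"},
]
```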