Talos has observed exploitation of CVE-2025-0994 in the wild by UAT-6382, a Chinese-speaking threat actor, who then deployed malware payloads via TetraLoader.

UAT-6382 exploits Cityworks zero-day vulnerability to deliver malware

A sprawling operation undertaken by global law enforcement agencies and a consortium of private sector firms has disrupted the online infrastructure associated with a commodity information stealer known as Lumma (aka LummaC or LummaC2), seizing 2,300 domains that acted as the command-and-control (C2) backbone to commandeer infected Windows systems.
"Malware like LummaC2 is deployed to steal

FBI and Europol Disrupt Lumma Stealer Malware Network Linked to 10 Million Infections

Microsoft disrupts Lumma Stealer network, seizing 2,000 domains linked to 394,000 infections in global cybercrime crackdown with law enforcement partners.

Microsoft, in a global takedown with support from international law enforcement agencies, has disrupted a major malware distribution network responsible for widespread credential theft, financial fraud, and ransomware attacks. The operation targeted Lumma Stealer, an infostealer malware used by hundreds of threat actors to steal sensitive information from nearly 400,000 infected Windows devices.

This coordinated effort involved Microsoft’s Digital Crimes Unit (DCU), the US Department of Justice, Europol, and cybersecurity partners across the private sector. Together, they seized more than 2,300 domains and dismantled Lumma’s infrastructure, severing the connection between attackers and their victims.

****A Malware-as-a-Service Operation with Global Reach****

Lumma Stealer has been marketed through underground forums since at least 2022 as a plug-and-play solution for cybercriminals looking to steal everything from passwords and credit card numbers to crypto wallets and banking credentials. Its ease of use and adaptability helped it gain traction among threat actors, including high-profile ransomware groups like Octo Tempest.

The tool is often spread through phishing campaigns, malvertising, and malware loaders. In one campaign earlier this year, attackers impersonated Booking.com to lure victims into downloading malware-laced files, a tactic that continues to fool even experienced users.

Microsoft’s Threat Intelligence team has tracked Lumma’s activities closely, identifying widespread infection patterns from March through May 2025. Heat maps shared by the company illustrate the global footprint of this malware, with heavy concentrations of infected devices in North America, Europe, and parts of Asia.

****Legal Action and Infrastructure Seizure****

According to Microsoft’s blog post, on May 13, Microsoft filed legal action in the US District Court for the Northern District of Georgia, securing a court order to block and seize the malicious domains linked to Lumma’s command structure. Simultaneously, the DOJ took control of the central infrastructure, and law enforcement agencies in Europe and Japan shut down local servers supporting the operation.

More than 1,300 domains have already been redirected to Microsoft-controlled servers, known as sinkholes, which now gather intelligence to help protect users and support ongoing investigations. This move cuts off the malware’s ability to transmit stolen data or receive instructions from attackers.

****The Business Behind the Malware****

Lumma wasn’t just malware, it was a business. Sold under a tiered subscription model, it offered services ranging from basic credential theft tools for $250 to full source code access for $20,000. Its creator, known online as “Shamel,” ran the operation like a startup, promoting Lumma with a distinctive bird logo and slogans that downplayed its malicious intent.

In a 2023 interview with a security researcher, Shamel claimed to have 400 active customers. His public presence, despite his involvement in widespread fraud, reflects a broader issue: cybercriminals operating with impunity in jurisdictions that don’t prioritize enforcement or international cooperation.

****Industry Response and Moving Forward****

The effort to dismantle Lumma drew support from a wide range of companies, including ESET, Cloudflare, Lumen, CleanDNS, BitSight, and GMO Registry. Each played a role in identifying infrastructure, sharing threat intelligence, or executing takedowns quickly and efficiently.

Notice on the sites seized by authorities (Via Microsoft)

“This shows how powerful the combination of law enforcement and industry can be,” said Thomas Richards, Infrastructure Security Practice Director at Black Duck, a Massachusetts-based cybersecurity firm. “Dismantling this operation will protect hundreds of thousands of people. But just as important is the follow-up, making sure victims are alerted and supported.”

Richards added that the growth of the Malware-as-a-Service market in recent years requires consistent collaboration across sectors to limit the damage from such tools.

****What You Can Do****

While this operation disrupted one of the most widespread info-stealers online, Lumma is just one of many threats targeting users every day. Microsoft and security professionals advise the public to:

*   Be cautious with email links and attachments
*   Use reputable antivirus and anti-malware tools
*   Keep operating systems and software updated
*   Enable multi-factor authentication wherever possible

Lumma Stealer was a favourite among cybercriminals because it worked, and it worked at scale. By shutting down its infrastructure, Microsoft and its partners have disrupted the ability of malicious actors to operate efficiently. But as long as cybercrime remains profitable, the fight continues.

Microsoft Dismantles Lumma Stealer Network, Seizes 2,000+ Domains

Attackers can exploit a vulnerability present in the delegated Managed Service Account (dMSA) feature that fumbles permission handling and is present by default.

Unpatched Windows Server Flaw Threatens Active Directory Users

US, European, and Japanese authorities, along with tech companies including Microsoft and Cloudflare, say they’ve disrupted Lumma, an infostealer popular with criminal gangs.

A consortium of global law enforcement agencies and tech companies announced on Wednesday that they have disrupted the infostealer malware known as Lumma. One of the most popular infostealers worldwide, Lumma has been used by hundreds of what Microsoft calls “cyber threat actors” to steal passwords, credit card and banking information, and cryptocurrency wallet details. The tool, which officials say was developed in Russia, has provided cybercriminals with the information and credentials they needed to drain bank accounts, disrupt services, and carry out data extortion attacks against schools, among other things.

Microsoft’s Digital Crimes Unit (DCU) obtained an order from a United States district court last week to seize and take down about 2,300 domains underpinning Lumma’s infrastructure. At the same time, the US Department of Justice seized Lumma’s command-and-control infrastructure and disrupted cybercriminal marketplaces that sold the Lumma malware. All of this was coordinated, too, with disruption of regional Lumma infrastructure by Europol’s European Cybercrime Center and Japan’s Cybercrime Control Center.

Microsoft lawyers wrote on Wednesday that Lumma, which is also known as LummaC2, has spread so broadly because it is “easy to distribute, difficult to detect, and can be programmed to bypass certain security defenses.” Steven Masada, assistant general counsel at Microsoft’s DCU, says in a blog post that Lumma is a “go-to tool,” including for the notorious Scattered Spider cybercriminal gang. Attackers distribute the malware using targeted phishing attacks that typically impersonate established companies and services, like Microsoft itself, to trick victims.

“In 2025, probably following Redline’s disruption and Lumma’s own development, it has ranked as the most active module, indicating its growing popularity and widespread adoption among cybercriminals,” says Victoria Kivilevich, director of threat research at security firm Kela.

Microsoft says that more than 394,000 Windows computers were infected with the Lumma malware between March 16 and May 16 this year. And Lumma was mentioned in more than 21,000 listings on cybercrime forums in the spring of 2024, according to figures cited in a notice published today by the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA). The malware has been spotted bundled in fake AI video generators and fake “deepfake” generation websites, and distributed by fake captcha pages.

Law enforcement’s collaboration with Microsoft’s DCU and other tech companies like Cloudflare focused on disrupting Lumma’s infrastructure in multiple ways, so its developers could not simply hire new providers or create parallel systems to rebuild.

“Cloudflare’s role in the disruption included blocking the command-and-control server domains, Lumma’s Marketplace domains, and banning the accounts that were used to configure the domains,” the company wrote in a blog post on Wednesday. “Microsoft coordinated the takedown of Lumma’s domains with multiple relevant registries in order to ensure that the criminals could not simply change the name servers and recover their control.”

While infostealing malware has been around for years, its use by cybercriminals and nation-state hackers has surged since 2020. Typically, infostealers find their way onto people’s computers through downloads of pirated software or through targeted phishing attacks that impersonate established companies and services, like Microsoft itself, to trick victims. Once on a computer it is able to grab sensitive information—such as usernames and passwords, financial information, browser extensions, multifactor authentication details, and more—and send it back to the malware’s operators.

Some infostealer operators bundle and sell this stolen data. But increasingly the compromised details have acted as a gateway for hackers to launch further attacks, providing them with the details needed to access online accounts and the networks of multibillion-dollar corporations.

“It’s clear that infostealers have become more than just grab-and-go malware,” says Patrick Wardle, CEO of the Apple device-focused security firm DoubleYou. “In many campaigns they really act as the first stage, collecting credentials, access tokens, and other foothold-enabling data, which is then used to launch more traditional, high-impact attacks such as lateral movement, espionage, or ransomware.”

The Lumma infostealer first emerged on Russian-language cybercrime forums in 2022, according to the FBI and CISA. Since then its developers have upgraded its capabilities and released multiple different versions of the software.

Since 2023, for example, they have been working to integrate AI into the malware platform, according to findings from the security firm Trellix. Attackers want to add these capabilities to automate some of the work involved in cleaning up the massive amounts of raw data collected by infostealers, including identifying and separating “bot” accounts that are less valuable for most attackers.

One administrator of Lumma told 404Media and WIRED last year that they encouraged both seasoned hackers and new cybercriminals to use their software. “This brings us good income,” the administrator said, referring to the resale of stolen login data.

Microsoft says that the main developer behind Lumma goes by the online handle “Shamel” and is based in Russia.

“Shamel markets different tiers of service for Lumma via Telegram and other Russian-language chat forums,” Microsoft’s Masada wrote on Wednesday. “Depending on what service a cybercriminal purchases, they can create their own versions of the malware, add tools to conceal and distribute it, and track stolen information through an online portal.”

Kela’s Kivilevich says that in the days leading up to the takedown, some cybercriminals started to complain on forums that there had been problems with Lumma. They even speculated that the malware platform had been targeted in a law enforcement operation.

“Based on what we see, there is a wide range of cybercriminals admitting they are using Lumma, such as actors involved in credit card fraud, initial access sales, cryptocurrency theft, and more,” Kivilevich says.

Among other tools, the Scattered Spider hacking group—which has attacked Caesars Entertainment, MGM Resorts International, and other victims—has been spotted using the Lumma stealer. Meanwhile, according to a report from TechCrunch, the Lumma malware was allegedly used in the buildup to the December 2024 hack of education tech firm PowerSchool, in which more than 70 million records were stolen.

“We're now seeing infostealers not just evolve technically, but also play a more central role operationally,” says DoubleYou’s Wardle. “Even nation-state actors are developing and deploying them.”

Ian Gray, director of analysis and research at the security firm Flashpoint, says that while infostealers are only one tool that cybercriminals will use, their prevalence may make it easier for cybercriminals to hide their tracks. “Even advanced threat actor groups are leveraging infostealer logs, or they risk burning sophisticated tactics, techniques, and procedures,” Gray says.

Lumma isn’t the first infostealer to be targeted by law enforcement. In October last year, the Dutch National Police, along with international partners, took down the infrastructure linked to the RedLine and MetaStealer malware, and the US Department of Justice unsealed charges against Maxim Rudometov, one of the alleged developers and administrators of the RedLine infostealer.

Despite the international crackdown, infostealers have proven too useful and effective for attackers to abandon. As Flashpoint’s Gray puts it, “Even if the landscape ultimately shifts due to the evolution of defenses, the growing prominence of infostealers over the past few years suggests they are likely here to stay for the foreseeable future. Usage of them has exploded.”

Authorities Carry Out Elaborate Global Takedown of Infostealer Heavily Used by Cybercriminals

May “In the Trend of VM” (#15): vulnerabilities in Microsoft Windows and the Erlang/OTP framework. A traditional monthly vulnerability roundup. 🙂 🗞 Post on Habr (rus)🗒 Digest on the PT website (rus) A total of 4 trending vulnerabilities: 🔻 Elevation of Privilege – Windows Common Log File System Driver (CVE-2025-29824)🔻 Elevation of Privilege – Windows […]

**May “In the Trend of VM” (#15): vulnerabilities in Microsoft Windows and the Erlang/OTP framework.** A traditional monthly vulnerability roundup. 🙂

🗞 Post on Habr (rus)  
🗒 Digest on the PT website (rus)

A total of 4 trending vulnerabilities:

🔻 **Elevation of Privilege** – Windows Common Log File System Driver (CVE-2025-29824)  
🔻 **Elevation of Privilege** – Windows Process Activation (CVE-2025-21204)  
🔻 **Spoofing** – Windows NTLM (CVE-2025-24054)  
🔻 **Remote Code Execution** – Erlang/OTP (CVE-2025-32433)

На русском

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

May “In the Trend of VM” (#15): vulnerabilities in Microsoft Windows and the Erlang/OTP framework

An arson attack in Colorado had detectives stumped. The way they solved the case could put everyone at risk.

3 Teens Almost Got Away With Murder. Then Police Found Their Google Searches

About Remote Code Execution – 7-Zip (BDU:2025-01793) vulnerability. It’s about the fact that files unpacked using 7-Zip don’t get the Mark-of-the-Web. As a result, Windows security mechanisms don’t block the execution of the unpacked malware. If you remember, there was a similar vulnerability in January – CVE-2025-0411. The problem was with running files from the […]

**About Remote Code Execution – 7-Zip (BDU:2025-01793) vulnerability.** It’s about the fact that files unpacked using 7-Zip don’t get the Mark-of-the-Web. As a result, Windows security mechanisms don’t block the execution of the unpacked malware. If you remember, there was a similar vulnerability in January – CVE-2025-0411. The problem was with running files from the 7-Zip UI, and a fix has been released. But in this case, the problem is with fully **unpacked** archives — and the developers **aren’t planning to fix it**! 🤷‍♂️

Igor Pavlov, the author of the utility, responded to our colleague Konstantin Dymov that not assigning the Mark-of-the-Web by default is intentional behavior. They don’t plan to change the default settings. To have the Mark-of-the-Web applied, you need to set “” to “”.

If 7-Zip is used in your organization, be aware of this insecure default behavior. Apply hardening measures or switch to a different tool.

На русском

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

About Remote Code Execution – 7-Zip (BDU:2025-01793) vulnerability

You'd hope that spending $6,000 on a printer would give you a secure experience, free from viruses and other malware. However, in the case of Procolored printers, you'd be wrong.

 Malware-infected printer delivered something extra to Windows users 

Nitrogen, a ransomware strain, has emerged as a major threat to organizations worldwide, with a particular focus on…

Nitrogen, a ransomware strain, has emerged as a major threat to organizations worldwide, with a particular focus on the financial sector. First identified in September 2024, Nitrogen has rapidly gained notoriety for its sophisticated attack methods and devastating impact. 

This ransomware encrypts critical data and demands substantial payments for decryption. It has targeted industries such as finance, construction, manufacturing, and technology, primarily in the United States, Canada, and the United Kingdom. 

Cybersecurity experts warn that Nitrogen’s advanced tactics and evolving strategies pose a severe risk to organizations unprepared for its precision and persistence. The use of malware analysis and threat intelligence tools can mitigate these risks and prevent incidents. 

****Nitrogen’s Features and Tactics****

Nitrogen’s complex attack chain begins with malvertising campaigns on search engines like Google and Bing. The ads trick users into downloading trojanized installers disguised as legitimate software, such as AnyDesk, WinSCP, or Cisco AnyConnect.

Once installed, the ransomware uses tools like Cobalt Strike and Meterpreter shells to establish persistence, move laterally within networks, and execute its payload. Nitrogen modifies registry keys and schedules tasks to ensure they remain active even after the system reboots. It conducts thorough system reconnaissance, identifies high-value targets within networks to maximise the impact, and employs advanced evasion techniques. 

****Among Nitrogen’s most notable victims are:** **

*   **SRP Federal Credit Union (USA)**: in December 2024 this attack introduced Nitrogen to the wider world and exposed the financial sector’s vulnerability. 

*   **Red Barrels (Canada)**: the video game developer had 1.8 terabytes of sensitive data extorted, including game source codes and internal documents.

*   **Control Panels USA**: a custom control panel solutions provider was listed as a victim on Nitrogen’s dark web leak site in September 2024, indicating a successful breach and potential data exfiltration.

*   **Kilgore Industries**: In December 2024 the manufacturing company faced a ransomware attack attributed to the Nitrogen group.

****Gathering Threat Intelligence on Nitrogen****

Not much is yet known about Nitrogen modus operandi due to limited public data. The main publicly available source of information is the report by StreamScan. It offers key indicators of compromise and some insights into the methods but is light on details. This is where ANY.RUN’s experts step in, offering deeper insights through dynamic analysis and threat intelligence enrichment. 

The StreamScan report details a few critical IOCs: 

*   **Ransomware File**: A malicious executable with the SHA-256 hash 55f3725ebe01ea19ca14ab14d747a6975f9a6064ca71345219a14c47c18c88be 

*   **Mutex**: A unique identifier, nvxkjcv7yxctvgsdfjhv6esdvsx, created by the ransomware before encryption. 

*   **Vulnerable Driver**: truesight.sys, a legitimate but exploitable driver used to disable antivirus and endpoint detection tools. 

*   **System Manipulation**: Use of bcdedit.exe to disable Windows Safe Boot, hindering system recovery.

These indicators can be researched via Threat Intelligence Lookup to find more IOCs, behavioural data, and technical details on Nitrogen attacks.  

****1\. Tracking the Mutex** **

Nitrogen creates a unique mutex to ensure only one instance of the ransomware runs at a time. Using the mutex’s name as a TI Lookup search request, one can discover over 20 related malware samples analyzed by the users of ANY.RUN’s Interactive Sandbox. 

syncObjectName:”nvxkjcv7yxctvgsdfjhv6esdvsx”

Mutex search results in TI Lookup

For each sample, an analysis session can be explored to enrich the understanding of the threat and gather additional indicators not featured in public research. These IOCs can be used for tuning monitoring, detection and response systems to ensure proactive protection against the malware.

All sandbox analyses contain a selection of linked IOCs

****2\. Exposing the Vulnerable Driver****

Nitrogen exploits truesight.sys, a legitimate driver from RogueKiller AntiRootkit, to kill AV/EDR processes and thus disable antivirus and endpoint detection tools. This driver is used by threat actors because it’s not inherently malicious, so it does not trigger standard defences. ANY.RUN’s TI Lookup reveals over 50 analyses linked to truesight.sys:

sha256:"Bfc2ef3b404294fe2fa05a8b71c7f786b58519175b7202a69fe30f45e607ff1c"

Sandbox sessions featuring the abused driver

  
By parsing these analyses, teams see how the driver can be abused, from terminating security processes to evading detection. Searching by the driver’s name with the “CommandLine” parameter results in a selection of system events involving the driver:

  
commandLine: “\*truesight.sys”

System events observed via TI Lookup

Discovering such activity induces security teams to timely block the vulnerabilities of such types. 

****3\. Catching System Manipulation****

Nitrogen uses the Windows utility bcdedit.exe to disable Safe Boot, a recovery mechanism that helps restore an infected system. ANY.RUN allows analysts to use YARA rules to search for this behaviour, identifying malware that tampers with system settings. 

A YARA search in TI Lookup returns several files linked to this tactic, each with an associated analysis session that reveals additional IOCs.

YARA rule search in TI Lookup

By integrating these IOCs into SIEM or EDR systems, organizations can detect and block attempts to modify Windows boot settings before encryption begins, stopping Nitrogen in its tracks. 

  
To defend against threats like Nitrogen, security teams should: 

*   Block known malicious infrastructure and domains. 

*   Monitor for unusual use of PowerShell, WMI, and DLL sideloading. 

*   Educate employees about phishing and social engineering tactics.

*   Use threat intelligence services to proactively hunt for related IOCs and TTPs.

*   Use DMARC, DKIM, and SPF to prevent email spoofing, a tactic often used to deliver Nitrogen’s malicious payloads.

*   Regularly update software and apply patches to close vulnerabilities exploited by Nitrogen.

****Strengthen Your Defenses with ANY.RUN****

In the face of growing threats like Nitrogen ransomware, real-time analysis and threat intelligence are no longer optional, they’re essential. To mark its 9th anniversary, ANY.RUN is launching a limited-time promotion to help security professionals stay ahead of modern cyber threats with the Interactive Sandbox and Threat Intelligence Lookup solutions.

Grab the gift: extra Sandbox licenses for your team, or double TI Lookup quota.

_Disclosure: This article was provided by ANY.RUN. The information and analysis presented are based on their research and findings._

Tag

#windows