ClickFix bait, combined with advanced Castleloader malware, is installing Lumma "at scale."

Ars Technica is known for its  coverage of technology-related news and analysis, ranging from scientific breakthroughs to the latest gadgets and gaming developments. Readers can learn about emerging technologies, industry trends, and the societal impact of technological advancements through detailed articles and reviews.

Ars Technica

Lumma Stealer malware has resurged after law enforcement seized 2,300 domains in May 2025. The infostealer, which infected nearly 395,000 Windows computers before the takedown, is now spreading again using ClickFix social engineering lures—fake CAPTCHAs that trick users into pasting malicious commands into Windows terminal. The malware-as-a-service operation has rapidly rebuilt its infrastructure and continues spreading worldwide, with researchers confirming it's "back at scale."

Once-hobbled Lumma Stealer is back with lures that are hard to resist

How The Callisto Protocol's Team Designed Its Terrifying, Immersive Audio