Saved February 14, 2026
Do you care about this?
Lumma Stealer, malware that once infected 395,000 Windows computers, has reemerged after law enforcement disrupted its operations. Using deceptive tactics like fake CAPTCHAs, it tricks users into installing the malware themselves. Its infrastructure has been quickly rebuilt, posing a renewed threat worldwide.
If you do, here's more
Last May, a coordinated effort by law enforcement agencies disrupted Lumma, a notorious infostealer that had infected nearly 395,000 Windows computers in just two months. However, recent reports indicate that Lumma has made a significant comeback, launching hard-to-detect attacks aimed at stealing user credentials and sensitive files. Originally surfacing in Russian-speaking cybercrime forums in 2022, Lumma operates on a cloud-based malware-as-a-service model. By 2023, its premium versions were fetching up to $2,500 on the dark web, and the FBI noted over 21,000 listings for it on crime forums.
Despite a substantial takedown in May 2025, in which authorities seized 2,300 domains and other infrastructure supporting Lumma, the malware quickly rebuilt its operations. Researchers from Bitdefender confirmed that Lumma is now back "at scale," with its infrastructure restored and spreading globally once again. A key tactic in its resurgence is the use of "ClickFix," a social engineering lure that tricks users into infecting their own machines. This method typically involves fake CAPTCHAs that prompt users to copy and paste malicious commands into the Windows terminal, leading to the installation of loader malware that ultimately delivers Lumma.
The resurgence of Lumma highlights ongoing challenges in combating cybercrime, where takedowns often only provide temporary relief. The ease of use for attackers and the effectiveness of social engineering tactics make it difficult for users to remain vigilant. As Lumma continues to evolve and adapt, the threat it poses to individuals and organizations remains significant.