Lumma Stealer, a malware that once infected 395,000 Windows computers, has reemerged after law enforcement disrupted its operations. Using deceptive tactics like fake CAPTCHAs, it tricks users into installing the malware themselves. The infrastructure has quickly rebuilt, posing a renewed threat worldwide.
A malware campaign is using fake guides for OpenAI's Atlas browser to lure macOS users into downloading an infostealer named AMOS. Victims are tricked into executing a malicious command that harvests sensitive data and installs a backdoor for remote access. Basic cybersecurity practices can help prevent these attacks.
Valkyrie Stealer is a sophisticated malware that targets Windows systems to harvest sensitive information, including credentials and browser data. It employs advanced evasion techniques to avoid detection in virtualized environments and features a modular architecture for flexible data theft. The developer, known as Lawxsz, actively promotes the malware through various online platforms.
Over 149 million stolen usernames and passwords were discovered online, affecting platforms like TikTok, Netflix, and several financial services. The data leak, found by cybersecurity researcher Jeremiah Fowler, highlights the risks of infostealer malware and the importance of password security. It took a month to take the exposed database offline, raising concerns about the potential for automated attacks.
Two harmful extensions on the Visual Studio Code Marketplace, Bitcoin Black and Codo AI, steal sensitive information from developers' machines. They can capture screenshots and credentials and hijack browser sessions, and were published under the name 'BigBlack.' Microsoft has since removed both extensions from the marketplace.
A new campaign exploits Google search ads to direct macOS users to malicious ChatGPT and Grok conversations. These chats contain instructions that, when executed, install the AMOS infostealer malware, compromising sensitive information. Users are advised to be cautious and avoid running unknown commands.
A new infostealer called SantaStealer has been launched, promoting itself on Telegram and underground forums. This malware collects sensitive data and aims to evade detection by operating in-memory, though initial samples reveal weaknesses in its design and execution.
Threat actors are distributing a fraudulent PDF editing application named AppSuite PDF Editor, which delivers the TamperedChef info-stealer malware. This campaign, supported by Google ads and utilizing fraudulent certificates, has been orchestrated to maximize downloads before activating the malicious components that collect sensitive data and turn systems into residential proxies. Researchers warn that the operation involves multiple apps, some potentially yet to be weaponized, posing ongoing risks to users.
Trellix's Advanced Research Center has uncovered a previously undetected infostealer malware named Myth Stealer, written in Rust and marketed on Telegram since late December 2024. This malware specifically targets video games, raising concerns about the security of the gaming community.
Over 4,000 victims in 62 countries have been targeted by the PXA Stealer malware, which has stolen hundreds of credit card numbers, 200,000 passwords, and over 4 million browser cookies. This Python-based infostealer uses sophisticated phishing techniques and has evolved to evade detection, exfiltrating sensitive data through Telegram-based marketplaces.
A hacker known as EncryptHub has compromised the early access game Chemia on Steam by injecting info-stealing malware into its files, specifically the HijackLoader and Fickle Stealer. The malware operates in the background, allowing it to harvest sensitive data from users while remaining undetected during gameplay. Users are advised to avoid downloading the game until further notice from the developer or Steam, as it remains unclear if the current version is safe.
A malware campaign targeting Minecraft players has been uncovered, where malicious mods and cheats are used to infect Windows devices with infostealers that steal credentials, authentication tokens, and cryptocurrency wallets. Conducted by the Stargazers Ghost Network, the operation utilizes GitHub to distribute fake mods, reaching thousands of potential victims while evading detection by antivirus software. To protect themselves, players are advised to download mods only from reputable sources and maintain caution when using GitHub links.
A malicious campaign is targeting macOS developers through fake Homebrew, LogMeIn, and TradingView platforms that distribute infostealing malware such as AMOS and Odyssey. The campaign uses deceptive tactics to trick users into executing harmful commands in Terminal, leading to the theft of sensitive information from their systems. Researchers identified over 85 domains involved in this scheme, which are promoted via Google Ads to appear in search results.
Jamf Threat Labs has identified a new technique where attackers use PyInstaller to bundle Python-based infostealers into Mach-O executables on macOS. This method allows malware to run without requiring a native Python installation, while employing various obfuscation tactics to evade detection. The analysis includes dynamic and static examination of these malicious binaries, revealing behaviors consistent with infostealer activity.
A recent incident involving the LUMMA infostealer malware highlighted a new attack method where users were directed to a fake CAPTCHA page, leading to the execution of PowerShell commands that targeted sensitive browser data from Microsoft Edge and Google Chrome. The NCC Group's DFIR team documented the timeline of events, including initial access methods and various tactics employed by the malware to steal credentials.
More than 31,000 banking passwords from Australian customers of major banks have been stolen and are being traded online, primarily due to malware infections on users' devices. Cybersecurity experts warn that these stolen credentials pose a significant risk of financial theft, as infostealer malware can capture a wide range of sensitive information. The rise in infostealer infections highlights the ongoing threat to personal security and the need for effective protective measures.
Elastic Security Labs reports on the misuse of SHELLTER, a commercial evasion framework, by threat groups for infostealer campaigns since April 2025. The framework's advanced capabilities allow malicious actors to evade detection by anti-malware solutions, prompting the release of a dynamic unpacker by Elastic Security Labs to analyze SHELLTER-protected binaries. Key features include polymorphic obfuscation, payload encryption, and mechanisms to bypass detection systems.
Hackers have exploited a leaked copy of Shellter Elite, a commercial AV/EDR evasion tool, to deploy infostealer malware, marking the first misuse incident since the vendor's strict licensing model was introduced. Despite ongoing malicious activity since April, Shellter was not notified by security researchers at Elastic Security Labs, who later confirmed the misuse and developed detections for the affected version. Shellter has since released an updated version for vetted customers, excluding the one responsible for the leak.
Hackers are exploiting the RedTiger open-source tool to create an infostealer that targets Discord accounts, collecting sensitive data such as credentials, payment information, and personal files. The malware operates by injecting JavaScript into Discord and harvesting information from both the application and the victim's web browser. Users are advised to be cautious and take protective measures against this threat.