LummaStealer Returns with CastleLoader, Mimics Legit User Activity to Slip Past Defenses

The LummaStealer infostealer has resurfaced, now bundled with the CastleLoader dropper. This refreshed version adopts user‑like patterns—such as launching from familiar directories, using standard Windows APIs, and timing its network calls to match typical user activity—making it blend in with legitimate processes and evade many behavioral detection rules.

By pairing with CastleLoader, the threat actor can deliver additional payloads, expand persistence mechanisms, and harvest credentials, browser data, and crypto wallets from a broader range of Windows endpoints. Defenders need to update detection signatures, monitor for anomalous file‑write and network‑connection sequences even when they appear benign, and enforce strict application whitelisting to prevent this hybrid chain from slipping through existing controls.
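The article's detection advice, monitoring file‑write followed by network‑connection sequences per process even when each event looks benign, as an added example that is not part of the original article; the telemetry records, field layout and the 30‑second window are constructed assumptions, not values from the report.

```python
"""Added example (not from the article): correlate per-process event sequences
so that a file write followed shortly by an outbound connection from the same
process is surfaced even when each event alone looks like normal user activity.
The sample telemetry and the (timestamp, pid, type, detail) layout are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: pid 101 writes a file, then connects out 3 s later;
# pid 202 is a browser that connects first and writes a download much later.
SAMPLE_EVENTS = [
    ("2024-01-01T09:00:00", 101, "process_start", r"C:\Users\alice\AppData\Local\Temp\update.exe"),
    ("2024-01-01T09:00:02", 101, "file_write", r"C:\Users\alice\AppData\Roaming\profile.dat"),
    ("2024-01-01T09:00:05", 101, "net_connect", "203.0.113.10:443"),
    ("2024-01-01T09:00:20", 202, "process_start", r"C:\Program Files\Browser\browser.exe"),
    ("2024-01-01T09:00:21", 202, "net_connect", "198.51.100.7:443"),
    ("2024-01-01T09:15:00", 202, "file_write", r"C:\Users\alice\Downloads\report.pdf"),
]


def find_write_then_connect(events, window=timedelta(seconds=30)):
    """Return {pid: (written_path, destination)} for every process whose
    file_write was followed by a net_connect within `window`.
    Order matters: connect-then-write (the browser case) is not flagged."""
    by_pid = defaultdict(list)
    for ts, pid, kind, detail in sorted(events, key=lambda e: e[0]):
        by_pid[pid].append((datetime.fromisoformat(ts), kind, detail))

    flagged = {}
    for pid, evs in by_pid.items():
        last_write = None  # most recent (timestamp, path) write seen for this pid
        for ts, kind, detail in evs:
            if kind == "file_write":
                last_write = (ts, detail)
            elif kind == "net_connect" and last_write and ts - last_write[0] <= window:
                flagged[pid] = (last_write[1], detail)
    return flagged


if __name__ == "__main__":
    for pid, (path, dest) in find_write_then_connect(SAMPLE_EVENTS).items():
        print(f"pid {pid}: wrote {path} then connected to {dest}")
```

In production the same sequence check would run over EDR or Sysmon events (types 1, 3 and 11) with the window tuned to the environment's baseline.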

Categories: Malware & Ransomware, Threat Intelligence