In September 2025, Trend Micro researchers noted a striking decline in new command and control infrastructure activity associated with Lummastealer (which Trend Micro tracks as Water Kurita), as well as a significant reduction in the number of endpoints targeted by this notorious malware.
This sudden drop appears to align with a targeted underground exposure campaign that has put the spotlight on individuals allegedly linked to the Lummastealer operation. Allegedly driven by competitors, this campaign has unveiled personal and operational details of several supposed core members, leading to significant changes in Lummastealer’s infrastructure and communications.
Read more…
Source: Trend Micro
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Crypto exchange Bybit says it fully replenished reserves after record $1.5 billion hack
February 24, 2025
Bybit said it replenished its reserves following a $1.5 billion hack last week, the largest in the history of the crypto industry. In less than 72 hours, Bybit pieced together hundreds of thousands of ether tokens through a mix of emergency loans and large deposits. While the rapid recovery restored the exchange’s balance and kept customer ...
- Medixant Releases Security Update for RadiAnt DICOM Viewer
February 24, 2025
Medixant has released a security update to address an improper certificate validation vulnerability in RadiAnt DICOM Viewer. CVE-2025-1001 has a CvSSv4 score of 5.7 and could allow an attacker with privileged network access to impersonate RadiAnt’s update server. An attacker could modify the server’s response to deliver a malicious update to the user, performing a machine-in-the-middle ...
- South African Weather Service systems restored amid increasing cyber attacks
February 24, 2025
The SAWS Information and Communication Technology (ICT) systems went down on January 26 following a security breach by criminals. Aspects of critical services including aviation and marine were all interrupted. The SAWS email system and website, which is the hub of critical weather information, were also affected. The attack was the second in the space of ...
- Angry Likho: Old beasts in a new forest
February 21, 2025
Angry Likho (referred to as Sticky Werewolf by some vendors) is an APT group we’ve been monitoring since 2023. It bears a strong resemblance to Awaken Likho, which we’ve analyzed before, so we classified it within the Likho malicious activity cluster. However, Angry Likho’s attacks tend to be targeted, with a more compact infrastructure, a limited ...
- North Korean Hackers Were Behind Crypto’s Largest ‘Theft of All Time’
February 21, 2025
Blockchain analytics firm Arkham Intelligence said North Korea’s Lazarus Group was behind Bybit’s $1.46 billion hack. In an earlier post on social media platform X, Arkham offered a bounty of 50,000 ARKM tokens for anyone who could identify the attackers for Friday’s hack. Later, the platform said onchain sleuth ZachXBT submitted “definitive proof” that the attackers ...
- Google Docs used by infostealer ACRStealer as part of attack
February 20, 2025
An infostealer known as ACRStealer is using legitimate platforms like Google Docs and Steam as part of an attack, according to researchers. ACRStealer is often distributed via the tried and tested method of download as cracks and keygens, which are used in software piracy. The infostealer has been around since mid-2024 (as a beta test), but ...