ESET Research<p>In May 2025, <a href="https://infosec.exchange/tags/ESET" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ESET</span></a> participated in operations that largely disrupted the infrastructure of two notorious infostealers: <a href="https://infosec.exchange/tags/LummaStealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LummaStealer</span></a> and <a href="https://infosec.exchange/tags/Danabot" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Danabot</span></a>. <br>As part of the Lumma Stealer disruption effort, carried out in conjunction with Microsoft, BitSight, Lumen, Cloudflare, CleanDNS, and GMO Registry, ESET supplied technical analysis and statistical information. <br>Danabot was targeted by the <a href="https://infosec.exchange/tags/FBI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FBI</span></a> and <a href="https://infosec.exchange/tags/DCIS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DCIS</span></a>, alongside <a href="https://infosec.exchange/tags/OperationEndgame" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OperationEndgame</span></a> led by <a href="https://infosec.exchange/tags/Europol" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Europol</span></a> and <a href="https://infosec.exchange/tags/Eurojust" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Eurojust</span></a>. ESET participated together with several other companies. We provided the analysis of the malware’s backend infrastructure and identified its C&C servers. <br>Before these takedowns, both infostealers were on the rise: in H1 2025, Lumma Stealer detections grew by 21%, while Danabot’s numbers increased by more than 50%.<br> For a time, Lumma Stealer was the primary payload of HTML/FakeCaptcha trojan, used in the <a href="https://infosec.exchange/tags/ClickFix" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ClickFix</span></a> social engineering attacks that we also cover in this issue of the <a href="https://infosec.exchange/tags/ESETThreatReport" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ESETThreatReport</span></a>. In recent months, we have seen Danabot being delivered via ClickFix as well. <br>For more details on these two operations and on the ClickFix attacks, read the latest <a href="https://infosec.exchange/tags/ESETThreatReport" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ESETThreatReport</span></a>: <a href="https://welivesecurity.com/en/eset-research/eset-threat-report-h1-2025" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">welivesecurity.com/en/eset-res</span><span class="invisible">earch/eset-threat-report-h1-2025</span></a></p>