Comeback of Lumma and NoName057(16): Cybercrime bust failed

Two threats are back. According to a warning from the US authorities, Interlock ransomware is a new addition. An overview of standouts and newcomers.


(Image: Dmitry Demidovich/Shutterstock.com)


If law enforcement agencies manage to strike a major blow against cybercrime actors and infrastructures, the decline in criminal activity is rarely permanent: after a few internal reorganizations, they often continue their attacks as if (almost) nothing had happened.

This is also the case with two groups that recently became the target of international operations: security researchers have observed new activity by the notorious infostealer Lumma, and the politically motivated Russian DDoS (distributed denial-of-service) group NoName057(16) was also happily attacking German websites again after just a few days of radio silence.

At the same time, a new threat is apparently growing: US authorities have published a joint warning about a ransomware called Interlock. Although it has been active for some time, it is now said to have expanded its activities.

It was only at the end of May this year that a collective of cloud and security companies, led by Europol and Microsoft, struck a major blow against Lumma. After Microsoft had registered around 400,000 infected Windows computers between mid-March and mid-May alone, the company struck: it redirected the communication between the malicious program and the attackers' command-and-control (C2) servers to its own servers (sinkholing), thus disrupting the criminal activities. According to Microsoft, attacker domains identified in cooperation with Europol were also seized.

However, this was not enough to “smash” the Lumma Stealer, which accesses browser data, crypto wallets, VPN configurations, and documents in PDF or Word format on infected computers, among other things. Security researchers from Trend Micro have discovered through targeted monitoring of Lumma activities that information theft is now back in full swing.

Automated Lumma C2 URLs captured by Trend Micro show the decline after takedown and the subsequent resumption of activity.

(Image: Trend Micro)

An expert from Trend Micro confirmed to heise security that the infostealer observed was probably Lumma: “We are sure that this resurgence is Lumma because we have our own automated process of sourcing (through internal rules) and validation of Lumma Stealer samples and Command and Control URLs.”

A timeline of the Lumma attacks illustrates the return to Infostealer "normality".

(Image: Trend Micro)

Statistics from Trend Micro's blog entry on the Lumma resurgence show an almost complete halt in malware activity following Microsoft's sinkholing campaign published on May 21, 2025. However, the gangsters gradually returned to “business as usual” from the beginning of June and returned to their previous level of activity in the course of July.

The accompanying changes to the C2 structure were striking: while Lumma had previously relied heavily on hosting at Cloudflare, the criminals had now diversified their infrastructure to a greater extent. The new mix of alternative providers increasingly includes legitimate data centers and cloud infrastructure providers based in Russia.

The masterminds behind “NoName057(16)” were heard from again even faster than the Lumma gang – just a few days after international law enforcement agencies launched “Operation Eastwood” last week. According to the Federal Criminal Police Office (BKA), the group's botnet was shut down during this operation. In addition, three properties were searched and six international arrest warrants were issued; the manhunt is ongoing.

The investigation, which has been ongoing since November 2023 and led to the operation, was prompted by numerous waves of DDoS attacks that paralyzed German company and government websites. However, other countries, such as Switzerland, were also targeted by the attacks, which the group used to send out a pro-Russian political message.

In their propaganda channel on the messaging service Telegram, the Russians appeared unimpressed by the law enforcement measures. They described “Operation Eastwood” as worthless and called on their supporters to retaliate. According to their statement, they disabled the website of the Federal Ministry for Digital and State Modernization, various police authorities, and the website of the Federal President yesterday, Wednesday.

However, the attacks are likely to have gone largely unnoticed outside the hacktivists' Telegram echo chamber – all the websites mentioned were accessible again without any problems after a short time. Further attacks on websites of German cities and authorities have already been announced on Telegram.


The existing threats have been joined by another one that IT defenders should keep an eye on: the US authority CISA (Cybersecurity and Infrastructure Security Agency), together with the FBI and other partners, has published a security advisory on the Interlock ransomware. It has been active since September 2024 and, according to CISA, targets companies and organizations as well as critical infrastructure, in both North America and Europe.

Interlock's strategy of double extortion with encryption, but also exfiltration of sensitive data, is now standard in the ransomware scene. It is noteworthy that, according to CISA, Interlock versions exist for both Windows and Linux systems. In each case, they primarily target the encryption of installed virtual machines (VMs).

According to CISA, a popular entry point is compromised legitimate websites on which a drive-by download lurks, a rather unusual infection method for ransomware, according to the security advisory. The gang behind Interlock (like Lumma) also relies on social engineering in the form of fake captchas with user interaction (“ClickFix”). Further information and Indicators of Compromise (IoC) can be found in the security advisory.

Incidentally, CISA analysts have observed that Lumma has also been smuggled onto systems from time to time in the course of Interlock infections. An uneasy alliance that could now continue. Until the next cybercrime bust – and the (highly probable) subsequent “resurrection”.

(ovw)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.