Gen Q2/2025 Threat Report




Foreword
Welcome to our latest Gen Threat Report, this time focused on Q2/2025. April through June brought a complex mix of progress and peril across the cyber threat landscape. Some of the positive aspects included a slight decline in the overall threat risk ratio and several law enforcement operations aimed at disrupting cybercrime groups. At the same time, the threat landscape remained active, with a record volume of data breaches, disruptive ransomware incidents and a steady stream of inventive scams. Navigating these signals requires careful interpretation, so let's explore the most significant developments together.
One of the busiest areas this quarter was the continued targeting of personal data. Breach events increased by nearly 21% quarter-over-quarter, and the number of exposed email addresses rose by over 15%. Also, credit alerts remained the most common identity-related notification in our systems. We also continued to see fallout from the X (Twitter) leak, which went public in early April, with compromised records resurfacing in various contexts. Q2 also brought headlines about the takedown of Lumma Stealer, one of the most notorious infostealers in recent years. While parts of its infrastructure were disrupted, the story didn’t end there. Based on our telemetry, Lumma remains alive and kicking, despite the efforts to dismantle this group. Distribution channels continued to operate, and data exfiltration persisted throughout the quarter. As we’ve seen before, bringing down one part of an ecosystem doesn’t always stop the threat entirely. You can read more about Lumma and the aftermath of the takedown in the featured story below. Still, the effort reflects growing coordination between law enforcement and the security community. Other notable actions this quarter included the indictment of Qakbot’s leader, charges against DanaBot operators and Europol’s Operation Endgame targeting ransomware infrastructure.
On the financial-threats front, our research of an illegal pharmacy network revealed over 5,000 scam domains connected to a single cybercriminal group. The operation spans continents, hijacks legitimate websites and uses everything from fake blogs to chatbot-generated recommendations to lure victims. The goal is clear: harvest financial and personal data under the guise of discounted medicine. The full story is covered in our featured section on what we’ve dubbed “PharmaFraud”, which offers a closer look at how scalable and targeted this kind of fraud has become.
Not all financial stories this quarter ended in loss. After tracking the FunkSec ransomware for several months, our team discovered a flaw in its encryption logic. This was another case of malware partially created using generative AI, and the first such instance we know of among ransomware operators. According to the group itself, AI was used to assist with tooling, phishing templates and code snippets. Fortunately, it was still possible to identify a cryptographic weakness. Working quietly with law enforcement, we helped victims recover their data and later released a free decryption tool from the Avast brand. FunkSec has since gone quiet. While rare, this case shows that even AI-assisted threats can contain exploitable flaws when examined closely. You’ll find the full breakdown in the FunkSec featured story.
Scams, as usual, remained among the most persistent threats, especially on mobile. Technical Support Scams (TSS) rose by nearly 65% globally, spreading increasingly through social media platforms. On Facebook, they accounted for 14% of the threats we blocked. Geographically, activity expanded beyond the usual hotspot of Japan, doubling in countries like Germany, Austria and France. Sextortion scams also surged, showing over a 100% increase in risk ratio, while financial scams affected users across major economies and platforms. Some impersonated legal services; others relied on urgency and fear. The tactics remained familiar, but the delivery kept evolving. Even malvertising found new ways to stay relevant. While overall volumes dipped slightly, malicious push notifications jumped by over 300%. These deceptive browser alerts, once accepted, gave attackers a way to keep targeting users long after the initial visit, often with scam content or fake system warnings designed to trigger panic clicks.
In terms of malware threats, remote access threats saw a notable rise. The Wincir Remote Access Trojan (RAT) continued its resurgence, often delivered through so-called “Scam-Yourself” attacks, where users are tricked into launching the malware themselves. We also looked at how threat patterns differ between individuals and small businesses. On desktops, scams and malvertising led across both groups, though small businesses showed slightly lower risk exposure. The methods were familiar; the targets interchangeable. Finally, DealPly adware returned from near-obscurity in late Q2. Reactivated domains and Chrome extension infrastructure led to a fourfold increase in exposure between April and June. It was a timely reminder that even long-dormant threats can quickly regain traction.
Overall, Q2/2025 reflected the complexity of today’s threat landscape. Some threats faded, others adapted, and a few returned in force. Scam and malvertising campaigns continued to lead in volume. Ransomware saw both setbacks and reversals, with at least one case offering real hope for victims. Personal data remained a high-value target. And enforcement efforts, while encouraging, didn’t always stop threats from resurfacing.
Thank you for reading. We hope the report brings clarity to a quarter shaped by complexity and contradiction.
Jakub Křoustek, Threat Research Director
Threat landscape highlights: Q2/2025
Although the most common types of threats tend to remain consistent over time, the threat landscape is in constant flux as malicious actors adapt their tactics to pursue harmful objectives. These changes are influenced by our evolving digital behavior – ranging from changing social media use and online shopping trends to increased remote learning and high-profile data breaches that impact our digital security. With a global risk ratio of 24%, almost one in four users encountered some kind of threat each month.
In this section, we explore emerging threats, evolving techniques and notable shifts in global threat patterns that challenge what has traditionally been expected.

Remote access exploited by threat actors
Malicious remote access threats showed a significant increase during the first half of Q2/2025. The risk ratio of such threats increased by 62.13% quarter-over-quarter and affected many countries, including France, South Korea, and Brazil.
The largest share of malicious remote access activity continues to come from Remote Access Trojans (RATs), led by Wincir, a threat that resurged in Q1/2025. We observed a significant wave of Wincir infections, with the highest risk ratios occurring in African countries and Asia. Wincir is frequently delivered via Scam-Yourself Attacks, and we have seen threat actors abuse the MEGA Cloud storage service to host the final payload.
Mirai, the notorious IoT botnet which spreads by attacking vulnerable devices, also ramped up its activity this quarter, prominently targeting China, with notable increases in Hungary, Czechia and Spain.

However, remote access can also be exploited to distribute malicious files or to download payloads from file-sharing platforms and cloud services. We’ve spotted threat actors leveraging Microsoft OneDrive more frequently as a key component of their attack chains, exploiting its synchronization processes to deliver malicious files.
Scams: Consistent tactics, new channels
Scams are the most prevalent threat on mobile and the second most prevalent malware type overall. Even though the tactics used by scammers are repeated over and over – such as creating a sense of urgency, playing on emotions and vulnerabilities and making potential victims doubt themselves – the specific ways in which scammers achieve their goals evolve over time. Technical Support Scams (TSS) increased their risk in Q2/2025 by 64.69%, marked by systematically higher activity throughout the entire quarter. From a geographical perspective, the distribution of risk has shifted. For the first time in several quarters, Japan was overtaken by other countries in terms of risk ratio. Notably:
- Austria experienced a quarter-on-quarter increase of 83%.
- Germany saw a dramatic spike of 178%.
- France, while not in the top three, still showed a significant increase of 119%, making it a country to watch closely.
A particularly noteworthy development this quarter was the emergence of Facebook as an infection vector, with 14% of all blocked threats on Facebook being Technical Support Scams. While the misuse of Facebook through paid advertisements, fake posts and fraudulent user accounts has long been associated with other scam types such as investment fraud and marketplace scams, its use in Technical Support Scams represents a new trend.
The landing page to which users are redirected usually imitates the Facebook Messenger interface.

These pages are typically crafted to prompt user interaction, after which the attackers lock the victim’s browser, creating a sense of urgency and panic. This tactic is consistent with traditional Technical Support Scam behavior but now appears to be expanding into social media environments to increase reach and effectiveness.

As is typical for Technical Support Scam scenarios, the victim, now looking for a solution, is then presented with a phone number for a fake help line.
Sextortion Scams are a serious concern, as they manipulate victims by exploiting fear, shame and blackmail. These threats usually spread via email and often come in waves. This quarter, Sextortion Scams showed a 101% increase in risk ratio, mainly due to two significant waves in April and June, with notably higher peaks. The tactics remained the same: simple emails threatening to expose content gained by alleged hacking of the victim’s device (usually a video or photos of the victim in sensitive situations, which can be artificially created or don’t exist at all). The repeated waves show the attackers’ persistent motivation, combined with a non-zero success rate and the ease of carrying out such attacks.


Financial Scams showed a significant 340% increase in risk ratio during Q2/2025. This affected major countries including the United States, France, the UK and Germany. The increased activity of Financial Scams affected both desktop and mobile devices, the latter driven by ads on Meta platforms, especially Instagram, which are primarily viewed on mobile devices. Ads were, however, shared across all social media platforms.

When it comes to Financial Scams, we have identified three ways in which data is typically obtained from users. First, an advertisement redirects to a landing page, which often supports the narrative presented in the advertisement. Second, an advertisement draws attention to the risks of scams while at the same time offering help. Third, attackers use a Facebook form or a Messenger bot, both serving as a way for the scammers to contact their victims and lure them into their fraudulent schemes.


Alongside financial scams, Invoice Scams also became very active in the second half of Q2/2025, similarly to the previous quarter. These use fake invoices that impersonate legitimate companies to extract payments.

Malvertising heavily uses malicious push notifications
Even though malvertising as a potential infection chain was on a slight decline in Q2/2025, this was not the case for malicious Push Notifications employed by malvertising. While their activity was relatively stable in Q1/2025, it grew significantly in Q2/2025 with a 317% increase in risk ratio, spiking primarily at the beginning and end of the quarter.

Push Notifications can take various forms, including pages designed to mimic well-known video players. These prompts often feature multiple animations to entice users to click on them. In the case of the top-hitting sample below, the design mimics a CAPTCHA.

The outcome is immediate: users are bombarded with numerous push notifications delivering varied content. These often include affiliate promotions for legitimate antivirus brands with warnings about malware, advertisements for dating sites or imitations of system messages.
Victims are driven by an urgent need to click something that has popped up on their device without warning, which results in malicious payloads being downloaded or sensitive information being shared.

Identity and personal data protection trends
Last quarter, we reported on the severity of data breaches as we entered 2025. This quarter was no different. Data breach events rose by nearly 21% in Q2/2025. Even though the overall number of breached records exposed in this way decreased, the number of breached emails increased by 16%.
Among the notable breaches discussed this quarter was an X (formerly Twitter) data leak that likely occurred in Q1/2025 but became public in April 2025. The breach exposed over 200M records of X accounts alongside their correlated emails. This breached information was combined with previously leaked data from 2023. The second notable breach was an exposure of various personal records including employment, WeChat accounts, bank accounts and other personal data in China. Additionally, reports emerged about a massive database containing 16 billion passwords being hacked; however, further analysis revealed that these credentials were largely aggregated from past breaches, many being outdated or duplicates.
When it comes to identity protection, Gen saw Financial and Transaction Alerts increase by 22.84% and 7.45% quarter-over-quarter, respectively. However, compared to all identity-related alerts, Credit Alerts were still the most prevalent category, led by monthly credit score updates, instant credit inquiries and new account creations.
Credit Alerts originate from multiple credit bureaus tracking changes in people’s credit profiles, such as new accounts and credit inquiries. Their primary goal is to notify an individual of potential fraud attempts, personal information changes or suspicious activity in real time. As this category represents a majority of identity alerts sent, we’ll analyze it in more detail.

The largest portion of these alerts comes from Monthly Credit Score updates (65%), which provide routine insights into credit health, helping people track changes and detect unusual drops that may signal identity theft or unauthorized activity. Instant Credit Inquiry alerts (7%) notify individuals when a lender checks their credit, often a first sign of fraudulent applications. Similarly, New Account alerts (7%) flag the creation of new credit lines, which may indicate identity misuse if unrecognized. Credit Balance Change alerts (6%) and Credit Limit Change alerts (5%) help people monitor unexpected changes in credit utilization or available credit, both of which can affect credit scores and signal suspicious behavior.
While not all Credit Alerts indicate fraud, these alerts are an important part of protecting yourself and your financial position.
Threats impacting small businesses
While small businesses face distinct cybersecurity challenges, we see a great deal of overlap between what impacts small businesses and the issues individuals face. For both types of victims, social engineering remains king, but while malvertising remains the dominant threat for individuals in Q2/2025, scams top the list for small businesses. Small business threats also skew more toward targeted data-stealing malware such as infostealers and malicious droppers, followed by exploits and malicious remote access threats. This reflects attackers’ preference for traditional malware methods when targeting business entities.

While the risk ratio for scams on desktop is 10.96% when looking at a combination of both individual and small business users, for small businesses the risk was 5.68% in Q2/2025. The lower risk ratio of scams for businesses can be influenced by many factors, from businesses having their own security measures to people being more careful when it comes to their digital lives at work.
The return of DealPly: Adware’s unexpected revival
Adware saw a decline during the first months of 2025, with strains that saw massive gains at the end of 2024 – such as BrowserKnocker, Popunder and DealPly – seeing sharp drops and BrowserKnocker and DealPly nearly disappearing from our telemetry. We attributed this to the shutting down of host domains, takedowns of hosted browser add-ons and decreased activity of the operators behind these adware threats.

But not one to be kept down, DealPly completely revived its presence in late May, with a more than fourfold increase in protected users. By all accounts, DealPly resurrected several previously used domains that helped propagate its browser add-on activity. Various Google Chrome extensions that were used in the past to harvest statistical and search data appear to be back online. Users worldwide were subjected to an increased barrage of adverts and obstructive redirects due to this resurgence.

On a country-by-country basis, we observe massive spikes in Brazil, where DealPly multiplied its presence in terms of risk ratio by a factor of more than 25 in the space of a few days. The US and France saw a similar trend, with fivefold and threefold increases respectively in a short span of time. India saw more than a 15-fold rise in risk within a few days as well. In all the above-mentioned countries, DealPly kept this significantly increased impact through the end of the quarter. We estimate that this will continue into the next quarter as well, demonstrating that even though threats may seem extinct one day, they can completely revive the next – and both security companies and people need to be ready for such changes.
Patrik Holop, Principal Data Scientist
Luis Corrons, Security Evangelist
Branislav Kramár, Sr Threat Analysis Engineer
Jakub Vávra, Sr Threat Analysis Engineer
Ondřej Mokoš, Sr Principal Threat Analysis Engineer
Alexej Savčin, Threat Analysis Engineering Manager
Featured stories: Q2/2025 – Inside today’s cybercrime empires
Cybercriminal groups today are smarter, faster and increasingly innovative. Their infrastructures rapidly evolve, their tactics grow more deceptive, and their operations span continents. In this section, we expose three distinct threats: MediPhantom's fake pharmaceutical empire, FunkSec's short-lived but destructive ransomware campaign and the relentless data-stealing business model of Lumma Stealer. Explore how these cyber actors operate, adapt and sometimes thrive and learn about the insights and actions essential to disrupting their dangerous endeavors.
PharmaFraud: Exposing the hidden empire of illegal online pharmacies
It's late, and you're urgently searching online for medication, perhaps a crucial antibiotic, an expensive weight-loss treatment or even something you’d rather not discuss openly. Among the search results, a polished website catches your eye: professional graphics, reassuring badges and low prices.
It’s exactly what you need, exactly when you need it. It seems perfect, almost too good to be true.
Because it is.
Over 95% of online pharmacies operate illegally, selling counterfeit, unapproved or prescription drugs without proper authorization. And, when factoring in the online pharmacies that only advertise medications to take payment but never actually deliver, the number of fraudulent pharmacies online is likely even higher. These fake online pharmacies are what Gen refers to as PharmaFraud.
Behind PharmaFraud’s slick websites lurks a sophisticated, coordinated cybercrime infrastructure, meticulously designed to defraud unsuspecting victims and put their health and safety at serious risk. An extensive investigation by Gen has uncovered the dark machinery powering thousands of fraudulent online pharmacies.
A single shadowy empire
Our analysis connected thousands of seemingly independent pharmacy websites to a single, highly organized cybercriminal group we have named MediPhantom. This cyber gang orchestrates a vast, scalable infrastructure with remarkable precision. MediPhantom leverages advanced techniques such as hijacking legitimate medical websites, manipulating Google search rankings and exploiting public hosting platforms. Their strategy is disturbingly effective: victims are funneled seamlessly through spam emails, advertisements on adult websites, fake health blogs, misleading review platforms and even AI-powered chatbot recommendations.
Exploiting human vulnerability
The cybercriminals target medications whose demand is driven by desperation or stigma: erectile dysfunction treatments, essential antibiotics like Amoxicillin, trendy and costly weight-loss drugs and even antivirals falsely marketed during flu seasons and global health crises.
Victims seeking these medications online unknowingly risk purchasing counterfeit or contaminated products, potentially leading to severe health consequences. Beyond the physical risks, they expose themselves to financial fraud and identity theft, as cybercriminals harvest personal data through malicious payment gateways fully under their control.
How the scam works
We unraveled the cybercriminals' elaborate techniques, starting with a carefully executed reconnaissance phase. Criminals monitor public forums and social media to identify high-demand medications. They then weaponize this information, crafting fake pharmacy websites and registering deceptive domains.
Victims are reached via two primary methods:
- Active methods: Spam campaigns are commonly used, where attackers send promotional emails that closely resemble legitimate pharmacy flyers, enticing victims to click on links that lead directly to fraudulent sites. Another tactic involves deceptive banner advertisements strategically placed on websites hosting adult or explicit content, occasionally appearing even on mainstream platforms like Facebook and YouTube.
  Additionally, criminals utilize fake health blogs featuring AI-generated wellness articles. These blogs are multilingual and specifically optimized for search engine visibility, embedding deceptive banners within articles to redirect visitors subtly yet effectively to scam pharmacy websites. Furthermore, fraudulent review sites, such as PharmReviews[.]net, rank fake pharmacies highly and misleadingly, creating an illusion of trustworthiness through manipulated ratings and fabricated positive customer feedback.
- Passive methods: Criminals manipulate legitimate website rankings and inject malicious content into trusted sites, redirecting unsuspecting users directly into their scams.
While active methods often involve legally questionable tactics like spam and fake reviews, passive methods typically require unauthorized access to compromised web servers, making them more technically sophisticated and harder to detect.
Once the victim lands on a fraudulent pharmacy website, they proceed through a seemingly typical shopping workflow, ultimately leading to exploitation – usually stolen funds or credentials.
The purchasing process mimics legitimate e-commerce platforms: the user adds items to a cart and proceeds to checkout. However, the payment gateway is typically hosted in a separate domain that the attackers fully control, so there is no secure or legitimate payment processor.
To complete the purchase, the victim is prompted to enter private contact details and payment information, usually a credit card or a cryptocurrency wallet (the latter offered with a 10% discount). Since the payment gateway is under the attacker’s control, all submitted data is transmitted directly to the threat actor.
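The off-site payment gateway described above is something a defender can check for mechanically. The following is an added example (not code from the report or from Gen): it parses a checkout page, finds forms that collect card data and flags those whose action posts to a different registrable domain than the storefront. The card field names, the allowlist parameter and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Input names that suggest a form collects card data (illustrative list, not exhaustive).
CARD_FIELDS = {"cardnumber", "card_number", "ccnum", "cc-number", "cvv", "cvc", "expiry", "exp_date"}


class FormCollector(HTMLParser):
    """Record every <form> with its action URL and the names of its <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            name = (a.get("name") or a.get("id") or "").lower()
            if name:
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def registrable_domain(host):
    """Crude last-two-labels approximation; production code should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def flag_offsite_card_forms(page_url, html, trusted_psps=frozenset()):
    """Return card-collecting forms whose action lands on a different registrable domain.

    `trusted_psps` is an optional (hypothetical) allowlist of hosted-checkout domains the
    operator trusts, since legitimate shops may hand off to a real payment processor;
    any other off-site card form is flagged for review.
    """
    collector = FormCollector()
    collector.feed(html)
    page_domain = registrable_domain(urlparse(page_url).hostname or "")
    findings = []
    for form in collector.forms:
        if not any(f in CARD_FIELDS for f in form["fields"]):
            continue  # no card data collected, nothing to flag
        target = urljoin(page_url, form["action"])  # resolve relative actions
        target_domain = registrable_domain(urlparse(target).hostname or "")
        if target_domain != page_domain and target_domain not in trusted_psps:
            findings.append({"action": target, "fields": form["fields"]})
    return findings


# Constructed sample checkout page: storefront on one domain, card form posting elsewhere.
SAMPLE_PAGE_URL = "https://example-pharmacy.invalid/checkout"
SAMPLE_HTML = """
<html><body>
<form action="/cart/update" method="post">
  <input name="qty" value="1">
</form>
<form action="https://pay-gateway-example.invalid/process" method="post">
  <input name="cardnumber">
  <input name="expiry">
  <input name="cvv">
  <input name="email">
</form>
</body></html>
"""

if __name__ == "__main__":
    for hit in flag_offsite_card_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("off-site card form ->", hit["action"], hit["fields"])
```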

The invisible infrastructure
Beneath these fraudulent storefronts lies a robust infrastructure, meticulously documented through our investigation:
- Over 5,000 domains were identified, continually rotating to evade detection.
- Around 60 unique domains host fraudulent payment gateways, most of which reuse a common template, while a few use dynamic gateways that select from over 20 templates based on context.
- Real human operators manage sophisticated live-chat systems to build trust.
- Centralized phone systems operate like call centers to handle victim inquiries.
During our research, we simulated the ordering process using test payment cards. Orders were typically confirmed, but when transactions failed, the sites used clever social engineering to push victims toward completing payment. In some cases, users were told, "If our system can't accept your card, you will receive the payment details to complete the payment. In this case, there will be no call confirmation, but make sure that all the information is correct." Other variations included prompts like, "Please make sure your card allows online transactions," or "If your order is not approved within 24 hours, your credit card might be blocked for internet transactions. Please get in touch with your bank and ask to remove the block." These messages are designed to blur the line between technical error and urgency, nudging victims to bypass their security instincts, and complete the transaction at any cost.
Despite diverse branding, the infrastructure consistently traces back to MediPhantom, the single, highly organized threat actor orchestrating a vast network of fake pharmacy websites. Frequent changes observed over short timeframes (often within weeks) suggest high operational activity, likely aimed at evading detection or reflecting ongoing infrastructure restructuring.
Our telemetry data reveals alarming global reach and scale. Fake pharmacy operations spike during peak periods, notably around holidays like Christmas, leveraging increased online activity. The cybercriminals operate multilingual platforms targeting regions such as Southeastern Europe (Greece, Croatia, Hungary), Central Europe (Germany, Switzerland, Austria), Western Europe (France, Spain) and extend their reach to the USA, Canada, Japan and Australia.
Beyond the scam: Real-world risks of fake medications
The damage caused by PharmaFraud does not end with stolen money or compromised identities. It reaches deep into the lives and bodies of those who take the pills. Counterfeit medications sold by these fraudulent websites often bypass every safeguard built into legitimate pharmaceutical supply chains.
Unlike regulated drugs, which undergo strict quality control and precise dosing, fake pills may contain no active ingredients at all or dangerously high amounts. Some are laced with toxic additives, including heavy metals or unknown chemicals. In the most tragic of cases, some medications can be laced with life-threatening substances. In one U.S. enforcement case in late 2024, a network of fake online pharmacies sold millions of fentanyl-laced painkillers, killing at least nine confirmed victims. The DEA’s 2023 data showed a record 80 million fake pills seized nationwide, evidence of how deeply the problem has penetrated.

Health risks include everything from allergic reactions to treatment failure. In lab testing, over a third of pills from rogue pharmacies had no active ingredient. Patients depending on these drugs may see their conditions worsen, believing they are being treated when they are not. In the worst cases, a single counterfeit tablet can be fatal.
The global nature of this threat is equally alarming. In Europe, despite strong regulations and the EU’s pharmacy logo system, fake sites have surged, especially during drug shortages or health crises. During the COVID-19 pandemic, fake pharmacies in France pushed counterfeit chloroquine as a miracle cure. In Germany and Japan, fake or unauthorized sellers targeted consumers searching for restricted medications or lifestyle treatments like erectile dysfunction drugs and diet pills. Japan’s strict laws prohibit online prescription drug sales, yet customs officials there have intercepted hundreds of thousands of counterfeit shipments and shut down over 2,300 websites.
Even packaging can mislead. Criminals mimic logos, pill shapes and labels. But there are clues: no lot numbers, poor-quality printing, suspicious expiry dates or pills that look slightly off. Still, to the average consumer, a fake pill often looks indistinguishable from the real thing until it fails or causes harm.
And the demand is high. In the U.S., high drug prices have pushed people to seek alternatives. Surveys show that 1 in 9 adults, and 1 in 6 among those over 55, have purchased medication online. That is a massive target audience. And cybercriminals like MediPhantom know it.
Taking action and fighting back
At Gen, we are proactively working to disrupt these PharmaFraud activities. Our dedicated cybersecurity team continuously monitors, identifies and blocks fraudulent domains and payment gateways. By leveraging advanced network analysis, we rapidly detect new malicious sites and quickly neutralize threats, significantly limiting their ability to exploit consumers.
But the fight does not end there. We collaborate closely with international law enforcement agencies, sharing intelligence and supporting coordinated global takedown efforts. Together, through constant vigilance, sophisticated technological solutions and strengthened international cooperation, we are committed to dismantling this dangerous empire piece by piece, protecting consumers worldwide from online pharmaceutical fraud. Our goal is clear: to educate people about PharmaFraud and make MediPhantom’s infrastructure visible, vulnerable, and ultimately, dismantled.
Beating FunkSec: When ransomware meets AI
It started like any other ransomware story: encryption, extortion and chaos. But this time, the ending was different, and it’s not because the criminals suddenly grew a conscience.
FunkSec ransomware emerged in late 2024, but its full operation unfolded in phases. The gang’s leak site listed its first victim as early as December 4 and suggested that their initial tactic was data exfiltration and extortion without encryption. The ransomware component came later. Based on available evidence, the ransomware development likely began in mid-December, with the first known sample dated December 31, 2024, just in time to ruin someone’s New Year’s Eve. And by January 1, a company working in the child protection sector had already been listed as a victim.
FunkSec was written in Rust, a modern programming language gaining traction in both cybersecurity tools and advanced malware due to its speed and memory safety. Leveraging the orion-rs cryptographic library, FunkSec encrypted victims' files using ChaCha20 and dropped a ransom note named README-{random}.md in every folder, appending the extension “.funksec” to all encrypted data. It was designed to kill dozens of services and processes to maximize disruption, including browsers, media players, email clients and even Task Manager.

Interestingly, some samples attempted to load a desktop wallpaper image from imgur[.]com as part of the data-encryption process. While not critical to its function, it shows how threat actors are experimenting with small touches of psychological manipulation or branding, even in destructive tools.
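The file-level footprint described above (the “.funksec” extension on encrypted files and a README-{random}.md note dropped in every folder) is what an incident responder looks for first. The following is an added example (not code from the report or from Gen) that walks a directory tree, counts both indicators per folder and treats a folder holding both as the strong signal, since a lone README-*.md can be a legitimate project file. The sample tree it builds is constructed for illustration.

```python
import os
import re
import tempfile

# Indicators taken from the report: encrypted files carry the ".funksec" extension and a
# note named README-{random}.md is dropped in every folder (the random part is assumed
# to be alphanumeric here).
FUNKSEC_EXT = ".funksec"
NOTE_RE = re.compile(r"^README-[A-Za-z0-9]+\.md$")


def scan_tree(root):
    """Walk `root` and return, per folder, the encrypted files and ransom notes found."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        encrypted = [f for f in files if f.endswith(FUNKSEC_EXT)]
        notes = [f for f in files if NOTE_RE.match(f)]
        if encrypted or notes:
            report[os.path.relpath(dirpath, root)] = {
                "encrypted": sorted(encrypted),
                "notes": sorted(notes),
            }
    return report


def summarize(report):
    """Aggregate the per-folder findings into a triage verdict."""
    total_encrypted = sum(len(v["encrypted"]) for v in report.values())
    total_notes = sum(len(v["notes"]) for v in report.values())
    # A note sitting next to .funksec files is the strong signal; a README-*.md on its own
    # (for example in a source checkout) is not enough to call it ransomware.
    folders_with_both = sorted(d for d, v in report.items() if v["encrypted"] and v["notes"])
    return {
        "encrypted_files": total_encrypted,
        "ransom_notes": total_notes,
        "folders_with_both": folders_with_both,
        "likely_funksec": bool(folders_with_both),
    }


def build_sample_tree():
    """Construct a throwaway directory imitating a partially encrypted share (sample data)."""
    root = tempfile.mkdtemp(prefix="funksec-demo-")
    layout = {
        "docs": ["budget.xlsx.funksec", "README-x7Kq2.md"],
        "docs/archive": ["old.pdf.funksec", "README-p9Lm4.md"],
        "src": ["README-notes.md", "main.rs"],  # legitimate README, nothing encrypted
        "photos": ["img1.jpg"],                  # untouched folder
    }
    for rel, names in layout.items():
        folder = os.path.join(root, rel)
        os.makedirs(folder, exist_ok=True)
        for name in names:
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(b"x")
    return root


if __name__ == "__main__":
    verdict = summarize(scan_tree(build_sample_tree()))
    print(verdict)
```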

While FunkSec wasn’t the most technically advanced ransomware, the damage was real. In just a few months, the gang targeted over 100 organizations worldwide, including companies in the U.S., Italy, Spain and Brazil, among others. The ransom demand was modest: 0.1 Bitcoin per victim. But with 113 companies listed on their leak site, the potential haul amounted to more than $1.1 million at today’s rates. Not bad for a short-lived, bug-prone operation.
And behind the scenes, something more alarming was taking shape: AI.
The FunkSec operators admitted to using AI to assist in parts of their operations, including tooling, phishing templates, and code snippets. While they estimated that AI accounted for only about 20% of their workflow, it was enough to raise concerns. This may be one of the first publicly known cases of ransomware development partially assisted by generative AI.
Quiet victories and free help
But here’s where the story takes a turn.
A team of researchers at Gen quietly discovered a cryptographic flaw in FunkSec’s encryption logic. We won’t reveal the details, even now, to avoid giving future threat actors a blueprint for improvement. But the vulnerability was significant enough to allow us to do what we are committed to doing whenever possible: help victims recover their data without paying the ransom.
Over the next few months, Gen collaborated discreetly with global law enforcement agencies, including ransomware investigators across the U.S. and Europe, providing support to help impacted victims regain access to their files through a free decryptor tool. The decryptor remained private throughout this phase to prevent detection or sabotage by the attackers.
Now that FunkSec has gone quiet (the last known victim was attacked on March 15), the decryptor is being made publicly available, including through the NoMoreRansom initiative. We’ve made our ransomware decryptor available for direct download here.
Lessons from FunkSec
- AI is entering the ransomware workflow. Even in limited form, generative AI is speeding up the development of cybercrime tools.
- One crypto mistake can change everything. A flaw in the math helped dozens of victims avoid extortion and recover their data.
- Law enforcement collaboration works. Coordinated, quiet support can stop ransomware without tipping off the enemy.
- Ransomware doesn’t need to be perfect to be dangerous. Even experimental, buggy strains can hit real people and cause real harm.
The Avast FunkSec Ransomware Decryptor is just the most recent in a list of over 40 free ransomware decryptors released under the AVG and Avast brands over the past decade. Ransomware isn’t going away. But stories like this remind us: when researchers and law enforcement join forces, it’s the criminals who end up losing control.
Lumma disrupted. But is the beast dead?
Imagine taking down one of the world's largest infostealer infrastructures: servers shut, command centers offline and criminals scrambling. Europol, in collaboration with Microsoft, achieved precisely that in a spectacular operation targeting Lumma Stealer, the malware-as-a-service titan notorious for harvesting sensitive data worldwide.
But here’s the question: Has the giant truly fallen or merely stumbled?
A long-standing threat
Lumma Stealer has been a recurring subject in our threat reports over the years, known for its adaptability and widespread use in various campaigns. Its operators have employed sophisticated social engineering tactics, such as Fake CAPTCHA pages, to trick users into executing malicious scripts and giving the infostealer access to their devices. These deceptive methods have been documented in multiple analyses, highlighting the malware's evolution and the ingenuity of its distribution strategies.
Gen Threat Labs has extensively researched how attackers use Fake CAPTCHAs to distribute malware, specifically mentioning Lumma Stealer as a commonly deployed threat in these attacks. Additionally, Lumma Stealer has been observed exploiting platforms like YouTube to spread via cracked software propagated through Fake Tutorials.
The success of all the techniques in Lumma Stealer’s toolbox resulted in a 1154% increase in activity during Q3/2024, indicating its aggressive proliferation and the effectiveness of its distribution tactics.
Distribution uninterrupted: Lumma’s silent persistence
Gen telemetry from May, captured in the aftermath of Lumma Stealer’s takedown by Europol, reveals a troubling but not unexpected resilience. Instead of plunging dramatically, Lumma infection attempts continued steadily. Distribution channels, untouched by the operation, remain open and active, meaning Lumma is still knocking at users' doors. So how is it that Lumma was able to remain undisturbed after a successful governmental takedown?

The answer boils down to how Lumma operates. The Europol and Microsoft intervention primarily targeted the Command-and-Control (C2) servers and administration panels, effectively cutting off the stealer’s ability to relay stolen data. But the malware itself, persistently distributed through phishing emails, fake software updates and other deceptive tactics, still infects new victims' devices daily.
In short, while the operation severed Lumma’s command structure, it failed to halt the distribution pipelines. Our internal data, highlighting a stable infection rate throughout May and the rest of Q2/2025, confirms this grim reality: Lumma’s reach remains alarmingly consistent.
Infrastructure resurrection: Lumma's swift recovery
Even though Lumma Stealer continued to be widely distributed after the takedown, the critical question was whether attackers had managed to re-establish their exfiltration infrastructure or if they were simply relying on short-term capabilities of its distribution network. Did the disruption impact its exfiltration capabilities in the long run? Could the attackers recover, restore and deploy new infrastructure to receive logs?
We’ve been closely monitoring Lumma’s use of dead drop resolvers, a technique that enables infected machines to dynamically retrieve updated command-and-control (C2) addresses. This mechanism allows threat actors to rotate infrastructure frequently without needing to redeploy the malware itself. In recent weeks, we’ve resolved multiple fresh C2 domains, clearly indicating an active and ongoing effort to maintain exfiltration capabilities.

In parallel, we uncovered a misconfigured administration panel tied to one of Lumma’s ongoing operations. It revealed thousands of logs, over 500 of them linked to cryptocurrency wallets, which amounts to a 3.5% “success rate” (the ratio of wallet-linked logs to total logs). Victims span over 100 countries, with Indonesia, the Philippines and Egypt topping the chart. We’ve observed the number of logs continuously increasing, clearly indicating that exfiltration is not just possible; it’s actively happening.

Together, these findings confirm that Lumma’s infrastructure wasn’t dismantled. It’s been resilient all along and barely missed a beat.
The reputational impact
Despite the unsettling evidence of Lumma’s operational recovery, the takedown achieved a critical and perhaps more lasting impact: reputational damage.
Lumma’s trustworthiness and reliability, central to its infamous Malware-as-a-Service (MaaS) operations, have been dealt a massive blow. Potential affiliate partners are now hesitant, wary of law enforcement scrutiny and the possibility of compromised infrastructure.
History teaches us that in the dark corners of cybercrime, reputation often matters as much as (if not more than) technological prowess. After all, cybercriminals thrive on trust among thieves. Once broken, regaining credibility can be even harder than rebuilding infrastructure.
The partial disruption of Lumma Stealer is not an isolated victory. Recent months have witnessed several notable successes thanks to extensive international collaboration among law enforcement agencies and private sector entities. In the U.S., authorities indicted the leader behind the Qakbot botnet, notorious for facilitating major ransomware attacks. Separately, the DanaBot malware, responsible for infecting countless computers, saw its operators federally charged. Meanwhile, Europol’s Operation Endgame broke critical links in the ransomware kill chain by dismantling vital criminal networks at their very source.
What these coordinated takedowns make evident is that cross-border cooperation, information sharing and joint operations between law enforcement and cybersecurity companies are increasingly effective. While no single action fully eradicates cyber threats, each disruption chips away at criminal capabilities, degrades operational trust, and collectively raises the cost for cybercriminals globally.
What happens next?
As our investigation continues, we remain vigilant, closely monitoring Lumma’s evolving activity. For now, the beast appears wounded, not defeated. Its distribution network remains operational and infrastructure reconstruction efforts are ongoing, but the trust Lumma once commanded has been significantly damaged.
Stay tuned as we keep our finger on the pulse of this evolving story, uncovering whether Lumma Stealer can rise again or if this is the beginning of its ultimate downfall.
Jan Rubín, Threat Research Team Lead
Ladislav Zezula, Malware Researcher
Ľuboš Bever, Malware Researcher
Luis Corrons, Security Evangelist
Martin Chlumecký, Malware Researcher
In closing
The digital underground is a constantly shifting landscape, marked by rapid adaptation and ruthless innovation. As threat actors become more sophisticated, understanding their operational nuances becomes critical. By analyzing cases like the Lumma Stealer infostealer, the FunkSec ransomware and the MediPhantom fake pharmacy gang, we equip ourselves not only to defend against present threats but to anticipate and disrupt emerging ones. Our collective vigilance and adaptability remain our strongest assets in confronting the evolving world of cybercrime.

Download the Q2/2025 Threat Report Key Highlights.
Visit our Glossary and Taxonomy for clear definitions and insights into how we classify today’s cyberthreats.
