Malware remains one of the most persistent threats to organisations across all sectors. It’s also one of the most rapidly evolving, with attackers constantly refining their tactics to evade detection. Crude viruses and obvious payloads have morphed into sophisticated, multi-stage attacks designed to deceive users and exfiltrate data without a trace.
Two major threats have significantly reshaped the cybersecurity landscape in the first half of 2025: ClickFix, a deceptive social‑engineering attack vector, and Lumma Stealer, the most prevalent infostealer currently in operation. As these threats grow, they highlight a critical need for businesses to rethink their defences.
ClickFix: Turning fake errors into infection vectors
ESET’s Threat Report for H1 2025 highlights a 517% surge in ClickFix or ‘fake‑captcha’ style attacks, making it the second most common attack vector behind phishing. According to ESET, ClickFix accounted for nearly 8% of all blocked threats across Windows, Linux, and macOS environments.
These attacks rely on social engineering. Users are shown fraudulent error messages or spoofed CAPTCHA pages and are instructed to copy and paste commands (like PowerShell scripts) into their Run dialog. Once executed, these scripts launch malware downloads directly into memory, bypassing standard disk‑based detection. ESET reports that ClickFix is delivering payloads across the board, from remote‑access trojans and cryptominers to ransomware and infostealers, making it a highly versatile and dangerous vector.
Lumma Stealer: Infostealer at scale
Also known as LummaC2, Lumma Stealer has become the dominant infostealer in use. It currently accounts for over 25% of recorded infostealer attacks globally, according to Lumu’s Compromise Report for H1 2025. Lumma’s capabilities are extensive: it steals credentials, browser artifacts, MFA tokens, and more using memory‑only execution and obfuscation to evade detection.
Between March and May, Microsoft observed over 394,000 Windows systems infected with Lumma Stealer, prompting international law enforcement and tech companies to coordinate a takedown of more than 2,300 domains linked to its command‑and‑control infrastructure. However, the operators have since pivoted to more covert distribution channels, abusing GitHub repositories and deploying fake cracked software and CAPTCHA pages, in order to rebuild and relaunch their operations.
The ClickFix–Lumma connection
ClickFix is directly implicated in delivering Lumma. In one campaign observed by Microsoft, compromised websites delivered scripts via blockchain‑connected ‘EtherHiding’ and fake CAPTCHA pages. Victims were coaxed into pasting a clipboard command into the Windows Run prompt, initiating a malware download that ultimately loaded Lumma Stealer.
As this attack chain relies purely on social manipulation, traditional antivirus and sandbox defences are often bypassed. That’s what makes the ClickFix-Lumma combo particularly insidious.
The importance of recovery‑first defence
The sophistication and stealth of these threats highlight the fact that prevention alone is no longer sufficient. Instead, businesses should adopt recovery-first strategies that enable fast, reliable restoration.
- Failsafe against human error: ClickFix relies on tricking users into executing malicious commands, making it difficult to prevent through technical controls alone. A strong recovery strategy serves as a critical safety net when user behaviour becomes the attack vector.
- Immutability: Immutable backups mean any malicious file or process can be wiped instantly without fear of tampering. Even if Lumma manages to exfiltrate or corrupt data, backups remain pristine.
- Rapid recovery: Solutions that support near-instant restoration of systems and data can significantly reduce downtime and help organisations avoid the costly consequences of attacks.
How Redstor neutralises malware
Redstor’s cloud-native data protection platform is designed to respond to evasive attacks, ensuring data resilience even when prevention fails.
Rapid recovery
Redstor’s InstantData™ technology enables near-instant recovery of files, systems, and workloads. By streaming data directly from the cloud, you remove the need for lengthy downloads or hardware restores. If Lumma Stealer exfiltrates or encrypts critical data, businesses can quickly roll back to a clean, uncompromised state without paying ransoms or rebuilding from scratch.
Immutable, isolated backups
Redstor’s backups are tamper-proof and isolated from production systems, meaning malware like Lumma can’t delete or corrupt them. This level of protection acts as a failsafe when attackers gain privileged access or use living-off-the-land (LOTL) tactics to move laterally across networks.
Proactive threat detection
Redstor includes powerful anomaly detection that flags unusual file deletions, encryption patterns, or user behaviour. Our platform offers early warnings of potential compromise, providing valuable response time before damage spreads or backups are impacted.
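To make the idea of backup-side anomaly detection concrete, here is an added example written for this article; it is not Redstor's product logic and makes no claim about how the Redstor platform implements its detection. It diffs two consecutive backup manifests (path to content) and raises findings when the share of deleted files, or of files that suddenly turned into high-entropy content under a new extension, crosses a threshold. The manifests, file contents and thresholds are all constructed for illustration.

```python
import math
from collections import Counter
from typing import Dict, List


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: plain documents sit well below 7, ciphertext close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def compare_snapshots(prev: Dict[str, bytes], curr: Dict[str, bytes],
                      delete_ratio: float = 0.20, encrypt_ratio: float = 0.20,
                      entropy_threshold: float = 7.0) -> dict:
    """Diff two backup manifests and return counts plus any findings.

    The ratios and the entropy threshold are illustrative assumptions, not product settings."""
    deleted = sorted(set(prev) - set(curr))
    added = sorted(set(curr) - set(prev))
    # Files edited in place whose content went from readable to ciphertext-like.
    encrypted_in_place = [p for p in curr if p in prev and curr[p] != prev[p]
                          and shannon_entropy(prev[p]) < entropy_threshold
                          and shannon_entropy(curr[p]) >= entropy_threshold]
    # A deleted file reappearing under its old name plus a new extension, with high-entropy
    # content, is the classic rename-and-encrypt footprint.
    renamed_encrypted = [(old, new) for old in deleted for new in added
                         if new.startswith(old) and shannon_entropy(curr[new]) >= entropy_threshold]
    encrypted_like = len(encrypted_in_place) + len(renamed_encrypted)
    findings: List[str] = []
    if prev and len(deleted) / len(prev) >= delete_ratio:
        findings.append("mass_deletion")
    if prev and encrypted_like / len(prev) >= encrypt_ratio:
        findings.append("encryption_pattern")
    return {
        "deleted_count": len(deleted),
        "added_count": len(added),
        "encrypted_like_count": encrypted_like,
        "renamed_encrypted": renamed_encrypted,
        "findings": findings,
    }


# Constructed stand-ins: a low-entropy document body and a maximal-entropy "ciphertext".
TEXT = b"quarterly figures and notes " * 40
CIPHERTEXT = bytes(range(256)) * 4

# Baseline snapshot: ten reports and a readme (constructed).
PREV: Dict[str, bytes] = {f"docs/report{i}.docx": TEXT for i in range(10)}
PREV["docs/readme.txt"] = b"read me " * 20

# Snapshot after a simulated encryption event: six reports replaced by high-entropy copies
# with a new extension, plus one harmless readme edit.
CURR_BAD = dict(PREV)
for i in range(6):
    del CURR_BAD[f"docs/report{i}.docx"]
    CURR_BAD[f"docs/report{i}.docx.locked"] = CIPHERTEXT
CURR_BAD["docs/readme.txt"] = b"read me " * 20 + b"new line"

# Snapshot after ordinary day-to-day work: one edit, one deletion, one new document.
CURR_OK = dict(PREV)
CURR_OK["docs/report0.docx"] = TEXT + b" appended paragraph"
del CURR_OK["docs/report9.docx"]
CURR_OK["docs/report10.docx"] = TEXT


if __name__ == "__main__":
    for label, snapshot in (("suspicious", CURR_BAD), ("routine", CURR_OK)):
        result = compare_snapshots(PREV, snapshot)
        print(f"{label}: deleted={result['deleted_count']} encrypted_like={result['encrypted_like_count']} "
              f"findings={result['findings'] or 'none'}")
```

The value of running this against backups rather than live hosts is timing: a finding on the snapshot taken after the event marks the last clean restore point, which is the piece of information a recovery-first response needs first.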
Unified protection for hybrid environments
Whether protecting endpoints, servers, Microsoft 365, or cloud-native environments, Redstor provides a centralised platform through which to view, manage, and restore data. This unified approach simplifies incident response and reduces recovery complexity, even in highly distributed environments.
No hardware, no hassle
As a fully cloud-based solution, Redstor eliminates the need for physical infrastructure. That means organisations can recover from any location, at any time. This is critical in ransomware incidents where onsite systems are disabled.
Stay resilient against emerging threats
The surge of a purely human‑triggered threat like ClickFix, coupled with the stealth and reach of Lumma Stealer, underscores the fact that cyberattacks are now as social as they are technical. By making recovery the cornerstone of cybersecurity design, organisations can be fully prepared to withstand the next wave of sophisticated, low‑visibility threats.
Redstor’s backup platform is built for a world where recovery matters as much as prevention. Get in touch to learn more.