Lumma Infostealer Returns, Coyote Malware Exploits, Interlock Ransomware Alert – Cybersecurity News [July 21, 2025]
Lumma Infostealer Resurfaces Following Law Enforcement Crackdown
The Lumma infostealer malware is making a steady comeback after a major law enforcement operation in May took down over 2,300 domains and parts of its infrastructure.
Despite this disruption, Lumma wasn’t completely shut down. The group quickly confirmed the takedown on cybercrime forums, claiming their main server was wiped remotely but not seized. They began restoring systems almost immediately. Over time, they rebuilt the malware-as-a-service (MaaS) platform and regained credibility within criminal circles. Trend Micro reports that Lumma is now nearly back to pre-takedown levels, using new command-and-control domains and shifting its cloud hosting from Cloudflare to Selectel, a Russian provider, to avoid future takedowns.
The malware is being spread through four key methods–fake software cracks promoted through search manipulation, fake CAPTCHA pages on compromised sites that load the malware via PowerShell, malicious GitHub repos offering fake game cheats, and videos or posts on YouTube and Facebook that link to infected download sites. These tactics are designed to bypass detection and target users across multiple channels.
Lumma is active again, so you should avoid downloading cracked software or clicking suspicious ads and links.
Implementing SPF, DKIM, and DMARC can help prevent domain spoofing and reduce the risk of phishing campaigns like those used in these cyberattacks.
Coyote Malware Exploits Windows Accessibility Features to Steal Data
A new version of the Coyote banking trojan is now using a built-in Windows accessibility feature to spy on users and identify visits to banking and crypto exchange sites.
The feature, known as Microsoft UI Automation (UIA), is meant to help assistive technologies interact with app interfaces. However, the malware uses it to quietly scan a browser’s interface and extract web addresses, checking them against a list of 75 targeted banks and crypto platforms like Binance, Banco do Brasil, and CaixaBank. If it doesn’t find a match through a window title, it digs deeper using UIA to inspect tabs or address bars for matches.
Coyote was first spotted in early 2024 and mainly targets Brazilian users. It still relies on keylogging and phishing for some apps, but this UIA-based method helps it track activity across websites in a way that often evades security tools. The researchers at Akamai who had earlier warned of this threat have now also confirmed real-world attacks occurring since February 2025.
The method is limited to reconnaissance, but it could evolve, so it’s best to avoid downloading unknown apps and keep your system and antivirus software updated.
CISA, FBI Issue Alert on Rising Interlock Ransomware Activity
The FBI, CISA, HHS, and MS-ISAC have issued a joint advisory warning of rising Interlock ransomware activity targeting businesses and critical infrastructure, particularly in the healthcare sector.
Interlock, active since September 2024, uses double extortion; stealing data before encrypting it to pressure victims into paying ransoms. They’ve recently claimed attacks on major organizations like DaVita and Kettering Health, stealing over 1.5TB of data. The group is also tied to earlier ClickFix incidents and has deployed the NodeSnake remote access trojan in previous attacks on UK universities.
The group’s tactics include drive-by downloads from hacked websites, which is an uncommon approach among ransomware groups. They also employ a newer method called FileFix, where they trick users into running malicious scripts by exploiting trusted Windows elements like File Explorer and .HTA files. The latest advisory highlights fresh indicators of compromise (IOCs) collected as recently as June 2025. It also has a set of defenses organizations can adopt, such as DNS filtering, firewalls, and employee training.
Even right now, Interlock is active, so it’s best to update your systems regularly, use multifactor authentication, and educate teams to spot phishing and social engineering attempts.
Leading and Established Healthcare Network Reports Security Breach
AMEOS Group, which is a major healthcare provider in Central Europe, disclosed a cyberattack that may have exposed sensitive data belonging to patients, employees, and partners across its network.
The breach affected all their IT systems over more than 100 facilities across Germany, Austria, and Switzerland. Despite having what it described as “extensive security measures,” AMEOS confirmed that external attackers gained unauthorized access, potentially compromising personal and professional contact details. Now, as part of its legal obligation under GDPR, AMEOS issued a public statement acknowledging the incident.
In response to the attack, they immediately shut down all IT systems and disconnected all internal and external networks. They’ve also hired cybersecurity and forensic experts to support the investigation, and the relevant data protection authorities have been informed. A criminal complaint has also been filed.
AMEOS stated that it cannot rule out the risk of data misuse and pledged to inform affected individuals as soon as its ongoing investigation concludes.
Dior Notifies U.S. Customers of Data Breach Incident
Dior is informing U.S. customers of a data breach that exposed personal information during a cybersecurity incident in January 2025.
The luxury brand discovered the breach months later in May and began an investigation, where they found that an unauthorized party was able to access a database containing client data. Said data included names, contact details, addresses, dates of birth, and, in some cases, even Social Security numbers or government IDs. However, no payment details were compromised.
Dior says they promptly tried to contain the breach and did not find any signs of further unauthorized access. The incident appears connected to a larger attack linked to the ShinyHunters group, who allegedly breached a third-party vendor affecting multiple LVMH brands. Similar disclosures have already come from Dior’s South Korea and China operations, and Louis Vuitton has also reported related breaches in the UK, Turkey, and South Korea. Dior has not confirmed how many U.S. customers were affected, but law enforcement has been informed, and external experts have been brought in.
Impacted users are advised to stay alert for scams and can enroll in free credit monitoring and ID theft protection until October 31, 2025.