
New series: Malware Brief
This post is the first in a new series for the Barracuda Blog. Each of our Malware Brief posts will highlight a few different trending malware threats. We’ll cover technical details and their places in the taxonomy of threat types, and we’ll look at how each one can potentially attack and damage your organization.
A useful resource for anyone looking to track which threats are dominating the landscape is the Any Run Malware Trends Tracker. We’ll start with the malware at the top of that list right now, Tycoon 2FA.
Tycoon 2FA
Type: Phishing kit (Phishing-as-a-Service)
Subtype: Adversary in the Middle (AiTM)
Distribution: Telegram channels, at $120 for 10 days
Common targets: Gmail, Microsoft 365 accounts
Known operator Telegram handles: Tycoon Group, SaaadFridi and Mr_XaaD
Tycoon 2FA is a Phishing-as-a-Service (PHaaS) platform first spotted in August 2023. It has been maintained and updated regularly, at least through early 2025.
As this version’s name implies, its most recent updates make it able to evade two-factor authentication strategies. An in-depth technical breakdown of Tycoon 2FA is in this Threat Spotlight blog post.
A key feature of Tycoon 2FA is its extreme ease of use. Individuals without a lot of technical skill can easily use it to create and execute targeted phishing attacks. Using URLs and QR codes, targets are directed to fake web pages where credentials are harvested.
Tycoon 2FA can then be used to deliver malware, conduct extended reconnaissance, and more. It evades MFA by acting as a man-in-the-middle, capturing and reusing session cookies. These can continue to be reused even after credentials have been updated, giving the attacker prolonged access to targeted networks.
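The two defender-side checks that follow from this behaviour, as an added example that is not Barracuda’s code or part of the Tycoon 2FA analysis: a session cookie presented from a different client than the one that signed in, and a session that stays active after a password reset, which the reset should have revoked. The log format and all values below are constructed.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample of identity-provider activity events (not real logs).
# Fields: timestamp, user, session_id, client_ip, event
SAMPLE_EVENTS = """\
2025-06-01T09:00:00Z alice@example.com s-1a2b 203.0.113.10 signin
2025-06-01T09:05:00Z alice@example.com s-1a2b 203.0.113.10 mail.read
2025-06-01T09:07:00Z alice@example.com s-1a2b 198.51.100.77 mail.read
2025-06-01T10:00:00Z alice@example.com - 203.0.113.10 password_reset
2025-06-01T10:30:00Z alice@example.com s-1a2b 198.51.100.77 mail.read
2025-06-01T11:00:00Z bob@example.com s-9f8e 203.0.113.20 signin
2025-06-01T11:10:00Z bob@example.com s-9f8e 203.0.113.20 mail.read
"""

@dataclass
class Event:
    ts: datetime
    user: str
    session: str
    ip: str
    action: str

def parse_events(text):
    events = []
    for line in text.splitlines():
        ts, user, session, ip, action = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            user, session, ip, action))
    return events

def find_replayed_sessions(events):
    """Return {session_id: [reasons]} for sessions showing cookie-replay signs."""
    first_ip = {}    # session -> IP that established it at sign-in
    issued_at = {}   # session -> time the session was issued
    reset_at = {}    # user -> time of the latest password reset
    findings = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action == "password_reset":
            reset_at[ev.user] = ev.ts
            continue
        if ev.action == "signin":
            first_ip[ev.session] = ev.ip
            issued_at[ev.session] = ev.ts
            continue
        reasons = findings.setdefault(ev.session, set())
        # Sign 1: a cookie minted for one client is presented from another IP.
        if ev.session in first_ip and ev.ip != first_ip[ev.session]:
            reasons.add("ip_change")
        # Sign 2: a session issued before a credential reset is still in use
        # after it, so the reset did not revoke the stolen session.
        r = reset_at.get(ev.user)
        if r and ev.session in issued_at and issued_at[ev.session] < r < ev.ts:
            reasons.add("survived_password_reset")
    return {s: sorted(r) for s, r in findings.items() if r}
```

Revoking all active sessions when a password is changed removes the second signal entirely; the first is a hunting query worth running against real sign-in logs.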
As noted above, the operator behind Tycoon 2FA sells 10-day licenses for $120 via Telegram.
Lumma
Type: Infostealer
Distribution: Malware-as-a-Service
AKA: LummaC, LummaC2
Target systems: Windows 7 – 11
The Lumma infostealer first emerged in August 2022. It is easily accessible and offered for sale as a service, with several plans available at different price points.
Once it gains access to a system — either through a successful phishing campaign, hidden in fake software, or by direct messaging on Discord — Lumma is very effective. It finds, gathers and exfiltrates a wide array of sensitive data. It is typically used to target cryptocurrency wallets, login credentials and other sensitive data.
The malware can collect data logs from compromised endpoints, and it can also act as a loader, installing other types of malware.
Notably, in May 2025 Microsoft and Europol announced an operation to put an end to Lumma by shutting down the stealer’s “central command structure,” taking down more than 1,300 domains and closing the main marketplace for sale of the malware and stolen data. (Another Europol operation around the same time took down the infrastructures for a lot of other malware types.)
Nonetheless, many thousands of systems continue to be infected, and Lumma retains the No. 4 spot on Any Run’s global list of active malware.
Quasar RAT
Type: Remote Access Trojan (RAT)
Target systems: Windows, all versions
Author: Unknown
Distribution: Spam email campaigns
Quasar RAT is a type of malware that enables criminals to take control of infected systems. It is widely available as an open-source project, which accounts for much of its popularity. Its original author is not known. While it may initially have been intended as a legitimate remote-access tool, it is now widely used as a cyberthreat weapon.
Quasar has been revised and updated repeatedly, increasing the range of potential actions it can take or allow its users to take. Users can access a graphical user interface on the malware’s server-side component and customize the client-side malware to meet their needs.
Functionality includes remote file management on the infected machine, registry alterations, recording the actions of a victim, establishing remote desktop connections, and more.
One notable feature is its ability to run “silently,” letting it go undetected for long periods of time while attackers control the infected PC.
Like other RATs, Quasar is distributed largely through email spam campaigns that deliver the malware or its loader disguised as a document.
Currently Quasar RAT is listed at No. 9 in Any Run’s global list, with a recent uptick in activity noted.