Cyber Web Spider Blog – News

FBI and Europol Disrupt Lumma Stealer Malware Network Linked to 10 Million Infections

Posted on May 22, 2025 By CWS

A sprawling operation undertaken by global law enforcement agencies and a consortium of private sector companies has disrupted the online infrastructure associated with a commodity information stealer known as Lumma (aka LummaC or LummaC2), seizing 2,300 domains that acted as the command-and-control (C2) backbone used to commandeer infected Windows systems.
“Malware like LummaC2 is deployed to steal sensitive information such as user login credentials from millions of victims in order to facilitate a host of crimes, including fraudulent bank transfers and cryptocurrency theft,” the U.S. Department of Justice (DoJ) said in a statement.
The confiscated infrastructure has been used to target millions of people across the world via affiliates and other cyber criminals. Lumma Stealer, active since late 2022, is estimated to have been used in at least 1.7 million instances to steal information such as browser data, autofill information, login credentials, and cryptocurrency seed phrases. The U.S. Federal Bureau of Investigation (FBI) has attributed around 10 million infections to Lumma.
The seizure affects five domains that serve as login panels for Lumma Stealer’s administrators and paying customers to deploy the malware, thereby preventing them from compromising computers and stealing victim information.
“Between March 16 and May 16, 2025, Microsoft identified over 394,000 Windows computers globally infected by the Lumma malware,” Europol said, adding that the operation cuts off communications between the malicious tool and victims. The agency described Lumma as the “world’s most significant infostealer threat.”

Microsoft’s Digital Crimes Unit (DCU), in partnership with the cybersecurity companies ESET, BitSight, Lumen, Cloudflare, CleanDNS, and GMO Registry, said it took down roughly 2,300 malicious domains that formed the backbone of Lumma’s infrastructure.
Figure: Spread of Lumma Stealer malware infections across Windows devices
“The primary developer of Lumma is based in Russia and goes by the online alias ‘Shamel,’” Steven Masada, assistant general counsel at DCU, said. “Shamel markets different tiers of service for Lumma via Telegram and other Russian-language chat forums. Depending on what service a cybercriminal purchases, they can create their own versions of the malware, add tools to conceal and distribute it, and track stolen information through an online portal.”
The stealer, marketed under a malware-as-a-service (MaaS) model, is available on a subscription basis for anywhere between $250 and $1,000. The developer also offers a $20,000 plan that grants customers access to the source code and the right to sell it to other criminal actors.
Figure: Weekly counts of new C2 domains
“Lower tiers include basic filtering and log download options, while higher tiers offer custom data collection, evasion tools, and early access to new features,” ESET said. “The most expensive plan emphasizes stealth and adaptability, offering unique build generation and reduced detection.”
Over time, Lumma has become something of a notorious threat, being delivered via various distribution vectors, including the increasingly popular ClickFix technique. The Windows maker, which is tracking the threat actor behind the stealer under the name Storm-2477, said its distribution infrastructure is both “dynamic and resilient,” leveraging a mix of phishing, malvertising, drive-by download schemes, abuse of trusted platforms, and traffic distribution systems like Prometheus.
Figure: Lumma C2 selection mechanism
Cato Networks, in a report published Wednesday, revealed that suspected Russian threat actors are leveraging Tigris Object Storage, Oracle Cloud Infrastructure (OCI) Object Storage, and Scaleway Object Storage to host fake reCAPTCHA pages that employ ClickFix-style lures to trick users into downloading Lumma Stealer.
“The recent campaign leveraging Tigris Object Storage, OCI Object Storage, and Scaleway Object Storage builds upon earlier techniques, introducing new delivery mechanisms aimed at evading detection and targeting technically proficient users,” researchers Guile Domingo, Guy Waizel, and Tomer Agayev said.
Figure: Attack flow for ClickFix leading to Lumma Stealer using Prometheus TDS
Some of the notable aspects of the malware are listed below:

  • It employs a multi-tiered C2 infrastructure consisting of a set of nine frequently changing tier-1 domains hard-coded into the malware’s configuration, plus fallback C2s hosted on Steam profiles and Telegram channels that point to the tier-1 C2s.
  • The payloads are often spread using pay-per-install (PPI) networks or traffic sellers that offer installs-as-a-service.
  • The stealer is often bundled with spoofed software or cracked versions of popular commercial software, targeting users looking to avoid paying for legitimate licenses.
  • The operators have created a Telegram marketplace with a rating system for affiliates to sell stolen data without intermediaries.
  • The core binary is obfuscated with advanced protection such as a low-level virtual machine (LLVM core), Control Flow Flattening (CFF), Control Flow Obfuscation, customized stack decryption, huge stack variables, and dead code, among others, to make static analysis difficult.
  • There were more than 21,000 marketplace listings selling Lumma Stealer logs on multiple cybercriminal forums from April through June of 2024, a 71.7% increase from April through June of 2023.

“The Lumma Stealer distribution infrastructure is flexible and adaptable,” Microsoft said. “Operators continually refine their techniques, rotating malicious domains, exploiting ad networks, and leveraging legitimate cloud services to evade detection and maintain operational continuity. To further disguise the real C2 servers, all of the C2 servers are hidden behind the Cloudflare proxy.”
“This dynamic structure enables operators to maximize the success of campaigns while complicating efforts to trace or dismantle their activities. The growth and resilience of Lumma Stealer highlights the broader evolution of cybercrime and underscores the need for layered defenses and industry collaboration to counter threats.”
In an interview with security researcher g0njxa in January 2025, the developer behind Lumma said they intended to cease operations by next fall. “We have done a lot of work over two years to achieve what we have now,” they said. “We are proud of this. It has become a part of our daily life for us, and not just work.”
