The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have issued a joint advisory warning of active LummaC2 malware campaigns targeting the nation’s critical infrastructure. As recently as this month, federal investigators and third-party sources have observed threat actors deploying the LummaC2 infostealer to breach networks and siphon off sensitive data. The malware is being used to exploit security gaps, stealing credentials, financial records, and other high-value information, posing a serious threat to individuals and organizations across critical sectors.
CISA and the FBI report that indicators of compromise (IOCs) linked to threat actors using the LummaC2 information-stealing malware have been observed in infections dating from November 2023 to May 2025. The agencies urge organizations to review the advisory and implement the recommended mitigation measures to help prevent infection and reduce the impact of LummaC2-related activity.
Amid the release of a new cybersecurity advisory, the U.S. Department of Justice announced the court-authorized seizure of five internet domains tied to the LummaC2 information-stealing malware operation. The action, carried out in coordination with Microsoft, disrupts infrastructure used by cybercriminals to target millions of victims worldwide. The DOJ also unsealed two warrants related to the takedown, marking a significant step in dismantling the malware’s global reach.
Concurrent with Wednesday’s actions and consistent with the Department’s approach to public-private operational coordination, Microsoft announced an independent civil action to take down 2,300 internet domains also claimed to be used by the LummaC2 actors or their proxies.
FBI’s Dallas Field Office is investigating the case. The U.S. Attorney’s Office for the Northern District of Texas, the National Security Division’s National Security Cyber Section, and the Criminal Division’s Computer Crime and Intellectual Property Section are handling the case.
The government’s affidavit further alleges that the seized domains, also referred to as user panels, served as login pages for the LummaC2 malware, allowing credentialed users and administrators to access and deploy LummaC2. On May 19, 2025, the government seized two domains. On May 20, 2025, as detailed in court documents, the LummaC2 administrators informed their users of three new domains that they had set up to host the user panel. The next day, the government seized those three domains as well.
The seizure of these domains by the government will prevent the owners and cybercriminals from using the websites to access LummaC2 to compromise computers and steal victim information. Individuals who now visit the websites will see a message indicating that the site has been seized by the Justice Department, including the FBI.
The LummaC2 malware first surfaced on Russian-language cybercriminal forums in 2022. Since then, it has become a favored tool among threat actors for harvesting sensitive data at scale. Attackers commonly deploy LummaC2 via spearphishing emails containing malicious hyperlinks or attachments.
To evade detection, LummaC2 is often embedded within spoofed versions of legitimate software, such as media players or system utilities. This obfuscation enables it to slip past standard security defenses, including endpoint detection and response (EDR) tools and traditional antivirus software, which may fail to flag these modified installers.
The CISA-FBI advisory detailed that once installed, LummaC2 silently exfiltrates a wide range of sensitive data, including personally identifiable information (PII), financial credentials, browser extensions, cryptocurrency wallets, and even multi-factor authentication (MFA) codes, without triggering immediate alerts. The scale of its distribution is alarming. Between April and June 2024 alone, private sector sources identified over 21,000 listings for LummaC2 logs across underground marketplaces, a staggering 71.7 percent increase compared to the same period in 2023.
Without any C2 interaction, the LummaC2 malware does not create any files on the infected drive: it runs in memory, gathers system information, and exfiltrates it to the C2 server. Commands returned from the C2 server may then cause it to drop additional files and/or save data to files on the local hard drive. This behavior varies, because those commands come from the C2 server and can change at any time.
According to court documents, common targets for cybercriminals using malware like LummaC2 include browser data, autofill information, login credentials for accessing email and banking services, as well as cryptocurrency seed phrases, which permit access to virtual currency wallets. As alleged in the affidavits, the FBI has identified at least 1.7 million instances where LummaC2 was used to steal this type of information.
The FBI and CISA urge organizations, especially those in critical infrastructure, to implement key mitigations to reduce the risk of LummaC2 malware infections. These recommendations align with the cross-sector cybersecurity performance goals (CPGs), developed by CISA and NIST as a baseline set of security best practices. The CPGs are grounded in existing frameworks and aim to defend against the most common and damaging cyber threats.
Core mitigation steps include restricting registry access to only necessary users and applications, and actively monitoring for suspicious behavior such as unusual process activity, unexpected terminations, and system information queries.
To reduce the risk of LummaC2 malware, organizations should implement strict application controls, including allowlisting, to block unauthorized software, especially portable remote access tools that may evade antivirus detection through obfuscation or encryption. CISA recommends deploying phishing-resistant MFA and following its phishing guidance to defend against social engineering campaigns. Regularly reviewing registry changes and access logs, and applying authentication, authorization, and accounting (AAA) practices, can help detect unauthorized activity.
Additionally, enforce least-privilege access, routinely audit user accounts, and promptly remove unused or inactive credentials. Keep all systems updated with patches and security fixes. Secure network devices by restricting command line access and following best practices for managing remote access tools. Use network segmentation, such as DMZs or virtual private clouds, to isolate sensitive systems. Finally, monitor API activity for suspicious or abnormal behavior.
Beyond implementing mitigations, the FBI and CISA recommend regularly testing and validating the organization’s security program against the threat behaviors outlined in the MITRE ATT&CK Matrix for Enterprise.