Over more than two years, Lumma Stealer grew into the go-to information-stealing malware for hundreds of threat actors running everything from ransomware attacks to phishing and malvertising campaigns.

The info-stealer, distributed through a malware-as-a-service (MaaS) operation, was used to harvest credentials such as passwords, along with financial and personal data such as bank account details, credit card numbers, and cryptocurrency wallets, which were then sold through an underground marketplace. Over the past two months, Microsoft identified 394,000 Windows systems worldwide infected with Lumma, also known as LummaC2.

In an operation involving U.S. and international law enforcement agencies, including Europol, working with cybersecurity vendors such as Microsoft, ESET, BitSight, and Cloudflare, authorities seized five domains associated with Lumma. The Justice Department said the domains hosted login panels that the malware's users and administrators relied on to deploy and manage Lumma.

The domains were a central part of an operation that the FBI said was used to steal information in at least 1.7 million instances.

Microsoft Grabs 2,300 Domains

In coordination with that effort, Microsoft’s Digital Crimes Unit (DCU), acting under a U.S. court order, seized about 2,300 malicious domains that were critical to the infrastructure used by Lumma’s creators and users. The seizures cut communications between the malware and its victims, and more than 1,300 of the domains seized by Microsoft and law enforcement agencies were redirected to the company’s sinkholes.

“This will allow Microsoft’s DCU to provide actionable intelligence to continue to harden the security of the company’s services and help protect online users,” Steven Masada, assistant general counsel to the Microsoft unit, wrote in a report. “These insights will also assist public- and private-sector partners as they continue to track, investigate, and remediate this threat.”
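The sinkhole intelligence Masada describes is only useful to a defender who can turn it into a list of infected hosts. The script below is an added illustration, not code from Microsoft, ESET or the article: it takes a list of sinkholed domains (hypothetical placeholder names, not real Lumma infrastructure) and scans constructed BIND-style resolver log lines for internal clients that looked up those domains or any subdomain of them.

```python
"""Find internal hosts whose DNS lookups hit domains on a takedown/sinkhole list.

Added example for this article. Domain names and log lines are constructed
placeholders, not real Lumma C2 infrastructure.
"""
import re
from collections import defaultdict

# Constructed sinkhole/takedown list (hypothetical names, not real indicators).
SINKHOLED_DOMAINS = {"example-c2-one.test", "example-c2-two.test"}

# Constructed resolver log lines in a BIND-like query-log layout.
SAMPLE_LOG = """\
12-May-2025 10:01:02.123 client 10.0.0.5#53211: query: example-c2-one.test IN A + (10.0.0.2)
12-May-2025 10:01:09.450 client 10.0.0.7#51000: query: www.microsoft.com IN A + (10.0.0.2)
12-May-2025 10:02:15.001 client 10.0.0.5#53212: query: sub.example-c2-two.test IN A + (10.0.0.2)
12-May-2025 10:03:00.777 client 10.0.0.9#40001: query: Example-C2-One.test. IN AAAA + (10.0.0.2)
"""

QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\w+)")


def normalize(name):
    """Strip a trailing root dot and lower-case so matching is case-insensitive."""
    return name.rstrip(".").lower()


def matches_sinkhole(name, sinkholed=SINKHOLED_DOMAINS):
    """True if name equals a listed domain or is a subdomain of one.

    Walks every parent suffix except the bare TLD, so 'sub.example-c2-two.test'
    matches 'example-c2-two.test'.
    """
    parts = normalize(name).split(".")
    for i in range(len(parts) - 1):
        if ".".join(parts[i:]) in sinkholed:
            return True
    return False


def find_hits(log_text, sinkholed=SINKHOLED_DOMAINS):
    """Return {client_ip: [queried names]} for clients that looked up listed domains."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and matches_sinkhole(m["name"], sinkholed):
            hits[m["ip"]].append(normalize(m["name"]))
    return dict(hits)


if __name__ == "__main__":
    for ip, names in sorted(find_hits(SAMPLE_LOG).items()):
        print(f"{ip}: {len(names)} lookup(s) -> {', '.join(names)}")
```

Each client IP that appears in the output is a candidate for triage: a lookup of a sinkholed domain after the takedown means the host still runs (or recently ran) the malware, even though the connection itself now lands on the sinkhole rather than on the operators' panel.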

The complex operations by the law enforcement agencies and security vendors are the latest in a series of efforts over the past several years to proactively target and disrupt major cyberthreat operations, such as the LockBit and BlackCat/ALPHV ransomware groups.

The Malware’s Long Reach

Lumma cast a long shadow in the cybercrime world. ESET malware analyst Jakub Tomanek in a report outlined the vast reach and continued evolution of the malware, noting that “Lumma Stealer has been one of the most prevalent infostealers over the past two years, and ESET telemetry confirms that it has left no part of the world untouched.”

“Lumma Stealer developers had been actively developing and maintaining their malware,” Tomanek wrote. “We have regularly noticed code updates ranging from minor bug fixes to complete replacement of string encryption algorithms and changes to the network protocol. The operators also actively maintained the shared exfiltration network infrastructure.”

Between June 17, 2024, and May 1, 2025, ESET researchers observed 3,353 unique C&C (command-and-control) domains, an average of approximately 74 new domains each week, along with occasional updates to the malware's Telegram-based dead-drop resolvers.

Multi-Vector Deliveries

Microsoft security experts wrote in a report that Lumma differentiates itself from earlier infostealers, which relied on bulk spam or exploits. Instead, the operator behind the malware, which Microsoft tracks as Storm-2477, used multi-vector delivery strategies, from phishing to malvertising to trojanized applications.

“Its operators demonstrate resourcefulness and proficiency in impersonation tactics,” they wrote, adding that the distribution infrastructure “is flexible and adaptable. Operators continually refine their techniques, rotating malicious domains, exploiting ad networks, and leveraging legitimate cloud services to evade detection and maintain operational continuity. This dynamic structure enables operators to maximize the success of campaigns while complicating efforts to trace or dismantle their activities.”

‘Scattered Spider’ in the Mix

Lumma’s high-profile users include the ransomware group Octo Tempest, also known as Scattered Spider, as well as Storm-1607, Storm-1113, and Storm-1674. The key developer of Lumma is based in Russia and uses the internet alias ‘Shamel.’ Shamel offers buyers different service tiers for Lumma through Telegram and other Russian-language chat forums, with programs ranging in price from $250 to $1,000 a month, according to Microsoft DCU’s Masada.

“Depending on what service a cybercriminal purchases, they can create their own versions of the malware, add tools to conceal and distribute it, and track stolen information through an online portal,” he wrote.

Widespread Attacks

Microsoft outlined a number of recent incidents in which Lumma was used, including one in April in which a group of compromised websites used the ClickFix and EtherHiding techniques to install the malware. Another April campaign sent thousands of emails to victims in Canada.

Meanwhile, cybersecurity vendor Forcepoint earlier this month wrote about a Lumma campaign that used a sophisticated URL-based delivery method, adding that the “campaign highlights a layered and evolving malware delivery strategy that blends social engineering with abuse of legitimate infrastructure to bypass defences.”

Rhys Downing, threat researcher at cybersecurity firm Ontinue, applauded the coordinated effort involving law enforcement and cybersecurity firms, though he added that “Lumma’s tactics and infrastructure are highly adaptive. These takedowns are impactful, but threat actors often respond quickly with rebrands, new delivery methods, and rebuilt infrastructure. With the pricing of Lumma as a MaaS offering, they likely have the funds to bounce back.”
