Global law enforcement and private firms have disrupted the Lumma information stealer malware. The operation seized 2,300 domains that acted as its command-and-control (C2) backbone. Lumma is deployed to steal sensitive information such as user login credentials, and that data facilitates crimes including fraudulent bank transfers and widespread cryptocurrency theft. The confiscated infrastructure had been used to target millions of victims across the world. Lumma Stealer, active since late 2022, was used in at least 1.7 million instances. The U.S. Federal Bureau of Investigation (FBI) attributes around 10 million infections to Lumma, and Microsoft identified over 394,000 infected Windows computers globally in recent months. Europol described Lumma as the “world’s most significant infostealer threat” due to its reach.
The recent domain seizure impacts five login panels used by Lumma Stealer’s administrators, preventing them from deploying the malware or stealing further sensitive victim information. Microsoft’s Digital Crimes Unit (DCU) partnered with other cybersecurity companies in the takedown; partners included ESET, BitSight, Lumen, Cloudflare, CleanDNS and the GMO Registry. The primary developer of Lumma is based in Russia and uses the alias ‘Shamel’. Shamel markets different service tiers for Lumma via Telegram and Russian-language chat forums. The stealer is sold under a malware-as-a-service (MaaS) model on a subscription basis, with costs ranging from $250 up to $1,000 depending on the tier. A $20,000 plan even grants customers access to the malware’s source code. Higher tiers offer custom data collection, advanced evasion tools and early access to new features.
Over the years, Lumma has become a notorious and widespread cybersecurity threat.
It is typically delivered to victims via a variety of distribution vectors, including the increasingly popular ClickFix technique. Microsoft, which tracks the actor as Storm-2477, describes its distribution infrastructure as dynamic: it leverages phishing, malvertising, drive-by downloads and abuse of many trusted online platforms. Recent campaigns used cloud object storage to host fake reCAPTCHA pages with ClickFix-style lures. Lumma employs a multi-tiered C2 infrastructure consisting of nine frequently changing domains. Its payloads are typically spread using pay-per-install networks or illicit traffic sellers. The core binary is obfuscated with advanced protection such as LLVM core and control flow flattening.
There were over 21,000 market listings selling Lumma Stealer logs in mid-2024.
This represented a 71.7% increase over the same period of the previous year. The operators also created a Telegram marketplace with a rating system for affiliates. Lumma’s distribution infrastructure continually refines its techniques to avoid detection: it frequently rotates malicious domains and exploits ad networks and legitimate cloud services, and the real C2 servers are further concealed behind Cloudflare’s proxy. This dynamic structure lets operators maximize campaign success while complicating takedown efforts. The developer behind Lumma said in January 2025 that they intended to cease operations, stating they planned to stop their activities by the following fall. Despite this, Lumma’s growth clearly highlights the broader evolution of sophisticated modern cybercrime.