The Lumma Stealer (LummaC2 Stealer or LummaC2) has been one of the most prolific information-stealing malware offerings since its debut on underground forums in August 2022. Operating as a malware-as-a-service (MaaS), the threat actors behind it maintained high activity levels from June to September of this year, despite an earlier, unsuccessful law enforcement operation that briefly disrupted their infrastructure in May. However, the last month has seen a dramatic drop in activity, marked by a sharp decline in the use of its associated command-and-control (C&C) infrastructure, as noted by security researchers at Trend Micro.
This sudden halt in the operation, which is also tracked as Water Kurita and Storm-2477, coincides directly with an aggressive doxxing campaign aimed at the Lumma Stealer group. Allegedly driven by competing groups within the cybercrime ecosystem, this campaign has publicly unveiled the personal and operational details of several supposed core members. This unprecedented release of sensitive data has led to significant changes in Lumma Stealer’s operational infrastructure and its internal and external communications. The campaign created a website named ‘Lumma Rats’ where it published highly sensitive details for five individuals, including their personal information, social media profiles, financial information, and passwords.
The disclosed information included details like passport numbers, bank account specifics, email addresses, and various online profile links. Two of the five exposed individuals are believed to be the malware’s administrator and developer, while the roles of the remaining three remain undisclosed. Security analysts believe the doxxing campaign was executed by someone with insider knowledge of the operation or through access to compromised accounts or databases. The fallout from the disclosure was immediate and severe: the group’s Telegram account was reportedly compromised, effectively cutting off the threat actors from their customers and directly contributing to the steep drop in the infostealer’s operational activity.
While Trend Micro emphasizes that the accuracy of the doxxed information and the actual involvement of the named individuals have not been independently verified, and that the campaign could be motivated by personal or competitive grudges, the impact is undeniable. The swift decline of Lumma Stealer has forced other cybercriminals to seek out alternatives. Two established information stealers, Vidar and StealC, have rapidly emerged as the top replacement options for those who previously relied on the MaaS. This shift also disrupted the Amadey pay-per-install (PPI) service, which was a key distribution mechanism for Lumma Stealer.
This sudden market disruption is expected to have broader implications for the cybercrime landscape. It has already encouraged other MaaS operators to aggressively intensify their marketing efforts to capture the newly available market share. More concerning, Trend Micro warns that this transition might catalyze the development and release of “new, stealthier infostealer variants” as operators attempt to avoid similar security and operational failures, ultimately pushing the threat landscape to evolve.