
FBI–Europol Joint Operation Dismantles Lumma Stealer Malware Network after 10 Million Infections


The Malware

A sprawling operation undertaken by global law enforcement agencies and a consortium of private sector firms has successfully disrupted the online infrastructure associated with a commodity information stealer known as Lumma (aka LummaC or LummaC2). Authorities seized 2,300 domains that served as the command-and-control (C2) backbone used to commandeer infected Windows systems.

According to a statement from the U.S. Department of Justice (DoJ), “Malware like LummaC2 steals sensitive information such as user login credentials from millions of victims in order to facilitate a host of crimes, including fraudulent bank transfers and cryptocurrency theft.”

Furthermore, cybercriminals and affiliates used the confiscated infrastructure to target millions across the world. Active since late 2022, Lumma Stealer has carried out at least 1.7 million attacks to steal browser data, autofill information, login credentials, and cryptocurrency seed phrases. The U.S. Federal Bureau of Investigation (FBI) attributes around 10 million infections to Lumma.

The seizure targets five domains that operate as login panels for Lumma Stealer’s administrators and paying customers, allowing them to deploy the malware. This action prevents further compromises of computers and theft of victim information.

In a related development, Europol stated, “Between March 16 and May 16, 2025, Microsoft identified over 394,000 Windows computers globally infected by the Lumma malware.” Europol also emphasized that the operation effectively cuts off communications between the malicious tool and its victims. The agency describes Lumma as the “world’s most significant infostealer threat.”

Microsoft’s Digital Crimes Unit (DCU), working in coordination with cybersecurity companies ESET, BitSight, Lumen, Cloudflare, CleanDNS, and GMO Registry, took down approximately 2,300 malicious domains that formed the backbone of Lumma’s infrastructure.


Spread of Lumma Stealer malware infections across Windows devices

“The primary developer of Lumma is based in Russia and goes by the internet alias ‘Shamel.’” Steven Masada, assistant general counsel at DCU, said. “Shamel markets different tiers of service for Lumma via Telegram and other Russian-language chat forums. Depending on what service a cybercriminal purchases, they can create their own versions of the malware, add tools to conceal and distribute it, and track stolen information through an online portal.”

Meanwhile, the stealer, which follows a malware-as-a-service (MaaS) model, is offered on a subscription basis for anywhere between $250 and $1,000. Additionally, the developer sells a $20,000 plan that provides access to the source code and grants customers the right to resell it to other criminal actors.


Weekly counts of new C2 domains

“Lower tiers include basic filtering and log download options, while higher tiers offer custom data collection, evasion tools, and early access to new features,” ESET said. “The most expensive plan emphasizes stealth and adaptability, providing unique build generation and reducing detection.”

Lumma

Over time, Lumma has evolved into a notorious threat, delivered through various distribution vectors—including the increasingly popular ClickFix method. Microsoft, which tracks the threat actor behind the stealer under the name Storm-2477, describes its distribution infrastructure as both “dynamic and resilient.” The actor uses a mix of phishing, malvertising, drive-by download schemes, abuse of trusted platforms, and traffic distribution systems like Prometheus to spread the malware.


Lumma C2 selection mechanism

Cato Networks

In a recent development, Cato Networks, in a report published Wednesday, disclosed that suspected Russian threat actors are using Tigris Object Storage, Oracle Cloud Infrastructure (OCI) Object Storage, and Scaleway Object Storage to host fake reCAPTCHA pages. These pages employ ClickFix-style lures to trick users into downloading Lumma Stealer.

“The recent campaign leveraging Tigris Object Storage, OCI Object Storage, and Scaleway Object Storage builds upon earlier methods, introducing new delivery mechanisms aimed at evading detection and targeting technically proficient users,” said researchers Guile Domingo, Guy Waizel, and Tomer Agayev.


Attack flow for ClickFix leading to Lumma Stealer using Prometheus TDS

Some of the notable aspects of the malware include:

  • It uses a multi-tiered C2 infrastructure, featuring nine frequently changing tier-1 domains hard-coded into the malware’s configuration. It also relies on fallback C2s hosted on Steam profiles and Telegram channels, which redirect to the tier-1 C2s.

  • The payloads typically spread via pay-per-install (PPI) networks or traffic sellers that offer installs-as-a-service.

  • The stealer often comes bundled with spoofed or cracked versions of popular commercial software, targeting users who want to avoid paying for legitimate licenses.

  • The operators have established a Telegram marketplace with a rating system that allows affiliates to sell stolen data directly, eliminating intermediaries.

  • The core binary employs advanced obfuscation techniques—such as low-level virtual machine (LLVM core), Control Flow Flattening (CFF), Control Flow Obfuscation, customized stack decryption, large stack variables, and dead code insertion—to complicate static analysis.

  • From April through June of 2024, threat actors posted over 21,000 market listings selling Lumma Stealer logs on various cybercriminal forums, representing a 71.7% increase compared to the same period in 2023.

“The Lumma Stealer distribution infrastructure is flexible and adaptable,” Microsoft said. “Operators continuously refine their techniques, rotating malicious domains, exploiting ad networks, and leveraging legitimate cloud services to evade detection and maintain operational continuity. To further conceal the true C2 servers, they hide all of them behind the Cloudflare proxy.”

This dynamic architecture enables operators to maximize campaign success while complicating efforts to trace or disrupt their activities. The ongoing growth and resilience of Lumma Stealer highlight the broader evolution of cybercrime and stress the importance of layered defenses and industry collaboration to counter such threats.
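As an added defender-side illustration (not code from the article or from any of the vendors it cites), the script below turns the two infrastructure traits described above into a simple log check: the fallback chain, where an infected host fetches a Steam profile or Telegram channel and then contacts a freshly rotated tier-1 C2 domain, and the weekly count of never-before-seen domains. The log lines, host names and domains are constructed sample data; the `.invalid` domains are placeholders, not real Lumma indicators.

```python
"""Flag the dead-drop-then-new-domain sequence and tally first-seen domains
per ISO week over proxy logs. Constructed sample data; no real C2 domains."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log lines: "<ISO timestamp> <client> <destination host>"
SAMPLE_LOG = """\
2025-03-17T09:00:01 ws-011 steamcommunity.com
2025-03-17T09:00:04 ws-011 example-c2-placeholder-1.invalid
2025-03-17T09:01:00 ws-023 www.microsoft.com
2025-03-18T13:45:10 ws-042 t.me
2025-03-18T13:45:12 ws-042 example-c2-placeholder-2.invalid
2025-03-25T10:00:00 ws-011 example-c2-placeholder-3.invalid
2025-03-26T08:00:00 ws-007 steamcommunity.com
2025-03-26T09:30:00 ws-007 www.microsoft.com
"""

# Hosts Lumma uses as fallback pointers to its tier-1 C2s (per the article)
FALLBACK_HOSTS = {"steamcommunity.com", "t.me"}
WINDOW = timedelta(seconds=60)   # dead-drop fetch -> new domain within 60 s


def parse(log):
    """Yield (timestamp, client, host) tuples from the constructed log."""
    for line in log.splitlines():
        ts, client, host = line.split()
        yield datetime.fromisoformat(ts), client, host.lower()


def analyze(log, baseline=frozenset()):
    """Return (alerts, weekly_new): alerts is a list of (client, host) pairs
    where a host hit a fallback dead drop and then a never-seen domain within
    WINDOW; weekly_new maps ISO (year, week) to the count of first-seen domains.
    `baseline` is the set of domains already known from historical logs."""
    seen = set(baseline)
    last_fallback = {}            # client -> time of its last dead-drop fetch
    weekly_new = defaultdict(int)
    alerts = []
    for ts, client, host in sorted(parse(log)):
        if host in FALLBACK_HOSTS:
            last_fallback[client] = ts
            continue
        is_new = host not in seen
        if is_new:
            seen.add(host)
            weekly_new[ts.isocalendar()[:2]] += 1
        t = last_fallback.get(client)
        if is_new and t is not None and ts - t <= WINDOW:
            alerts.append((client, host))
    return alerts, dict(weekly_new)
```

Because the true C2 servers sit behind the Cloudflare proxy, matching on destination IP is of little use here; the check keys on domain novelty and sequence instead.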

Cloudflare actions

Meanwhile, web infrastructure company Cloudflare introduced a Turnstile-enabled interstitial warning page in front of the attackers’ C2 and marketplace domains. The company also took action against the accounts used to configure those domains.

“This disruption fully set back their operations by several days, taking down a significant number of domain names and ultimately blocking their ability to profit from cybercrime,” said Blake Darché, head of Cloudforce One. “Although the effort threw a sizable wrench into the world’s largest infostealer infrastructure, the threat actors behind Lumma will, like others, adapt and eventually return to relaunch their campaign.”

In a January 2025 interview with security researcher g0njxa, the developer behind Lumma announced plans to cease operations by next fall. “We have done a lot of work over two years to achieve what we have now,” they said. “We are proud of this. It has become a part of our daily life—not just work.”


Source: TheHackerNews
