FBI and Europol disrupt the Lumma Stealer malware network linked to 10 million infections


A sweeping operation carried out by a consortium of global law enforcement agencies and private sector companies has disrupted the online infrastructure associated with the prolific information stealer known as Lumma (also known as LummaC or LummaC2), seizing 2,300 domains that acted as the command-and-control (C2) backbone for infected Windows systems.

“Malware like LUMMAC2 is deployed to steal sensitive information such as user login credentials from millions of victims, and to promote many crimes, including fraudulent bank transfers and cryptocurrency theft,” the U.S. Department of Justice (DOJ) said in a statement.

The seized infrastructure was used to target millions of victims worldwide through affiliates and other cybercriminals. Lumma Stealer, which has been active since late 2022, is estimated to have been used in at least 1.7 million instances to steal information such as browser data, autofill information, login credentials, and cryptocurrency seed phrases. The U.S. Federal Bureau of Investigation (FBI) attributes roughly 10 million infections to Lumma.

The action also targeted five domains that served as the login panels through which Lumma Stealer's administrators and its paying customers deployed the malware.

“Between March 16 and May 16, 2025, Microsoft identified over 394,000 Windows computers infected with Lumma malware,” Europol said. The takedown severed communication between the malicious tool and its victims. The agency described Lumma as “the world’s most important infostealer threat.”

Microsoft’s Digital Crimes Unit (DCU) said it had worked with the cybersecurity companies ESET, Bitsight, Lumen, Cloudflare, CleanDNS and GMO Registry to take down roughly 2,300 malicious domains that formed the backbone of Lumma’s infrastructure.

Spread of Lumma Stealer malware infections across Windows devices

“The main developer of Lumma is based in Russia and goes by the internet alias ‘Shamel,’” said Steven Masada, assistant general counsel at Microsoft’s DCU. “Shamel sells various service tiers of Lumma through Telegram and other Russian-language chat forums. Depending on what service a cybercriminal purchases, they can create their own version of the malware and add tools to track stolen information through an online portal.”

The stealer is sold under a malware-as-a-service (MaaS) model on a subscription basis, with tiers ranging from $250 to $1,000. The developers also offer a $20,000 plan that grants customers access to the source code and the right to resell it to other criminals.

Weekly count for new C2 domains

“The lower layer includes basic filtering and log download options, while the higher tier provides early access to custom data collection, evasion tools and new features,” ESET said. “The most expensive plans highlight stealth and adaptability, providing unique build generation and detection reductions.”

Over the years, Lumma has become something of a notorious threat, distributed via a variety of vectors, including the increasingly popular ClickFix technique. Microsoft tracks the threat actors behind the stealer as Storm-2477 and describes its distribution infrastructure as “dynamic and resilient,” leveraging a combination of phishing, malvertising, drive-by downloads, abuse of trusted platforms, and traffic distribution systems (TDS) like Prometheus.

Lumma C2 Selection Mechanism

In a report published Wednesday, Cato Networks revealed that Russian threat actors are abusing Tigris Object Storage, Oracle Cloud Infrastructure (OCI) Object Storage, and Scaleway Object Storage to host ClickFix-style lures that lead to the download of Lumma Stealer.


“Recent campaigns leveraging Tigris Object Storage, OCI Object Storage, and Scaleway Object Storage build on previous methods and introduce new distribution mechanisms aimed at evading detection and targeting technically skilled users,” the company said.

Clickfix attack flow that leads to Lumma Stealer using Prometheus TDS

Some of the notable aspects of the malware are listed below:

  • It employs a multi-tier C2 infrastructure consisting of nine frequently changed Tier-1 domains hardcoded in the malware configuration, plus a fallback C2 hosted on a Telegram channel that points to the current Tier-1 C2s.
  • Payloads are typically spread using pay-per-install (PPI) networks or traffic sellers that provide installs as a service.
  • The stealer is usually bundled with spoofed software or cracked versions of popular commercial software, targeting users who are trying to avoid paying for legitimate licenses.
  • The operators have created a Telegram marketplace with a rating system that lets affiliates sell stolen data without intermediaries.
  • The core binaries are obfuscated with advanced protections such as LLVM-based (LLVM Core) obfuscation, control flow flattening (CFF), control flow obfuscation, customized stack decoding, huge stack variables, and dead code.
  • Over 21,000 marketplace listings selling Lumma Stealer logs were observed across multiple cybercrime forums from April to June 2024, up 71.7% from April to June 2023.
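The tiered C2 design in the first bullet has an observable side effect a defender can hunt for: once the hardcoded Tier-1 domains are seized or rotated, an infected host fails against several of them in quick succession, reaches for the Telegram dead drop, and then succeeds against a domain it never tried before. The heuristic below is an added example, not code from Microsoft, ESET, Cato or the Lumma operators. It runs over constructed sample connection logs with placeholder domain names under the reserved `.invalid` TLD; the log format, the dead-drop host list and the thresholds are all assumptions to be tuned against real telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real Lumma traffic). One line per outbound
# connection attempt as a proxy or DNS sensor might record it:
#   "<ISO-8601 UTC time> <source host> <destination domain> <OK|FAIL>"
# Domain names are placeholders under the reserved .invalid TLD, not indicators.
SAMPLE_LOG = """\
2025-05-20T09:00:00Z ws-017 t1-a.example.invalid FAIL
2025-05-20T09:00:01Z ws-017 t1-b.example.invalid FAIL
2025-05-20T09:00:02Z ws-017 t1-c.example.invalid FAIL
2025-05-20T09:00:03Z ws-017 t1-d.example.invalid FAIL
2025-05-20T09:00:04Z ws-017 t1-e.example.invalid FAIL
2025-05-20T09:00:05Z ws-017 t1-f.example.invalid FAIL
2025-05-20T09:00:06Z ws-017 t1-g.example.invalid FAIL
2025-05-20T09:00:07Z ws-017 t1-h.example.invalid FAIL
2025-05-20T09:00:08Z ws-017 t1-i.example.invalid FAIL
2025-05-20T09:00:11Z ws-017 t.me OK
2025-05-20T09:00:12Z ws-017 t1-j.example.invalid OK
2025-05-20T09:03:00Z ws-042 www.example.com OK
2025-05-20T09:03:05Z ws-042 t.me OK
2025-05-20T09:05:00Z ws-042 cdn.example.invalid FAIL
"""

# Assumed: hostnames through which a public Telegram channel can be fetched.
DEAD_DROP_HOSTS = {"t.me", "telegram.me", "telegram.org"}


def parse_log(text):
    """Parse the four-column sample format into (time, host, domain, result) tuples, time-ordered."""
    events = []
    for line in text.strip().splitlines():
        ts, host, domain, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, domain, result))
    return sorted(events)


def detect_tier1_fallback(events, min_failed=5, window=timedelta(seconds=60)):
    """Flag hosts that fail against at least `min_failed` distinct domains within
    `window` and then fetch from a dead-drop host. If the dead-drop fetch is
    followed, inside the same window, by a successful connection to a domain the
    host had not tried before, that domain is reported as the probable refreshed
    Tier-1 C2. Thresholds are assumptions, not values from the page."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev[1]].append(ev)

    alerts = []
    for host, evs in by_host.items():
        for i, (ts, _, domain, _) in enumerate(evs):
            if domain not in DEAD_DROP_HOSTS:
                continue
            # Distinct domains this host failed against shortly before the dead-drop fetch.
            failed = {d for t, _, d, r in evs[:i]
                      if r == "FAIL" and ts - t <= window}
            if len(failed) < min_failed:
                continue
            # First successful connection after the dead drop to a never-tried domain.
            refreshed = [d for t, _, d, r in evs[i + 1:]
                         if r == "OK" and t - ts <= window
                         and d not in failed and d not in DEAD_DROP_HOSTS]
            alerts.append({
                "host": host,
                "dead_drop": domain,
                "failed_tier1": sorted(failed),
                "refreshed_c2": refreshed[:1],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_tier1_fallback(parse_log(SAMPLE_LOG)):
        print(alert)
```

In the sample, `ws-017` produces one alert (nine failed placeholder domains, then `t.me`, then a fresh domain) while `ws-042`, which visits Telegram without a preceding burst of failures, does not. The `refreshed_c2` field is the operationally useful output: it is the domain worth blocking next, because the Telegram fallback exists precisely so the hardcoded list can be replaced after a takedown.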

“The Lumma Stealer distribution infrastructure is flexible and adaptable,” Microsoft said. “Operators continuously improve their techniques, rotate malicious domains, exploit ad networks, and leverage legitimate cloud services to avoid detection and maintain operational continuity. To further hide the real C2 servers, all C2 servers are hidden behind the Cloudflare proxy.”

“This dynamic structure complicates operators’ efforts to track or dismantle activities while maximizing campaign success. LummaStealer’s growth and resilience highlights the broader evolution of cybercrime, highlighting the layered threat and the need for layered cooperation to counter the threat.”


In an interview with security researcher G0NJXA in January 2025, the developer behind Lumma said they intend to halt operations by fall of next year. “We’ve done a lot of work over the two years to achieve what we have now,” they said. “We are proud of this, and it has become a part of our daily lives.”
