The U.S. Department of Justice, with critical support from law enforcement, tech firms, and cybersecurity companies, has successfully dismantled the infrastructure behind Lumma Stealer (also known as LummaC or LummaC2), one of the most pervasive and sophisticated information-stealing malware-as-a-service (MaaS) operations in recent years.
Lumma Stealer is an actively developed infostealer malware family distributed via a MaaS model.
Affiliates, often recruited through underground forums, pay monthly subscriptions ranging from $250 to $1,000 to deploy Lumma Stealer through phishing, cracked software, and malicious downloaders such as SmokeLoader or DarkGate.
The service offers a user-friendly management panel for affiliates to aggregate and download exfiltrated credentials, session cookies, autofill data, crypto-wallet seed phrases, and sensitive information from a wide range of browsers and applications.

Technical Overview and Disruption Impact
Lumma Stealer’s development has been persistent, with regular code enhancements, upgraded data theft capabilities, and multiple layers of obfuscation.
The malware evolved from obfuscating configuration data with XOR and base64 encoding to using ChaCha20 symmetric cryptography for Command & Control (C&C) server lists and dynamic configurations.
To evade takedowns and avoid analysis, the operators leveraged dead-drop resolvers via Steam profiles and Telegram channels, advanced stack string encryption, dynamic API resolution, and custom API hash algorithms.

A critical part of the takedown was the seizure of five key domains serving as operational user panels for LummaC2, used by malware operators and affiliates to control infections and manage stolen data.
Rapid follow-up action by authorities, prompted by the operators' attempts to reestablish infrastructure on new domains, crippled the malware's operational capabilities. Microsoft further bolstered the disruption, independently targeting and disabling an additional 2,300 domains linked to Lumma Stealer actors.
Threat Landscape
Telemetry and threat intelligence from ESET and other private partners revealed that Lumma Stealer had infected systems worldwide, with the FBI linking it to at least 1.7 million credential theft incidents.
The stolen credentials were frequently traded on cybercrime marketplaces and used by ransomware affiliates, posing a sustained risk to victims across sectors.
Lumma’s dynamic management framework allowed attackers to tailor exfiltration configurations remotely, specifying targets such as password managers, VPN clients, FTP programs, cryptocurrency wallets, and other high-value data sources.
According to the report, the malware employed advanced anti-analysis techniques and obfuscation to evade defenses and hinder incident response efforts.
This operation exemplifies deep collaboration between government agencies including the FBI and the U.S. Attorney’s Office for the Northern District of Texas and private industry leaders such as Microsoft, ESET, BitSight, Cloudflare, and registry partners.
These efforts not only neutralized existing infrastructure but also provided threat intelligence for further mitigation and remediation activities.
Victims and organizations are urged to review network and endpoint activity for indicators of compromise (IoCs) associated with Lumma Stealer and to enhance credential security, especially for email, banking, and cryptocurrency services.
The U.S. Department of State’s Rewards for Justice Program is offering up to $10 million for information on foreign actors targeting U.S. critical infrastructure with malware like Lumma Stealer.
Indicators of Compromise (IoC)
| Type | Value / Description | Details |
|---|---|---|
| SHA-1 | 6F94CFAABB19491F2B8E719D74AD032D4BEB3F29 | AcroRd32.exe, Win32/Spy.Lumma Stealer.B, Build 2024-06-27 |
| SHA-1 | C5D3278284666863D7587F1B31B06F407C592AC4 | Notion.exe, Win32/Spy.Lumma Stealer.B, Build 2024-07-14 |
| SHA-1 | 5FA1EDC42ABB42D54D98FEE0D282DA453E200E99 | explorer.exe, Win32/Spy.Lumma Stealer.B, Build 2024-08-08 |
| SHA-1 | 0D744811CF41606DEB41596119EC7615FFEB0355 | aspnet_regiis.exe, Win32/Spy.Lumma Stealer.B, Build 2024-08-25 |
| SHA-1 | F4840C887CAAFF0D5E073600AEC7C96099E32030 | loader.exe, Win64/Kryptik.FAZ, Build 2025-04-15 |
| IP/Domain | 172.67.134[.]100 / cooperatvassquaidmew[.]xyz | Cloudflare, C&C server |
| IP/Domain | 188.114.96[.]1 / deadtrainingactioniw[.]xyz | Cloudflare, C&C server |
| IP/Domain | 104.21.92[.]96 / qualificationjdwko[.]xyz | Cloudflare, C&C server |
| IP/Domain | 172.67.209[.]200 / sweetcalcutangkdow[.]xyz | Cloudflare, C&C server |
| IP/Domain | 104.21.35[.]48 / languagedscie[.]shop | Cloudflare, C&C server |
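The article urges organizations to review network and endpoint activity for the IoCs above. The following is an added example (not code from the article or from any of the organizations named in it) that refangs the published indicators and matches them against log lines and a file-hash inventory; the log lines and the inventory are constructed sample data, not real telemetry.

```python
import re

# Indicators copied verbatim from the article's IoC table (defanged).
C2_DOMAINS = ["cooperatvassquaidmew[.]xyz", "deadtrainingactioniw[.]xyz",
              "qualificationjdwko[.]xyz", "sweetcalcutangkdow[.]xyz",
              "languagedscie[.]shop"]
C2_IPS = ["172.67.134[.]100", "188.114.96[.]1", "104.21.92[.]96",
          "172.67.209[.]200", "104.21.35[.]48"]
SAMPLE_SHA1 = {"6F94CFAABB19491F2B8E719D74AD032D4BEB3F29": "AcroRd32.exe",
               "C5D3278284666863D7587F1B31B06F407C592AC4": "Notion.exe",
               "5FA1EDC42ABB42D54D98FEE0D282DA453E200E99": "explorer.exe",
               "0D744811CF41606DEB41596119EC7615FFEB0355": "aspnet_regiis.exe",
               "F4840C887CAAFF0D5E073600AEC7C96099E32030": "loader.exe"}

def refang(value):
    """Restore a defanged indicator ('[.]', 'hxxp') to its matchable, lowercase form."""
    return value.replace("[.]", ".").replace("hxxp", "http").lower()

_DOMAINS = {refang(d) for d in C2_DOMAINS}
_IPS = {refang(i) for i in C2_IPS}
_HASHES = {h.lower(): name for h, name in SAMPLE_SHA1.items()}

def find_network_iocs(log_lines):
    """Return [(line_no, indicator)] for lines naming a C&C domain (or subdomain) or IP.
    Matching is on whole host-like tokens, so 188.114.96.10 does not match 188.114.96.1."""
    hits = []
    for no, line in enumerate(log_lines, 1):
        for tok in re.findall(r"[a-z0-9][a-z0-9.-]*[a-z0-9]", refang(line)):
            if tok in _IPS or tok in _DOMAINS or any(tok.endswith("." + d) for d in _DOMAINS):
                hits.append((no, tok))
    return hits

def find_hash_iocs(inventory):
    """inventory: {path: sha1_hex}. Return {path: known sample name} for published hashes."""
    return {p: _HASHES[h.lower()] for p, h in inventory.items() if h.lower() in _HASHES}

# Constructed sample data (not from the article): DNS/proxy log lines and an EDR hash list.
SAMPLE_LOG = [
    "2025-05-20T10:01:02 dns query host=WS-17 qname=api.cooperatvassquaidmew.xyz type=A",
    "2025-05-20T10:01:03 proxy host=WS-17 dst=188.114.96.10:443 action=allow",
    "2025-05-20T10:01:04 proxy host=WS-17 dst=104.21.35.48:443 action=allow",
    "2025-05-20T10:02:00 dns query host=WS-02 qname=updates.example.com type=A",
]
SAMPLE_INVENTORY = {
    r"C:\Users\alice\Downloads\Notion.exe": "c5d3278284666863d7587f1b31b06f407c592ac4",
    r"C:\Windows\explorer.exe": "0000000000000000000000000000000000000000",
}

if __name__ == "__main__":
    print(find_network_iocs(SAMPLE_LOG))   # [(1, 'api.cooperatvassquaidmew.xyz'), (3, '104.21.35.48')]
    print(find_hash_iocs(SAMPLE_INVENTORY))  # {'C:\\Users\\alice\\Downloads\\Notion.exe': 'Notion.exe'}
```

Note that the listed IPs belong to Cloudflare's shared ranges, so an IP-only match is a weak signal on its own; corroborate it with the domain or the file hash before acting on it.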