Lumma Infostealer Harvests Browser Data and Trades It on Underground Markets

Information stealers, better known as “infostealers,” have established themselves as a critical threat to both consumers and enterprises by surreptitiously extracting vast amounts of sensitive information from infected machines.

Among the most notorious is the Lumma infostealer, whose payloads are capable of vacuuming up login credentials, cryptocurrency wallet details, personally identifiable information (PII), and session and multifactor authentication (MFA) tokens, essentially any data stored within browsers.

This information, once harvested, is routinely packaged into “logs” (batches of valuable credentials and data) and auctioned on underground cybercrime marketplaces.

From Pirated Software to Global Infections

Originally surfacing in Russian-speaking cybercriminal forums in 2022, Lumma quickly gained notoriety for its effectiveness, user-friendliness, and its ability to evade detection by conventional security solutions.

Developed by the threat actor known as Shamel, aka lumma or HellsCoder, and believed to be Russia-based, the malware proliferated rapidly through various distribution vectors: phishing campaigns, malvertising, social engineering, and search engine optimization (SEO) techniques.

One of the most successful infection methods has involved luring victims searching for pirated or “cracked” software, that is, modified applications stripped of digital protections.

[Figure: Lumma Infostealer, two infection chains]

Unwitting users conducting queries like “download free cracked software” are often redirected via malicious Google links to file-sharing domains, where the payload is hidden, typically in the form of password-protected ZIP archives within NSIS installers.

These carry Lumma, often packed with the CypherIT crypter, which is designed to defeat detection by security tools.

In May 2025, global law enforcement agencies, including the US Department of Justice and Europol, in coordination with private partners such as Microsoft, temporarily disrupted Lumma’s operations.

Authorities seized over 2,300 related domains, disabled Lumma’s control panel, and took down key command-and-control (C2) infrastructure.

Microsoft identified more than 394,000 infected Windows systems worldwide, and significant remediation efforts were launched.

However, Lumma’s operators responded swiftly; reports suggest their infrastructure was partly restored and new C2 servers were brought online.

Flaunting their persistence, the group even taunted law enforcement and attempted to phish its own clientele using the seized assets.

Abusing Windows Utilities

Recent threat intelligence has detailed more insidious techniques used post-compromise. Lumma actors routinely seek to maintain persistence and evade security monitoring by probing for active security processes.

[Figure: Lumma Infostealer, Google search]

Using the legitimate Windows tools Tasklist.exe and Findstr (Windows equivalents of the Unix “ps” and “grep” utilities), the malware scans for signs of antivirus or security software such as Bitdefender or Sophos.

If found, Lumma’s routines may terminate these processes or cease operation to hinder detection.

This aligns with the broader trend of “living-off-the-land” tactics, abusing native system binaries (LOLBins) that rarely raise suspicion.

Traditional threat hunting approaches such as file hash and URL scanning are increasingly undermined by frequent code obfuscation and infrastructure churn, as attackers employ crypters to modify each malware drop, rendering signature-based detection unreliable.

Nevertheless, behavioral detection, spotting suspicious sequences such as the joint usage of Tasklist and Findstr, has proved more resilient.

Security researchers advocate monitoring command-line executions correlated with user roles and historical baselining, given that system administrators may sporadically use similar commands for legitimate purposes.
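The behavioral detection described above, written out as an added example that is not part of the original article: it scans constructed process-creation records (Sysmon Event ID 1 style fields, not real telemetry) for tasklist.exe followed by findstr.exe under the same parent process within a short window, flags hits whose findstr pattern names a security product, and downgrades hits from an assumed allowlist of administrator accounts so that role and baseline context are applied as the researchers advise. The field names, the five-second window and the admin allowlist are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry. Fields mirror Sysmon Event ID 1 (assumed names).
SAMPLE_EVENTS = [
    {"time": "2025-06-01T10:00:01", "user": "CORP\\jdoe", "parent_pid": 4120,
     "image": "C:\\Windows\\System32\\tasklist.exe", "cmdline": "tasklist /fo csv"},
    {"time": "2025-06-01T10:00:02", "user": "CORP\\jdoe", "parent_pid": 4120,
     "image": "C:\\Windows\\System32\\findstr.exe", "cmdline": 'findstr /i "bitdefender sophos"'},
    {"time": "2025-06-01T11:30:00", "user": "CORP\\it-admin", "parent_pid": 7788,
     "image": "C:\\Windows\\System32\\tasklist.exe", "cmdline": "tasklist"},
    {"time": "2025-06-01T11:30:02", "user": "CORP\\it-admin", "parent_pid": 7788,
     "image": "C:\\Windows\\System32\\findstr.exe", "cmdline": 'findstr /i "sophos"'},
    # Benign: findstr with no preceding tasklist and no security-product keyword.
    {"time": "2025-06-01T12:00:00", "user": "CORP\\jdoe", "parent_pid": 9001,
     "image": "C:\\Windows\\System32\\findstr.exe", "cmdline": 'findstr /s "TODO" *.py'},
]

# Product names the article says Lumma looks for; matched as substrings of the findstr pattern.
SECURITY_KEYWORDS = ("bitdefender", "sophos")
WINDOW = timedelta(seconds=5)          # assumed: tasklist and findstr run back to back
ADMIN_ROLES = {"CORP\\it-admin"}       # assumed baseline of accounts that run these legitimately


def detect_tasklist_findstr(events, admin_roles=ADMIN_ROLES, window=WINDOW):
    """Return alerts for tasklist.exe followed, under the same parent process and within
    `window`, by findstr.exe whose pattern names a security product. Hits by accounts in
    `admin_roles` are kept but marked 'review' instead of 'high' (role-aware baselining)."""
    by_parent = defaultdict(list)
    for ev in events:
        by_parent[(ev["user"], ev["parent_pid"])].append(ev)

    alerts = []
    for (user, ppid), evs in by_parent.items():
        evs.sort(key=lambda e: e["time"])  # ISO-8601 strings sort chronologically
        for i, ev in enumerate(evs):
            if not ev["image"].lower().endswith("\\tasklist.exe"):
                continue
            t0 = datetime.fromisoformat(ev["time"])
            for nxt in evs[i + 1:]:
                if datetime.fromisoformat(nxt["time"]) - t0 > window:
                    break  # later events are outside the correlation window
                cmd = nxt["cmdline"].lower()
                if nxt["image"].lower().endswith("\\findstr.exe") and any(k in cmd for k in SECURITY_KEYWORDS):
                    alerts.append({"user": user, "parent_pid": ppid,
                                   "severity": "review" if user in admin_roles else "high",
                                   "findstr": nxt["cmdline"]})
    return alerts
```

Running `detect_tasklist_findstr(SAMPLE_EVENTS)` yields one high-severity alert for the non-admin account and one review-severity alert for the admin, while the lone findstr under parent 9001 produces nothing.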

Ultimately, Lumma exemplifies the shifting sophistication of the infostealer landscape. Cybercriminals adapt swiftly in the face of takedowns, and the mass auction of stolen browser data continues to present serious challenges to organizations worldwide.

As security teams sharpen both their technical and behavioral detection capabilities, the arms race between defenders and adversaries shows no sign of abating.

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.