Article Details
Scrape Timestamp (UTC): 2025-05-22 08:26:53.580
Source: https://thehackernews.com/2025/05/fbi-and-europol-disrupt-lumma-stealer.html
Original Article Text
FBI and Europol Disrupt Lumma Stealer Malware Network Linked to 10 Million Infections

A sprawling operation undertaken by global law enforcement agencies and a consortium of private sector firms has disrupted the online infrastructure associated with a commodity information stealer known as Lumma (aka LummaC or LummaC2), seizing 2,300 domains that acted as the command-and-control (C2) backbone used to commandeer infected Windows systems.

"Malware like LummaC2 is deployed to steal sensitive information such as user login credentials from millions of victims in order to facilitate a host of crimes, including fraudulent bank transfers and cryptocurrency theft," the U.S. Department of Justice (DoJ) said in a statement. The confiscated infrastructure has been used to target millions across the world through affiliates and other cyber criminals.

Lumma Stealer, active since late 2022, is estimated to have been used in at least 1.7 million instances to steal information such as browser data, autofill information, login credentials, and cryptocurrency seed phrases. The U.S. Federal Bureau of Investigation (FBI) has attributed around 10 million infections to Lumma.

The DoJ's seizure covers five domains that serve as login panels for Lumma Stealer's administrators and paying customers to deploy the malware, thereby preventing them from compromising further computers and stealing victim information.

"Between March 16 and May 16, 2025, Microsoft identified over 394,000 Windows computers globally infected by the Lumma malware," Europol said, adding that the operation cuts off communications between the malicious tool and victims. The agency described Lumma as the "world's most significant infostealer threat."

Microsoft's Digital Crimes Unit (DCU), in partnership with the cybersecurity companies ESET, BitSight, Lumen, Cloudflare, CleanDNS, and GMO Registry, said it took down approximately 2,300 malicious domains that formed the backbone of Lumma's infrastructure.

"The primary developer of Lumma is based in Russia and goes by the internet alias 'Shamel,'" Steven Masada, assistant general counsel at DCU, said. "Shamel markets different tiers of service for Lumma via Telegram and other Russian-language chat forums. Depending on what service a cybercriminal purchases, they can create their own versions of the malware, add tools to conceal and distribute it, and track stolen information through an online portal."

The stealer, marketed under a malware-as-a-service (MaaS) model, is available on a subscription basis for anywhere between $250 and $1,000. The developer also offers a $20,000 plan that grants customers access to the source code and the right to sell it to other criminal actors. "Lower tiers include basic filtering and log download options, while higher tiers offer custom data collection, evasion tools, and early access to new features," ESET said. "The most expensive plan emphasizes stealth and adaptability, offering unique build generation and reduced detection."

Over the years, Lumma has become something of a notorious threat, delivered via various distribution vectors, including the increasingly popular ClickFix method. Microsoft, which tracks the threat actor behind the stealer under the name Storm-2477, said its distribution infrastructure is both "dynamic and resilient," leveraging a combination of phishing, malvertising, drive-by download schemes, abuse of trusted platforms, and traffic distribution systems like Prometheus.

Cato Networks, in a report published Wednesday, revealed that suspected Russian threat actors are leveraging Tigris Object Storage, Oracle Cloud Infrastructure (OCI) Object Storage, and Scaleway Object Storage to host fake reCAPTCHA pages that use ClickFix-style lures to trick users into downloading Lumma Stealer.

"The recent campaign leveraging Tigris Object Storage, OCI Object Storage, and Scaleway Object Storage builds upon earlier methods, introducing new delivery mechanisms aimed at evading detection and targeting technically proficient users," researchers Guile Domingo, Guy Waizel, and Tomer Agayev said.

Some of the notable aspects of the malware are below -

"The Lumma Stealer distribution infrastructure is flexible and adaptable," Microsoft said. "Operators continually refine their techniques, rotating malicious domains, exploiting ad networks, and leveraging legitimate cloud services to evade detection and maintain operational continuity. To further hide the real C2 servers, all the C2 servers are hidden behind the Cloudflare proxy."

"This dynamic structure enables operators to maximize the success of campaigns while complicating efforts to trace or dismantle their activities. The growth and resilience of Lumma Stealer highlights the broader evolution of cybercrime and underscores the need for layered defenses and industry collaboration to counter threats."

In an interview with security researcher g0njxa in January 2025, the developer behind Lumma said they intended to cease operations by next fall. "We have done a lot of work over two years to achieve what we have now," they said. "We are proud of this. It has become a part of our daily life for us, and not just work."
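As an added illustration (this is not code from the article or from any organisation it quotes): the observation that Lumma's real C2 servers sit behind Cloudflare's reverse proxy has a direct consequence for defenders, because resolving a C2 domain returns only Cloudflare edge addresses that are shared with a large number of legitimate sites. The Python script below assumes a whitespace-separated passive-DNS export with timestamp, client, record type, name and answer fields, walks a constructed log (placeholder domain names under `.invalid`, not real indicators) and separates domains whose every observed answer is a Cloudflare edge from those that expose a direct origin. The Cloudflare ranges are a snapshot of the provider's published list and should be fetched live in practice.

```python
import ipaddress
from collections import defaultdict

# Snapshot of Cloudflare's published anycast ranges (cloudflare.com/ips-v4 and /ips-v6).
# Embedded so the example runs offline; fetch the live list in production.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32",
)]

# Constructed passive-DNS log: timestamp, querying client, record type, name, answer.
# Domain names are placeholders (reserved .invalid TLD), not indicators from the takedown.
SAMPLE_LOG = """\
2025-05-17T10:02:11Z host-a1 A lumma-panel-example.invalid 104.21.33.7
2025-05-17T10:02:12Z host-a1 A lumma-panel-example.invalid 172.67.140.22
2025-05-17T10:03:40Z host-b7 A example-cdn-origin.invalid 203.0.113.45
2025-05-17T10:05:02Z host-c3 A lumma-gate-example.invalid 104.26.9.140
2025-05-17T10:05:09Z host-c3 AAAA lumma-gate-example.invalid 2606:4700::6810:8a21
"""


def is_cloudflare_edge(ip: str) -> bool:
    """True if the address falls inside Cloudflare's published anycast ranges."""
    addr = ipaddress.ip_address(ip)
    # An IPv4 address is never 'in' an IPv6 network (and vice versa); that check is
    # handled by the ipaddress module and simply yields False.
    return any(addr in net for net in CLOUDFLARE_RANGES)


def parse_dns_log(text: str):
    """Yield (client, qtype, domain, answer) for well-formed A/AAAA lines; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] not in ("A", "AAAA"):
            continue  # malformed line or non-address record (CNAME, TXT, ...)
        _ts, client, qtype, domain, answer = parts
        try:
            ipaddress.ip_address(answer)
        except ValueError:
            continue  # answer field is not an IP literal; ignore
        yield client, qtype, domain.lower().rstrip("."), answer


def triage(text: str) -> dict:
    """Group answers per domain and decide whether the domain is Cloudflare-fronted.

    'fronted' means every answer seen was a Cloudflare edge, so the resolved IP says
    nothing about where the real server is and an IP block would hit shared
    infrastructure rather than the operator.
    """
    per_domain = defaultdict(lambda: {"hosts": set(), "edge_ips": set(), "origin_ips": set()})
    for client, _qtype, domain, answer in parse_dns_log(text):
        entry = per_domain[domain]
        entry["hosts"].add(client)
        bucket = "edge_ips" if is_cloudflare_edge(answer) else "origin_ips"
        entry[bucket].add(answer)

    result = {}
    for domain, entry in per_domain.items():
        result[domain] = {
            "hosts": sorted(entry["hosts"]),
            "edge_ips": sorted(entry["edge_ips"]),
            "origin_ips": sorted(entry["origin_ips"]),
            "fronted": bool(entry["edge_ips"]) and not entry["origin_ips"],
        }
    return result


if __name__ == "__main__":
    for domain, info in triage(SAMPLE_LOG).items():
        if info["fronted"]:
            verdict = "Cloudflare-fronted: block by name, escalate to provider abuse channel"
        else:
            verdict = "direct origin exposed: IP-level block and hosting abuse report are meaningful"
        print(f"{domain}: {verdict}; clients={info['hosts']}")
```

Domains reported as fronted are the ones where blocking the resolved address would affect unrelated Cloudflare customers rather than the operator, so enforcement has to happen at the DNS or domain layer and through the provider's and registrar's abuse processes, which is consistent with Cloudflare, CleanDNS and GMO Registry appearing among the takedown partners named above.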
Daily Brief Summary
Law enforcement and private sector collaborated to dismantle the command-and-control infrastructure of Lumma Stealer malware, affecting 2,300 domains.
The U.S. Department of Justice reports that Lumma malware has facilitated various crimes through stolen information such as login credentials and cryptocurrency details.
The FBI links approximately 10 million infections worldwide to Lumma Stealer; the seized domains now cut off communication between the malware and infected machines, preventing further data theft.
Microsoft's Digital Crimes Unit, working with ESET, BitSight, Lumen, Cloudflare, CleanDNS, and GMO Registry, identified over 394,000 infected Windows computers globally between March 16 and May 16, 2025, and took down roughly 2,300 domains forming the backbone of Lumma's infrastructure.
The malware, operational since late 2022, was sold under a malware-as-a-service model via Telegram and Russian-language forums, allowing cybercriminals to build and deploy their own versions.
The developer, known as "Shamel" and based in Russia, sold Lumma Stealer subscriptions for $250 to $1,000 depending on the tier, plus a $20,000 plan that includes the source code and the right to resell it.
Recent campaigns used sophisticated methods like fake reCAPTCHA pages to distribute the malware, targeting tech-savvy users.
The dismantling of this network marks a significant blow to one of the world's most potent infostealer threats, highlighting the ongoing evolution of cybercrime defense strategies.