Overview
Lumma Stealer, also tracked as LummaC2, is a Malware-as-a-Service (MaaS) infostealer written in C that emerged in August 2022 on Russian-speaking cybercrime forums. It is sold through a tiered subscription model, with prices ranging from approximately $250 to $1,000 per month depending on feature access. The malware is developed and maintained by a threat actor operating under the alias “Shamel” (also known as “Lumma”). Its C2 infrastructure relies on rotating domains and has demonstrated resilience against takedown efforts. Lumma has grown rapidly in popularity, becoming one of the most widely distributed infostealers by volume as of 2024-2025.
Capabilities
Lumma Stealer targets a broad range of sensitive data on Windows systems. Its core capabilities include extraction of saved credentials, cookies, autofill data, and browsing history from Chromium and Gecko-based browsers. It is particularly focused on cryptocurrency theft, targeting over 40 browser-based wallet extensions and desktop wallet applications such as Exodus, Electrum, and Atomic Wallet. The stealer can also harvest system information, installed software lists, and two-factor authentication extension data. Higher-tier subscriptions unlock features like a non-resident loader, clipper module for swapping cryptocurrency addresses, and configurable exfiltration rules. Lumma employs multiple anti-analysis techniques, including control flow obfuscation, dynamic API resolution, and encrypted strings.
Distribution Methods
Lumma is distributed through diverse initial access vectors. Common delivery mechanisms include malicious Google Ads campaigns impersonating popular software downloads (e.g., Notepad++, OBS Studio, 7-Zip), SEO poisoning pages, phishing emails with ZIP or ISO attachments, cracked software distributed on file-sharing platforms, and fake CAPTCHA pages that trick users into running PowerShell commands. Affiliates frequently use loaders like SmokeLoader, Amadey, and PrivateLoader to deploy Lumma as a secondary payload.
Notable Campaigns
In late 2023 and throughout 2024, Lumma was at the center of large-scale malvertising campaigns exploiting Google Ads, redirecting victims through tracking templates to convincing software download pages. In early 2024, researchers observed Lumma being delivered via fake browser update prompts (ClearFake and SocGholish chains). By mid-2024, Lumma affiliates adopted a novel “ClickFix” technique using fake CAPTCHA verification pages that instructed users to paste clipboard content into the Windows Run dialog. In 2025, Microsoft and international law enforcement coordinated a partial disruption of Lumma infrastructure, though the operation resumed within weeks.
Detection & Mitigation
Detection strategies should monitor for suspicious PowerShell execution triggered from browsers, clipboard manipulation activity, and outbound HTTP POST requests to recently registered domains. YARA rules targeting Lumma’s characteristic string encryption patterns and API hashing routines are effective for static detection. Endpoint detection should flag mass reading of browser credential databases (Login Data, Cookies SQLite files) and access to cryptocurrency wallet files. Mitigation includes enforcing application allowlisting, disabling macro and script execution for standard users, deploying browser-based phishing protection, and educating users to avoid downloading software from ad-promoted links. Network-level blocking of known Lumma C2 domains via threat intelligence feeds provides an additional defensive layer.
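As an added illustration (not code from the original write-up or from any Lumma-specific tooling), the following Python sketch implements two of the detection ideas above over sample endpoint telemetry: PowerShell launched by a browser or from explorer.exe (the Run dialog parent) with hidden/encoded arguments, and a non-browser process reading several browser credential stores in a row. The browser process names, credential-store paths and argument heuristics are assumptions, and the events are constructed.

```python
import re
from collections import defaultdict

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
# Chromium "Login Data"/"Cookies" SQLite files and Gecko logins.json/cookies.sqlite
CRED_STORES = re.compile(r"\\(Login Data|Cookies|logins\.json|cookies\.sqlite)$", re.I)
# Heuristic argument patterns for a hidden, encoded or download-and-run launch (assumption)
SUSPICIOUS_ARGS = re.compile(
    r"-(enc|encodedcommand|w(indowstyle)?\s+hidden|nop)\b|\biex\b|invoke-expression|downloadstring", re.I)

def suspicious_powershell(ev):
    """Process-creation event. Flags PowerShell launched by a browser, or by
    explorer.exe (the Run dialog's parent) with hidden/encoded/download arguments,
    which is what a ClickFix-style paste into the Run dialog produces."""
    if ev["image"].lower() != "powershell.exe":
        return None
    parent = ev["parent"].lower()
    if parent in BROWSERS:
        return "powershell spawned by browser"
    if parent == "explorer.exe" and SUSPICIOUS_ARGS.search(ev["cmdline"]):
        return "hidden/encoded powershell from Run dialog"
    return None

def mass_credential_reads(events, threshold=3):
    """File-read events. Returns processes (other than the browsers themselves)
    that opened at least `threshold` distinct browser credential stores."""
    seen = defaultdict(set)
    for ev in events:
        if ev["image"].lower() not in BROWSERS and CRED_STORES.search(ev["path"]):
            seen[(ev["pid"], ev["image"])].add(ev["path"])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= threshold}

# Constructed sample telemetry (not real Lumma artefacts)
PROCESS_EVENTS = [
    {"image": "powershell.exe", "parent": "explorer.exe",
     "cmdline": "powershell.exe -w hidden -enc QQBBAEEA"},
    {"image": "powershell.exe", "parent": "chrome.exe",
     "cmdline": "powershell.exe -nop -c Get-Date"},
    {"image": "powershell.exe", "parent": "cmd.exe", "cmdline": "powershell.exe Get-Process"},
]
U = r"C:\Users\alice\AppData"
FILE_EVENTS = [
    {"pid": 4412, "image": "updater.exe", "path": U + r"\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 4412, "image": "updater.exe", "path": U + r"\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"pid": 4412, "image": "updater.exe", "path": U + r"\Roaming\Mozilla\Firefox\Profiles\x1.default\logins.json"},
    {"pid": 1200, "image": "chrome.exe", "path": U + r"\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 900, "image": "backup.exe", "path": U + r"\Local\Google\Chrome\User Data\Default\Network\Cookies"},
]
```

Running `suspicious_powershell` over `PROCESS_EVENTS` flags the first two launches and ignores the cmd.exe one, and `mass_credential_reads(FILE_EVENTS)` reports only `updater.exe` (pid 4412), since the browser's own reads are excluded and `backup.exe` touched a single store.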