Lumma Stealer Incident Response Guide
Incident Triage Steps
Within the first 30 minutes of suspecting a Lumma Stealer infection, your priority is to establish scope and determine whether data has already left the network. Begin by isolating the initially reported host from the network, but do not power it off: Lumma runs from memory during execution, and a shutdown or reboot destroys that evidence. On this host, immediately collect a volatile memory dump using your approved forensic tool.
Next, assess the scope. Query your EDR solution or SIEM platform for recent process creation events (Security Event ID 4688, or your EDR's equivalent) matching known Lumma Stealer patterns. Look for processes whose names are random alphanumeric strings, or that mimic legitimate system processes (such as svchost.exe or explorer.exe) but run from unusual directories such as %AppData%, %LocalAppData%, %Temp%, or C:\ProgramData. Check for outbound network connections to known Lumma Command and Control (C2) infrastructure. Common C2 patterns include domains with random subdomains and IP addresses in ranges associated with bulletproof hosting; treat these as leads to be confirmed against the IOCs in the Detection Guide, not as proof on their own. Correlate these connections with spikes in outbound data transfer shortly after the suspicious process was spawned; that combination is a strong indicator that exfiltration succeeded.
To determine whether data was exfiltrated, review proxy logs, firewall egress logs, and DNS query logs for the identified C2 indicators. Look for HTTPS POST requests to those IP addresses or domains with large request bodies (hundreds of KB to MB). Unless you perform TLS inspection, these logs show only the destination, timing and byte counts, not the content, so request size and timing relative to the process start are what you correlate on. Simultaneously, check the affected user's workstation for signs of data aggregation: look for large, recently created temporary files (e.g., .txt, .zip, .tmp) in the user's profile directories, which Lumma creates before exfiltration. Interview the user to establish whether they entered credentials into browsers or applications during the suspected infection window.
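The correlation described above, as an added example that is not part of the original guide: it ties the spawn time of each process started from a user-writable path to the POST volume the same host sent afterwards, which is the signal you have when the proxy cannot see inside TLS. The EDR records, proxy log lines, field names and thresholds are constructed for illustration and must be mapped to your own export formats.

```python
# Added example, not from the original guide: decide whether exfiltration is
# likely by tying the spawn time of a process from a user-writable path to the
# volume of POST traffic its host sent afterwards.  EDR records, proxy log
# lines, field names and thresholds are constructed for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation records (Security 4688 / EDR export).
PROCESS_EVENTS = [
    {"ts": "2024-05-02T09:14:03", "host": "WS-0142", "pid": 4412,
     "image": r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe"},      # suspicious
    {"ts": "2024-05-02T09:14:05", "host": "WS-0142", "pid": 4420,
     "image": r"C:\Windows\System32\svchost.exe"},                   # legitimate
]

# Constructed proxy log: timestamp host method destination client_bytes
PROXY_LOG = """\
2024-05-02T09:10:11 WS-0142 GET  cdn.example.org 1320
2024-05-02T09:14:41 WS-0142 POST 203.0.113.77 689450
2024-05-02T09:15:02 WS-0142 POST 203.0.113.77 1402113
2024-05-02T09:15:30 WS-0142 GET  cdn.example.org 980
2024-05-02T09:16:10 WS-0142 POST mail.example.org 2100
"""

# Lower-case, backslash-delimited directory fragments an unprivileged user can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
# System process names a dropper borrows to blend into the process list.
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}


def from_user_writable(image: str) -> bool:
    return any(frag in image.lower() for frag in USER_WRITABLE)


def is_masquerading(image: str) -> bool:
    """A system-process name running from a user-writable directory."""
    name = image.lower().rsplit("\\", 1)[-1]
    return name in SYSTEM_NAMES and from_user_writable(image)


def parse_proxy(text: str) -> list:
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, method, dest, nbytes = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "host": host,
                     "method": method, "dest": dest, "bytes": int(nbytes)})
    return rows


def exfil_candidates(process_events, proxy_rows, window_min=30, min_post_bytes=100_000):
    """For each process started from a user-writable path, sum the POST bytes the
    same host sent per destination within window_min minutes of the spawn and
    report destinations that received at least min_post_bytes."""
    findings = []
    for p in process_events:
        if not from_user_writable(p["image"]):
            continue
        start = datetime.fromisoformat(p["ts"])
        end = start + timedelta(minutes=window_min)
        per_dest = defaultdict(int)
        for r in proxy_rows:
            if (r["host"] == p["host"] and r["method"] == "POST"
                    and start <= r["ts"] <= end):
                per_dest[r["dest"]] += r["bytes"]
        for dest, total in per_dest.items():
            if total >= min_post_bytes:
                findings.append({"host": p["host"], "pid": p["pid"], "image": p["image"],
                                 "masquerade": is_masquerading(p["image"]),
                                 "dest": dest, "post_bytes": total})
    # Largest transfers first: those are the destinations to pull PCAPs for.
    return sorted(findings, key=lambda f: -f["post_bytes"])


if __name__ == "__main__":
    for f in exfil_candidates(PROCESS_EVENTS, parse_proxy(PROXY_LOG)):
        print(f"{f['host']} pid={f['pid']} {f['image']} masquerade={f['masquerade']} "
              f"-> {f['dest']} {f['post_bytes']} bytes POSTed")
```

On the constructed input the only finding is the Temp-resident svchost.exe with roughly 2 MB POSTed to 203.0.113.77 within two minutes of its start; the small POST to the mail server falls under the threshold. Tune `window_min` and `min_post_bytes` to the host's normal traffic, and treat a hit as the trigger for pulling PCAPs and the staging files, not as final proof.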
Evidence Collection
Before initiating containment or eradication, preserve the following evidence for forensic analysis. The goal is to capture the malware’s footprint and attack chain.
Memory and Process Artifacts:
- Memory Dump: Preserve the full memory dump of the infected host(s).
- Process List & Dumps: Export a detailed process list with hashes (MD5, SHA-256), image paths, parent process IDs and command lines. Capture process memory dumps for any suspicious processes identified, especially those with open handles to browser data files or credential vaults.
- Autorun Locations: Document all entries from common persistence locations Lumma uses:
- Registry: `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`, `RunOnce`, and the `HKCU\Environment` key for `UserInitMprLogonScript`.
- File System: Startup folders (`%AppData%\Microsoft\Windows\Start Menu\Programs\Startup`), scheduled tasks, and services.
File System Artifacts:
- Collect the Lumma payload executable, typically found in `%AppData%`, `%LocalAppData%`, `%Temp%`, or `C:\ProgramData\`. Preserve its hash.
- Collect any large temporary data files (e.g., `data.txt`, `logs.zip`) created in user profile directories prior to observed exfiltration.
- Collect copies of browser data files (like `Login Data`, `Cookies`, `Web Data` from Chrome/Edge profiles or `key4.db`, `logins.json` from Firefox) to assess what credentials were targeted, noting their last-modified timestamps.
Network and Log Evidence:
- Preserve full packet captures (PCAPs) from the infected host’s network interface or from network sensors, if available.
- Export relevant firewall, proxy, DNS, and EDR logs covering at least 72 hours before and after the initial detection.
- Collect Windows Event Logs, particularly Security (Event ID 4688 for process creation; this requires the process-creation audit policy to be enabled, and command lines appear only if command-line logging is also enabled), System, and Application logs. If Sysmon is deployed, collect its operational log as well, since its Event ID 1 records process creation with hashes and command lines.
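A collector for the file-system artifacts listed above, as an added example that is not part of the original guide: it walks a copy of the user profile (a mounted image, or a collection made with a tool that preserves modification times), picks out browser credential stores, executables, and large recently written staging files, and records size, last-modified time and SHA-256 for each. The file names, size threshold, 72-hour recency window and the sample profile that `demo()` builds are constructed for illustration.

```python
# Added example, not from the original guide: produce a hashed, timestamped
# manifest of the host artifacts listed in the guide from a copy of the user
# profile.  Thresholds and the sample profile in demo() are constructed.
import hashlib
import json
import os
import tempfile
import time
from pathlib import Path

# Browser credential and session stores named in the guide (compared case-insensitively).
BROWSER_STORES = {"login data", "cookies", "web data", "key4.db", "logins.json"}
EXEC_EXT = {".exe", ".dll"}            # candidate payloads
STAGE_EXT = {".txt", ".zip", ".tmp"}   # extensions Lumma-style staging files use


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path: Path, size: int, mtime: float, now: float,
             stage_min_bytes: int, recent_hours: float):
    """Return the artifact class a file belongs to, or None if it is not of interest."""
    name, ext = path.name.lower(), path.suffix.lower()
    if name in BROWSER_STORES:
        return "browser_store"
    if ext in EXEC_EXT:
        return "executable"
    if ext in STAGE_EXT and size >= stage_min_bytes and now - mtime <= recent_hours * 3600:
        return "staged_data"        # large and recently written: possible pre-exfil bundle
    return None


def build_manifest(profile_root, stage_min_bytes=512 * 1024, recent_hours=72.0, now=None):
    """Walk a profile copy and return sorted manifest entries (path, kind, size, mtime, sha256)."""
    root = Path(profile_root)
    now = time.time() if now is None else now
    entries = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = Path(dirpath) / fn
            try:
                st = p.stat()
            except OSError:
                continue
            kind = classify(p, st.st_size, st.st_mtime, now, stage_min_bytes, recent_hours)
            if kind is None:
                continue
            entries.append({
                "path": p.relative_to(root).as_posix(),
                "kind": kind,
                "size": st.st_size,
                "mtime_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(st.st_mtime)),
                "sha256": sha256_file(p),
            })
    return sorted(entries, key=lambda e: e["path"])


def demo():
    """Constructed sample profile (not real evidence) that exercises every rule."""
    now = 1_714_640_000.0                     # fixed reference time so results are stable
    root = Path(tempfile.mkdtemp())
    samples = {
        "AppData/Local/Temp/xq7f.exe": (b"MZ" + b"\0" * 64, now - 600),
        "AppData/Local/Google/Chrome/User Data/Default/Login Data": (b"", now - 86400 * 30),
        "AppData/Local/Temp/data.txt": (b"A" * (600 * 1024), now - 300),   # fresh, large
        "Documents/old.tmp": (b"B" * (600 * 1024), now - 86400 * 10),     # large but stale
        "Documents/notes.txt": (b"hi", now - 100),                         # too small
    }
    for rel, (content, mtime) in samples.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
        os.utime(p, (mtime, mtime))
    return build_manifest(root, now=now)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against the profile copy, not the live profile, and keep the JSON with the evidence: the hashes let you prove later that the files you analysed are the ones you collected, and the recorded mtimes survive even if a later copy operation resets them.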
Containment Procedures
Containment aims to halt the attack and prevent further data loss without destroying evidence.
- Network Segmentation: Immediately move the confirmed infected host(s) to an isolated VLAN or network segment with no internet or internal network access beyond what your forensic and EDR tooling needs. If the initial entry point is identified (e.g., a phishing email), block the sender's domain and any associated URLs at the email gateway and web proxy.
- Credential Reset Scope: Assume all credentials present on the infected host are compromised. This includes:
- User Credentials: Force a password reset for the infected user’s domain/email account, any local administrator accounts used on the host, and any other users who may have logged into that workstation.
- Browser-Stored Credentials: All credentials auto-filled or saved in browsers (Chrome, Edge, Firefox, etc.) on the host must be considered exposed. Users must change these passwords on their respective websites/applications.
- Application Secrets: Any application passwords, API keys, or session tokens stored on the file system (e.g., in `%AppData%` directories for Discord, Telegram, FTP clients, cryptocurrency wallets) must be revoked and reissued.
- C2 Blocking: Update your network intrusion prevention system (IPS), firewall, and web proxy to block all identified Lumma Stealer C2 IP addresses and domains. Implement sinkholing of related domains via internal DNS if possible. Lumma commonly exfiltrates over HTTPS (443) but can use any port, so blocking ports network-wide is neither practical nor sufficient; instead deny all egress from the isolated segment and alert on connection attempts on any port from the affected hosts.
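Scoping the credential reset from the host's logon history, as an added example that is not part of the original guide: it reads Security 4624 logon events for the infected host, keeps only logon types that place an account's credentials on the machine, drops machine and built-in service accounts, and reports each account with the logon types and times seen. The event records, host name and time window are constructed; the field names follow the 4624 EventData names (LogonType, TargetUserName, TargetDomainName) as commonly exported to JSON.

```python
# Added example, not from the original guide: derive the reset list for an
# infected host from Security 4624 logon events.  The records, host and window
# are constructed; field names follow the 4624 EventData names.
from datetime import datetime

# Logon types that put the account's credentials on the host: Interactive (2),
# Unlock (7), RemoteInteractive/RDP (10), CachedInteractive (11).  Network
# logons (3) only use the host as a target and are excluded.
EXPOSED_LOGON_TYPES = {2, 7, 10, 11}
NOISE_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE", "ANONYMOUS LOGON"}
NOISE_PREFIXES = ("DWM-", "UMFD-")      # Desktop Window Manager / font driver host sessions

# Constructed 4624 records for the infected host WS-0142 (and one for another host).
LOGON_EVENTS = [
    {"EventID": 4624, "Computer": "WS-0142.corp.example", "TimeCreated": "2024-05-01T08:02:11",
     "LogonType": 2, "TargetUserName": "jdoe", "TargetDomainName": "CORP"},
    {"EventID": 4624, "Computer": "WS-0142.corp.example", "TimeCreated": "2024-05-01T08:02:11",
     "LogonType": 5, "TargetUserName": "SYSTEM", "TargetDomainName": "NT AUTHORITY"},
    {"EventID": 4624, "Computer": "WS-0142.corp.example", "TimeCreated": "2024-05-01T13:40:19",
     "LogonType": 10, "TargetUserName": "helpdesk-admin", "TargetDomainName": "CORP"},
    {"EventID": 4624, "Computer": "WS-0142.corp.example", "TimeCreated": "2024-05-01T13:41:00",
     "LogonType": 2, "TargetUserName": "DWM-3", "TargetDomainName": "Window Manager"},
    {"EventID": 4624, "Computer": "WS-0142.corp.example", "TimeCreated": "2024-05-02T09:10:00",
     "LogonType": 3, "TargetUserName": "svc-backup", "TargetDomainName": "CORP"},
    {"EventID": 4624, "Computer": "WS-0142.corp.example", "TimeCreated": "2024-05-02T09:12:45",
     "LogonType": 2, "TargetUserName": "Administrator", "TargetDomainName": "WS-0142"},
    {"EventID": 4624, "Computer": "WS-0142.corp.example", "TimeCreated": "2024-04-20T10:00:00",
     "LogonType": 2, "TargetUserName": "olduser", "TargetDomainName": "CORP"},
    {"EventID": 4624, "Computer": "WS-0199.corp.example", "TimeCreated": "2024-05-02T09:00:00",
     "LogonType": 2, "TargetUserName": "someone", "TargetDomainName": "CORP"},
    {"EventID": 4624, "Computer": "WS-0142.corp.example", "TimeCreated": "2024-05-02T09:13:00",
     "LogonType": 3, "TargetUserName": "WS-0199$", "TargetDomainName": "CORP"},
]


def is_noise_account(user: str) -> bool:
    """Built-in, session-host and machine accounts that are not reset targets."""
    u = user.upper()
    return u in NOISE_ACCOUNTS or u.startswith(NOISE_PREFIXES) or u.endswith("$")


def reset_scope(events, host, start, end):
    """Accounts that logged on to `host` with an exposed logon type inside [start, end]."""
    start, end = datetime.fromisoformat(start), datetime.fromisoformat(end)
    scope = {}
    for e in events:
        if e["EventID"] != 4624 or e["Computer"].split(".")[0].lower() != host.lower():
            continue
        if e["LogonType"] not in EXPOSED_LOGON_TYPES or is_noise_account(e["TargetUserName"]):
            continue
        t = datetime.fromisoformat(e["TimeCreated"])
        if not start <= t <= end:
            continue
        account = f'{e["TargetDomainName"]}\\{e["TargetUserName"]}'
        entry = scope.setdefault(account, {
            "account": account,
            "kind": "local" if e["TargetDomainName"].lower() == host.lower() else "domain",
            "logon_types": set(), "first_seen": t, "last_seen": t})
        entry["logon_types"].add(e["LogonType"])
        entry["first_seen"] = min(entry["first_seen"], t)
        entry["last_seen"] = max(entry["last_seen"], t)
    for entry in scope.values():
        entry["logon_types"] = sorted(entry["logon_types"])
    return sorted(scope.values(), key=lambda s: s["account"])


if __name__ == "__main__":
    # 72 hours before the first indicator (constructed: 2024-05-02 09:14) to the isolation time.
    for s in reset_scope(LOGON_EVENTS, "WS-0142", "2024-04-29T00:00:00", "2024-05-03T00:00:00"):
        print(f"{s['account']:<28} {s['kind']:<7} types={s['logon_types']} "
              f"{s['first_seen']:%Y-%m-%d %H:%M} .. {s['last_seen']:%Y-%m-%d %H:%M}")
```

This produces the list of domain and local accounts to reset; it says nothing about credentials saved in browsers or application config files, which the event log never sees and which you must enumerate from the collected browser stores and from the user interview.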
Eradication and Recovery
Eradication requires complete removal of the malware and its artifacts from all affected systems.
- Follow the Removal Guide: Execute the step-by-step procedures outlined in the Lumma Stealer Removal Guide. This will guide you through terminating malicious processes, removing persistence mechanisms, and deleting all associated files and registry keys specific to the Lumma variant you are facing.
- Credential Remediation: Enforce the credential resets defined in the Containment phase. Use your identity management system to invalidate existing sessions and require global password changes if the scope is large.
- Restore from Backups: For critically infected systems or where you cannot guarantee eradication, restore from known-clean backups. Ensure the backup predates the earliest indicator of compromise (IOC). Do not restore user profile data (like browser folders) from the infected period, as they may contain the stolen data files or corrupted databases.
- Verification: Before returning a system to the network, perform a thorough verification scan. Use a dedicated offline antivirus scanner and your EDR tool to conduct a full system scan. Validate that all persistence points listed in the Evidence Collection section are clean. Keep the host in a segmented, monitored network for 24-48 hours and watch for callback attempts to the C2 indicators before full reintegration.
Lessons Learned Checklist
After containment and eradication, conduct a post-incident review to improve defenses.
- Initial Infection Vector: How did Lumma Stealer gain execution? Was it a malicious email attachment, a drive-by download from a compromised site, or a fraudulent software installer? Analyze email logs, web gateway logs, and endpoint execution events.
- Control Failures: Which security controls did not perform as intended?
- Did email filtering fail to block the malicious attachment/link?
- Did web filtering allow access to the download site?
- Did endpoint protection fail to prevent execution or detect the malware’s behavior (credential access, data collection, exfiltration)?
- Detection Gaps: Why was detection delayed?
- Were there no alerts for the creation of executable files in `%AppData%`?
- Were network connections to the C2 infrastructure not correlated with suspicious process activity?
- Were there no behavioral detections for processes reading browser SQLite databases and making large HTTPS POSTs?
- Improvement Plan: Based on the gaps, define actionable improvements:
- Technical: Update IDS/IPS and EDR signatures with the collected Lumma IOCs. Implement stricter application allow-listing to prevent execution from user-writable directories. Enhance SIEM correlation rules to flag the specific chain of events (e.g., `powershell.exe` spawning a process in `%Temp%`, which then accesses `Login Data` and connects to a new external IP).
- Process: Revise and communicate credential reset procedures for infostealer incidents. Implement more frequent backups of critical systems.
- Training: Conduct targeted user awareness training on the identified initial infection vector (e.g., phishing recognition, software download risks).
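The correlation rule named in the Technical item above, as an added example that is not part of the original guide: a stateful matcher that tracks, per process, the three stages (spawned by a script host from a user-writable path, read of a browser credential store, connection to an external IP absent from the baseline) and fires only when all three occur in order within a window. The telemetry stream, field names and baseline set are constructed for illustration and must be mapped to your EDR or Sysmon schema.

```python
# Added example, not from the original guide: a stateful correlation rule for
# the chain script host -> child in user-writable path -> browser store read ->
# connection to a new external IP.  Telemetry, field names and the baseline
# set are constructed; map them to your EDR or Sysmon schema.
import ipaddress
from datetime import datetime, timedelta

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
BROWSER_STORES = ("login data", "cookies", "web data", "key4.db", "logins.json")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

BASELINE_IPS = {"203.0.113.10"}     # constructed: external IPs this host reached in the prior 30 days

# Constructed telemetry: process starts, file reads and network connects with PIDs.
TELEMETRY = [
    {"ts": "2024-05-02T09:13:58", "type": "process", "pid": 3300, "ppid": 900,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ts": "2024-05-02T09:14:03", "type": "process", "pid": 4412, "ppid": 3300,
     "image": r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe"},
    {"ts": "2024-05-02T09:14:09", "type": "file", "pid": 4412, "op": "read",
     "path": r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": "2024-05-02T09:14:40", "type": "network", "pid": 4412, "dst_ip": "203.0.113.77", "dst_port": 443},
    # Benign: Chrome reading its own store and talking to a baseline IP.
    {"ts": "2024-05-02T09:14:12", "type": "process", "pid": 5100, "ppid": 1200,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"ts": "2024-05-02T09:14:15", "type": "file", "pid": 5100, "op": "read",
     "path": r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": "2024-05-02T09:14:20", "type": "network", "pid": 5100, "dst_ip": "203.0.113.10", "dst_port": 443},
    # Benign: a script-host child in Temp that never touches credentials.
    {"ts": "2024-05-02T09:20:00", "type": "process", "pid": 6000, "ppid": 3300,
     "image": r"C:\Users\jdoe\AppData\Local\Temp\installer.exe"},
    {"ts": "2024-05-02T09:20:05", "type": "network", "pid": 6000, "dst_ip": "198.51.100.5", "dst_port": 443},
]


def basename(image: str) -> str:
    return image.lower().rsplit("\\", 1)[-1]


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def correlate(telemetry, baseline_ips, window_min=15):
    """Return one alert per process that completes all three stages within window_min."""
    images = {}     # pid -> image path, so a child can look up its parent's name
    tracked = {}    # pid -> partial match state
    alerts = []
    for e in sorted(telemetry, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "process":
            images[e["pid"]] = e["image"]
            parent = basename(images.get(e["ppid"], ""))
            if parent in SCRIPT_HOSTS and any(d in e["image"].lower() for d in USER_WRITABLE):
                tracked[e["pid"]] = {"stage": 1, "started": ts, "image": e["image"],
                                     "evidence": [f"{e['ts']} spawned by {parent}"]}
            continue
        st = tracked.get(e["pid"])
        if st is None or ts - st["started"] > timedelta(minutes=window_min):
            continue
        if e["type"] == "file" and st["stage"] == 1 and e["path"].lower().endswith(BROWSER_STORES):
            st["stage"] = 2
            st["evidence"].append(f"{e['ts']} read {e['path']}")
        elif e["type"] == "network" and st["stage"] == 2:
            if is_external(e["dst_ip"]) and e["dst_ip"] not in baseline_ips:
                st["stage"] = 3       # fire once per process
                st["evidence"].append(f"{e['ts']} connected to {e['dst_ip']}:{e['dst_port']}")
                alerts.append({"pid": e["pid"], "image": st["image"],
                               "dst_ip": e["dst_ip"], "evidence": list(st["evidence"])})
    return alerts


if __name__ == "__main__":
    for a in correlate(TELEMETRY, BASELINE_IPS):
        print(f"ALERT pid={a['pid']} {a['image']} -> {a['dst_ip']}")
        for line in a["evidence"]:
            print("  ", line)
```

Chrome reading its own `Login Data` does not fire because it was not spawned by a script host, and the Temp-resident installer does not fire because it never reaches stage 2; only the PowerShell child that reads the store and then contacts an unseen external address produces an alert, with the three evidence lines an analyst needs to start triage. Ordering by event timestamp matters in real pipelines, where file and network events often arrive out of order.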
For detailed steps on finding and removing Lumma Stealer, refer to the Removal Guide. To understand its indicators and hunting strategies, see the Detection Guide. For general information, visit the Lumma Stealer Overview.