Lumma Stealer - Removal Guide

Last updated: 2026-04-01

Lumma Stealer Malware Removal Guide

Signs of Infection

Lumma Stealer is an information-stealing malware that targets credentials, cryptocurrency wallets, browser data, and system information. Look for these specific indicators of compromise.

File System Artifacts:

  • Executables with random or misspelled names mimicking legitimate software (e.g., updater.exe, chrome-service.exe) in user profile directories (%APPDATA%, %LOCALAPPDATA%, %TEMP%).
  • New, suspicious files with extensions like .log, .txt, or .tmp in C:\ProgramData\ or C:\Windows\Temp\ that may contain exfiltrated data.
  • Batch files (.bat) or VBS scripts (.vbs) in startup folders (C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\) used for persistence.

Process & Behavior Indicators:

  • Unfamiliar processes consuming unexpected CPU or memory, often with names similar to svchost.exe, runtimebroker.exe, or services.exe.
  • Suspicious child processes spawned from legitimate applications like explorer.exe or msiexec.exe.
  • Unusual outbound network connections from non-browser processes to unknown IP addresses or domains.
  • Rapid creation and deletion of files in temporary folders.
  • Disabling of security software or Windows Defender notifications.

Network Indicators:

  • Beaconing traffic to known C2 (Command and Control) servers, often using HTTP/HTTPS POST requests with encoded data.
  • Connections to IP addresses associated with bulletproof hosting providers or newly registered domains (check Current Lumma Stealer IOCs).
  • DNS queries for domains with random alphanumeric subdomains or using free dynamic DNS services.
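The following triage script is an added example, not part of the original guide: it checks the process and network indicators above on a live host (system-binary names running outside the Windows directory, images launched from user-writable paths, and established connections from non-browser processes). The process-name, browser and private-address lists are assumptions chosen to match the indicators above.

```powershell
# Added triage script, not part of the original guide. Assumes PowerShell 5.1+
# run as Administrator on the suspect host. The name lists and the private-address
# regex are assumptions chosen to match the indicators above; every row printed is
# triage input for a human (updaters, sync clients, etc. also make connections).
$SystemNames  = @('svchost.exe', 'runtimebroker.exe', 'services.exe', 'explorer.exe', 'msiexec.exe')
$Browsers     = @('chrome', 'msedge', 'firefox', 'brave', 'opera', 'iexplore')
$UserWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, 'C:\ProgramData', 'C:\Windows\Temp')

function Test-UserWritablePath([string]$Path) {
    foreach ($root in $UserWritable) {
        if ($Path -and $Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# 1. Running processes: a system-binary name outside the Windows directory, or any
#    image launched from a user-writable location (Path is empty for protected processes)
$procs = Get-Process -ErrorAction SilentlyContinue
$suspectProcs = foreach ($p in $procs) {
    if (-not $p.Path) { continue }
    $exe = ($p.ProcessName + '.exe').ToLower()
    $reason = $null
    if (($SystemNames -contains $exe) -and ($p.Path -notlike "$env:SystemRoot\*")) {
        $reason = 'system-binary name outside Windows dir'
    } elseif (Test-UserWritablePath $p.Path) {
        $reason = 'image in user-writable path'
    }
    if ($reason) { [pscustomobject]@{ PID = $p.Id; Name = $p.ProcessName; Path = $p.Path; Reason = $reason } }
}

# 2. Established TCP connections to non-private addresses owned by non-browser processes
$byId = @{}; foreach ($p in $procs) { $byId[[int]$p.Id] = $p }
$private = '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|169\.254\.|::1$|fe80:)'
$suspectConns = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue | ForEach-Object {
    $owner = $byId[[int]$_.OwningProcess]
    $name  = if ($owner) { $owner.ProcessName } else { 'unknown' }
    if (($Browsers -notcontains $name.ToLower()) -and ($_.RemoteAddress -notmatch $private)) {
        [pscustomobject]@{ PID = $_.OwningProcess; Process = $name; Path = $owner.Path
                           Remote = "$($_.RemoteAddress):$($_.RemotePort)" }
    }
}

$suspectProcs | Format-Table -AutoSize -Wrap
$suspectConns | Sort-Object Process | Format-Table -AutoSize -Wrap
```

Record the PID and Path of anything flagged before terminating it; the PID is what the containment steps below ask you to kill by, and the path is what the persistence and file-deletion steps need.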

Immediate Containment Steps

Within the first 15 minutes of detection, take these steps to prevent further data loss.

  1. Network Isolation: Immediately disconnect the infected host from the network. Disable both wired and wireless adapters. If remote management is required, isolate the host to a restricted VLAN that only allows administrative access, blocking all other outbound traffic.
  2. Identify Scope: Check central authentication logs (e.g., Active Directory) and endpoint logs to identify any lateral movement or other potentially infected hosts. Treat them with the same level of suspicion.
  3. Terminate Malicious Processes: Using a trusted command-line tool or endpoint console, identify and kill the malicious processes noted during detection. Use their full Process ID (PID). Do not rely on the process name alone.
  4. Credential Rotation Priority:
    • Immediate: Rotate passwords for any domain, local administrator, and user accounts present on the infected machine.
    • High Priority: Rotate credentials for any web services (email, cloud storage, SaaS platforms, banking) accessed from this host. Enable multi-factor authentication (MFA) everywhere possible.
    • Investigate: Review browser history and system logs (if available) to identify which specific websites and services may have been targeted for credential theft.

Manual Removal Process

Proceed with manual removal only if you cannot use a dedicated anti-malware tool. Work from a known-clean system or bootable USB if possible.

Step 1: Terminate Malicious Processes.

  1. Open Task Manager or a command prompt as Administrator.
  2. Identify suspicious processes (reference detection signs and the Detection Rate page for common names).
  3. Note the PID and file location. End the task.

Step 2: Remove Persistence Mechanisms.

  1. Check common autostart locations:
    • Run shell:startup to open the current user’s startup folder. Delete any suspicious .lnk, .bat, or .vbs files.
    • Check the system-wide startup folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\.
  2. Examine Scheduled Tasks:
    • Open Task Scheduler (taskschd.msc).
    • Look for recently created tasks with random names or triggers set for user logon or system idle. Delete suspicious tasks.
  3. Clean the Windows Registry:
    • Open Registry Editor (regedit) as Administrator.
    • Navigate to and carefully inspect these keys for suspicious entries:
      • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
      • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
      • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    • Delete any keys pointing to the file paths of the malicious executables identified earlier.
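The following enumeration script is an added example, not part of the original guide. It walks the Run/RunOnce keys, both Startup folders and all scheduled tasks listed in Step 2 and flags entries whose command references a user-writable directory, is a script launcher, or points at a file that no longer exists; the path list and the flagging rules are assumptions.

```powershell
# Added enumeration script, not part of the original guide. Assumes PowerShell 5.1+
# run elevated inside the affected user's session (so HKCU: is that user's hive).
# It only reports; review the flagged rows by hand before deleting anything.
$UserWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, 'C:\ProgramData', 'C:\Windows\Temp', 'C:\Users\Public')
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce')
$StartupDirs = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))

function Get-SuspicionReason([string]$Command) {
    if (-not $Command) { return $null }
    # Expand %VARS%, then reduce "C:\x\app.exe" /args or C:\x\app.exe /args to the executable
    $full = [Environment]::ExpandEnvironmentVariables($Command)
    $exe  = if ($full -match '^"([^"]+)"') { $Matches[1] } else { ($full -split '\s+')[0] }
    foreach ($root in $UserWritable) {
        if ($full.IndexOf($root, [StringComparison]::OrdinalIgnoreCase) -ge 0) { return "references $root" }
    }
    if ($exe -match '\.(bat|cmd|vbs|js|ps1)$') { return 'script launcher' }
    if ($exe -match '^[A-Za-z]:\\' -and -not (Test-Path -LiteralPath $exe)) { return 'target missing' }
    return $null
}

$findings = @()
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($v in (Get-ItemProperty -Path $key).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
        $findings += [pscustomobject]@{ Location = $key; Name = $v.Name; Command = $v.Value; Reason = Get-SuspicionReason $v.Value }
    }
}
$shell = New-Object -ComObject WScript.Shell   # used to resolve .lnk targets
foreach ($dir in $StartupDirs) {
    foreach ($f in Get-ChildItem -Path $dir -Force -File -Exclude desktop.ini -ErrorAction SilentlyContinue) {
        $target = if ($f.Extension -eq '.lnk') { $shell.CreateShortcut($f.FullName).TargetPath } else { $f.FullName }
        $findings += [pscustomobject]@{ Location = $dir; Name = $f.Name; Command = $target; Reason = Get-SuspicionReason $target }
    }
}
foreach ($t in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($a in $t.Actions) {
        if (-not $a.Execute) { continue }   # COM-handler actions have no Execute
        $cmd = "$($a.Execute) $($a.Arguments)".Trim()
        $findings += [pscustomobject]@{ Location = "Task $($t.TaskPath)"; Name = $t.TaskName; Command = $cmd; Reason = Get-SuspicionReason $cmd }
    }
}
$findings | Where-Object { $_.Reason } | Sort-Object Location, Name | Format-Table -AutoSize -Wrap
```

Keep the full output (for example by piping to Export-Csv) so the same run can be repeated during the Verifying Removal stage and compared against this one.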

Step 3: Delete Dropped Files.

  1. Navigate to the file locations identified from the processes and registry entries.
  2. Show hidden files and protected operating system files in Folder Options.
  3. Delete the primary executable, any associated DLLs, configuration files (often .json or .ini), and data dump files (.log, .txt) found in %TEMP%, %APPDATA%, and %LOCALAPPDATA%.

Step 4: Clear Artifacts.

  1. Clear temporary files using the Disk Cleanup utility or by manually deleting contents of C:\Windows\Temp\ and %TEMP%.
  2. Reset affected web browsers. Clear all browsing data (cookies, cache, history) and check for malicious extensions.

Verifying Removal

After removal, confirm the system is clean before reconnecting it to the network.

  1. Full System Scan: Perform a full, deep scan with an updated anti-malware solution and a dedicated second-opinion scanner. Ensure they are updated with the latest signatures that include Lumma Stealer IOCs.
  2. Log Analysis: Review Windows Event Logs (especially Security, System, and Application logs) for any residual malicious activity, failed service starts, or errors related to the deleted files/registry keys.
  3. File System Verification: Re-check the file paths and registry keys used for persistence. Confirm they have not been recreated.
  4. Network Monitoring: Before full reintegration, monitor the host’s network traffic in a controlled, isolated segment. Use a network monitoring tool or SIEM platform to look for any residual beaconing attempts or connections to known-bad IPs/domains from the IOC list.
  5. Process Monitoring: Observe the system’s process list and resource usage under normal load for several hours. Look for any new, suspicious processes spawning.

Post-Removal Security Hardening

Strengthen defenses to prevent reinfection via similar vectors.

  1. Application Control: Implement application allowlisting policies via Group Policy or endpoint security tools to prevent execution of unauthorized binaries from %APPDATA%, %TEMP%, and other user-writable locations.
  2. Enhanced Monitoring Rules: Create specific alerts in your SIEM or EDR solution for:
    • Processes making outbound HTTP/HTTPS requests to IP addresses not on an allowed list.
    • New scheduled tasks or registry run keys being created by non-admin users or unusual parent processes.
    • Large amounts of data being read from browser credential storage files or cryptocurrency wallet directories.
  3. Policy Updates:
    • Enforce the principle of least privilege. Standard users should not have local admin rights.
    • Implement robust email filtering and block executable attachments (.exe, .scr, .js, .vbs) commonly used in initial infection chains.
    • Conduct regular user security awareness training focusing on phishing and unsafe download sources, common initial access vectors for stealers like Lumma.
  4. Configuration Changes:
    • Enable tamper protection features on endpoint security software.
    • Consider disabling Office macros from the internet and restricting PowerShell script execution through Constrained Language Mode.
    • Ensure all software, especially browsers, Java, and Adobe products, is patched automatically.
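As an added example for the Enhanced Monitoring Rules item above (not part of the original guide), the script below pulls the Windows events that back two of those alerts: Security event 4698 (scheduled task created) and, where Sysmon is installed, Sysmon event 13 (registry value set) on the Run/RunOnce keys. It lists entries created by a non-SYSTEM account or whose command references a user-writable path; the 24-hour window, the path list and the "non-SYSTEM" simplification of "non-admin" are assumptions.

```powershell
# Added example, not part of the original guide. Assumes "Audit Other Object Access
# Events" is enabled (otherwise 4698 is never written) and that the Sysmon config
# logs registry writes to the Run keys; the Sysmon 'User' field exists in recent
# Sysmon versions only. Run elevated; the output is a review list, not a verdict.
$since = (Get-Date).AddHours(-24)
$UserWritable = @('\AppData\', '\Temp\', '\ProgramData\', '\Users\Public\')

function ConvertFrom-EventData($Record) {
    # Flatten <EventData><Data Name="...">value</Data>... into a hashtable
    $h = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}
function Test-Suspicious([string]$User, [string]$Command) {
    $svc = ($User -eq 'SYSTEM') -or ($User -like '*$')       # SYSTEM or a machine account
    $uw  = @($UserWritable | Where-Object { $Command -like "*$_*" }).Count -gt 0
    return (-not $svc) -or $uw
}

$alerts = @()
$taskEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698; StartTime = $since } -ErrorAction SilentlyContinue
foreach ($e in $taskEvents) {
    $d = ConvertFrom-EventData $e
    $exec = ([xml]$d.TaskContent).Task.Actions.Exec      # TaskContent carries the task XML
    $cmd = "$($exec.Command) $($exec.Arguments)".Trim()
    if (Test-Suspicious $d.SubjectUserName $cmd) {
        $alerts += [pscustomobject]@{ Time = $e.TimeCreated; Source = 'Security/4698'; User = $d.SubjectUserName; Target = $d.TaskName; Command = $cmd }
    }
}
$regEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 13; StartTime = $since } -ErrorAction SilentlyContinue
foreach ($e in $regEvents) {
    $d = ConvertFrom-EventData $e
    if ($d.TargetObject -notmatch '\\CurrentVersion\\Run(Once)?\\') { continue }
    $user = ($d.User -split '\\')[-1]                     # Sysmon reports DOMAIN\name
    if (Test-Suspicious $user $d.Details) {
        $alerts += [pscustomobject]@{ Time = $e.TimeCreated; Source = 'Sysmon/13'; User = $d.User; Target = $d.TargetObject; Command = "$($d.Details) (by $($d.Image))" }
    }
}
$alerts | Sort-Object Time | Format-Table -AutoSize -Wrap
```

The same two filters (4698 by a non-service account, Sysmon 13 on a Run key with a user-writable path in Details) translate directly into SIEM or EDR alert rules; the script is the quick way to confirm the events actually reach the log before you depend on the rule.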

For more background on this threat, see the Lumma Stealer Overview. Always correlate actions with the latest indicators from the Current Lumma Stealer IOCs.