Storm-2477
Storm-2477 is the Microsoft-tracked threat actor responsible for developing and maintaining the Lumma Stealer malware (also known as LummaC2), its command-and-control infrastructure, and the associated malware-as-a-service (MaaS) ecosystem. Microsoft notes that Lumma has been openly traded on Russian-speaking cybercrime forums since 2022. The actor operates a MaaS model in which affiliates pay to use a centralized panel to build malware binaries, manage C2 communications, and retrieve stolen data. Lumma is a financially motivated infostealer used to steal browser session cookies, saved logins, passwords, autofill data, cryptocurrency wallet data, browser extensions, MFA-related data, financial credentials, and other sensitive information; it can also install additional malware or plugins, including clipboard stealers and coin miners. Storm-2477’s Lumma ecosystem has been used by multiple financially motivated actors, including ransomware operators. Microsoft observed Octo Tempest, Storm-1607, Storm-1113, and Storm-1674 using Lumma in campaigns. Delivery methods described in the content are multi-vector and include phishing emails, malvertising, drive-by compromise, trojanized or pirated software, abuse of legitimate services such as GitHub, ClickFix fake-CAPTCHA social engineering, and delivery by other malware such as DanaBot. Specific campaigns included an early April 2025 EtherHiding and ClickFix chain using Binance Smart Chain-hosted code and mshta, and an April 7, 2025 campaign targeting organizations in Canada via Prometheus TDS, binadata[.]com, PowerShell/mshta stages, and a Lumma payload bundled with Xworm. The malware is described as technically sophisticated, with code written in C++ and assembly, advanced obfuscation and anti-analysis features, process injection or hollowing, and a layered C2 architecture using hardcoded domains plus fallback C2 locations on Steam profiles and Telegram channels, with infrastructure hidden behind Cloudflare and traffic encrypted over HTTPS. In May 2025, Microsoft, law enforcement, Europol, Japan’s JC3, and private-sector partners disrupted parts of the Lumma operation, including takedown, suspension, sinkholing, or blocking of approximately 2,300 malicious domains supporting the infrastructure.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Where they target
Geographies tied to known operations.
- 🇨🇦 Canada
Tradecraft
20 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
Associated malware families
1 malware family attributed to this actor across reporting.
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Core developer/operator behind the Lumma malware-as-a-service ecosystem, maintaining and renting the infostealer to affiliates for credential, cookie, and data theft.
Tracked by Microsoft as the developer/operator behind LummaStealer and its command-and-control (C2) infrastructure; associated with the MaaS infostealer ecosystem that enables credential theft and follow-on malware delivery via affiliates.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.