SECURITY ADVISORY ON LUMMA STEALER (LUMMAC2) – SIGNIFICANT INFO-STEALING MALWARE THREAT

Advisory ID:  ngCERT-2025-050012

Probability:    High

Damage:        Critical

Platform(s):   Windows operating system

SUMMARY

Lumma Stealer (also known as LummaC2) is a potent and widely distributed information-stealing malware targeting Windows systems. Operated as Malware-as-a-Service (MaaS) via illicit cybercrime markets, it was recently disrupted by Microsoft in response to its escalating threat profile. Lumma Stealer poses a high risk due to its commercial availability, sophisticated evasion, broad data theft capabilities, and network propagation. Its recent disruption highlights active law enforcement attention, but residual infections and potential re-emergence remain concerns. ngCERT urges organizations to reassess their security measures and implement strategies to mitigate infection risks.

DESCRIPTION

Lumma Stealer is a fast-spreading information-stealing malware distributed via underground forums as Malware-as-a-Service (MaaS). It targets Microsoft Windows (MS-Windows) systems through phishing emails, malicious downloads, or cracked software. Once installed, it enables cybercriminals to remotely steal data.

CONSEQUENCES

KEY CHARACTERISTICS & IMPACT:

1. Infection Vectors: Primarily spreads through phishing emails, malicious advertisements (malvertising), pirated software, and cracked games. Installs silently, functioning as a backdoor.
2. Data Theft: Actively steals sensitive information including:Login credentials (browsers, applications)

1. • Financial data (banking details, cards)
   • Login credentials (browsers, applications)
   • Cryptocurrency wallet information
   • Browser cookies & session data
   • Other confidential files.
   • Persistence & Evasion: Employs advanced techniques like code injection and encrypted communication with Command-and-Control (C2) servers to evade detection.
   3. Lateral Movement: Capable of spreading within compromised networks, amplifying damage.
   4. Monetisation: Stolen data is typically sold on dark web markets or used directly for financial fraud and identity theft.

   Lumma Stealer poses a high risk due to its commercial availability, sophisticated evasion, broad data theft capabilities, and network propagation

SOLUTION/MITIGATION

 The following mitigations should be considered:

1. User Awareness: Train staff/users to identify phishing attempts and avoid downloading pirated/cracked software.
2. Endpoint Protection: Ensure robust, updated anti-malware solutions with behavioral detection capabilities.
3. Network Monitoring: Implement monitoring for suspicious outbound traffic (C2 communication) and lateral movement attempts.
4. Patch Management: Keep all systems and software rigorously updated.
5. Least Privilege: Enforce strict access controls to limit the impact of lateral movement.

Assessment: Lumma Stealer represents a significant ongoing threat to organizational and personal data security, requiring vigilant defensive measures. 

REFERENCES

• https://thehackernews.com/2025/05/fbi-and-europol-disrupt-lumma-stealer.htm
• https://blogs.microsoft.com/on-the-issues/2025/05/21/microsoft-leads-global-action-against-favored-cybercrime-tool/
• https://blog.qualys.com/vulnerabilities-threat-research/2024/10/20/unmasking-lumma-stealer-analyzing-deceptive-tactics-with-fake-captcha
• https://www.europol.europa.eu/media-press/newsroom/news/europol-and-microsoft-disrupt-world%E2%80%99s-largest-infostealer-lumma
• https://www.trellix.com/blogs/research/a-deep-dive-into-the-latest-version-of-lumma-infostealer