A sprawling operation undertaken by global law enforcement agencies and a consortium of private sector firms has disrupted the online infrastructure associated with a commodity information stealer known as Lumma (aka LummaC or LummaC2), seizing 2,300 domains that acted as the command-and-control (C2) backbone to commandeer infected Windows systems.
“Malware like LummaC2 is deployed to steal sensitive information such as user login credentials from millions of victims in order to facilitate a host of crimes, including fraudulent bank transfers and cryptocurrency theft,” the U.S. Department of Justice (DoJ) said in a statement.
The confiscated infrastructure has been used to target millions across the world through affiliates and other cyber criminals. Lumma Stealer, active since late 2022, is estimated to have been used in at least 1.7 million instances to steal information, such as browser data, autofill information, login credentials, and cryptocurrency seed phrases. The U.S. Federal Bureau of Investigation (FBI) has attributed around 10 million infections to Lumma.
The seizure impacts five domains that serve as login panels for Lumma Stealer’s administrators and paying customers to deploy the malware, thereby preventing them from compromising the computers and stealing victim information.
“Between March 16 and May 16, 2025, Microsoft identified over 394,000 Windows computers globally infected by the Lumma malware,” Europol said, adding the operation cuts off communications between the malicious tool and victims. The agency described Lumma as the “world’s most significant infostealer threat.”
Microsoft’s Digital Crimes Unit (DCU), in partnership with other cybersecurity companies ESET, BitSight, Lumen, Cloudflare, CleanDNS, and GMO Registry, said it took down approximately 2,300 malicious domains that formed the backbone of Lumma’s infrastructure.
 |
| Spread of Lumma Stealer malware infections across Windows devices |
“The primary developer of Lumma is based in Russia and goes by the internet alias ‘Shamel,'” Steven Masada, assistant general counsel at DCU, said. “Shamel markets different tiers of service for Lumma via Telegram and other Russian-language chat forums. Depending on what service a cybercriminal purchases, they can create their own versions of the malware, add tools to conceal and distribute it, and track stolen information through an online portal.”
The stealer, marketed under a malware-as-a-service (MaaS) model, is available on a subscription basis for anywhere between $250 to $1,000. The developer also offers a $20,000 plan that grants customers access to source code and the right to sell it to other criminal actors.
 |
| Weekly counts of new C2 domains |
“Lower tiers include basic filtering and log download options, while higher tiers offer custom data collection, evasion tools, and early access to new features,” ESET said. “The most expensive plan emphasizes stealth and adaptability, offering unique build generation and reduced detection.”
Over the years, Lumma has become something of a notorious threat, being delivered via various distribution vectors, including the increasingly popular ClickFix method. The Windows maker, which is tracking the threat actor behind the stealer under the name Storm-2477, said its distribution infrastructure is both “dynamic and resilient,” leveraging a combination of phishing, malvertising, drive-by download schemes, abuse of trusted platforms, and traffic distribution systems like Prometheus.
 |
| Lumma C2 selection mechanism |
Cato Networks, in a report published Wednesday, revealed that suspected Russian threat actors are leveraging Tigris Object Storage, Oracle Cloud Infrastructure (OCI) Object Storage, and Scaleway Object Storage to host fake reCAPTCHA pages that make use of ClickFix-style lures to trick users into downloading Lumma Stealer.
“The recent campaign leveraging Tigris Object Storage, OCI Object Storage, and Scaleway Object Storage builds upon earlier methods, introducing new delivery mechanisms aimed at evading detection and targeting technically proficient users,” researchers Guile Domingo, Guy Waizel, and Tomer Agayev said.
 |
| Attack flow for ClickFix leading to Lumma Stealer using Prometheus TDS |
Some of the notable aspects of the malware are below –
- It employs a multi-tiered C2 infrastructure consisting of a set of nine frequently changing tier-1 domains hard-coded into the malware’s configuration and fallback C2s hosted on Steam profiles and Telegram channels that point to tier-1 C2s
- The payloads are typically spread using pay-per-install (PPI) networks or traffic sellers that deliver installs-as-a-service.
- The stealer is typically bundled with spoofed software or cracked versions of popular commercial software, targeting users looking to avoid paying for legitimate licenses
- The operators have created a Telegram marketplace with a rating system for affiliates to sell stolen data without intermediaries
- The core binary is obfuscated with advanced protection such as low-level virtual machine (LLVM core), Control Flow Flattening (CFF), Control Flow Obfuscation, customized stack decryption, huge stack variables, and dead codes, among others to make static analysis difficult
- There were more than 21,000 market listings selling Lumma Stealer logs on multiple cybercriminal forums from April through June of 2024, a 71.7% increase from April through June of 2023
“The Lumma Stealer distribution infrastructure is flexible and adaptable,” Microsoft said. “Operators continually refine their techniques, rotating malicious domains, exploiting ad networks, and leveraging legitimate cloud services to evade detection and maintain operational continuity. To further hide the real C2 servers, all the C2 servers are hidden behind the Cloudflare proxy.”
“This dynamic structure enables operators to maximize the success of campaigns while complicating efforts to trace or dismantle their activities. The growth and resilience of Lumma Stealer highlights the broader evolution of cybercrime and underscores the need for layered defenses and industry collaboration to counter threats.”
In an interview with security researcher g0njxa in January 2025, the developer behind Lumma said they intended to cease operations by next fall. “We have done a lot of work over two years to achieve what we have now,” they said. “We are proud of this. It has become a part of our daily life for us, and not just work.”