ESET takes half in international operation to disrupt Lumma Stealer

ESET has collaborated with Microsoft, BitSight, Lumen, Cloudflare, CleanDNS, and GMO Registry in a world disruption operation in opposition to Lumma Stealer, an notorious malware-as-a-service (MaaS) infostealer. The operation focused Lumma Stealer infrastructure with all identified C&C servers prior to now yr, rendering the exfiltration community, or a big a part of it, nonoperational.

Key factors of this blogpost:

• ESET took half in a coordinated international operation to disrupt Lumma Stealer.
• ESET offered technical evaluation and statistical data, and extracted important information from tens of hundreds of malware samples.
• We offer an outline of the Lumma Stealer MaaS ecosystem.
• We additionally present technical evaluation and an outline of the evolution of Lumma Stealer’s key static and dynamic properties, which have been crucial to the disruption effort.

Disruption contribution

ESET automated techniques processed tens of hundreds of Lumma Stealer samples, dissecting them to extract key components, akin to C&C servers and affiliate identifiers. This allowed us to repeatedly monitor Lumma Stealer’s exercise, monitor growth updates, cluster associates, and extra.

Infostealer malware households, like Lumma Stealer, are sometimes only a foreshadowing of a future, rather more devastating assault. Harvested credentials are a valued commodity within the cybercrime underground, offered by preliminary entry brokers to numerous different cybercriminals, together with ransomware associates. Lumma Stealer has been probably the most prevalent infostealers over the previous two years, and ESET telemetry (see Determine 1) confirms that it has left no a part of the world untouched.

Lumma Stealer builders had been actively creating and sustaining their malware. We have now frequently seen code updates starting from minor bug fixes to finish alternative of string encryption algorithms and modifications to the community protocol. The operators additionally actively maintained the shared exfiltration community infrastructure. Between June 17^th, 2024 and Could 1^st, 2025, we noticed a complete of three,353 distinctive C&C domains, averaging roughly 74 new domains rising every week together with occasional updates to Telegram-based dead-drop resolvers (see Determine 2). We talk about the main points of the community infrastructure later within the blogpost.

This ongoing evolution underscores the numerous menace posed by Lumma Stealer and highlights the significance and complexity of the disruption effort.

Background

Over the previous two years, Lumma Stealer (often known as LummaC or LummaC2) has emerged as probably the most lively infostealers within the cybercrime ecosystem, changing into a popular software amongst cybercriminals on account of its lively growth of malware options and its infrastructure being offered as a service.

Malware as a service

Lumma Stealer adopts the idea of malware as a service (MaaS), the place associates pay a month-to-month charge, based mostly on their tier, to obtain the most recent malware builds and the community infrastructure mandatory for information exfiltration. Associates have entry to a administration panel with a user-friendly interface the place they’ll obtain exfiltrated information and harvested credentials.

The tiered subscription mannequin ranges from USD 250 to USD 1,000 per thirty days, every with more and more subtle options. Decrease tiers embody fundamental filtering and log obtain choices, whereas increased tiers provide customized information assortment, evasion instruments, and early entry to new options. The costliest plan emphasizes stealth and flexibility, providing distinctive construct era and decreased detection.

The operators of Lumma Stealer have additionally created a Telegram market with a ranking system for associates to promote stolen information with out intermediaries. {The marketplace} has been effectively documented in Cybereason research. Furthermore, they keep public documentation of the administration panel for associates and periodically share updates and fixes on hacking boards, as proven in Determine 3.

Open documentation not solely helps associates with much less expertise to make use of the malware service, but additionally offers precious insights for safety researchers. Builders deal with malware builds, information pipelining, and infrastructure upkeep, whereas associates are accountable for distributing the malware. This data, mixed with the service’s recognition, ends in all kinds of compromise vectors.

Frequent distribution strategies embody phishing, cracked software program, and different malware downloaders together with SmokeLoader, DarkGate, Amadey, Vidar, and others. Well-liked phishing schemes contain ClickFix or fake CAPTCHA internet pages, fraudulent boards with cracked software, pretend GitHub repositories, fraudulent hyperlinks on Reddit boards, and lots of extra.

Technical evaluation

Quite a few public analyses have already been written about Lumma Stealer and its compromise vectors. Our focus right here, nonetheless, is on the facets related to the disruption. On this part, we’ll briefly introduce the important thing static and dynamic properties that now we have been actively extracting from Lumma Stealer.

Static properties of Lumma Stealer

Varied data comes embedded in Lumma Stealer malware samples. This naturally presents a perfect goal for automated extraction. In addition to the plain information of curiosity – C&C server domains – the samples additionally comprise identifier strings that tie the pattern to a selected affiliate and a marketing campaign, and an non-obligatory identifier resulting in a customized dynamic configuration. These identifiers are utilized in community communication with the C&C server throughout information exfiltration and requests for dynamic configuration. Within the sections beneath, we take a look at these properties in depth.

C&C domains

Every Lumma Stealer pattern accommodates an inventory of 9 encrypted C&C domains. Whereas the encryption strategies have developed over time, the attribute array construction has remained constant as much as the time of writing.

Primarily based on Lumma Stealer’s inner pattern versioning, which is closely protected by stack string obfuscation, we all know that up till January 2025, the C&C domains within the samples have been protected by an XOR perform and base64 encoding (see Determine 4). When the base64-encoded string was decoded, it revealed a construction the place the primary 32 bytes served as an XOR key, and the remaining bytes contained the encrypted C&C area.

In January 2025, Lumma Stealer transitioned the safety of the C&C record to ChaCha20 encryption with a single hardcoded key and nonce (see Determine 5). This safety of the C&C record within the Lumma Stealer binaries has remained the identical up till the time of publication.

Lifeless-drop resolvers

Since June 2024, every Lumma Stealer construct got here with a brand new characteristic for acquiring a backup C&C. If no C&C server from the static config responds to Lumma Stealer, then the backup C&C is extracted from a dummy Steam profile internet web page performing as a dead-drop resolver. The Steam profile URL is closely protected within the binary, the identical means because the model string. The encrypted backup C&C URL is about within the Steam profile identify, as proven in Determine 6, and the safety is an easy Caesar cipher (ROT11).

In February 2025, Lumma Stealer obtained an replace that included a characteristic for acquiring a brand new, main C&C URL from a Telegram channel dead-drop resolver. The C&C URL is extracted from the Telegram channel’s title subject, and it’s protected by the identical algorithm as within the case of the Steam profile dead-drop resolver. The primary distinction within the utilization of the Telegram and Steam profile dead-drop resolvers is that the Telegram possibility is examined first, whereas the Steam profile is used as a final resort if profitable communication has not been established with beforehand obtained C&C servers (Determine 16).

Furthermore, we imagine that the Telegram dead-drop resolver is out there for increased tier subscriptions. It’s because many samples wouldn’t have the Telegram URL set, and subsequently the malware skips this methodology.

Lumma Stealer identifier

Every Lumma Stealer pattern accommodates a novel hardcoded affiliate identifier referred to as LID. It’s embedded in plaintext type and utilized for communication with C&C servers. Up till March 2025, the LID parameter string adopted a structured format, delimited by two dashes (Determine 7). A detailed evaluation of the LID affiliate string is offered in an upcoming part.

Though probably the most prevalent LID noticed throughout our monitoring begins with the string uz4s1o; the second most typical LID, which begins with LPnhqo, offers a greater instance for visualizing typical LID variability. Within the phrase cloud in Determine 8, we current the highest 200 LIDs collected throughout our monitoring, beginning with LPnhqo.

Nevertheless, in early March 2025, Lumma Stealer transitioned to utilizing hexadecimal identifiers, referred to internally as UID (see Determine 9).

Elective configuration identifier

Along with the LID parameter, Lumma Stealer samples may additionally comprise an non-obligatory parameter referred to internally as J. When current, this parameter is in cleartext and formatted as a 32-byte ASCII hex string (see Determine 10). The J parameter is utilized within the C&C request for dynamic configuration with further definitions for exfiltration. We speak about dynamic configuration in additional element in a following part.

If the J parameter is lacking within the Lumma Stealer pattern, an empty string is used within the C&C request and a default configuration is retrieved. Not like LID, the J parameter is never current in Lumma Stealer samples. Nevertheless, it performs an important position when current, because it permits retrieving a dynamic configuration that considerably will increase the stealer’s capabilities, making it a extra versatile exfiltration software for menace actors.

In March 2025, when the LID parameter was renamed to UID and its format modified, the J parameter was renamed to CID however with no change to its format or perform.

Evaluation of static properties

From our long-term monitoring and statistical evaluation of LID parameters, we imagine that the primary section of the LID identifies the affiliate, whereas the second section differentiates between campaigns. Primarily based on this assumption you possibly can see the highest 200 affiliate identifiers in Determine 11.

Furthermore, now we have been capable of create a visualization of the associates’ actions over the previous yr (see Determine 12). This visualization highlights every week in January 2025. All these visualizations have offered us with precious insights into the patterns and behaviors of various menace actors. Moreover, the visualizations reveal a shared, domain-based C&C infrastructure amongst most Lumma Stealer associates. On the identical time, we have been capable of establish much less continuously used C&C domains, which we suspect have been reserved for increased tier associates or extra necessary campaigns.

Dynamic properties of Lumma Stealer

Lumma Stealer retrieves a dynamic configuration from the C&C server, which accommodates definitions specifying what to scan for exfiltration (see Desk 1). The first focus is on stealing internet browser extension information and databases containing passwords, session cookies, internet looking historical past, and autofill information. In addition to internet browsers, it additionally focuses on stealing information from password managers, VPNs, FTP purchasers, cloud providers, distant desktop purposes, e-mail purchasers, cryptocurrency wallets, and note-taking purposes.

Desk 1. Dynamic config’s JSON fields

Despite the fact that we haven’t seen vital modifications within the default configurations, this characteristic enhances the malware’s capacity to carry out focused exfiltration (see Determine 13). A complete overview of the configuration fields has already been effectively documented on this research by SpyCloud.

The configuration is in JSON format, and it’s downloaded from the C&C server utilizing an HTTPS POST request that features the LID identifier, non-obligatory J parameter, and a selected hardcoded Person-Agent string.

The safety of the dynamic configuration has modified a number of occasions just lately. Previously, it was protected in the identical means because the static C&C record, by a 32-byte XOR perform and base64 encoding. In March 2025 the safety modified to ChaCha20, the place the important thing and nonce have been prepended to the encrypted configuration.

The Person-Agent string is necessary to observe, as offering it appropriately is crucial for receiving the dynamic configuration. In April 2025, Lumma Stealer launched an extra layer of obfuscation by encrypting JSON values utilizing an 8-byte XOR perform (see Determine 14).

This encrypted variant of the dynamic configuration is delivered when a barely up to date Person-Agent string is specified (see Desk 2).

Desk 2. Person-Agent variants

In addition to this dynamic configuration strategy, Lumma Stealer samples nonetheless comprise hardcoded directions for exfiltrating recordsdata. These embody information from purposes akin to Outlook or Thunderbird, Steam account data, and Discord account tokens (see this SpyCloud blogpost). This mix of dynamic and hardcoded configurations ensures that Lumma Stealer can successfully acquire a variety of precious information.

To summarize all of the static and dynamic modifications talked about thus far, now we have created a timeline (Determine 15) highlighting probably the most vital developments noticed within the Lumma Stealer malware over the previous yr.

C&C communication

All through our Lumma Stealer monitoring interval, all extracted C&C domains constantly led to Cloudflare providers, that are utilized to hide Lumma Stealer’s actual C&C infrastructure. Cloudflare providers are additionally employed for C&C servers positioned through dead-drop resolvers.

First, Lumma Stealer must get hold of an lively C&C server. The mechanism of this selection is illustrated within the movement chart proven in Determine 16.

Handshake

Though the precise handshake request to the C&C server isn’t current within the newest Lumma Stealer builds, it’s price mentioning as a result of it was a characteristic of our monitoring for a very long time. The handshake request was an HTTPS POST request containing act=dwell and a hardcoded Person-Agent. Lively servers responded with a cleartext okay message.

Configuration request

When Lumma Stealer identifies an lively C&C server, it requests the configuration through an HTTPS POST request (Determine 17), which incorporates the LID and J parameters as information. If the J parameter isn’t current within the pattern, Lumma Stealer retrieves the default configuration from the C&C server. This configuration specifies what to scan for exfiltration, permitting the malware to adapt to totally different targets and environments.

Extra payload execution

After Lumma Stealer efficiently exfiltrates delicate information and harvested credentials, it points one ultimate HTTPS POST request to the C&C server – this time, with an extra sufferer {hardware} ID referred to as hwid. This ultimate request retrieves a configuration of an extra payload to be executed on the sufferer’s machine. The payload or a URL to obtain from is a part of that configuration. Notice that such a payload isn’t at all times offered.

Anti-analysis obfuscation methods

Lumma Stealer employs a number of, however efficient, anti-emulation methods to make evaluation as sophisticated as potential. These methods are designed to evade detection and hinder the efforts of safety analysts.

Oblique soar obfuscation

One of many main obfuscation methods utilized by Lumma Stealer is oblique management movement flattening, proven in Determine 18. This methodology successfully disrupts the code blocks of the capabilities, making it practically unimaginable to maintain monitor of the perform logic. By flattening the management movement, the malware obfuscates its operations, complicating the evaluation course of. For an in depth exploration of this method and thorough evaluation of those obfuscation patterns, together with an overview of the answer, you possibly can confer with this complete article by Mandiant.

Stack strings

One other approach employed by Lumma Stealer is the usage of encrypted stack strings, as illustrated in Determine 19. This methodology successfully hides binary information and lots of necessary strings within the Lumma Stealer pattern, making static evaluation of the binary troublesome. Furthermore, every encrypted string has its personal distinctive mathematical perform for decryption, including one other layer of complexity to the evaluation course of.

Import API obfuscation

In Lumma Stealer, imports are resolved at runtime. Import names are hashed utilizing the FNV-1a algorithm with every construct utilizing a customized offset foundation. As proven in Determine 20, since August 25^th, 2024, Lumma Stealer additionally obfuscates the FNV hash algorithm parameters by utilizing stack strings.

Conclusion

This international disruption operation was made potential by our long-term monitoring of Lumma Stealer, which now we have offered an outline of on this blogpost. We have now described the modus operandi of the Lumma Stealer group and its service. Moreover, now we have documented the necessary static identifiers and C&C communication in addition to its evolution during the last yr. Lastly, we summarized the important thing obfuscation methods that make the evaluation of Lumma Stealer difficult.

The disruption operation, led by Microsoft, goals to grab all identified Lumma Stealer C&C domains, rendering Lumma Stealer’s exfiltration infrastructure nonfunctional. ESET will proceed to trace different infostealers whereas carefully monitoring for Lumma Stealer exercise following this disruption operation.

For any inquiries about our analysis revealed on WeLiveSecurity, please contact us at [email protected]. 

ESET Analysis provides personal APT intelligence stories and information feeds. For any inquiries about this service, go to the ESET Threat Intelligence web page.

IoCs

SHA-1	Filename	Detection	Description
6F94CFAABB19491F2B8E719D74AD032D4BEB3F29	AcroRd32.exe	Win32/Spy.Lumma Stealer.B	Lumma Stealer pattern – Construct 2024-06-27.
C5D3278284666863D7587F1B31B06F407C592AC4	Notion.exe	Win32/Spy.Lumma Stealer.B	Lumma Stealer pattern – Construct 2024-07-14.
5FA1EDC42ABB42D54D98FEE0D282DA453E200E99	explorer.exe	Win32/Spy.Lumma Stealer.B	Lumma Stealer pattern – Construct 2024-08-08.
0D744811CF41606DEB41596119EC7615FFEB0355	aspnet_regiis.exe	Win32/Spy.Lumma Stealer.B	Lumma Stealer pattern – Construct 2024-08-25.
2E3D4C2A7C68DE2DD31A8E0043D9CF7E7E20FDE1	nslookup.exe	Win32/Spy.Lumma Stealer.B	Lumma Stealer pattern – Construct 2024-09-20.
09734D99A278B3CF59FE82E96EE3019067AF2AC5	nslookup.exe	Win32/Spy.Lumma Stealer.B	Lumma Stealer pattern – Construct 2024-10-04.
1435D389C72A5855A5D6655D6299B4D7E78A0127	BitLockerToGo.exe	Win32/Spy.Lumma Stealer.B	Lumma Stealer pattern – Construct 2024-11-09.
2CCCEA9E1990D6BC7755CE5C3B9B0E4C9A8F0B59	exterior.exe	Win32/Spy.Lumma Stealer.B	Lumma Stealer pattern – Construct 2024-12-23.
658550E697D9499DB7821CBBBF59FFD39EB59053	Wemod-Premium-Unlocker-2025	MSIL/GenKryptik.HGWU	Lumma Stealer pattern – Construct 2025-01-18.
070A001AC12139CC1238017D795A2B43AC52770D	khykuQw.exe	Win32/Kryptik.HYUC	Lumma Stealer pattern – Construct 2025-02-27.
1FD806B1A0425340704F435CBF916B748801A387	Begin.exe	Win64/Injector.WR	Lumma Stealer pattern – Construct 2025-03-24.
F4840C887CAAFF0D5E073600AEC7C96099E32030	loader.exe	Win64/Kryptik.FAZ	Lumma Stealer pattern – Construct 2025-04-15.
8F58C4A16717176DFE3CD531C7E41BEF8CDF6CFE	Set-up.exe	Win32/Spy.Lumma Stealer.B	Lumma Stealer pattern – Construct 2025-04-23.

Community

MITRE ATT&CK methods

This desk was constructed utilizing version 17 of the MITRE ATT&CK framework.