Storm-2477

Storm-2477 is Microsoft’s designation for the developer/maintainer behind the Lumma Stealer (aka LummaC2) malware-as-a-service (MaaS) ecosystem, including its command-and-control (C2) infrastructure and affiliate program. According to Microsoft, paying affiliates use a management panel provided by Storm-2477 to build Lumma binaries and manage C2 communications and stolen data. Lumma is an infostealer active since at least 2022 that targets Windows systems and is designed to steal sensitive data such as credentials (including from browsers and applications), credit card data, and cryptocurrency wallet keys; it can also deploy additional malware/plugins (e.g., clipboard stealer plugin, coin miners). Distribution is described as multi-vector and heavily reliant on social engineering rather than exploits, including phishing, malvertising (SEO poisoning for software downloads/updates), drive-by downloads via compromised sites, trojanized/pirated software, abuse of legitimate services/platforms (e.g., GitHub; also noted: Steam/Discord), and ClickFix fake-CAPTCHA lures that instruct users to paste/run malicious commands (e.g., via Windows Run), often leveraging mshta and PowerShell stages. Microsoft observed campaigns in April 2025 including a drive-by chain using EtherHiding (malicious code hosted via Binance Smart Chain smart contracts) combined with ClickFix, and an April 7, 2025 email campaign targeting Canadian organizations using Prometheus TDS redirection and mshta/PowerShell to deliver Lumma (bundled with Xworm). Microsoft reports Lumma uses advanced obfuscation/anti-analysis and techniques such as process injection/hollowing, and a layered C2 design with hardcoded domains plus fallback C2s hosted as Steam profiles and Telegram channels, with C2 servers behind Cloudflare and HTTPS-encrypted traffic. Law-enforcement/private-sector disruption activity in May 2025 (including a US court order with Europol and Japan’s JC3, and Microsoft DCU actions) resulted in takedown/suspension/blocking and sinkholing of large numbers of domains (reported around 2,300 total, with Microsoft sinkholing 1,300+). Ransomware and other financially motivated groups reported as using Lumma in campaigns include Octo Tempest, Storm-1607, Storm-1113, and Storm-1674. Bitdefender also reports frequent changes in Lumma delivery loaders and highlights CastleLoader as a recent loader used to execute payloads in memory with obfuscation, sandbox/security-tool checks, and persistence mechanisms, with observed infrastructure overlap suggesting coordination or shared services with Lumma operations.