lumma_stealer_operators

Also known asLumma Stealer Operators

The Lumma Stealer operators are a cybercriminal group responsible for the development, distribution, and operation of the Lumma Stealer infostealer malware, which is the most prevalent infostealer in 2025, accounting for 51% of observed infections. Lumma Stealer is distributed as a malware-as-a-service (MaaS) tool and has infected hundreds of thousands of Windows computers globally. The operators leverage various infection vectors, including ClickFix social engineering campaigns and fake gaming mods (notably for Roblox and Minecraft), to deliver their malware. Their primary objective is credential harvesting, targeting identity portals and SaaS applications, and facilitating initial access for other cybercriminals, such as initial access brokers (IABs) who sell compromised credentials on dark web marketplaces. Lumma Stealer is also linked to ransomware operations, with a short median time between credential theft and subsequent ransomware activity. The malware is coded not to execute on Russian systems, suggesting a likely Russian-speaking origin or operational base. In May 2025, a globally coordinated law enforcement operation disrupted the Lumma Stealer infrastructure, but the resilience and adaptability of such groups remain a concern. No specific aliases or sub-groups are mentioned in the provided content.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

MITRE ATT&CK

Tradecraft

4 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

2 of 15 tactics7 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0042

Resource Development

2 techniques

T1583

Acquire Infrastructure

T1583.001

Domains

T1583.006

Web Services

T1587

Develop Capabilities

T1587.001

Malware

TA0002

Execution

1 technique

T1204

User Execution

T1204.001

Malicious Link

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

help net securityNews

Dec 3, 2025

Global law enforcement actions put pressure on cybercrime networks

Operators of Lumma Stealer provided malware-as-a-service, infecting hundreds of thousands of Windows computers globally to steal information.

flareio blogNews

Nov 6, 2025

Attack on Identity: Dissecting the 2025 Microsoft Digital Defense Report

Operators of Lumma Stealer are responsible for the majority of infostealer infections observed, targeting credentials and session tokens to facilitate further compromise or sale of access.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping4

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.