LummaC.V2
LummaC.V2 is an infostealer malware family referenced as one of the payloads delivered in UNC5142 campaigns. UNC5142 is a financially motivated threat group that compromises vulnerable WordPress sites, injects JavaScript downloaders known as ClearShort, and uses the EtherHiding technique to store control information in BNB Smart Chain smart contracts while hosting malicious pages on Cloudflare pages.dev. The campaigns rely on social-engineering lures, including fake Cloudflare verification pages and fraudulent Chrome update prompts, and by mid-2025 traces of the injected scripts had been observed on about 14,000 websites. Within this delivery ecosystem, LummaC.V2 is distributed alongside other infostealers such as Vidar and RadThief. This entry does not describe LummaC.V2's internal capabilities or list IOCs specific to it; the available information covers only its classification as an infostealer and its use in UNC5142 distribution campaigns.
Infostealer malware distributed by UNC5142 via blockchain-based infrastructure, targeting credentials and sensitive data.