Lumma Stealer
Lumma Stealer, also referred to as Lumma, LummaC2, and LummaStealer, is a Windows information-stealing malware family commonly sold as a malware-as-a-service offering through underground forums, dark web marketplaces, and Telegram channels, with reporting citing entry pricing around $250 per month and broader MaaS pricing in the hundreds of dollars per month. It is repeatedly described as a popular off-the-shelf infostealer and one of the dominant families in mass credential-theft campaigns.
The malware is associated with theft of browser-stored credentials, authentication cookies, browsing history, and cryptocurrency wallet data. Reporting also links Lumma to theft of session cookies and credential pairs that feed large-scale credential pipelines, including campaigns affecting Snowflake customers and FIFA-related accounts. One report states that Lumma operators claimed they could restore expired Google authentication cookies, and Google specifically cited Lumma when rolling out Device Bound Session Credentials to counter stolen-cookie abuse. Check Point assessed that Remus Stealer is likely a variant of Lumma Stealer.
Observed delivery vectors include malicious installers, spoofed software update prompts, fake project download sites reached via SEO poisoning and traffic distribution systems, fake GitHub security issues that direct users to a counterfeit github-scanner[.]com site, and ClickFix-style social engineering. One ClickFix chain used zipsage.pages[.]dev and get-1o8.pages[.]dev to deliver an obfuscated JavaScript downloader that fetched %TEMP%\putty.exe; the resulting activity generated repeated POST requests to /api endpoints on multiple .lat domains, including sustainskelet[.]lat, sweepyribs[.]lat, grannyejh[.]lat, discokeyus[.]lat, necklacebudi[.]lat, energyaffai[.]lat, aspecteirs[.]lat, crosshuaht[.]lat, and rapeflowwj[.]lat, which the report assessed as consistent with Lumma Stealer. Another campaign abused GitHub Issues and legitimate notifications@github.com emails to lure users to github-scanner[.]com, where a fake CAPTCHA copied a malicious command that downloaded l6E.exe, saved it as SysSetup.exe, and executed Lumma Stealer. Additional suspicious domains contacted in that campaign included eemmbryequo[.]shop, keennylrwmqlw[.]shop, licenseodqwmqn[.]shop, reggwardssdqw[.]shop, relaxatinownio[.]shop, tendencctywop[.]shop, tesecuuweqo[.]shop, and tryyudjasudqo[.]shop.
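The delivery and C2 indicators above are most useful when pushed through proxy logs. The script below is an added example (not code from the reporting or from Mallory): it refangs the listed domains, matches hosts by exact name or parent domain so subdomains are caught, and, as an assumption beyond the report, flags POST /api requests to unlisted .lat/.shop hosts at lower confidence because that is the beaconing shape described above. The log format and the sample lines (client IPs, the benign hosts, and unknownzzq.lat) are constructed for this example.

```python
"""Hunt web-proxy logs for the Lumma delivery and C2 indicators listed above.

Log format (constructed for this example, not a real product format):
    <timestamp> <client-ip> <METHOD> <url> <status>
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators as listed in the reporting above, kept defanged.
DELIVERY_DOMAINS = ["zipsage.pages[.]dev", "get-1o8.pages[.]dev", "github-scanner[.]com"]
C2_DOMAINS = [
    "sustainskelet[.]lat", "sweepyribs[.]lat", "grannyejh[.]lat", "discokeyus[.]lat",
    "necklacebudi[.]lat", "energyaffai[.]lat", "aspecteirs[.]lat", "crosshuaht[.]lat",
    "rapeflowwj[.]lat", "eemmbryequo[.]shop", "keennylrwmqlw[.]shop", "licenseodqwmqn[.]shop",
    "reggwardssdqw[.]shop", "relaxatinownio[.]shop", "tendencctywop[.]shop",
    "tesecuuweqo[.]shop", "tryyudjasudqo[.]shop",
]
# Heuristic (assumption, not from the report): POST /api to an unlisted .lat/.shop host
# mirrors the beaconing shape described above and is worth a lower-confidence flag.
PATTERN_TLDS = {"lat", "shop"}

LOG_RE = re.compile(r"^\S+\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})\s*$")


def refang(ioc: str) -> str:
    """Turn the defanged form back into a matchable hostname."""
    return ioc.replace("[.]", ".").lower()


KNOWN = {refang(d): "delivery" for d in DELIVERY_DOMAINS}
KNOWN.update({refang(d): "c2" for d in C2_DOMAINS})


def host_matches(host: str):
    """Return the listed indicator that `host` equals or is a subdomain of, else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in KNOWN:
            return candidate
    return None


def hunt(lines):
    """Classify each log line as delivery / c2 / pattern; lines that do not parse are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["url"])
        host, path = (parts.hostname or ""), parts.path
        ioc = host_matches(host)
        if ioc:
            findings.append({"src": m["src"], "host": host, "method": m["method"],
                             "kind": KNOWN[ioc], "ioc": ioc})
        elif m["method"] == "POST" and path == "/api" and host.rsplit(".", 1)[-1] in PATTERN_TLDS:
            findings.append({"src": m["src"], "host": host, "method": m["method"],
                             "kind": "pattern", "ioc": None})
    return findings


def beacon_sources(findings, min_hosts=2):
    """Clients that POSTed to at least `min_hosts` distinct suspected C2 hosts."""
    per_src = defaultdict(set)
    for f in findings:
        if f["method"] == "POST" and f["kind"] in ("c2", "pattern"):
            per_src[f["src"]].add(f["host"])
    return {src: sorted(hosts) for src, hosts in per_src.items() if len(hosts) >= min_hosts}


# Constructed sample log; the client IPs and the benign/unlisted hosts are made up.
SAMPLE_LOG = """
2025-09-12T10:01:03Z 10.0.4.21 POST https://sustainskelet.lat/api 200
2025-09-12T10:01:09Z 10.0.4.21 POST https://sweepyribs.lat/api 200
2025-09-12T10:02:11Z 10.0.4.22 GET https://get-1o8.pages.dev/ 200
2025-09-12T10:03:00Z 10.0.4.23 GET https://api.github.com/repos/octocat/hello 200
2025-09-12T10:03:05Z 10.0.4.23 GET https://github-scanner.com/ 200
2025-09-12T10:04:00Z 10.0.4.24 POST https://intranet.example.test/api 200
2025-09-12T10:04:30Z 10.0.4.21 POST https://unknownzzq.lat/api 200
2025-09-12T10:05:00Z 10.0.4.25 GET https://cdn.sweepyribs.lat/x.js 200
malformed line that the parser must skip
""".strip().splitlines()

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f)
    print(beacon_sources(hunt(SAMPLE_LOG)))
```

The parent-domain walk matters because operators front the same registered domain with arbitrary subdomains; the github.com line shows that it still does not collide with the legitimate GitHub host. beacon_sources() is the follow-up pivot: one client POSTing to several of these hosts in a short window is the repeated-POST-to-/api behaviour the report describes, and a good starting point for endpoint triage.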
Reported behavior includes in-memory execution via obfuscated PowerShell, staging of collected data in a custom user data directory under %USERPROFILE%\AppData\Roaming, and use of anti-detection and persistence capabilities. One reported Lumma variant has SHA-256 09bb6673b62ed69b38035c562752867ff16d0624df6b3b2abf24ac90b5fda6cd. Lumma is also reported as a payload of ClearFake campaigns and as malware distributed through signed-malware ecosystems and malware-signing services.
Reporting links Lumma Stealer to broader criminal operations and downstream ransomware activity. Microsoft connected Fox Tempest-enabled and related activity to campaigns involving Oyster, Vidar, Rhysida, Akira, INC, Qilin, BlackByte, and Lumma Stealer, and also linked Lumma-related activity to Vanilla Tempest and other actors or affiliates. Overall, public reporting consistently characterizes Lumma Stealer as a widely used Windows infostealer central to mass credential theft, cookie theft, and criminal access pipelines.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
CVE-2026-1731 (BeyondTrust RS/PRA; severity 9.8; public exploit code: Yes (GitHub); vendor advisory: Yes (BT26-02)) ...
Evidence: CVE-2026-1731 (BeyondTrust) is associated with HAFNIUM and linked to Lumma Stealer, SparkRAT, and VShell malware deployments.
Groups observed using it
27 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Microsoft linked Fox Tempest-enabled activity to ransomware and malware operations involving Vanilla Tempest, Rhysida, Oyster, Lumma Stealer, Vidar, INC, Qilin, Akira, and other families or affiliates.
ClearFake has delivered multiple payloads over time, including ArechClient2 and LummaC2; most recently, we’ve observed ACR Stealer, which debuts in this month’s top 10.
Collection Atomic, Vidar, Meduza, Raccoon, Snaffler, Hekatomb, Lumma, DBeaver, MongoDB Compass, Azure SQL Query Editor, Cerebrata, FiveTran, Ave-Maria
Associated malware includes Rhysida ransomware, Lumma Stealer, Vidar infostealer, and the Oyster (Broomstick) backdoor.
An infostealer, reportedly Lumma Stealer, compromised a Context.ai employee’s endpoint through a Roblox cheat download in February 2026.
Amadey is a modular Windows botnet sold as MaaS by author "InCrease" on XSS/Exploit forums, active since 2018. It commonly drops Lumma, StealC, RedLine, CoinMiners, and RATs.
Proofpoint has also seen the .zip contain an executable that loaded Lumma Stealer.
Offered on underground forums as malware-as-a-service (MaaS) since at least August 2022, Lumma Stealer (also known as LummaC2 Stealer or LummaC2) has been one of the most prominent information stealers this year.
Initial iterations of this campaign distributed Lumma Stealer, before TA585 switched to MonsterV2 in early 2025.
For TA2727, payloads are tailored... Windows typically receives DoiLoader and LummaStealer...
"On May 21, 2025, Europol, FBI, and Microsoft... announced an operation to dismantle the activity of the Lumma infostealer. The malware... is distributed through a malware-as-a-service model."
...has occasionally delivered other payloads including StealC and Lumma Stealer (information stealers with similar functionality to Rhadamanthys).
...but it has also delivered LummaC2 as a tertiary payload.
Check Point researchers have identified multiple malware families distributed through the videos, most of which are infostealers, such as Lumma and Rhadamanythys.
...relied on distributing infostealers such as RedLine, Lumma, or Vidar... to harvest credentials.
The following analytic detects BitLockerToGo.exe execution, which has been observed being abused by Lumma stealer malware.
"...information stealers, such as Atomic (AMOS), Lumma, Rhadamanthys... and Vidar..."
Bitdefender reports a surge in LummaStealer activity, showing the MaaS infostealer rebounded after 2025 law enforcement disruption... Lumma Stealer is a Malware-as-a-Service (MaaS) infostealer designed to steal sensitive data like passwords, credit card info, and crypto wallet keys.
"CVE-2026-1731 (BeyondTrust) is associated with HAFNIUM and linked to Lumma Stealer, SparkRAT, and VShell malware deployments."
Techniques & procedures
29 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
4 techniques
Vidar and Lumma malware are delivered through cracked software lures, malvertising networks, and Telegram cheat channels.
Social media posts on YouTube and Facebook — in many cases offering software cracks — have also been used for distribution.
Further analysis revealed that Fox Tempest expanded its offerings earlier this year by providing customers with pre-configured virtual machines hosted through Cloudzy infrastructure. Users could upload malware to these systems and receive digitally signed binaries generated through certificates controlled by the group.
The malware is distributed using the strategy of making the distribution posts appear at the top of search engine results (SEO poisoning).
Initial Access
4 techniques
In November 2023, APT29 (Midnight Blizzard) got into Microsoft's corporate environment through password spraying against a single test cloud tenant without MFA... Initial Access and Credential Theft (T1078, T1621)... Valid Accounts (T1078...)
One example is ClickFix, a technique using fake browser alerts, fraudulent update prompts and drive-by downloads to initiate compromise.
The developer also said data on servers had been erased, and a phishing page was deployed to collect the IPs of the malware’s users.
One campaign used realistic invoice-themed emails to trick recipients into opening SVG attachments... Another wave of phishing leaned on PDF attachments... One delivery chain involved IMG archives attached to phishing emails.
Execution
2 techniques
These so-called “living off the land” binaries allowed them to execute commands, copy files, and decode hidden payloads... The script that followed was a lightweight reverse shell, providing attackers with command execution and data collection.
PowerShell scripts extracted the hidden data... One delivery chain involved IMG archives attached to phishing emails... This eventually led to the execution of obfuscated PowerShell code that unpacked and ran Lumma Stealer in memory.
Persistence
3 techniques
In November 2023, APT29 (Midnight Blizzard) got into Microsoft's corporate environment through password spraying against a single test cloud tenant without MFA... Initial Access and Credential Theft (T1078, T1621)... Valid Accounts (T1078...)
It then proceeds to create a run key in the \SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry location... This copy is registered to run automatically at each system startup...
Privilege Escalation
2 techniques
In November 2023, APT29 (Midnight Blizzard) got into Microsoft's corporate environment through password spraying against a single test cloud tenant without MFA... Initial Access and Credential Theft (T1078, T1621)... Valid Accounts (T1078...)
Stealth
6 techniques
This eventually led to the execution of obfuscated PowerShell code that unpacked and ran Lumma Stealer in memory... The attackers hid the final payload inside an old Program Information File format, further lowering the chance that users or tools would catch it.
The cybercriminals have also created GitHub accounts that serve the malware under the guise of game cheats.
In November 2023, APT29 (Midnight Blizzard) got into Microsoft's corporate environment through password spraying against a single test cloud tenant without MFA... Initial Access and Credential Theft (T1078, T1621)... Valid Accounts (T1078...)
By hiding malware inside trusted file formats, leaning on built-in system tools... they reduce the chances of being caught early.
registered for startup with the following command line: rundll32.exe C:\Users\{user}\OneDrive\Documents\AvivaUpdate_0001.dll,EntryPoint
This eventually led to the execution of obfuscated PowerShell code that unpacked and ran Lumma Stealer in memory, bypassing disk-based detection.
Defense Impairment
2 techniques
Microsoft has announced the disruption of a large-scale malware-signing-as-a-service (MSaaS) operation that exploited its Azure Artifact Signing platform to generate fraudulent code-signing certificates... The group allegedly abused Microsoft's Artifact Signing service to create short-lived digital certificates that allowed malware to appear legitimate to both users and operating systems.
Credential Access
6 techniques
Credential-harvesting malware is the most common first-stage payload... configured to extract browser-stored credentials, saved tokens and session cookies.
the stealers copy all browser-stored credentials, cookies, autofill data, session tokens, and cryptocurrency wallet seeds from every infected device.
These tools are configured to extract browser-stored credentials, saved tokens and session cookies.
The infostealer reads browser files and browser memory, where session cookies are stored - Credentials from Web Browsers (T1555.003, Credential Access).
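The host-side behaviours on this page (the Run key and rundll32 startup command line under Persistence and Stealth, the BitLockerToGo.exe analytic in the Groups section, obfuscated PowerShell running Lumma in memory under Execution, and browser credential-store reads under T1555.003 here) reduce to a handful of telemetry rules. The script below is an added example, not code from any of the quoted vendors or from Mallory. The event shape is an assumed, simplified EDR/Sysmon-like record; the sample events are constructed (user name, SID, the SysSetup.exe parent path and the PowerShell stage are made up), with the rundll32 Run key value mirroring the command line quoted above.

```python
"""Rule-driven hunt over endpoint telemetry for the Lumma host behaviours cited above.

Event records use a simplified EDR/Sysmon-like shape assumed for this example:
    {"id", "type": process_create | registry_set | file_read,
     "image", "command_line", "parent", "target", "data", "path"}
"""
import base64
import re

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
CRED_STORE_RE = re.compile(r"\\(login data|cookies|web data|key4\.db|logins\.json)$", re.I)
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
USER_PATH_RE = re.compile(r"[a-z]:\\users\\[^\\]+\\", re.I)
ENC_ARG_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)
STAGE2_RE = re.compile(r"FromBase64String|Invoke-Expression|\bIEX\b|DownloadString", re.I)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_run_key_rundll32(ev):
    """Run key whose value starts rundll32 on a DLL under a user profile (T1547.001)."""
    if ev["type"] != "registry_set" or not RUN_KEY_RE.search(ev["target"]):
        return None
    data = ev["data"]
    if "rundll32" in data.lower() and USER_PATH_RE.search(data):
        return "T1547.001 Run key launches rundll32 on a DLL in a user profile path"
    return None


def rule_bitlockertogo(ev):
    """Any BitLockerToGo.exe launch, as in the analytic quoted above; tune on parent/context."""
    if ev["type"] == "process_create" and _basename(ev["image"]) == "bitlockertogo.exe":
        return "BitLockerToGo.exe executed (observed abused by Lumma); review parent process"
    return None


def rule_browser_store_read(ev):
    """A non-browser process reading a browser credential/cookie store (T1555.003)."""
    if (ev["type"] == "file_read" and CRED_STORE_RE.search(ev["path"])
            and _basename(ev["image"]) not in BROWSERS):
        return "T1555.003 non-browser process read a browser credential/cookie store"
    return None


def rule_encoded_powershell(ev):
    """Encoded PowerShell; a decoded stage that decodes/executes more code is flagged higher."""
    if ev["type"] != "process_create" or _basename(ev["image"]) not in {"powershell.exe", "pwsh.exe"}:
        return None
    m = ENC_ARG_RE.search(ev["command_line"])
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16-le", "ignore")
    except ValueError:
        decoded = ""
    if STAGE2_RE.search(decoded):
        return "T1059.001 encoded PowerShell that decodes/executes further code in memory"
    return "T1059.001 encoded PowerShell command line"


RULES = (rule_run_key_rundll32, rule_bitlockertogo, rule_browser_store_read, rule_encoded_powershell)


def hunt(events):
    """Return (event id, rule message) for every rule that fires, in event order."""
    hits = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                hits.append((ev["id"], msg))
    return hits


# Constructed sample telemetry (see the lead-in for what is made up).
STAGE = "$b=[Convert]::FromBase64String($env:TMP_BLOB);IEX([Text.Encoding]::UTF8.GetString($b))"
ENCODED = base64.b64encode(STAGE.encode("utf-16-le")).decode()
USER_DATA = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"id": "E1", "type": "registry_set",
     "target": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\AvivaUpdate",
     "data": r"rundll32.exe C:\Users\alice\OneDrive\Documents\AvivaUpdate_0001.dll,EntryPoint"},
    {"id": "E2", "type": "registry_set",
     "target": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "data": r"C:\Program Files\Vendor\tray.exe /minimized"},
    {"id": "E3", "type": "process_create", "image": r"C:\Windows\System32\BitLockerToGo.exe",
     "command_line": "BitLockerToGo.exe", "parent": r"C:\Users\alice\AppData\Local\Temp\SysSetup.exe"},
    {"id": "E4", "type": "file_read", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": USER_DATA + r"\Login Data"},
    {"id": "E5", "type": "file_read", "image": r"C:\Windows\System32\BitLockerToGo.exe",
     "path": USER_DATA + r"\Network\Cookies"},
    {"id": "E6", "type": "process_create", "image": PS,
     "command_line": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"id": "E7", "type": "process_create", "image": PS,
     "command_line": "powershell.exe -NoProfile -Command Get-Date"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(*hit)
```

Two design points: the PowerShell rule decodes the -enc argument before deciding severity, so a harmless encoded one-liner is distinguished from a stage that calls FromBase64String or IEX, which is the in-memory unpacking pattern the reporting describes; and the browser-store rule keys on the reading process rather than the file alone, because the legitimate browser touches Login Data and Cookies constantly while an infostealer, or a hollowed system binary such as BitLockerToGo.exe, does not belong there. In production, both rules need an allow-list for backup agents and password managers.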
Collection
2 techniques
The content repeatedly describes adversaries and malware storing collected data, command output, credentials, archives, or files in local temporary folders, working directories, hidden directories, registry locations, recycle bins, or specific files prior to exfiltration.
Archives were the top delivery method in Q2 2025, making up 40 percent of observed threats... One delivery chain involved IMG archives attached to phishing emails.
Command and Control
3 techniques
Data collected by Trend Micro showed that the cybercriminals quickly started restoring the infrastructure, with hundreds of new command and control (C&C) URLs spotted in the weeks after the takedown.
Researchers found that the malware-signing operation enabled customers to upload malicious files and receive code-signed versions using fraudulently acquired certificates.
The content repeatedly describes malware and threat actors using SSL, TLS, HTTPS, RSA, AES, Blowfish, RC4, ECIES, Diffie-Hellman, OpenSSL, WolfSSL, and mutual TLS to protect command and control traffic.
Exfiltration
1 technique
The connections between infected devices and the malware’s servers were cut off, preventing communication and data exfiltration.
IOCs tracked for this family
579 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
200 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A stealer malware family referenced as the likely parent/related family of Remus Stealer.
Referenced as a malware-as-a-service stealer offering used as a pricing comparison against WeedHack.
Referenced as an example of a malware-as-a-service stealer sold through underground channels at higher subscription prices than Weedhack.
Information-stealing malware observed in campaigns tied to the fraudulent code-signing service. Microsoft also noted similar prior abuse of its signing services in campaigns involving Lumma Stealer.