ESET has collaborated with Microsoft<\/a>, BitSight<\/a>, Lumen<\/a>, Cloudflare<\/a>, CleanDNS<\/a>, and GMO Registry<\/a> in a worldwide disruption operation in opposition to Lumma Stealer, an notorious malware-as-a-service (MaaS) infostealer. The operation focused Lumma Stealer infrastructure with all recognized C&C servers up to now yr, rendering the exfiltration community, or a big a part of it, nonoperational.<\/p>\n Key factors of this blogpost:<\/strong><\/p>\n ESET automated techniques processed tens of 1000’s of Lumma Stealer samples, dissecting them to extract key components, resembling C&C servers and affiliate identifiers. This allowed us to repeatedly monitor Lumma Stealer\u2019s exercise, monitor growth updates, cluster associates, and extra.<\/p>\n Infostealer malware households, like Lumma Stealer, are sometimes only a foreshadowing of a future, way more devastating assault. Harvested credentials are a valued commodity within the cybercrime underground, offered by preliminary entry brokers to varied different cybercriminals, together with ransomware associates. Lumma Stealer has been one of the crucial prevalent infostealers over the previous two years, and ESET telemetry (see Determine 1) confirms that it has left no a part of the world untouched.<\/p>\n Lumma Stealer builders had been actively creating and sustaining their malware. We have now recurrently observed code updates starting from minor bug fixes to finish alternative of string encryption algorithms and adjustments to the community protocol. The operators additionally actively maintained the shared exfiltration community infrastructure. Between June 17th<\/sup>, 2024 and Might 1st<\/sup>, 2025, we noticed a complete of three,353 distinctive C&C domains, averaging roughly 74 new domains rising every week together with occasional updates to Telegram-based dead-drop resolvers (see Determine 2). We focus on the main points of the community infrastructure later within the blogpost.<\/p>\n This ongoing evolution underscores the numerous menace posed by Lumma Stealer and highlights the significance and complexity of the disruption effort.<\/p>\n Over the previous two years, Lumma Stealer (often known as LummaC or LummaC2<\/a>) has emerged as one of the crucial energetic infostealers within the cybercrime ecosystem, changing into a well-liked device amongst cybercriminals resulting from its energetic growth of malware options and its infrastructure being offered as a service.<\/p>\n Lumma Stealer adopts the idea of malware as a service (MaaS), the place associates pay a month-to-month payment, primarily based on their tier, to obtain the most recent malware builds and the community infrastructure needed for information exfiltration. Associates have entry to a administration panel with a user-friendly interface the place they will obtain exfiltrated information and harvested credentials.<\/p>\n The tiered subscription mannequin ranges from USD 250 to USD 1,000 per thirty days, every with more and more subtle options. Decrease tiers embrace fundamental filtering and log obtain choices, whereas greater tiers supply customized information assortment, evasion instruments, and early entry to new options. The costliest plan emphasizes stealth and flexibility, providing distinctive construct technology and decreased detection.<\/p>\n The operators of Lumma Stealer have additionally created a Telegram market with a score system for associates to promote stolen information with out intermediaries. {The marketplace} has been nicely documented in Cybereason analysis<\/a>. Furthermore, they preserve public documentation of the administration panel for associates and periodically share updates and fixes on hacking boards, as proven in Determine 3.<\/p>\n Open documentation not solely helps associates with much less expertise to make use of the malware service, but additionally supplies precious insights for safety researchers. Builders deal with malware builds, information pipelining, and infrastructure upkeep, whereas associates are chargeable for distributing the malware. This info, mixed with the service\u2019s reputation, ends in all kinds of compromise vectors.<\/p>\n Frequent distribution strategies embrace phishing, cracked software program, and different malware downloaders together with SmokeLoader, DarkGate, Amadey, Vidar, and others. Standard phishing schemes contain ClickFix<\/a> or pretend CAPTCHA<\/a> internet pages, fraudulent boards with cracked software program<\/a>, pretend GitHub repositories<\/a>, fraudulent hyperlinks on Reddit boards, and lots of extra.<\/p>\n Quite a few public analyses have already been written about Lumma Stealer and its compromise vectors. Our focus right here, nonetheless, is on the points related to the disruption. On this part, we are going to briefly introduce the important thing static and dynamic properties that we’ve got been actively extracting from Lumma Stealer.<\/p>\n Numerous info comes embedded in Lumma Stealer malware samples. This naturally presents a really perfect goal for automated extraction. In addition to the plain information of curiosity \u2013 C&C server domains \u2013 the samples additionally include identifier strings that tie the pattern to a selected affiliate and a marketing campaign, and an optionally available identifier resulting in a customized dynamic configuration. These identifiers are utilized in community communication with the C&C server throughout information exfiltration and requests for dynamic configuration. Within the sections beneath, we take a look at these properties in depth.<\/p>\n Every Lumma Stealer pattern comprises a listing of 9 encrypted C&C domains. Whereas the encryption strategies have developed over time, the attribute array construction has remained constant as much as the time of writing.<\/p>\n Primarily based on Lumma Stealer\u2019s inner pattern versioning, which is closely protected by stack string obfuscation, we all know that up till January 2025, the C&C domains within the samples have been protected by an XOR perform and base64 encoding (see Determine 4). When the base64-encoded string was decoded, it revealed a construction the place the primary 32 bytes served as an XOR key, and the remaining bytes contained the encrypted C&C area.<\/p>\n In January 2025, Lumma Stealer transitioned the safety of the C&C record to ChaCha20 encryption with a single hardcoded key and nonce (see Determine 5). This safety of the C&C record within the Lumma Stealer binaries has remained the identical up till the time of publication.<\/p>\n Since June 2024, every Lumma Stealer construct got here with a brand new function for acquiring a backup C&C. If no C&C server from the static config responds to Lumma Stealer, then the backup C&C is extracted from a dummy Steam profile internet web page performing as a dead-drop resolver<\/a>. The Steam profile URL is closely protected within the binary, the identical approach because the model string. The encrypted backup C&C URL is about within the Steam profile identify, as proven in Determine 6, and the safety is a straightforward Caesar cipher<\/a> (ROT11).<\/p>\n In February 2025, Lumma Stealer acquired an replace that included a function for acquiring a brand new, main C&C URL from a Telegram channel dead-drop resolver. The C&C URL is extracted from the Telegram channel\u2019s title area, and it’s protected by the identical algorithm as within the case of the Steam profile dead-drop resolver. The primary distinction within the utilization of the Telegram and Steam profile dead-drop resolvers is that the Telegram possibility is examined first, whereas the Steam profile is used as a final resort if profitable communication has not been established with beforehand obtained C&C servers (Determine 16).<\/p>\n Furthermore, we consider that the Telegram dead-drop resolver is on the market for greater tier subscriptions. It is because many samples should not have the Telegram URL set, and subsequently the malware skips this technique.<\/p>\n Every Lumma Stealer pattern comprises a singular hardcoded affiliate identifier often known as LID. It’s embedded in plaintext kind and utilized for communication with C&C servers. Up till March 2025, the LID parameter string adopted a structured format, delimited by two dashes (Determine 7). A\u00a0detailed evaluation of the LID affiliate string is offered in an upcoming part.<\/p>\n Though essentially the most prevalent LID noticed throughout our monitoring begins with the string uz4s1o<\/span>; the second commonest LID, which begins with LPnhqo<\/span>, supplies a greater instance for visualizing typical LID variability. Within the phrase cloud in Determine 8, we current the highest 200 LIDs collected throughout our monitoring, beginning with LPnhqo<\/span>.<\/p>\n Nevertheless, in early March 2025, Lumma Stealer transitioned to utilizing hexadecimal identifiers, referred to internally as UID (see Determine 9).<\/p>\n Along with the LID parameter, Lumma Stealer samples can also include an optionally available parameter referred to internally as J. When current, this parameter is in cleartext and formatted as a 32-byte ASCII hex string (see Determine 10). The J parameter is utilized within the C&C request for dynamic configuration with extra definitions for exfiltration. We speak about dynamic configuration in additional element in a following part.<\/p>\n If the J parameter is lacking within the Lumma Stealer pattern, an empty string is used within the C&C request and a default configuration is retrieved. Not like LID, the J parameter is never current in Lumma Stealer samples. Nevertheless, it performs an important function when current, because it allows retrieving a dynamic configuration that considerably will increase the stealer\u2019s capabilities, making it a extra versatile exfiltration device for menace actors.<\/p>\n In March 2025, when the LID parameter was renamed to UID and its format modified, the J parameter was renamed to CID however with no change to its format or perform.<\/p>\n From our long-term monitoring and statistical evaluation of LID parameters, we consider that the primary phase of the LID identifies the affiliate, whereas the second phase differentiates between campaigns. Primarily based on this assumption you’ll be able to see the highest 200 affiliate identifiers in Determine 11.<\/p>\n Furthermore, we’ve got been in a position to create a visualization of the associates\u2019 actions over the previous yr (see Determine 12). This visualization highlights every week in January 2025. Most of these visualizations have offered us with precious insights into the patterns and behaviors of various menace actors. Moreover, the visualizations reveal a shared, domain-based C&C infrastructure amongst most Lumma Stealer associates. On the identical time, we have been in a position to determine much less steadily used C&C domains, which we suspect have been reserved for greater tier associates or extra necessary campaigns.<\/p>\n Lumma Stealer retrieves a dynamic configuration from the C&C server, which comprises definitions specifying what to scan for exfiltration (see Desk 1). The first focus is on stealing internet browser extension information and databases containing passwords, session cookies, internet looking historical past, and autofill information. In addition to internet browsers, it additionally focuses on stealing information from password managers, VPNs, FTP purchasers, cloud providers, distant desktop purposes, electronic mail purchasers, cryptocurrency wallets, and note-taking purposes.<\/p>\n Desk 1. Dynamic config\u2019s JSON fields<\/em><\/p>\n\n
\n
Disruption contribution<\/h2>\n
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/05-25\/lumma-stealer\/figure-1.png\" "\\"\\"")
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/05-25\/lumma-stealer\/figure-2.png\" "\\"Figure")
Background<\/h2>\n
Malware as a service<\/h3>\n
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/05-25\/lumma-stealer\/figure-3.png\" "\\"Figure")
Technical evaluation<\/h2>\n
Static properties of Lumma Stealer<\/h3>\n
C&C domains<\/h4>\n
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/05-25\/lumma-stealer\/figure-4.png\" "\\"Figure")
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/05-25\/lumma-stealer\/figure-5.png\" "\\"Figure")
Useless-drop resolvers<\/h4>\n
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/05-25\/lumma-stealer\/figure-6.png\" "\\"Figure")
Lumma Stealer identifier<\/h4>\n
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/05-25\/lumma-stealer\/figure-7.png\" "\\"Figure")
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/05-25\/lumma-stealer\/figure-8.png\" "\\"Figure")
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/05-25\/lumma-stealer\/figure-9.png\" "\\"Figure")
Non-obligatory configuration identifier<\/h4>\n
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/05-25\/lumma-stealer\/figure-10.png\" "\\"Figure")
Evaluation of static properties<\/h3>\n
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/05-25\/lumma-stealer\/figure-11.png\" "\\"Figure")
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/05-25\/lumma-stealer\/figure-12.png\" "\\"Figure")
Dynamic properties of Lumma Stealer<\/h3>\n
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/05-25\/lumma-stealer\/figure-13.png\" "\\"Figure")
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/05-25\/lumma-stealer\/figure-14.png\" "\\"Figure")
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/05-25\/lumma-stealer\/figure-15.png\" "\\"Figure")
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/05-25\/lumma-stealer\/figure-16.png\" "\\"Figure")
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/05-25\/lumma-stealer\/figure-17.png\" "\\"Figure")
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/05-25\/lumma-stealer\/figure-18.png\" "\\"Figure")
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/05-25\/lumma-stealer\/figure-19.png\" "\\"Figure")
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/05-25\/lumma-stealer\/figure-20.png\" "\\"Figure")
![\"\"](\"https:\/\/web-assets.esetstatic.com\/wls\/eti-eset-threat-intelligence.png\")
<\/a><\/p>\n<\/div>\n\n","protected":false},"excerpt":{"rendered":"