Lumma

Malware updated 19 hours ago (2024-11-20T18:14:48.597Z)

Download STIX

Preview STIX

Lumma is a malicious software (malware) that has been causing significant security concerns due to its ability to steal sensitive information. The malware was delivered to victims primarily through websites hosting cracked games, specifically targeting gamers. In August and September, researchers reported campaigns where Lumma was deployed using a deceptive CAPTCHA system. Furthermore, the malware was found to be part of a larger cyber threat landscape involving other malware families such as Vidar, Aresloader, and Canyon, among others. Interestingly, Lumma was also found to be associated with other notorious malware like RedLine, Meta, Vidar, and Raccoon Stealer that had infected devices storing Snowflake access credentials as early as 2020. The delivery of Lumma was facilitated by an exploit in Microsoft Defender SmartScreen, identified as CVE-2024-21412. This vulnerability allowed hackers to deliver not only Lumma but also other malware such as ACR and Meduza Stealers. Over time, Lumma evolved to survive disruptive operations by law enforcement, adapting and adopting new techniques to ensure its persistence. For instance, it was observed being sent over Latrodectus C2, and even being delivered alongside the Amadey Trojan. By July, more than 250 million estimated players were targeted and lured into downloading Lumma Stealer through multiple simultaneous scams. Given the rapid evolution of threats like Lumma Stealer, continuous monitoring, adaptation, and regular updating of detection rules, indicators of compromise, and security controls are necessary, says Sarah Jones, a cyber-threat intelligence research analyst at Critical Start. Lumma's tactics range from leveraging legitimate software to utilizing deceptive delivery methods, making it a persistent challenge for security teams. Protection against ongoing Lumma Stealer threats requires close collaboration between threat intelligence, security operations centers (SOCs), and incident-response teams. As Kumar notes, the investigation into Lumma Stealer reveals an evolving threat landscape characterized by the malware’s ability to adapt and evade detection.

Description last updated: 2024-11-15T16:02:11.430Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Lumma Stealer is a possible alias for Lumma. Lumma Stealer is a potent malware designed to exfiltrate information from compromised systems, including system details, web browsers, and browser extensions. The malware was primarily delivered to victims through websites hosting cracked games, specifically targeting gamers. In July 2024, it was di	11
Stealc is a possible alias for Lumma. StealC is a form of malware that specifically targets browser extensions and password managers. Its emergence was first reported in early 2023 and it quickly grew in popularity on the dark web due to its ability to bypass traditional security measures. The malware's modus operandi involves stealing	3
Rhadamanthys is a possible alias for Lumma. Rhadamanthys is a sophisticated and notorious malware, known for its ability to steal sensitive information. It has been utilized by various threat actors, including nation-state entities such as Iran's Void Manticore and the pro-Palestine group "Handala." Its deployment often involves phishing tact	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Infostealer

Maas

Youtube

Trojan

Windows

Android

Payload

Cybercrime

Phishing

Exploit

Infostealer ...

Google

Loader

PowerShell

Credentials

Browser Exte...

Downloader

Dropper

Malware Loader

Fortiguard

Bot

Chrome

Sandbox

Github

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Redline Malware is associated with Lumma. RedLine is a type of malware, a malicious software designed to exploit and damage computer systems. It often infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data for ransom. RedLine has been favored by threat actor	Unspecified	6
The Amadey Malware is associated with Lumma. Amadey is a malicious software (malware) that has been known since 2018 and is notorious for stealing credentials from popular browsers and various Virtual Network Computing (VNC) systems. The malware, which is often sold in underground forums, uses sophisticated techniques to infect systems, includ	Unspecified	2
The Amos Malware is associated with Lumma. AMOS is a malicious software (malware) specifically designed to target macOS systems. First identified in early 2023, it has been associated with campaigns such as the ClearFake campaign, which spread the AMOS information stealer across macOS devices. This malware is particularly dangerous due to it	Unspecified	2

Source Document References

Information about the Lumma Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Malwarebytes	5 hours ago	Free AI editor lures in victims, installs information stealer instead on Windows and Mac \| Malwarebytes
Securelist	23 days ago	Lumma/Amadey: fake CAPTCHAs want to know if you’re human
Securelist	6 days ago	Crimeware and financial predictions for 2025
BankInfoSecurity	16 days ago	Canadian Cops Bust Suspected Hacker Tied to Snowflake Hits
DARKReading	a month ago	Tricky CAPTCHA Caught Dropping Lumma Stealer Malware
DARKReading	2 months ago	AI 'Nude Photo Generator' Delivers Infostealers, Not Images
DARKReading	2 months ago	Transport, Logistics Orgs Hit by Stealthy Phishing
InfoSecurity-magazine	2 months ago	Malicious Ads Hide Infostealer in League of Legends ‘Download’
InfoSecurity-magazine	3 months ago	Would-Be OnlyFans Hackers Targeted With Infostealer
DARKReading	3 months ago	Infostealers Waltz Through macOS to Grab Crypto Wallets, Browser Creds
Securityaffairs	3 months ago	SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 6
Checkpoint	4 months ago	5th August – Threat Intelligence Report - Check Point Research
Securityaffairs	4 months ago	security-affairs-malware-newsletter-round-5
ESET	4 months ago	The tap-estry of threats targeting Hamster Kombat players
Fortinet	4 months ago	Dark Web Shows Cybercriminals Ready for Olympics. Are You? \| FortiGuard Labs
DARKReading	5 months ago	Cut & Paste Tactics Import Malware to Unwitting Victims
InfoSecurity-magazine	5 months ago	Threat Actor Breaches Snowflake Customers, Victims Extorted
BankInfoSecurity	5 months ago	Snowflake Hacking Spree Puts At Risk 165 Organizations
Pulsedive	6 months ago	Pulsedive Blog \| Latrodectus Threat Research
Securityaffairs	6 months ago	Fake AV websites used to distribute info-stealer malware