Lumma

Malware updated a year ago (2024-11-29T13:56:02.848Z)

Download STIX

Preview STIX

Lumma is a malicious software (malware) that has been causing significant security concerns due to its ability to steal sensitive information. The malware was delivered to victims primarily through websites hosting cracked games, specifically targeting gamers. In August and September, researchers reported campaigns where Lumma was deployed using a deceptive CAPTCHA system. Furthermore, the malware was found to be part of a larger cyber threat landscape involving other malware families such as Vidar, Aresloader, and Canyon, among others. Interestingly, Lumma was also found to be associated with other notorious malware like RedLine, Meta, Vidar, and Raccoon Stealer that had infected devices storing Snowflake access credentials as early as 2020. The delivery of Lumma was facilitated by an exploit in Microsoft Defender SmartScreen, identified as CVE-2024-21412. This vulnerability allowed hackers to deliver not only Lumma but also other malware such as ACR and Meduza Stealers. Over time, Lumma evolved to survive disruptive operations by law enforcement, adapting and adopting new techniques to ensure its persistence. For instance, it was observed being sent over Latrodectus C2, and even being delivered alongside the Amadey Trojan. By July, more than 250 million estimated players were targeted and lured into downloading Lumma Stealer through multiple simultaneous scams. Given the rapid evolution of threats like Lumma Stealer, continuous monitoring, adaptation, and regular updating of detection rules, indicators of compromise, and security controls are necessary, says Sarah Jones, a cyber-threat intelligence research analyst at Critical Start. Lumma's tactics range from leveraging legitimate software to utilizing deceptive delivery methods, making it a persistent challenge for security teams. Protection against ongoing Lumma Stealer threats requires close collaboration between threat intelligence, security operations centers (SOCs), and incident-response teams. As Kumar notes, the investigation into Lumma Stealer reveals an evolving threat landscape characterized by the malware’s ability to adapt and evade detection.

Description last updated: 2024-11-15T16:02:11.430Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Lumma Stealer is a possible alias for Lumma. Lumma Stealer is a potent malware designed to exfiltrate information from compromised systems, including system details, web browsers, and browser extensions. The malware was primarily delivered to victims through websites hosting cracked games, specifically targeting gamers. In July 2024, it was di	15
Stealc is a possible alias for Lumma. StealC is a form of malware that specifically targets browser extensions and password managers. Its emergence was first reported in early 2023 and it quickly grew in popularity on the dark web due to its ability to bypass traditional security measures. The malware's modus operandi involves stealing	7
Rhadamanthys is a possible alias for Lumma. Rhadamanthys is a sophisticated and notorious malware, known for its ability to steal sensitive information. It has been utilized by various threat actors, including nation-state entities such as Iran's Void Manticore and the pro-Palestine group "Handala." Its deployment often involves phishing tact	4
Lumma Infostealer is a possible alias for Lumma.	4

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Infostealer

Domains

Payload

Maas

Credentials

Windows

Exploit

Cybercrime

Infostealers

Phishing

Loader

Ransomware

Android

Trojan

Youtube

Infostealer ...

Tool

PowerShell

Antivirus

Google

Source

Sandbox

Vulnerability

Exploits

Chrome

Downloader

Bot

Github

Scams

Scam

Dropper

Malvertising

Microsoft

Encrypt

XSS (Cross S...

Botnet

Crypter

Encryption

Fraud

Browser Exte...

Rat

Facebook

Malware Loader

Fortiguard

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Redline Malware is associated with Lumma. RedLine is a type of malware, or malicious software, designed to exploit and damage computer systems. It infects systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for	Unspecified	9
The Lummac2 Malware is associated with Lumma. LummaC2 is a malicious software (malware) that was initially identified in Russian-speaking forums in 2022. The malware, written in C and distributed as Malware-as-a-Service (MaaS), has been actively developed over time, with researchers noting that LummaC2 4.0 operates as a dynamic malware strain.	Unspecified	6
The Amadey Malware is associated with Lumma. Amadey is a malicious software (malware) that has been known since 2018 and is notorious for stealing credentials from popular browsers and various Virtual Network Computing (VNC) systems. The malware, which is often sold in underground forums, uses sophisticated techniques to infect systems, includ	Unspecified	5
The Clickfix Malware is associated with Lumma. ClickFix is a malicious software (malware) that has been actively exploiting computers and devices, primarily through fake WordPress plug-ins. The malware campaign leverages these bogus plug-ins to inject JavaScript that leads to ClickFix fake browser updates. These updates use blockchain and smart	Unspecified	3
The Autoit Malware is associated with Lumma. AutoIt is a type of malware, a malicious software designed to exploit and damage computers or devices. It infects systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, AutoIt can steal personal information, disrupt operations, or even hold data h	Unspecified	2
The Amos Malware is associated with Lumma. AMOS is a malicious software (malware) specifically designed to target macOS systems. First identified in early 2023, it has been associated with campaigns such as the ClearFake campaign, which spread the AMOS information stealer across macOS devices. This malware is particularly dangerous due to it	Unspecified	2
The Redline Stealer Malware is associated with Lumma. The RedLine Stealer is a formidable malware that specializes in stealthily stealing credentials and sensitive information. First documented in 2020, it has since evolved to use the Windows Communication Foundation (WCF) framework and later a REST API for network communication. This malware infects s	Unspecified	2
The malware Meta Stealer is associated with Lumma.	Unspecified	2
The Latrodectus Malware is associated with Lumma. Latrodectus, a harmful malware discovered in late 2023, has been gaining momentum among threat actors, with a significant increase in activity noted throughout February and March. This malicious software is being employed by initial access brokers (IABs) in email threat campaigns and uses MSI files	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The BianLian Threat Actor is associated with Lumma. BianLian is a threat actor that has been active in cybercrime, leveraging various techniques for malicious intent. Prior to January 2024, the group used an encryptor (encryptor.exe) that modified all encrypted files to have the .bianlian extension and created a ransom note in each affected directory	Unspecified	2

Source Document References

Information about the Lumma Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Recorded Future	12 days ago	Malicious Infrastructure Finds Stability with aurologic GmbH
Unit42	20 days ago	Suspected Nation-State Threat Actor Uses New Airstalk Malware in a Supply Chain Attack
Checkpoint	a month ago	Dissecting YouTube’s Malware Distribution Network - Check Point Research
InfoSecurity-magazine	a month ago	Lumma Stealer Vacuum Filled by Upgraded Vidar 2.0 Infostealer
Recorded Future	a month ago	Dark Covenant 3.0: Controlled Impunity and Russia’s Cybercriminals
Flashpoint	a month ago	The Proactive Defender’s Guide to Infostealers
InfoSecurity-magazine	a month ago	Lumma Stealer Developers Doxxed
Trend Micro	a month ago	Shifts in the Underground: The Impact of Water Kurita’s (Lumma Stealer) Doxxing
Securelist	a month ago	Developing a machine-learning model to detect DLL hijacking
Checkpoint	2 months ago	Rhadamanthys 0.9.x - walk through the updates - Check Point Research
Flashpoint	2 months ago	Infostealers to Watch in 2025: Katz, Bee, Acreed, and More
Recorded Future	2 months ago	From CastleLoader to CastleRAT: TAG-150 Advances Operations with Multi-Tiered Infrastructure
Malware-traffic-analysis.net	2 months ago	Malware-Traffic-Analysis.net - 2025-09-03: Kongtuke CAPTCHA page to ClickFix script to Lumma Stealer
Recorded Future	3 months ago	Behind the Curtain: How Lumma Affiliates Operate
Unit42	4 months ago	2025 Unit 42 Global Incident Response Report: Social Engineering Edition
CISA	4 months ago	#StopRansomware: Interlock \| CISA
Trend Micro	4 months ago	Back to Business: Lumma Stealer Returns with Stealthier Methods
InfoSecurity-magazine	4 months ago	Malware-as-a-Service Campaign Exploits GitHub to Deliver Payloads
Unit42	4 months ago	Fix the Click: Preventing the ClickFix Attack Vector
InfoSecurity-magazine	4 months ago	Hackers Target Employee Credentials Amid Spike in ID Attacks