Lumma Stealer

Malware updated 7 months ago (2024-11-29T14:31:44.496Z)
Download STIX
Preview STIX
Lumma Stealer is a potent malware designed to exfiltrate information from compromised systems, including system details, web browsers, and browser extensions. The malware was primarily delivered to victims through websites hosting cracked games, specifically targeting gamers. In July 2024, it was discovered that the more than 250 million estimated players of the game "Hamster Kombat" were targeted and lured into downloading Lumma Stealer by multiple simultaneous scams. By leveraging legitimate software and utilizing deceptive delivery methods, Lumma Stealer presents a persistent challenge for security teams. The malicious PowerShell script that initiated the Lumma Stealer infection downloaded and executed an archive with the malware. The Command and Control (C&C) servers associated with Lumma Stealer were active in April, May, and June 2024, indicating an ongoing campaign. Lumma Stealer was installed on Windows machines, while Atomic Stealer (AMOS) was used on Macs. A unique loader, FakeBat, has been used to drop follow-up payloads such as Lumma Stealer. In October 2024, Check Point Research highlighted a significant rise in infostealer malware, with Lumma Stealer dominating the list of prevalent threats. Researchers from various companies reported this campaign in August and September. According to Sarah Jones, a cyber-threat intelligence research analyst at Critical Start, protecting against ongoing Lumma Stealer threats requires close collaboration between threat intelligence, security operations centers (SOCs), and incident-response teams. Continuous monitoring, adaptation, and regular updating of detection rules, indicators of compromise, and security controls are crucial given the rapid evolution of threats like Lumma Stealer.
Description last updated: 2024-11-21T10:34:24.554Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Lumma is a possible alias for Lumma Stealer. Lumma is a malicious software (malware) that has been causing significant security concerns due to its ability to steal sensitive information. The malware was delivered to victims primarily through websites hosting cracked games, specifically targeting gamers. In August and September, researchers re
12
Lummac2 is a possible alias for Lumma Stealer. LummaC2 is a malicious software (malware) that was initially identified in Russian-speaking forums in 2022. The malware, written in C and distributed as Malware-as-a-Service (MaaS), has been actively developed over time, with researchers noting that LummaC2 4.0 operates as a dynamic malware strain.
4
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Windows
Payload
Infostealer
Credentials
Youtube
Domains
Trojan
Exploit
Maas
Phishing
Downloader
Android
Infostealers
Telegram
PowerShell
Bot
Cybercrime
Infostealer ...
Rat
Vulnerability
Browser Exte...
Chrome
Fortiguard
Sandbox
Github
Eset
Ransomware
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Redline Malware is associated with Lumma Stealer. RedLine is a type of malware, or malicious software, designed to exploit and damage computer systems. It infects systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold data hostage forUnspecified
5
The Netsupport Rat Malware is associated with Lumma Stealer. NetSupport RAT is a malicious software (malware) that poses a significant threat to organizational safety. The malware, which can be spread through suspicious downloads, emails, or websites, infiltrates systems without detection and has the potential to steal personal information, disrupt operationsUnspecified
3
The Vidar Malware is associated with Lumma Stealer. Vidar is a malicious software (malware) that primarily targets Windows systems, written in C++ and based on the Arkei stealer. It has historically been favored by threat actors who sell logs through marketplaces like 2easy, alongside other infostealers such as Raccoon, RedLine, and AZORult. The malwUnspecified
3
The Redline Stealer Malware is associated with Lumma Stealer. The RedLine Stealer is a formidable malware that specializes in stealthily stealing credentials and sensitive information. First documented in 2020, it has since evolved to use the Windows Communication Foundation (WCF) framework and later a REST API for network communication. This malware infects sUnspecified
3
The Magecart Malware is associated with Lumma Stealer. Magecart is a form of malware that targets e-commerce platforms by injecting malicious code to steal customer data. The malware can infect systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can disrupt operations and steal personal informatUnspecified
2
The Amadey Malware is associated with Lumma Stealer. Amadey is a malicious software (malware) that has been known since 2018 and is notorious for stealing credentials from popular browsers and various Virtual Network Computing (VNC) systems. The malware, which is often sold in underground forums, uses sophisticated techniques to infect systems, includUnspecified
2
The Clickfix Malware is associated with Lumma Stealer. ClickFix is a malicious software (malware) that has been actively exploiting computers and devices, primarily through fake WordPress plug-ins. The malware campaign leverages these bogus plug-ins to inject JavaScript that leads to ClickFix fake browser updates. These updates use blockchain and smart Unspecified
2
The Autoit Malware is associated with Lumma Stealer. AutoIt is a type of malware, a malicious software designed to exploit and damage computers or devices. It infects systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, AutoIt can steal personal information, disrupt operations, or even hold data hUnspecified
2
The Rhadamanthys Malware is associated with Lumma Stealer. Rhadamanthys is a sophisticated and notorious malware, known for its ability to steal sensitive information. It has been utilized by various threat actors, including nation-state entities such as Iran's Void Manticore and the pro-Palestine group "Handala." Its deployment often involves phishing tactUnspecified
2
The Mozi Malware is associated with Lumma Stealer. Mozi, a malicious software (malware), has been a significant force in the cyber threat landscape. This malware, known for exploiting outdated and vulnerable Internet of Things (IoT) devices, was responsible for 74% of all IoT attacks in 2021. The Mozi botnet, infamous for hijacking hundreds of thousUnspecified
2
The Netsupport Malware is associated with Lumma Stealer. NetSupport is a legitimate remote access software that has been repurposed as malware by various cybercriminal groups. It has been observed in several high-profile cyber-attacks, including the Royal ransomware attack and operations conducted by former ITG23 members. The malware can infiltrate systemUnspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The FIN7 Threat Actor is associated with Lumma Stealer. FIN7, also known as Carbanak, Carbon Spider, Cobalt Group, and Navigator Group, is a notorious cybercrime group that has been active since 2012. The group is recognized for its advanced combination of malware and social engineering tactics, having executed numerous successful attacks against global Unspecified
2
Source Document References
Information about the Lumma Stealer Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
Malware-traffic-analysis.net
3 days ago
ESET
8 days ago
Malware-traffic-analysis.net
9 days ago
InfoSecurity-magazine
9 days ago
InfoSecurity-magazine
17 days ago
InfoSecurity-magazine
a month ago
InfoSecurity-magazine
a month ago
Malwarebytes
a month ago
Securityaffairs
a month ago
InfoSecurity-magazine
a month ago
ESET
a month ago
Krebs on Security
a month ago
ESET
a month ago
InfoSecurity-magazine
a month ago
Securityaffairs
a month ago
Unit42
2 months ago
Flashpoint
2 months ago
Securelist
2 months ago
ESET
3 months ago
Trend Micro
3 months ago