Lumma Stealer

Malware updated 7 months ago (2024-11-29T14:31:44.496Z)
Lumma Stealer is a potent infostealer designed to exfiltrate information from compromised systems, including system details, data from web browsers, and browser extensions. The malware was primarily delivered to victims through websites hosting cracked games, specifically targeting gamers. In July 2024, it was discovered that the more than 250 million estimated players of the game "Hamster Kombat" were targeted and lured into downloading Lumma Stealer by multiple simultaneous scams. By leveraging legitimate software and deceptive delivery methods, Lumma Stealer presents a persistent challenge for security teams. The malicious PowerShell script that initiated the Lumma Stealer infection downloaded and executed an archive containing the malware. The command-and-control (C&C) servers associated with Lumma Stealer were active in April, May, and June 2024, indicating an ongoing campaign. Lumma Stealer was installed on Windows machines, while Atomic Stealer (AMOS) was used on Macs. A unique loader, FakeBat, has been used to drop follow-up payloads such as Lumma Stealer. In October 2024, Check Point Research highlighted a significant rise in infostealer malware, with Lumma Stealer dominating its list of prevalent threats. Researchers from various companies reported this campaign in August and September. According to Sarah Jones, a cyber-threat intelligence research analyst at Critical Start, protecting against ongoing Lumma Stealer threats requires close collaboration between threat intelligence, security operations centers (SOCs), and incident-response teams. Given how rapidly threats like Lumma Stealer evolve, continuous monitoring, adaptation, and regular updating of detection rules, indicators of compromise, and security controls are crucial.
Description last updated: 2024-11-21T10:34:24.554Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so listed here are some possibly overlapping names and profiles that may also be worth looking at.
Alias (Votes): Description
Lumma (13 votes): Lumma is a possible alias for Lumma Stealer. Lumma is a malicious software (malware) that has been causing significant security concerns due to its ability to steal sensitive information. The malware was delivered to victims primarily through websites hosting cracked games, specifically targeting gamers. In August and September, researchers re
LummaC2 (4 votes): LummaC2 is a possible alias for Lumma Stealer. LummaC2 is a malicious software (malware) that was initially identified in Russian-speaking forums in 2022. The malware, written in C and distributed as Malware-as-a-Service (MaaS), has been actively developed over time, with researchers noting that LummaC2 4.0 operates as a dynamic malware strain.
Latrodectus (2 votes): Latrodectus is a possible alias for Lumma Stealer. Latrodectus, a harmful malware discovered in late 2023, has been gaining momentum among threat actors, with a significant increase in activity noted throughout February and March. This malicious software is being employed by initial access brokers (IABs) in email threat campaigns and uses MSI files
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Windows
Payload
Infostealer
Credentials
YouTube
MaaS
Domains
Exploit
PowerShell
Trojan
Android
Downloader
Infostealers
Phishing
Telegram
Cybercrime
Bot
RAT
Vulnerability
Infostealer ...
Chrome
FortiGuard
ESET
Sandbox
GitHub
Ransomware
Browser Exte...
Associated Malware
Alias (Association Type; Votes): Description
Redline (Unspecified; 5 votes): The Redline malware is associated with Lumma Stealer. RedLine is a type of malware, or malicious software, designed to exploit and damage computer systems. It infects systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for
Redline Stealer (Unspecified; 3 votes): The Redline Stealer malware is associated with Lumma Stealer. The RedLine Stealer is a formidable malware that specializes in stealthily stealing credentials and sensitive information. First documented in 2020, it has since evolved to use the Windows Communication Foundation (WCF) framework and later a REST API for network communication. This malware infects s
NetSupport (Unspecified; 3 votes): The NetSupport malware is associated with Lumma Stealer. NetSupport is a legitimate remote access software that has been repurposed as malware by various cybercriminal groups. It has been observed in several high-profile cyber-attacks, including the Royal ransomware attack and operations conducted by former ITG23 members. The malware can infiltrate system
NetSupport RAT (Unspecified; 3 votes): The NetSupport RAT malware is associated with Lumma Stealer. NetSupport RAT is a malicious software (malware) that poses a significant threat to organizational safety. The malware, which can be spread through suspicious downloads, emails, or websites, infiltrates systems without detection and has the potential to steal personal information, disrupt operations
Vidar (Unspecified; 3 votes): The Vidar malware is associated with Lumma Stealer. Vidar is a malicious software (malware) that primarily targets Windows systems, written in C++ and based on the Arkei stealer. It has historically been favored by threat actors who sell logs through marketplaces like 2easy, alongside other infostealers such as Raccoon, RedLine, and AZORult. The malw
AutoIt (Unspecified; 3 votes): The AutoIt malware is associated with Lumma Stealer. AutoIt is a type of malware, a malicious software designed to exploit and damage computers or devices. It infects systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, AutoIt can steal personal information, disrupt operations, or even hold data h
ClickFix (Unspecified; 2 votes): The ClickFix malware is associated with Lumma Stealer. ClickFix is a malicious software (malware) that has been actively exploiting computers and devices, primarily through fake WordPress plug-ins. The malware campaign leverages these bogus plug-ins to inject JavaScript that leads to ClickFix fake browser updates. These updates use blockchain and smart 
Amadey (Unspecified; 2 votes): The Amadey malware is associated with Lumma Stealer. Amadey is a malicious software (malware) that has been known since 2018 and is notorious for stealing credentials from popular browsers and various Virtual Network Computing (VNC) systems. The malware, which is often sold in underground forums, uses sophisticated techniques to infect systems, includ
Magecart (Unspecified; 2 votes): The Magecart malware is associated with Lumma Stealer. Magecart is a form of malware that targets e-commerce platforms by injecting malicious code to steal customer data. The malware can infect systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can disrupt operations and steal personal informat
Mozi (Unspecified; 2 votes): The Mozi malware is associated with Lumma Stealer. Mozi, a malicious software (malware), has been a significant force in the cyber threat landscape. This malware, known for exploiting outdated and vulnerable Internet of Things (IoT) devices, was responsible for 74% of all IoT attacks in 2021. The Mozi botnet, infamous for hijacking hundreds of thous
Rhadamanthys (Unspecified; 2 votes): The Rhadamanthys malware is associated with Lumma Stealer. Rhadamanthys is a sophisticated and notorious malware, known for its ability to steal sensitive information. It has been utilized by various threat actors, including nation-state entities such as Iran's Void Manticore and the pro-Palestine group "Handala." Its deployment often involves phishing tact
Associated Threat Actors
Alias (Association Type; Votes): Description
FIN7 (Unspecified; 2 votes): The FIN7 threat actor is associated with Lumma Stealer. FIN7, also known as Carbanak, Carbon Spider, Cobalt Group, and Navigator Group, is a notorious cybercrime group that has been active since 2012. The group is recognized for its advanced combination of malware and social engineering tactics, having executed numerous successful attacks against global 
Source Document References
Information about the Lumma Stealer malware was read from the documents corpus below. This display is limited to 20 results.
Source (Created)
Unit42 (21 hours ago)
Securityaffairs (2 days ago)
InfoSecurity-magazine (4 days ago)
Malware-traffic-analysis.net (8 days ago)
ESET (13 days ago)
Malware-traffic-analysis.net (14 days ago)
InfoSecurity-magazine (15 days ago)
InfoSecurity-magazine (23 days ago)
InfoSecurity-magazine (a month ago)
InfoSecurity-magazine (a month ago)
Malwarebytes (a month ago)
Securityaffairs (2 months ago)
InfoSecurity-magazine (2 months ago)
ESET (2 months ago)
Krebs on Security (2 months ago)
ESET (2 months ago)
InfoSecurity-magazine (2 months ago)
Securityaffairs (2 months ago)
Unit42 (2 months ago)
Flashpoint (3 months ago)