Lumma Stealer

Malware updated 7 months ago (2024-11-29T14:31:44.496Z)
Lumma Stealer is a potent malware designed to exfiltrate information from compromised systems, including system details, web browser data, and browser extensions. The malware was primarily delivered to victims through websites hosting cracked games, specifically targeting gamers. In July 2024, it was discovered that the estimated 250 million-plus players of the game "Hamster Kombat" were targeted and lured into downloading Lumma Stealer by multiple simultaneous scams. By abusing legitimate software and relying on deceptive delivery methods, Lumma Stealer presents a persistent challenge for security teams.

The malicious PowerShell script that initiated the Lumma Stealer infection downloaded and executed an archive containing the malware. The Command and Control (C&C) servers associated with Lumma Stealer were active in April, May, and June 2024, indicating an ongoing campaign. Lumma Stealer was installed on Windows machines, while Atomic Stealer (AMOS) was used on Macs. A unique loader, FakeBat, has been used to drop follow-up payloads such as Lumma Stealer. In October 2024, Check Point Research highlighted a significant rise in infostealer malware, with Lumma Stealer dominating the list of prevalent threats. Researchers from various companies reported this campaign in August and September.

According to Sarah Jones, a cyber-threat intelligence research analyst at Critical Start, protecting against ongoing Lumma Stealer threats requires close collaboration between threat intelligence, security operations centers (SOCs), and incident-response teams. Continuous monitoring, adaptation, and regular updating of detection rules, indicators of compromise, and security controls are crucial given the rapid evolution of threats like Lumma Stealer.
Description last updated: 2024-11-21T10:34:24.554Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias | Description | Votes
Lumma is a possible alias for Lumma Stealer. Lumma is a malicious software (malware) that has been causing significant security concerns due to its ability to steal sensitive information. The malware was delivered to victims primarily through websites hosting cracked games, specifically targeting gamers. In August and September, researchers re
Votes: 12
Lummac2 is a possible alias for Lumma Stealer. LummaC2 is a malicious software (malware) that was initially identified in Russian-speaking forums in 2022. The malware, written in C and distributed as Malware-as-a-Service (MaaS), has been actively developed over time, with researchers noting that LummaC2 4.0 operates as a dynamic malware strain.
Votes: 4
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Payload
Windows
Infostealer
Youtube
Credentials
Trojan
Exploit
Maas
Domains
PowerShell
Downloader
Infostealers
Android
Phishing
Telegram
Bot
Rat
Infostealer ...
Vulnerability
Cybercrime
Sandbox
Github
Ransomware
Chrome
Eset
Browser Exte...
Fortiguard
Associated Malware
Alias | Description | Association Type | Votes
The Redline Malware is associated with Lumma Stealer. RedLine is a type of malware, or malicious software, designed to exploit and damage computer systems. It infects systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for
Association type: Unspecified | Votes: 5
The Netsupport Rat Malware is associated with Lumma Stealer. NetSupport RAT is a malicious software (malware) that poses a significant threat to organizational safety. The malware, which can be spread through suspicious downloads, emails, or websites, infiltrates systems without detection and has the potential to steal personal information, disrupt operations
Association type: Unspecified | Votes: 3
The Vidar Malware is associated with Lumma Stealer. Vidar is a malicious software (malware) that primarily targets Windows systems, written in C++ and based on the Arkei stealer. It has historically been favored by threat actors who sell logs through marketplaces like 2easy, alongside other infostealers such as Raccoon, RedLine, and AZORult. The malw
Association type: Unspecified | Votes: 3
The Redline Stealer Malware is associated with Lumma Stealer. The RedLine Stealer is a formidable malware that specializes in stealthily stealing credentials and sensitive information. First documented in 2020, it has since evolved to use the Windows Communication Foundation (WCF) framework and later a REST API for network communication. This malware infects s
Association type: Unspecified | Votes: 3
The Autoit Malware is associated with Lumma Stealer. AutoIt is a type of malware, a malicious software designed to exploit and damage computers or devices. It infects systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, AutoIt can steal personal information, disrupt operations, or even hold data h
Association type: Unspecified | Votes: 2
The Magecart Malware is associated with Lumma Stealer. Magecart is a form of malware that targets e-commerce platforms by injecting malicious code to steal customer data. The malware can infect systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can disrupt operations and steal personal informat
Association type: Unspecified | Votes: 2
The Mozi Malware is associated with Lumma Stealer. Mozi, a malicious software (malware), has been a significant force in the cyber threat landscape. This malware, known for exploiting outdated and vulnerable Internet of Things (IoT) devices, was responsible for 74% of all IoT attacks in 2021. The Mozi botnet, infamous for hijacking hundreds of thous
Association type: Unspecified | Votes: 2
The Netsupport Malware is associated with Lumma Stealer. NetSupport is a legitimate remote access software that has been repurposed as malware by various cybercriminal groups. It has been observed in several high-profile cyber-attacks, including the Royal ransomware attack and operations conducted by former ITG23 members. The malware can infiltrate system
Association type: Unspecified | Votes: 2
The Amadey Malware is associated with Lumma Stealer. Amadey is a malicious software (malware) that has been known since 2018 and is notorious for stealing credentials from popular browsers and various Virtual Network Computing (VNC) systems. The malware, which is often sold in underground forums, uses sophisticated techniques to infect systems, includ
Association type: Unspecified | Votes: 2
The Rhadamanthys Malware is associated with Lumma Stealer. Rhadamanthys is a sophisticated and notorious malware, known for its ability to steal sensitive information. It has been utilized by various threat actors, including nation-state entities such as Iran's Void Manticore and the pro-Palestine group "Handala." Its deployment often involves phishing tact
Association type: Unspecified | Votes: 2
Associated Threat Actors
Alias | Description | Association Type | Votes
The FIN7 Threat Actor is associated with Lumma Stealer. FIN7, also known as Carbanak, Carbon Spider, Cobalt Group, and Navigator Group, is a notorious cybercrime group that has been active since 2012. The group is recognized for its advanced combination of malware and social engineering tactics, having executed numerous successful attacks against global
Association type: Unspecified | Votes: 2
Source Document References
Information about the Lumma Stealer Malware was read from the documents corpus below. This list is limited to 20 results.
Source | Created
InfoSecurity-magazine | 10 days ago
InfoSecurity-magazine | 12 days ago
Malwarebytes | 18 days ago
Securityaffairs | 20 days ago
InfoSecurity-magazine | 22 days ago
ESET | 22 days ago
Krebs on Security | 22 days ago
ESET | 22 days ago
InfoSecurity-magazine | 23 days ago
Securityaffairs | 23 days ago
Unit42 | a month ago
Flashpoint | 2 months ago
Securelist | 2 months ago
ESET | 2 months ago
Trend Micro | 3 months ago
InfoSecurity-magazine | 3 months ago
Securelist | 3 months ago
Malwarebytes | 3 months ago
Trend Micro | 3 months ago
Checkpoint | 3 months ago