Lumma Stealer

Malware updated 3 days ago (2024-11-21T11:31:17.464Z)

Download STIX

Preview STIX

Lumma Stealer is a potent malware designed to exfiltrate information from compromised systems, including system details, web browsers, and browser extensions. The malware was primarily delivered to victims through websites hosting cracked games, specifically targeting gamers. In July 2024, it was discovered that the more than 250 million estimated players of the game "Hamster Kombat" were targeted and lured into downloading Lumma Stealer by multiple simultaneous scams. By leveraging legitimate software and utilizing deceptive delivery methods, Lumma Stealer presents a persistent challenge for security teams. The malicious PowerShell script that initiated the Lumma Stealer infection downloaded and executed an archive with the malware. The Command and Control (C&C) servers associated with Lumma Stealer were active in April, May, and June 2024, indicating an ongoing campaign. Lumma Stealer was installed on Windows machines, while Atomic Stealer (AMOS) was used on Macs. A unique loader, FakeBat, has been used to drop follow-up payloads such as Lumma Stealer. In October 2024, Check Point Research highlighted a significant rise in infostealer malware, with Lumma Stealer dominating the list of prevalent threats. Researchers from various companies reported this campaign in August and September. According to Sarah Jones, a cyber-threat intelligence research analyst at Critical Start, protecting against ongoing Lumma Stealer threats requires close collaboration between threat intelligence, security operations centers (SOCs), and incident-response teams. Continuous monitoring, adaptation, and regular updating of detection rules, indicators of compromise, and security controls are crucial given the rapid evolution of threats like Lumma Stealer.

Description last updated: 2024-11-21T10:34:24.554Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Lumma is a possible alias for Lumma Stealer. Lumma is a malicious software (malware) that has been causing significant security concerns due to its ability to steal sensitive information. The malware was delivered to victims primarily through websites hosting cracked games, specifically targeting gamers. In August and September, researchers re	11

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Payload

Youtube

Windows

Infostealer

Exploit

Downloader

Android

Phishing

Bot

Infostealer ...

Credentials

PowerShell

Trojan

Infostealers

Chrome

Rat

Vulnerability

Browser Exte...

Fortiguard

Sandbox

Maas

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Redline Malware is associated with Lumma Stealer. RedLine is a type of malware, a malicious software designed to exploit and damage computer systems. It often infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data for ransom. RedLine has been favored by threat actor	Unspecified	4
The Redline Stealer Malware is associated with Lumma Stealer. The RedLine Stealer is a formidable malware that specializes in stealthily stealing credentials and sensitive information. First documented in 2020, it has since evolved to use the Windows Communication Foundation (WCF) framework and later a REST API for network communication. This malware infects s	Unspecified	3
The Magecart Malware is associated with Lumma Stealer. Magecart is a form of malware that targets e-commerce platforms by injecting malicious code to steal customer data. The malware can infect systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can disrupt operations and steal personal informat	Unspecified	2
The Vidar Malware is associated with Lumma Stealer. Vidar is a malicious software (malware) that primarily targets Windows systems, written in C++ and based on the Arkei stealer. It has historically been favored by threat actors who sell logs through marketplaces like 2easy, alongside other infostealers such as Raccoon, RedLine, and AZORult. The malw	Unspecified	2
The Rhadamanthys Malware is associated with Lumma Stealer. Rhadamanthys is a sophisticated and notorious malware, known for its ability to steal sensitive information. It has been utilized by various threat actors, including nation-state entities such as Iran's Void Manticore and the pro-Palestine group "Handala." Its deployment often involves phishing tact	Unspecified	2
The Mozi Malware is associated with Lumma Stealer. Mozi, a malicious software (malware), has been a significant force in the cyber threat landscape. This malware, known for exploiting outdated and vulnerable Internet of Things (IoT) devices, was responsible for 74% of all IoT attacks in 2021. The Mozi botnet, infamous for hijacking hundreds of thous	Unspecified	2
The Netsupport Malware is associated with Lumma Stealer. NetSupport is a legitimate remote access software that has been repurposed as malware by various cybercriminal groups. It has been observed in several high-profile cyber-attacks, including the Royal ransomware attack and operations conducted by former ITG23 members. The malware can infiltrate system	Unspecified	2
The Netsupport Rat Malware is associated with Lumma Stealer. NetSupport RAT is a malicious software (malware) that poses a significant threat to organizational safety. The malware, which can be spread through suspicious downloads, emails, or websites, infiltrates systems without detection and has the potential to steal personal information, disrupt operations	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The FIN7 Threat Actor is associated with Lumma Stealer. FIN7, also known as Carbanak, Carbon Spider, Cobalt Group, and Navigator Group, is a notorious cybercrime group that has been active since 2012. The group is recognized for its advanced combination of malware and social engineering tactics, having executed numerous successful attacks against global	Unspecified	2

Source Document References

Information about the Lumma Stealer Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
InfoSecurity-magazine	2 days ago	Lumma Stealer Proliferation Fueled by Telegram Activity
Checkpoint	3 days ago	18th November – Threat Intelligence Report
Malwarebytes	3 days ago	Free AI editor lures in victims, installs information stealer instead on Windows and Mac \| Malwarebytes
Securelist	25 days ago	Lumma/Amadey: fake CAPTCHAs want to know if you’re human
Malwarebytes	12 days ago	Hello again, FakeBat: popular loader returns after months-long hiatus \| Malwarebytes
DARKReading	23 days ago	Facebook Businesses Targeted in Infostealer Phishing Campaign
DARKReading	a month ago	Tricky CAPTCHA Caught Dropping Lumma Stealer Malware
DARKReading	2 months ago	AI 'Nude Photo Generator' Delivers Infostealers, Not Images
BankInfoSecurity	2 months ago	Breach Roundup: AI 'Nudify' Sites Serve Malware
InfoSecurity-magazine	2 months ago	FIN7 Gang Hides Malware in AI “Deepnude” Sites
InfoSecurity-magazine	2 months ago	Malicious Ads Hide Infostealer in League of Legends ‘Download’
Krebs on Security	2 months ago	This Windows PowerShell Phish Has Scary Potential
InfoSecurity-magazine	3 months ago	Would-Be OnlyFans Hackers Targeted With Infostealer
CrowdStrike	3 months ago	Malicious Inauthentic Falcon Crash Reporter Installer Delivers Malware Named Ciro
DARKReading	4 months ago	Attackers Hijack Facebook Pages, Promote Malicious AI Photo Editor
DARKReading	4 months ago	'Stargazer Goblin' Amasses Rogue GitHub Accounts to Spread Malware
DARKReading	4 months ago	Hamster Kombat Players Threatened by Spyware & Infostealers
DARKReading	4 months ago	Cyberattackers Exploit Microsoft SmartScreen Bug in Stealer Campaign
ESET	4 months ago	The tap-estry of threats targeting Hamster Kombat players
Trend Micro	4 months ago	Social Media Malvertising Campaign Promotes Fake AI Editor Website for Credential Theft