A global law enforcement operation supported by Microsoft Corp. today disrupted the infrastructure behind Lumma, a prominent malware-as-a-service tool responsible for widespread information theft.
The takedown, at least for now, of Lumma was coordinated by the U.S. Department of Justice and resulted in the seizure of domains used to distribute Lumma, which had allowed cybercriminals to steal sensitive data from millions of individuals and organizations around the world.
Lumma first emerged in December 2022 and quickly grew in popularity among cybercriminals thanks to its affordability, modular design and ease of deployment. Marketed on underground forums with subscription tiers ranging from $250 to $20,000, Lumma allowed even low-skilled threat actors to launch sophisticated attacks.
The malware targeted a wide array of data, including browser credentials, cryptocurrency wallets and session tokens from platforms like Discord and Steam. Its distribution methods were varied, including phishing emails, fake software installers and malicious advertisements.
As noted in News’s previous coverage in November 2023, the then-current version of Lumma, LummaC2 v4.0, introduced advanced evasion techniques, such as trigonometry-based anti-sandbox mechanisms, to detect human-like mouse movements and avoid automated analysis environments.
Beyond its anti-sandbox capabilities, LummaC2 v4.0 incorporated several obfuscation strategies to hinder detection and analysis, such as control flow flattening, which disrupts the program’s natural execution path and XOR encryption of strings to conceal malicious code. The malware also utilized dynamic configuration files retrieved from command-and-control servers, encoded in Base64 and further obfuscated, allowing real-time updates to its behavior.
“The coordinated takedown of Lumma Stealer’s infrastructure marks a pivotal moment in combating the proliferation of malware-as-a-service platforms,” Ensar Seker, chief information security officer at extended threat inteligence provider SOCRadar Cyber Threat Intelligence Inc., told News via email. “Lumma Stealer, also known as LummaC2, has been a formidable tool in the cybercriminal arsenal, facilitating the theft of sensitive data, including credentials, financial information and cryptocurrency wallets from nearly 400,000 Windows systems globally between March and May 2025.”
Though it’s admirable that law enforcement and Microsoft have targeted Lumma, it’s not if, but when, those behind the malware return. Takedowns like these are nearly always like a game of Whac-A-Mole — take one malware provider out and then new groups and derivatives, often using the same malware code, appear.
That’s a sentiment shared by Rhys Downing, threat researcher at managed detection and response company Ontinue AG, who noted that “Lumma’s tactics and infrastructure are highly adaptive.” Although takedowns are impactful, he added, “threat actors often respond quickly with rebrands, new delivery methods and rebuilt infrastructure.”
Image: News/Reve
Your vote of support is important to us and it helps us keep the content FREE.
One click below supports our mission to provide free, deep, and relevant content.
Join our community on YouTube
Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.
THANK YOU
