ESET joined forces with Microsoft, BitSight, Lumen, Cloudflare, CleanDNS, and GMO Registry in a global effort to disrupt Lumma Stealer, a notorious malware-as-a-service (MaaS) infostealer. The operation aimed to disable the infrastructure of Lumma Stealer, including all known command and control (C&C) servers from the past year, effectively rendering the exfiltration network nonoperational.
Key points of the collaboration:
- ESET participated in a coordinated global operation to disrupt Lumma Stealer.
- ESET conducted technical analysis and extracted crucial data from tens of thousands of malware samples.
- An overview of the Lumma Stealer MaaS ecosystem was provided.
- Technical analysis and an overview of Lumma Stealer’s evolution were presented, highlighting key static and dynamic properties critical to the disruption effort.
ESET’s contribution to the disruption:
ESET’s automated systems processed thousands of Lumma Stealer samples to extract key elements such as C&C servers and affiliate identifiers. This enabled continuous monitoring of Lumma Stealer’s activity, tracking development updates, clustering affiliates, and more.
Infostealer malware like Lumma Stealer poses a significant threat as harvested credentials are valuable commodities in the cybercrime underground. The disruption effort aimed to prevent potential devastating attacks by disrupting Lumma Stealer’s operations.
Lumma Stealer developers actively maintained and updated the malware, including changes to encryption algorithms and network protocols. The shared exfiltration network infrastructure was regularly maintained, with thousands of unique C&C domains observed between June 2024 and May 2025.
Background on Lumma Stealer: - Lumma Stealer has become a prevalent infostealer in the cybercrime ecosystem over the past two years, offering its infrastructure as a service to affiliates.
- The malware operates on a subscription model, where affiliates pay monthly fees for access to the latest malware builds and network infrastructure for data exfiltration.
- Lumma Stealer’s operators created a Telegram marketplace for affiliates to sell stolen data directly, bypassing intermediaries.
- The malware is distributed through various methods, including phishing, cracked software, and other malware downloaders like SmokeLoader and DarkGate.
Technical analysis of Lumma Stealer:
- The malware samples contain static properties such as encrypted C&C domains, affiliate identifiers, and dynamic configuration options.
- The encryption methods for C&C domains evolved over time, with a transition to ChaCha20 encryption in January 2025.
- Dead-drop resolvers were introduced in Lumma Stealer builds since June 2024, providing backups for C&C communication.
Overall, the disruption effort against Lumma Stealer highlighted the ongoing evolution and threat posed by the malware, emphasizing the complexity of combating such sophisticated cyber threats. If Lumma Stealer does not receive a response from any C&C server in the static configuration, it will extract the backup C&C from a dummy Steam profile web page acting as a dead-drop resolver. The Steam profile URL is heavily protected in the binary, just like the version string. The encrypted backup C&C URL is set in the Steam profile name using a simple Caesar cipher (ROT11).
In February 2025, Lumma Stealer was updated to include a feature for obtaining a new primary C&C URL from a Telegram channel dead-drop resolver. The C&C URL is extracted from the Telegram channel’s title field and protected using the same algorithm as the Steam profile dead-drop resolver. The main difference between the Telegram and Steam profile dead-drop resolvers is that the Telegram option is tested first, with the Steam profile used as a last resort if communication with previously obtained C&C servers fails.
The Telegram dead-drop resolver may be available for higher tier subscriptions, as many samples do not have the Telegram URL set. Therefore, the malware skips this method in those cases.
Each Lumma Stealer sample contains a unique hardcoded affiliate identifier known as LID. Up until March 2025, the LID parameter followed a structured format delimited by two dashes. However, in early March 2025, Lumma Stealer transitioned to using hexadecimal identifiers known as UID.
In addition to the LID parameter, Lumma Stealer samples may also contain an optional parameter referred to as J. This parameter is in cleartext and formatted as a 32-byte ASCII hex string. The J parameter is used in the C&C request for dynamic configuration with additional definitions for exfiltration.
If the J parameter is missing in a Lumma Stealer sample, an empty string is used in the C&C request, and a default configuration is retrieved. The J parameter plays a crucial role when present, enabling the retrieval of a dynamic configuration that enhances the stealer’s capabilities.
Analysis of static properties indicates that the first segment of the LID identifies the affiliate, while the second segment differentiates between campaigns. Visualizations of affiliate activities have provided insights into the patterns and behaviors of different threat actors using Lumma Stealer.
Lumma Stealer retrieves a dynamic configuration from the C&C server, specifying what to scan for exfiltration. It focuses on stealing data from various sources, including web browsers, password managers, VPNs, cloud services, and more. The dynamic configuration is in JSON format and is downloaded using an HTTPS POST request with the LID identifier, optional J parameter, and a specific User-Agent string.
The protection of the dynamic configuration has changed over time, and currently uses ChaCha20 encryption. The User-Agent string is crucial for receiving the dynamic configuration correctly. In April 2025, Lumma Stealer introduced a new layer of obfuscation by encrypting JSON values using an 8-byte XOR function. This encrypted dynamic configuration is delivered when a slightly updated User-Agent string is specified. The dynamic configuration includes encryption of some values to enhance data security.
Aside from the dynamic configuration approach, Lumma Stealer samples still contain hardcoded instructions for exfiltrating files from various applications. This combination of dynamic and hardcoded configurations allows Lumma Stealer to collect a wide range of valuable data effectively.
Throughout the tracking period, all extracted C&C domains consistently led to Cloudflare services, which are used to conceal Lumma Stealer’s real C&C infrastructure. The mechanism for selecting an active C&C server is illustrated in a flow chart.
Lumma Stealer employs several anti-analysis obfuscation techniques to complicate the analysis process and evade detection. These techniques include indirect jump obfuscation, stack strings, and import API obfuscation.
The disruption operation, led by Microsoft, aims to seize all known Lumma Stealer C&C domains to render its exfiltration infrastructure nonfunctional. ESET will continue tracking other infostealers while monitoring Lumma Stealer activity following this operation.
For inquiries about the research published on WeLiveSecurity, contact threatintel@eset.com. ESET Research offers private APT intelligence reports and data feeds for further insights into cybersecurity threats. If you have any questions regarding this service, feel free to check out the ESET Threat Intelligence page.
IoCs
| SHA-1 | Filename | Detection | Description |
| — | — | — | — |
| 6F94CFAABB19491F2B8E719D74AD032D4BEB3F29 | AcroRd32.exe | Win32/Spy.Lumma Stealer.B | Lumma Stealer sample – Build 2024-06-27. |
| C5D3278284666863D7587F1B31B06F407C592AC4 | Notion.exe | Win32/Spy.Lumma Stealer.B | Lumma Stealer sample – Build 2024-07-14. |
| 5FA1EDC42ABB42D54D98FEE0D282DA453E200E99 | explorer.exe | Win32/Spy.Lumma Stealer.B | Lumma Stealer sample – Build 2024-08-08. |
| 0D744811CF41606DEB41596119EC7615FFEB0355 | aspnet_regiis.exe | Win32/Spy.Lumma Stealer.B | Lumma Stealer sample – Build 2024-08-25. |
| 2E3D4C2A7C68DE2DD31A8E0043D9CF7E7E20FDE1 | nslookup.exe | Win32/Spy.Lumma Stealer.B | Lumma Stealer sample – Build 2024-09-20. |
| 09734D99A278B3CF59FE82E96EE3019067AF2AC5 | nslookup.exe | Win32/Spy.Lumma Stealer.B | Lumma Stealer sample – Build 2024-10-04. |
| 1435D389C72A5855A5D6655D6299B4D7E78A0127 | BitLockerToGo.exe | Win32/Spy.Lumma Stealer.B | Lumma Stealer sample – Build 2024-11-09. |
| 2CCCEA9E1990D6BC7755CE5C3B9B0E4C9A8F0B59 | external.exe | Win32/Spy.Lumma Stealer.B | Lumma Stealer sample – Build 2024-12-23. |
| 658550E697D9499DB7821CBBBF59FFD39EB59053 | Wemod-Premium-Unlocker-2025 | MSIL/GenKryptik.HGWU | Lumma Stealer sample – Build 2025-01-18. |
| 070A001AC12139CC1238017D795A2B43AC52770D | khykuQw.exe | Win32/Kryptik.HYUC | Lumma Stealer sample – Build 2025-02-27. |
| 1FD806B1A0425340704F435CBF916B748801A387 | Start.exe | Win64/Injector.WR | Lumma Stealer sample – Build 2025-03-24. |
| F4840C887CAAFF0D5E073600AEC7C96099E32030 | loader.exe | Win64/Kryptik.FAZ | Lumma Stealer sample – Build 2025-04-15. |
| 8F58C4A16717176DFE3CD531C7E41BEF8CDF6CFE | Set-up.exe | Win32/Spy.Lumma Stealer.B | Lumma Stealer sample – Build 2025-04-23. |Network
For more information on the network details related to Lumma Stealer, please refer to the ESET Threat Intelligence page.
MITRE ATT&CK Techniques
The following table showcases the MITRE ATT&CK techniques used by Lumma Stealer operators:
| Tactic | ID | Name | Description |
| — | — | — | — |
| Resource Development | T1587.001 | Develop Capabilities: Malware | Lumma Stealer operators actively developed their malware as a product for their service. |
| Resource Development | T1583.001 | Acquire Infrastructure: Domains | Lumma Stealer operators registered domains for their exfiltration infrastructure. |
| Execution | T1059.003 | Command-Line Interface: Windows Command Shell | Lumma Stealer executes cmd.exe to delete temporary files. |
| … (continued) |Feel free to explore more details on the ESET Threat Intelligence page for a comprehensive understanding of Lumma Stealer and its operations. phrase in your own words:
"Actions speak louder than words."
"Actions show more about a person’s true intentions and beliefs than what they say."
