Lumma Stealer: Breaking down the delivery techniques and capabilities of a prolific infostealer

May 21, 2025 TH Author

Over the past year, Microsoft observed the persistent growth and operational sophistication of Lumma Stealer, an infostealer malware used by multiple financially motivated threat actors to target various industries. Our investigation into Lumma Stealer’s distribution infrastructure reveals a dynamic and resilient ecosystem that spans phishing, malvertising, abuse of trusted platforms, and traffic distribution systems. These findings underscore the importance of collaborative efforts to disrupt cybercrime. Microsoft, partnering with others across industry and international law enforcement, recently facilitated a disruption of Lumma infrastructure.

Lumma Stealer (also known as LummaC2) is a malware as a service (MaaS) offering that is capable of stealing data from various browsers and applications such as cryptocurrency wallets and installing other malware. Microsoft Threat Intelligence tracks the threat actor who developed and maintains the Lumma malware, command-and-control (C2) infrastructure, and the Lumma MaaS as Storm-2477. Affiliates who pay Storm-2477 for the service and operate their own Lumma campaigns access a panel to build the malware binary and manage the C2 communications and stolen information. We have observed ransomware threat actors like Octo Tempest, Storm-1607, Storm-1113, and Storm-1674 using Lumma Stealer in campaigns.

Unlike earlier infostealers that relied heavily on bulk spam or exploits, Lumma Stealer exemplifies a shift toward multi-vector delivery strategies. Its operators demonstrate resourcefulness and proficiency in impersonation tactics. The Lumma Stealer distribution infrastructure is flexible and adaptable. Operators continually refine their techniques, rotating malicious domains, exploiting ad networks, and leveraging legitimate cloud services to evade detection and maintain operational continuity. This dynamic structure enables operators to maximize the success of campaigns while complicating efforts to trace or dismantle their activities.

The growth and resilience of Lumma Stealer highlights the broader evolution of cybercrime and underscores the need for layered defenses and industry collaboration to counter threats. In this blog post, we share our analysis of Lumma Stealer and its infrastructure and provide guidance on how users and organizations can protect themselves from this threat. Microsoft remains committed to sharing insights, developing protections, and working with partners across industries to disrupt malicious ecosystems and safeguard users worldwide.

Heat map of Lumma Stealer infections around the world — *Figure 1. Heat map detailing global spread of Lumma Stealer malware infections and encounters across Windows devices.*

Lumma Stealer delivery techniques

Lumma Stealer leverages a broad and evolving set of delivery vectors. Campaigns often combine multiple techniques, dynamically adapting to evade detection and increase infection success rates. Delivery infrastructure is designed to be ephemeral, shifting rapidly across domains, platforms, and geographies to avoid takedowns.

Phishing emails: Lumma Stealer emails impersonate known brands and services to deliver links or attachments. These campaigns involve expertly crafted emails designed to evoke urgency, often masquerading as urgent hotel reservation confirmations or pending cancellations. The emails lead victims to cloned websites or malicious servers that deploy the Lumma payload to the targets’ environment.

Malvertising: Threat actors inject fake advertisements into search engine results, targeting software-related queries such as “Notepad++ download” or “Chrome update.” Clicking these poisoned links leads users to cloned websites that closely mimic legitimate vendors but instead deliver the Lumma Stealer.
Drive-by download on compromised websites: Threat actors were observed compromising groups of legitimate websites, typically through a particular vulnerability or misconfiguration. They modify site content by inserting malicious JavaScript. The JavaScript runs when sites are visited by unsuspecting users, leading to delivery of a payload, intermediary script, or displaying further lures to convince users to perform an action.
Trojanized applications: In many campaigns, cracked or pirated versions of legitimate applications are bundled with Lumma binaries and distributed through file-sharing platforms. These modified installers often contain no visible payload during installation, executing the malware silently post-launch.
Abuse of legitimate services and ClickFix: Public repositories like GitHub are abused and populated with scripts and binaries, often disguised as tools or utilities. A particularly deceptive method involves fake CAPTCHA pages, commonly observed in the ClickFix ecosystem. Targets are instructed to copy malicious commands into their system’s Run utility under the pretense of passing a verification check. These commands often download and execute Lumma directly in memory, using Base64 encoding and stealthy delivery chains.
Dropped by other malware: Microsoft Threat Intelligence observed other loaders and malware such as DanaBot delivering Lumma Stealer as an additional payload.

All these mechanisms reflect threat actor behavior that prioritizes abuse of user trust, manipulation of legitimate infrastructure, and multi-layered distribution chains designed to evade both technical and human defenses. The following sections discuss some examples of campaigns where the mentioned distribution methods were used to deliver Lumma Stealer.

Drive-by download campaign leveraging EtherHiding and ClickFix to deliver Lumma

In early April 2025, Microsoft observed a cluster of compromised websites leveraging EtherHiding and ClickFix techniques to install Lumma Stealer. EtherHiding is a technique that involves leveraging smart contracts on blockchain platforms like Binance Smart Chain (BSC) to host parts of malicious code. Traditional methods of blocking malicious code, such as IP or domain blocking or content-based detections, are less effective against EtherHiding because the code is embedded in the blockchain. Meanwhile, in the ClickFix technique, a threat actor attempts to take advantage of human problem-solving tendencies by displaying fake error messages or prompts that instruct target users to fix issues by copying, pasting, and launching commands that eventually result in the download of malware.

Attack flow diagram displaying the Lumma Stealer affiliate using the ClickFix technique to socially engineer users to ultimately download and deploy Lumma on their device, which exfiltrates targeted information to the attacker's C2 server. — *Figure 2. Attack flow for ClickFix to Lumma Stealer*

In this campaign, the JavaScript injected into compromised websites directly contacted BSC to retrieve the ClickFix code and lure, which was then presented to the target. Users needed to click the “I’m not a robot” prompt, at which point a command was copied into their clipboard. Users were then instructed to paste and launch this command via the Windows Run prompt. The command downloaded and initiated further code using mshta from check.foquh[.]icu.

Screenshot of a fake CAPTCHA on a compromised website stating "I'm not a robot" with a box for users to check — *Figure 3. Compromised website used EtherHiding and ClickFix techniques to present a fake CAPTCHA lure to visitors*

Screenshot of the injected JavaScript code — *Figure 4. Snippet of the injected JavaScript after Base64 decoding. It implements the EtherHiding technique and communicates with data-seed-prebsc-1-s1.bnbchain[.]org to fetch ClickFix code.*

Screenshot of the fake verification page with steps for the user to copy and paste a command that is malicious — Figure 5. This fake verification page is the final part of the ClickFix technique. It instructs users how to launch a malicious command. The command was silently copied into their clipboard during the previous step when they clicked “I’m not a robot”.

Email campaign targeting organizations in Canada to deliver Lumma Stealer

On April 7, 2025, Microsoft Threat Intelligence observed an email campaign consisting of thousands of emails targeting organizations in Canada. The emails used invoice lures for a fitness plan or an online education platform. The emails’ subject lines were personalized to include recipient-specific details such as “Invoice for [recipient email]”. Notably, the attack chain utilized multiple tools available for purchase on underground forums for traffic filtering and social engineering.

The emails contained URLs leading to the Prometheus traffic direction system (TDS) hosted on numerous compromised sites. The TDS in turn, redirected users to the attacker-controlled website binadata[.]com that hosted the ClickFix social engineering framework. Like the previous campaign, targets were instructed to click a “I’m not a robot” prompt and run malicious code via a multi-step process. The malicious code was an mshta command that downloaded and executed JavaScript from the IP address 185.147.125[.]174. The JavaScript ran a PowerShell command that downloaded more PowerShell code, which finally downloaded and launched a Lumma Stealer executable. Notably, Xworm malware was also bundled into this executable.

Diagram of the ClickFix attack flow depicting the Lumma Stealer affiliate redirecting users to the ClickFix framework. Users deploy Lumma Stealer and Xworm on their device, which exfiltrates targeted information to the attacker's C2 server. — *Figure 6. Attack flow for ClickFix leading to Lumma Stealer targeting users in Canada*

Screenshot of a fitness plan subscription themed email lure — *Figure 7. Fitness plan subscription themed email lure*

Screenshot of the ClickFix landing page requesting the user to prove whether they are a robot by following the instructions to launch a malicious command. — *Figure 8. Screenshot of the ClickFix landing after Prometheus TDS redirection*

Lumma Stealer malware analysis

The core Lumma Stealer malware is written in a combination of C++ and ASM. The malware author designed it as a MaaS offering. Threat actors can access the panel to build the malware binary and manage the C2 communications and stolen information. The core binary is obfuscated with advanced protection such as low-level virtual machine (LLVM core), Control Flow Flattening (CFF), Control Flow Obfuscation, customized stack decryption, huge stack variables, and dead codes, among others. These techniques are implemented on the critical functions to make static analysis difficult, as these can cause tools like Hex-Rays’ IDA fail to produce equivalent decompiled codes. In addition, most of the critical APIs are implemented via low-level syscalls and Heavens Gate Technology.

Lumma Stealer is designed to steal from browsers based on Chromium and Mozilla technology, including Microsoft Edge. In addition, it has the capability to install other malware or plugins, including Clipboard stealer plugin and coin miners, either by downloading to disk or directly in memory.

Process injection and process hollowing

Lumma loader may use process hollowing to inject its malicious payload into legitimate system processes like msbuild.exe, regasm.exe, regsvcs.exe, and explorer.exe. This technique enables execution under the guise of a trusted binary to bypass behavioral detection and endpoint monitoring tools.

Information-stealing capabilities

Lumma Stealer targets a comprehensive set of user data using a specialized collection routine for each type of data. These capabilities have evolved over time, and Microsoft Threat Intelligence has recently observed that the instructions for the target credentials are specified in the configuration file retrieved from the active C2 server. The configuration file is divided into several parts: the “ex” section that pertains to the target list of apps for cryptocurrency wallets and extensions, and “c” sections that pertain to the list of applications and configuration details for browsers, user file’s locations, and other applications.

Browser credentials and cookies: Lumma Stealer extracts saved passwords, session cookies, and autofill data from Chromium (including Edge), Mozilla, and Gecko-based browsers.
Cryptocurrency wallets and extensions: Lumma Stealer actively searches for wallet files, browser extensions, and local keys associated with wallets like MetaMask, Electrum, and Exodus.
Various applications: Lumma Stealer targets data from various virtual private networks (VPNs) (.ovpn), email clients, FTP clients, and Telegram applications.
User documents: Lumma Stealer harvests files found on the user profiles and other common directories, especially those with .pdf, .docx, or .rtf extensions.
System metadata: Lumma Stealer collects host telemetry such as CPU information, OS version, system locale, and installed applications for tailoring future exploits or profiling victims.

A screenshot of the malware configuration file — *Figure 9. Lumma Stealer configuration file*

C2 communication

Lumma Stealer maintains a robust C2 infrastructure, using a combination of hardcoded tier 1 C2s that are regularly updated and reordered, and fallback C2s hosted as Steam profiles and Telegram channels that also point to the tier 1 C2s. The Telegram C2, if available, is always checked first, while the Steam C2 is checked only when all the hardcoded C2s are not active. To further hide the real C2 servers, all the C2 servers are hidden behind the Cloudflare proxy.

While Lumma Stealer affiliates share the tier 1 C2s, there is a capability to add a personal tier 1 C2 domain for an extra cost. The diagram below shows an overview of the Lumma Stealer infrastructure. All traffic is encrypted by HTTPS.

A diagram of a diagram — *Figure 10. Lumma Stealer C2 communication*

Different types of obfuscation are applied to each set of C2 servers. For example, the hardcoded list of C2s, and including the Telegram fallback C2 URL are protected with ChaCha20 crypto, while the Steam profile fallback C2 URL is encrypted using custom stack-based crypto algorithm that can change on each version of Lumma malware.

We have identified up to six versions of Lumma Stealer, and while each of these versions focuses on improving techniques to evade antivirus detections, there are also several changes in the C2 communication protocol and formats such as the C2 domains, URI path, POST data, and others. The core Lumma malware stores the build date as part of the embedded configuration to keep track of improvements, but in our investigation, we tracked major changes using the labels “version 1” through “version 6”.

Lumma Stealer keeps track of the active C2 for sending the succeeding commands. Each command is sent to a single C2 domain that is active at that point. In addition, each C2 command contains one or more C2 parameters specified as part of the POST data as form data. The parameters are:

act: Indicates the C2 command. Note: This C2 parameter no longer exists in Lumma version 6.
ver: Indicates C2 protocol version. This value is always set to 4.0 and has never changed since the first version Lumma.
lid (for version 5 and below)/uid (for version 6): This ID identifies the Lumma client/operator and its campaign.
j (for version 5 and below )/cid (for version 6): This is an optional field that identifies additional Lumma features.
hwid: Indicates the unique identifier for the victim machine.
pid: Used in SEND_MESSAGE command to identify the source of the stolen data. A value of 1, indicates it came from the Lumma core process.

The following are some of the most common Lumma Stealer C2 commands and associated parameters:

PING / LIFE: Initial command to check if the C2 is active. Note: This command does not exist in version 6.
RECEIVE_MESSAGE: Command to download the stealer’s configuration. As noted above, this contains the specifications on the list of targets.
- version 3 and below: act=recive_message&ver=4.0&lid=[<lid_value>]&j=[<j_value>]
- version 4 and 5: act=receive_message&ver=4.0&lid=[<lid_value>]&j=[<j_value>]
- version 6: uid=<uid_value>&cid=[<cid_value>]
SEND_MESSAGE: Command to send back stolen data in chunks. The C2 parameters are specified as individual section in the whole POST data. The fields included are act=send_message, hwid, pid, lid/uid, and j/cid. The act field was removed in version 6.
GET_MESSAGE: Command to download the second configuration. This configuration contains information about the plugins and additional malware to install on the target systems. We have observed that in most cases this command will respond with valid but empty records “[]”, meaning nothing to download. So far, we have observed Lumma Stealer installing an updated version of the Clipboard stealer plugin and coin miners.
- versions 5 and below: act=get_message&ver=4.0&lid=[<lid_value>]&j=[<j_value>]&hwid=<hwid_value>
- version 6: uid=<uid_value>&cid=[<cid_value>]&hwid=<hwid_value>

Microsoft Digital Crimes Unit (DCU) engineered tools that identify and map the Lumma Stealer C2 infrastructure. As part of the disruption announced on May 21, Microsoft’s DCU has facilitated the takedown, suspension, and blocking of approximately 2,300 malicious domains that formed the backbone of the Lumma Stealer infrastructure. More details of this operation are presented in the DCU disruption announcement.

Recommendations

Microsoft Threat Intelligence recommends the following mitigations to reduce the impact of this threat.

Strengthen Microsoft Defender for Endpoint configuration

Ensure that tamper protection is enabled in Microsoft Defender for Endpoint.
Enable network protection in Microsoft Defender for Endpoint.
Turn on web protection.
Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
Configure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint take immediate action on alerts to resolve breaches, significantly reducing alert volume.
Microsoft Defender XDR customers can turn on the following attack surface reduction rules to prevent common attack techniques used by threat actors.
- Block executable files from running unless they meet a prevalence, age, or trusted list criterion
- Block execution of potentially obfuscated scripts
- Block JavaScript or VBScript from launching downloaded executable content
- Block process creations originating from PSExec and WMI commands
- Block credential stealing from the Windows local security authority subsystem
- Block use of copied or impersonated system tools

Strengthen operating environment configuration

Require multifactor authentication (MFA). While certain attacks such as adversary-in-the-middle (AiTM) phishing attempt to circumvent MFA, implementation of MFA remains an essential pillar in identity security and is highly effective at stopping a variety of threats.
Leverage phishing-resistant authentication methods such as FIDO Tokens, or Microsoft Authenticator with passkey. Avoid telephony-based MFA methods to avoid risks associated with SIM-jacking.
Implement Entra ID Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.
Encourage users to use Microsoft Edge with Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
Enable Network Level Authentication for Remote Desktop Service connections.
Enable Local Security Authority (LSA) protection to block credential stealing from the Windows local security authority subsystem.
AppLocker can restrict specific software tools prohibited within the organization, such as reconnaissance, fingerprinting, and RMM tools, or grant access to only specific users.

Detection details

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects this threat as the following malware:

Microsoft Defender for Endpoint

The following Microsoft Defender for Endpoint alerts might also indicate threat activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity:

Suspicious command in RunMRU registry
Possible Lumma Stealer activity
Information stealing malware activity
Suspicious PowerShell command line
Use of living-off-the-land binary to run malicious code
Possible theft of passwords and other sensitive web browser information
Suspicious DPAPI Activity
Suspicious mshta process launched
Renamed AutoIt tool
Suspicious phishing activity detected
Suspicious implant process from a known emerging threat
A process was injected with potentially malicious code
Process hollowing detected
Suspicious PowerShell download or encoded command execution
A process was launched on a hidden desktop

Microsoft Defender for Office 365

Microsoft Defender for Office 365 identifies and blocks malicious emails. These alerts, however, can also be triggered by unrelated threat activity:

A potentially malicious URL click was detected
Email messages containing malicious URL removed after delivery
Email messages removed after delivery
A user clicked through to a potentially malicious URL
Suspicious email sending patterns detected
Email reported by user as malware or phish

Defender for Office 365 also detects and blocks Prometheus TDS, EtherHiding patterns, ClickFix landing pages.

Microsoft Security Copilot

Security Copilot customers can use the standalone experience to create their own prompts or run the following pre-built promptbooks to automate incident response or investigation tasks related to this threat:

Incident investigation
Microsoft User analysis
Threat actor profile
Threat Intelligence 360 report based on MDTI article
Vulnerability impact assessment

Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender Threat Intelligence

Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.

Hunting queries

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following query to find related activity in their networks:

ClickFix commands execution

Identify ClickFix commands execution.

DeviceRegistryEvents
| where ActionType =~ "RegistryValueSet"
| where InitiatingProcessFileName =~ "explorer.exe"
| where RegistryKey has @"\CurrentVersion\Explorer\RunMRU"
| where RegistryValueData has "✅" or (RegistryValueData has_any ("powershell", "mshta", "curl", "msiexec", "^") and RegistryValueData matches regex "[\u0400-\u04FF\u0370-\u03FF\u0590-\u05FF\u0600-\u06FF\u0E00-\u0E7F\u2C80-\u2CFF\u13A0-\u13FF\u0530-\u058F\u10A0-\u10FF\u0900-\u097F]") or (RegistryValueData has "mshta" and RegistryValueName !~ "MRUList" and RegistryValueData !in~ ("mshta.exe\\1", "mshta\\1")) or (RegistryValueData has_any ("bitsadmin", "forfiles", "ProxyCommand=") and RegistryValueName !~ "MRUList") or ((RegistryValueData startswith "cmd" or RegistryValueData startswith "powershell") and (RegistryValueData has_any ("-W Hidden ", " -eC ", "curl", "E:jscript", "ssh", "Invoke-Expression", "UtcNow", "Floor", "DownloadString", "DownloadFile", "FromBase64String", "System.IO.Compression", "System.IO.MemoryStream", "iex", "Invoke-WebRequest", "iwr", "Get-ADDomainController", "InstallProduct", "-w h", "-X POST", "Invoke-RestMethod", "-NoP -W", ".InVOKe", "-useb", "irm ", "^", "[char]", "[scriptblock]", "-UserAgent", "UseBasicParsing", ".Content") or RegistryValueData matches regex @"[-/–][Ee^]{1,2}[NnCcOoDdEeMmAa^]*\s[A-Za-z0-9+/=]{15,}"))

DPAPI decryption via AutoIT or .NET Framework processes

Identify DPAPI decryption activity originating from AutoIT scripts .NET Framework processes.

DeviceEvents
| where ActionType == "DpapiAccessed"
| where InitiatingProcessVersionInfoInternalFileName == "AutoIt3.exe" or InitiatingProcessImageFilePath has "\\windows\\microsoft.net\\framework\\" or InitiatingProcessFileName =~ "powershell.exe"
| where (AdditionalFields has_any("Google Chrome", "Microsoft Edge") and AdditionalFields has_any("SPCryptUnprotect"))
| extend json = parse_json(AdditionalFields)
| extend dataDesp = tostring(json.DataDescription.PropertyValue)
| extend opType = tostring(json.OperationType.PropertyValue)
| where dataDesp in~ ("Google Chrome", "Microsoft Edge", "Chromium", "Opera", "Opera GX", "IMAP Password", "Brave Browser", "AVG Secure Browser") and opType =~ "SPCryptUnprotect"
| project Timestamp, ReportId, DeviceId, ActionType, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessVersionInfoInternalFileName, InitiatingProcessCommandLine, AdditionalFields, dataDesp, opType

Sensitive browser file access via AutoIT or .NET Framework processes

Identify .NET Framework processes (such as RegAsm.exe, MSBuild.exe, etc.) accessing sensitive browser files.

let browserDirs = pack_array(@"\Google\Chrome\User Data\", @"\Microsoft\Edge\User Data\", @"\Mozilla\Firefox\Profiles\"); let browserSensitiveFiles = pack_array("Web Data", "Login Data", "key4.db", "formhistory.sqlite", "cookies.sqlite", "logins.json", "places.sqlite", "cert9.db");
DeviceEvents
| where AdditionalFields has_any ("FileOpenSource") // Filter for "File Open" events.
| where InitiatingProcessVersionInfoInternalFileName == "AutoIt3.exe" or InitiatingProcessImageFilePath has "\\windows\\microsoft.net\\framework\\" or InitiatingProcessFileName =~ "powershell.exe"
| where (AdditionalFields has_any(browserDirs) or AdditionalFields has_any(browserSensitiveFiles)) | extend json = parse_json(AdditionalFields)
| extend File_Name = tostring(json.FileName.PropertyValue)
| where (File_Name has_any (browserDirs) and File_Name has_any (browserSensitiveFiles))
| project Timestamp, ReportId, DeviceId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessVersionInfoInternalFileName, InitiatingProcessCommandLine, File_Name

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, on X (formerly Twitter) at https://x.com/MsftSecIntel, and Bluesky at https://bsky.app/profile/threatintel.microsoft.com.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.