Malware

Lumma

Author: Infinit3i & Deej1721

Start Date: 2022-08

Most Recent Activity: 2025-03-19

Executive Summary

LummaStealer, also known as LummaC2, is an information stealer offered through a malware-as-a-service model on Russian-speaking forums since at least August 2022. It is commonly delivered through phishing, fake CAPTCHA lures, malicious links, and staged payload chains. The primary impact is the theft and exfiltration of user credentials and other sensitive data to attacker-controlled command and control infrastructure.



Overview

Description

Type: Infostealer / Malware-as-a-Service

Delivery:
Phishing emails, phishing links, fake CAPTCHA pages, malicious downloads, staged follow-on payloads

Capabilities:
Credential theft, data staging, exfiltration, remote access enablement, file upload and execution, anti-analysis behavior

Notable Characteristics:
LummaStealer is commonly associated with multi-stage delivery chains and is often paired with loaders or memory-only payloads such as Peaklight. It is frequently observed in fake CAPTCHA and social engineering campaigns and is designed to collect and exfiltrate user and system data.



Attack Flow

Flow
Nmap → Email → Phishing Link → RDP → File Upload → Run Python Script (Data Staging) → Exfiltration → Remove Files
  • Adversary performs reconnaissance or host discovery
  • Phishing email or lure is delivered to the victim
  • Victim follows a phishing link or fake CAPTCHA workflow
  • Remote access or follow-on access is established through RDP or related means
  • Malicious files are uploaded to the target environment
  • Python or follow-on script is executed for staging collected data
  • Stolen data is exfiltrated to attacker-controlled infrastructure
  • Files or artifacts are removed to reduce forensic visibility


MITRE ATT&CK Techniques

MITRE ATT&CK


Mitigations

Mitigations
  • Endpoint Detection and Response: Implement advanced EDR with behavior-based detections and sandboxing for internet-downloaded executables
  • Multi-Factor Authentication: Enforce MFA across local, domain, default, and cloud accounts to reduce the value of stolen credentials
  • Security Awareness Training: Conduct regular training on phishing, fake CAPTCHA lures, and social engineering techniques
  • Email Security: Deploy robust email filtering to block phishing messages and malicious attachments
  • Execution Control: Apply strict software execution policies to block fake installers and unauthorized payload execution
  • Application Whitelisting: Allow only legitimate applications and scripts, including controls around mshta.exe abuse
  • Firewall and Egress Policy: Restrict or monitor outbound connections over ports 80 and 443 for suspicious processes such as mshta.exe where operationally feasible
  • IOC Blocking: Block known indicators of compromise from trusted intelligence sources
  • Conditional Access: Block logins from non-compliant devices or unauthorized geographies and IP ranges
  • Credential Hygiene: Eliminate default credentials, reduce password reuse, rotate SSH keys where applicable, and enforce strong credential policy
  • Account Auditing: Routinely audit domain and local accounts and permissions for unauthorized privileged access paths
  • Data Loss Prevention: Use DLP controls to detect and block sensitive data uploads through browsers and web services
  • Web Proxy Enforcement: Enforce external communication policy through proxies to prevent use of unauthorized services
  • Network Intrusion Detection and Prevention: Use network signatures and anomaly detection to identify adversary malware traffic and suspicious exfiltration patterns
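The egress control above (outbound 80/443 from mshta.exe) can be checked retrospectively against endpoint telemetry. The following is an added example, not part of the original profile: it runs simple detection logic over constructed, simplified key=value event lines modelled loosely on Sysmon Event ID 3 (network connection) records, and flags mshta.exe initiating connections on 80 or 443 to non-internal destinations. The log layout, the sample addresses (documentation ranges) and the helper names are assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample telemetry (not real IoCs): simplified key=value lines
# approximating Sysmon Event ID 3. Paths contain no spaces so a \S+ match works.
SAMPLE_LOGS = r"""
EventID=3 Image=C:\Windows\System32\mshta.exe DestinationIp=203.0.113.10 DestinationPort=443 Initiated=true
EventID=3 Image=C:\Windows\System32\mshta.exe DestinationIp=10.0.0.5 DestinationPort=445 Initiated=true
EventID=3 Image=C:\Windows\explorer.exe DestinationIp=203.0.113.10 DestinationPort=443 Initiated=true
EventID=3 Image=C:\Windows\System32\mshta.exe DestinationIp=198.51.100.7 DestinationPort=80 Initiated=true
EventID=3 Image=C:\Windows\System32\mshta.exe DestinationIp=198.51.100.7 DestinationPort=8080 Initiated=true
EventID=3 Image=C:\Windows\System32\mshta.exe DestinationIp=192.168.1.20 DestinationPort=443 Initiated=true
"""

WATCHED_IMAGES = {"mshta.exe"}   # living-off-the-land binary named in the mitigations
WATCHED_PORTS = {80, 443}        # common web egress ports used for C2 and exfiltration
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value line into a dict of string fields."""
    return dict(KV_RE.findall(line))


def is_internal(ip):
    """True when the destination falls inside RFC1918, loopback or link-local space."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def suspicious_egress(events):
    """Return initiated connections where a watched image reaches an external host on 80/443."""
    hits = []
    for ev in events:
        if ev.get("EventID") != "3" or ev.get("Initiated") != "true":
            continue
        image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        try:
            port = int(ev.get("DestinationPort", "0"))
            external = not is_internal(ev["DestinationIp"])
        except (ValueError, KeyError):
            continue  # malformed record: skip rather than crash the sweep
        if image in WATCHED_IMAGES and port in WATCHED_PORTS and external:
            hits.append(ev)
    return hits


def scan(log_text):
    """Parse a block of log text and return the alerting events."""
    return suspicious_egress(parse_event(l) for l in log_text.splitlines() if l.strip())


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"ALERT {hit['Image']} -> {hit['DestinationIp']}:{hit['DestinationPort']}")
```

Only the two mshta.exe connections to external hosts on 443 and 80 alert; the SMB connection, the non-watched port and the internal destination are filtered out.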


Detections

Indicators of Compromise (IOCs)

Detection Rules

Rule       View   Download
YARA       N/A    N/A
Sigma      N/A    N/A
Suricata   N/A    N/A
SPL        N/A    N/A

Research & References

References
This post is licensed under CC BY 4.0 by the author.