Lumma Stealer

 ( Spyware ) 

Lumma Stealer is an infostealer malware as a service program developed for Microsoft Windows.

---

Technical overview Lumma Stealer is distributed by affiliates via a number of campaigns including phishing emails, malicious advertisements posing as legitimate downloads, and compromised websites. It is frequently associated with fake CAPTCHA pages, which prompt the user to paste a command into the Run command. It steals data from a number of programs including web browsers, crypto wallets and chat applications, as well as user files. The exfiltrated data is sent to a number of hardcoded control servers, falling back to Telegram, Dropbox and Steam if the servers are unreachable.

Lumma Stealer employs advanced obfuscation techniques, and uses process hollowing to impersonate legitimate programs for the purposes of evading detection. It delays detonation until a sufficent amount of human-like activity has occurred. Instead of using Windows API, it performs direct System call.

---

History Lumma is believed to have first originated on cybercrime forums in 2022.

From March to May 2025, Microsoft identified 394,000 computers that were been infected with Lumma. In 2025, Lumma was the second most common sample uploaded to ANY.RUN, and the third on MalwareBazaar. In May 2025, Microsoft announced the seizure of 2,300 domains associated with Lumma through a vulnerability. While Lumma has continued their operation, it is believed that this may have damaged their reputation.

Post Comment