Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Law enforcement dismantled the infrastructure behind Lumma Stealer MaaS

Microsoft found 394,000 Windows systems talking to Lumma stealer controllers, a victim pool that included global manufacturers. A US court order, with Europol and Japan’s JC3 dismantled the Lumma Stealer malware operation, seizing 2,300 domains used for command-and-control and blocking dark web markets offering the infostealer. A US court order, with Europol and Japan’s JC3, […]

Lumma Stealer

Microsoft found 394,000 Windows systems talking to Lumma stealer controllers, a victim pool that included global manufacturers.

A US court order, with Europol and Japan’s JC3 dismantled the Lumma Stealer malware operation, seizing 2,300 domains used for command-and-control and blocking dark web markets offering the infostealer.

A US court order, with Europol and Japan’s JC3, dismantled Lumma Stealer’s infrastructure, seizing domains and control panels. Microsoft’s Digital Crimes Unit sinkholed over 1,300 domains to reroute victims to safe servers for analysis and cleanup.

“The Justice Department announced today the unsealing of two warrants authorizing the seizure of five internet domains used by malicious cyber actors to operate the LummaC2 information-stealing malware service.” reads the press release published by DoJ.

Lumma Stealer is a Malware-as-a-Service (MaaS) infostealer designed to steal sensitive data like passwords, credit card info, and crypto wallet keys. It infiltrates systems via phishing, malvertising, and malicious downloads. It can also deploy additional malware and evade detection.

The malware had infected over 394,000 Windows systems, including those of global manufacturers.

Microsoft observed Lumma Stealer’s rapid growth and sophistication as a MaaS used by financially motivated threat actors. Distributed via phishing, malvertising, and abuse of trusted platforms, Lumma targets browsers, wallets, and apps. Lumma’s flexibility and resilience highlight the evolving cybercrime landscape and the need for layered, collaborative defense efforts.

Microsoft tracks the developer of Lumma Stealer and its C2 infrastructure as threat actor Storm-2477. Ransomware groups like Octo Tempest, Storm-1607, Storm-1113, and Storm-1674 have used Lumma in their campaigns.

Lumma Stealer uses a layered C2 infrastructure with hardcoded tier 1 servers and fallback C2s via Telegram and Steam, all hidden behind Cloudflare. Telegram is prioritized, and Steam is used if others fail. Affiliates can pay for personal C2s. All communication is encrypted via HTTPS.

“Different types of obfuscation are applied to each set of C2 servers. For example, the hardcoded list of C2s, and including the Telegram fallback C2 URL are protected with ChaCha20 crypto, while the Steam profile fallback C2 URL is encrypted using custom stack-based crypto algorithm that can change on each version of Lumma malware.” states Microsoft. “We have identified up to six versions of Lumma Stealer, and while each of these versions focuses on improving techniques to evade antivirus detections, there are also several changes in the C2 communication protocol and formats such as the C2 domains, URI path, POST data, and others. The core Lumma malware stores the build date as part of the embedded configuration to keep track of improvements, but in our investigation, we tracked major changes using the labels “version 1” through “version 6”.”

The FBI and US CISA also released a joint advisory that includes tactics, techniques, and procedures (TTPs) associated with Lumma Stealer along with indicators of compromise (IOCs).

“Malware like LummaC2 is deployed to steal sensitive information such as user login credentials from millions of victims in order to facilitate a host of crimes, including fraudulent bank transfers and cryptocurrency theft,” said Matthew R. Galeotti, head of the Justice Department’s Criminal Division. “Today’s announcement demonstrates that the Justice Department is resolved to use court-ordered disruptions like this one to protect the public from the theft of their personal information and their assets. The Department is also committed to working with and appreciates the efforts of the private sector to safeguard the public from cybercrime.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, malware)