LUMMA STEALER (LUMMAC2) – SIGNIFICANT INFO-STEALING MALWARE THREAT

Risk: high
Damage: high
Platform(s): Microsoft® Windows OS
Advisory ID: ngCERT-2025-0500012
Version: N/A
CVE: N/A
Published: May 27, 2025

Summary


Lumma Stealer (also known as LummaC2) is a potent and widely distributed information-stealing malware targeting Windows systems. Operated as Malware-as-a-Service (MaaS) via illicit cybercrime markets, it was recently disrupted by Microsoft in response to its escalating threat profile. Lumma Stealer poses a high risk due to its commercial availability, sophisticated evasion, broad data theft capabilities, and network propagation. Its recent disruption highlights active law enforcement attention, but residual infections and potential re-emergence remain concerns. ngCERT urges organizations to reassess their security measures and implement strategies to mitigate infection risks.

Description & Consequence


Lumma Stealer is a fast-spreading information-stealing malware distributed via underground forums as Malware-as-a-Service (MaaS). It targets Microsoft Windows (MS-Windows) systems through phishing emails, malicious downloads, or cracked software. Once installed, it enables cybercriminals to remotely steal data.

  1. Infection Vectors: Primarily spreads through phishing emails, malicious advertisements (malvertising), pirated software, and cracked games. Installs silently, functioning as a backdoor.
  2. Data Theft: Actively steals sensitive information including:
    • Login credentials (browsers, applications)
    • Financial data (banking details, cards)
    • Cryptocurrency wallet information
    • Browser cookies & session data
    • Other confidential files
  3. Persistence & Evasion: Employs advanced techniques like code injection and encrypted communication with Command-and-Control (C2) servers to evade detection.
  4. Lateral Movement: Capable of spreading within compromised networks, amplifying damage.
  5. Monetisation: Stolen data is typically sold on dark web markets or used directly for financial fraud and identity theft.

Lumma Stealer poses a high risk due to its commercial availability, sophisticated evasion, broad data theft capabilities, and network propagation.

Solution


The following mitigations should be considered:

  1. User Awareness: Train staff/users to identify phishing attempts and avoid downloading pirated/cracked software.
  2. Endpoint Protection: Ensure robust, updated anti-malware solutions with behavioral detection capabilities.
  3. Network Monitoring: Implement monitoring for suspicious outbound traffic (C2 communication) and lateral movement attempts.
  4. Patch Management: Keep all systems and software rigorously updated.
  5. Least Privilege: Enforce strict access controls to limit the impact of lateral movement.

Assessment: Lumma Stealer represents a significant, ongoing threat to organizational and personal data security that requires vigilant defensive measures.
