Lumma Stealer: A Growing Threat in the Malware-as-a-Service Landscape
Understanding MaaS and Info-Stealers
Malware-as-a-Service (MaaS) has simplified cybercrime by offering low-cost, plug-and-play tools for aspiring threat actors. One prominent category within this model is information stealers—malware designed to harvest sensitive user data such as login credentials, credit card information, and crypto wallet details.
What is Lumma Stealer?
Lumma, also known as LummaC2, is a subscription-based info-stealer that emerged in 2022. Marketed through dark web forums and Telegram, it has become increasingly popular for its effectiveness in compromising devices and exfiltrating data. For as little as $250, cybercriminals can gain access to its powerful data theft capabilities.
Lumma is tailored to target Windows systems (Windows 7–11). It harvests data from major web browsers (Chrome, Firefox) and from crypto tools such as MetaMask, Authenticator, Binance, and Ethereum wallets. It also targets software like AnyDesk and KeePass, extracting login data, session cookies, credit card numbers, and system information.
How Lumma Operates
Typically delivered through trojanized software or phishing emails, Lumma disguises itself as popular applications like VLC or ChatGPT. Once installed, it initiates data theft and communicates with its command-and-control (C2) servers using HTTP POST requests. One recurring behavior seen in compromised devices is the use of the “TeslaBrowser/5.5” user agent and the URI path “/c2sock”.
Darktrace, a cybersecurity firm, has monitored Lumma activity across several clients, detecting its operations through behavioral anomalies rather than traditional threat signatures. This includes identifying unfamiliar outbound connections and new user agents used by infected devices.
In one case, Darktrace flagged an infected device connecting to a known Lumma C2 server. A deeper probe revealed access to a Russian control panel interface, confirming the malware’s operations. Other malicious software (Raccoon, Vidar, and RedLine) was also detected around the same time, pointing to a broader campaign likely coordinated by traffer teams: organized cybercriminal groups that specialize in stealing credentials.
The Bigger Picture
Lumma’s success underscores the increasing accessibility of advanced malware through MaaS platforms. Even attackers with minimal technical knowledge can now deploy effective info-stealers, posing a serious risk to individuals and organizations alike. The rise of Lumma and similar tools highlights the need for dynamic, behavior-based security solutions that can detect novel threats without relying on static indicators.
