Microsoft and global law enforcement agencies on Wednesday announced the takedown of the ‘Lumma Stealer’ malware operation, seizing 2,300 domains that formed the infostealer’s command-and-control backbone and blocking the dark web markets that offered it for rent.
The coordinated strike, powered by a US court order and executed with Europol and Japan’s Cybercrime Control Center (JC3), effectively destroys the infrastructure that let the notorious infostealer vacuum up passwords, credit card numbers and cryptocurrency wallet keys for cybercriminals.
Along with the domain seizures, the US Justice Department took down Lumma’s central control panel while Europol and JC3 chased residual servers in Europe and Asia.
Microsoft said its Digital Crimes Unit has sinkholed more than 1,300 of the captured domains, redirecting infected machines’ traffic to Microsoft-controlled servers so defenders can study it, identify victims and help disinfect compromised systems.
According to the world’s largest software maker, infected Windows machines are plentiful. Over a 60-day window that ended earlier this month, Redmond’s threat hunters spotted more than 394,000 Windows systems talking to Lumma controllers, a victim pool that stretched from small schools to global manufacturers.
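Once the seized domains are sinkholed, the machines still beaconing to them show up in a network’s own DNS logs. The script below is an added example, not code from the article or from Microsoft’s Digital Crimes Unit: it hunts a DNS query log for hosts resolving seized or sinkholed C2 domains and summarizes first seen, last seen and query count per host. The article does not publish the seized domains, so the IOC list and the log lines here are constructed placeholders under the reserved .invalid TLD, and the log format is an assumed one-query-per-line layout.

```python
"""Hunt DNS query logs for hosts still resolving seized / sinkholed C2 domains."""
from collections import defaultdict
from datetime import datetime

# Hypothetical IOC list: the seized Lumma domains are not given on this page,
# so these are constructed placeholders under the reserved .invalid TLD.
SINKHOLED_DOMAINS = {
    "c2-seized-1.invalid",
    "c2-seized-2.invalid",
}

# Constructed DNS query log (assumed layout), one query per line:
# <ISO timestamp> <client IP> <hostname> <query name> <record type>
SAMPLE_DNS_LOG = """\
2025-05-20T08:01:12Z 10.20.4.17 WS-FIN-03 update.microsoft.com A
2025-05-20T08:01:15Z 10.20.4.17 WS-FIN-03 gate.c2-seized-1.invalid A
2025-05-20T08:03:41Z 10.20.9.88 WS-HR-11 c2-seized-2.invalid A
2025-05-20T08:05:02Z 10.20.4.17 WS-FIN-03 gate.c2-seized-1.invalid A
2025-05-20T08:07:30Z 10.20.6.50 LAB-PC-02 notc2-seized-1.invalid A
"""


def domain_matches(qname, iocs):
    """True if qname equals an IOC domain or is a subdomain of one.

    The comparison is label-aware, so 'notc2-seized-1.invalid' does not
    match 'c2-seized-1.invalid' (a plain endswith() check would).
    """
    qname = qname.rstrip(".").lower()
    return any(qname == d or qname.endswith("." + d) for d in iocs)


def find_beaconing_hosts(log_text, iocs=SINKHOLED_DOMAINS):
    """Return {hostname: [(timestamp, qname), ...]} for hosts whose queries hit an IOC."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _client_ip, host, qname, _qtype = line.split()
        if domain_matches(qname, iocs):
            when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
            hits[host].append((when, qname))
    return dict(hits)


def summarize(hits):
    """Collapse per-host hits into a triage view: count, first/last seen, domains."""
    summary = {}
    for host, events in hits.items():
        times = [t for t, _ in events]
        summary[host] = {
            "count": len(events),
            "first_seen": min(times).isoformat(),
            "last_seen": max(times).isoformat(),
            "domains": sorted({q for _, q in events}),
        }
    return summary


if __name__ == "__main__":
    for host, info in summarize(find_beaconing_hosts(SAMPLE_DNS_LOG)).items():
        print(host, info)
```

A resolution of a sinkholed domain now answers with Microsoft’s server rather than the criminals’, but that does not make the host clean: the stealer binary is still present and has likely already exfiltrated credentials, so every flagged machine should be reimaged and every password, cookie-backed session and wallet it held should be rotated.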
Microsoft’s threat intel team described Lumma as a cut-price malware-as-a-service package that appeared on Russian-language forums as far back as 2022. The operation included paid subscriptions for cybercriminals to generate custom binaries in a slick web panel and point them at targets via spear-phishing, malvertising and drive-by downloads.
The malware steals everything from saved credentials, cookies and autofill data in Chromium-based browsers (including Edge) and Gecko-based browsers such as Firefox, to locally stored cryptocurrency wallet keys.
“Lumma Stealer actively searches for wallet files, browser extensions, and local keys associated with wallets like MetaMask, Electrum, and Exodus,” Microsoft warned, noting that data from VPN clients (.ovpn configuration files), email clients, FTP clients and Telegram is also harvested.
The malware also collects files found in user profile and other common directories (especially those with .pdf, .docx or .rtf extensions) and gathers system metadata such as CPU information, OS version, system locale and installed applications, which operators use to profile victims and tailor follow-on attacks.
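The collection targets listed above are also what a defender can watch. The script below is an added example, not code from the article or from Microsoft: it runs a simple infostealer heuristic over file-access telemetry (the kind Windows object-access audits or an EDR file-read feed produce), flagging any process that reads browser credential stores, wallet data, .ovpn files, Telegram data or FTP client configs without being the application that legitimately owns them, and raising severity when one process touches several of these categories. The path patterns are the usual Windows locations for these applications (assumed), the owner lists are assumptions, and the event records are constructed.

```python
"""Flag processes that read infostealer targets but are not their legitimate owners."""
import re
from collections import defaultdict

# Usual Windows locations for the data categories the stealer goes after (assumed).
CATEGORY_PATTERNS = {
    "browser_secrets": re.compile(
        r"\\(Login Data|Cookies|Web Data|logins\.json|key4\.db|cookies\.sqlite)$", re.I),
    "wallet": re.compile(
        r"\\(Local Extension Settings\\|Electrum\\wallets\\|Exodus\\exodus\.wallet\\)", re.I),
    "vpn_config": re.compile(r"\.ovpn$", re.I),
    "telegram": re.compile(r"\\Telegram Desktop\\tdata\\", re.I),
    "ftp_client": re.compile(r"\\FileZilla\\(sitemanager|recentservers)\.xml$", re.I),
}

# Processes expected to read each category (assumed allowlist; tune per estate).
EXPECTED_OWNERS = {
    "browser_secrets": {"chrome.exe", "msedge.exe", "firefox.exe"},
    "wallet": {"chrome.exe", "msedge.exe", "firefox.exe", "electrum.exe", "exodus.exe"},
    "vpn_config": {"openvpn.exe", "openvpn-gui.exe"},
    "telegram": {"telegram.exe"},
    "ftp_client": {"filezilla.exe"},
}

# Constructed file-read events: one legitimate browser, one legitimate Firefox,
# and an unsigned binary running from %TEMP% sweeping several categories.
TEMP_BIN = r"C:\Users\alice\AppData\Local\Temp\setup_x64.exe"
SAMPLE_EVENTS = [
    {"time": "08:10:01", "pid": 4120, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"time": "08:12:44", "pid": 5010, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\logins.json"},
    {"time": "08:15:02", "pid": 7788, "image": TEMP_BIN,
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"time": "08:15:02", "pid": 7788, "image": TEMP_BIN,
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"time": "08:15:03", "pid": 7788, "image": TEMP_BIN,
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abc\000003.log"},
    {"time": "08:15:04", "pid": 7788, "image": TEMP_BIN,
     "path": r"C:\Users\alice\OpenVPN\config\office.ovpn"},
    {"time": "08:15:05", "pid": 7788, "image": TEMP_BIN,
     "path": r"C:\Users\alice\AppData\Roaming\Telegram Desktop\tdata\D877F783D5D3EF8C\map0"},
    {"time": "08:16:00", "pid": 9001, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "path": r"C:\Users\alice\Documents\report.docx"},  # documents are too noisy to key on
]


def categorize(path):
    """Map a file path to a secret category, or None if it is not a known target."""
    for name, pattern in CATEGORY_PATTERNS.items():
        if pattern.search(path):
            return name
    return None


def analyze(events):
    """Return {(pid, image_basename): finding} for processes reading secrets they don't own.

    A finding lists the categories touched, the reasons, and a severity that is
    'high' when one process sweeps two or more categories (classic stealer breadth).
    """
    per_proc = defaultdict(lambda: {"categories": set(), "paths": []})
    for ev in events:
        category = categorize(ev["path"])
        if category is None:
            continue
        key = (ev["pid"], ev["image"].rsplit("\\", 1)[-1].lower())
        per_proc[key]["categories"].add(category)
        per_proc[key]["paths"].append(ev["path"])

    findings = {}
    for (pid, image), data in per_proc.items():
        foreign = {c for c in data["categories"] if image not in EXPECTED_OWNERS[c]}
        if not foreign:
            continue  # only the legitimate owner touched its own store
        findings[(pid, image)] = {
            "categories": data["categories"],
            "reasons": ["non-owner read of " + ", ".join(sorted(foreign))],
            "severity": "high" if len(data["categories"]) >= 2 else "medium",
            "paths": data["paths"],
        }
    return findings


if __name__ == "__main__":
    for key, finding in analyze(SAMPLE_EVENTS).items():
        print(key, finding["severity"], finding["reasons"])
```

The owner allowlist is deliberately narrow; backup agents and password managers will need adding per environment. The breadth rule is the more robust signal: legitimate software rarely has a reason to read browser cookies, wallet extension storage, VPN profiles and Telegram data in the same few seconds.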
This data is later sold on dark-web markets or used in data-extortion ransomware attacks. “Typically, the goal of Lumma operators is to monetize stolen information or conduct further exploitation for various purposes. Lumma is easy to distribute, difficult to detect, and can be programmed to bypass certain security defenses, making it a go-to tool for cybercriminals and online threat actors,” according to Steven Masada, assistant general counsel in Microsoft’s Digital Crimes Unit.
Microsoft said the malware service’s public face is a Russian developer who goes by “Shamel” and markets different tiers of service for Lumma via Telegram and other Russian-language chat forums.
The company cited a 2023 interview where “Shamel” bragged that he had “about 400 active clients” buying tiered licenses that ranged from $250 for entry-level access up to $20,000 for the source code.
Microsoft notes that, unlike earlier infostealers that relied heavily on bulk spam or exploit kits, Lumma reflects a shift toward multi-vector delivery, with considerable resourcefulness and proficiency in impersonation tactics.