Lumma Stealer

Overview

Lumma Stealer is a popular information-stealing malware sold as Malware-as-a-Service (MaaS). It targets browser credentials, cryptocurrency wallets, and two-factor authentication extensions. Lumma is distributed through various channels including fake software downloads, malvertising, and phishing campaigns.

Also Known As

LummaC2, Lumma, LummaStealer

How It Spreads

• • Malicious Google Ads leading to fake software sites
• • Fake software crack downloads
• • Phishing emails with malicious attachments
• • Compromised legitimate websites
• • YouTube video descriptions with malicious links

What It Does

• • Steals browser saved passwords and cookies
• • Extracts cryptocurrency wallet data
• • Captures 2FA browser extension data
• • Harvests Discord and Telegram tokens
• • Collects system and installed software information
• • Takes screenshots

Target Platforms

Windows 10, Windows 11

Detection Tips

• • Monitor for processes accessing browser credential files
• • Alert on outbound connections to newly registered domains
• • Watch for processes reading cryptocurrency wallet files
• • Detect execution from Downloads or Temp folders
• • Monitor PowerShell execution with encoded commands

MITRE ATT&CK Techniques

T1555, T1539, T1552, T1113, T1005