English | हिन्दी

MEITY
Cyber Swachhta Kendra

Lumma Infostealer

Original Issue Date:- June 12, 2025
Virus Type:-Infostealer
Severity:- Medium

It is reported that an info stealer dubbed as Lumma stealer, which is an advanced info-stealing malware, is being offered through a Malware-as-a-Service (MaaS) platform. First discovered in 2022, it has quickly gained traction among cybercriminals for its ease of use and high effectiveness. Designed to target Windows systems, it steals sensitive data such as stored browser credentials, cookies, cryptocurrency wallet details, two-factor authentication (2FA) codes, credit card information, session tokens and other personal data. Lumma has been used in global cyber campaigns impacting sectors like healthcare, banking, marketing, and telecom etc.

Infection Mechanism

Lumma Stealer employs multiple sophisticated techniques to infiltrate and infect the systems. The delivery tactics include advanced methodologies to go unnoticed and trick the security architecture. Major infection techniques include:

  • Deceptive CAPTCHA screens: Attackers mislead users into running harmful PowerShell commands by disguising them as part of a human verification check
  • Abuse of Discord CDN: Cybercriminals use Discord's Content Delivery Network to store and spread malicious software.
  • Deceptive Browser Update Prompts: Users are tricked into installing bogus updates that actually download and launch malware
  • ClickFix Method: Victims are manipulated through social engineering to run PowerShell commands supplied by the attacker, resulting in the installation of Lumma Stealer malware

Fig-1: Infection chain for ClickFix to Lumma Stealer (Source: Microsoft)

Many other critical techniques such phishing email, malvertising, drive by downloads etc. are being utilized to infect systems. Also, a group of compromised websites was found using EtherHiding and ClickFix tactics to deliver and install the Lumma Stealer malware. After execution, Lumma Stealer connects to its command-and-control servers to transmit stolen data and may also retrieve and install further malicious components.

Fig.2: Lumma Stealer C2 communication flow (Source: Microsoft)

Unusual Powershell activity, suspicious network traffic, unexpected processes, altered system files and browser anomalies may trigger the attention after infection.

Indicator of Compromise:

SHA 1:
  • 6F94CFAABB19491F2B8E719D74AD032D4BEB3F29
  • C5D3278284666863D7587F1B31B06F407C592AC4
  • 5FA1EDC42ABB42D54D98FEE0D282DA453E200E99

IP:
  • 172.67.134[.]100
  • 188.114.96[.]1

Detection:
  • Behavior:Win32/LummaStealer
  • Trojan:PowerShell/Powdow
  • Behavior:Win64/Shaolaod



For more detailed list of IoC, kindly refer the below URLs:

Best Practices and Recommendations:

  • Do not download and install applications from untrusted sources [offered via unknown websites/ links on unscrupulous messages]. Install applications downloaded from reputed application market only. Users must be aware while clicking on links during web search.
  • Update software and operating systems with the latest patches. Outdated applications and operating systems are the targets of most attacks.
  • Avoid running commands or downloading files presented during CAPTCHA checks, particularly if asked to perform tasks outside your web browser.
  • Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In cases of genuine URLs close out the e-mail and go to the organization’s website directly through browser
  • It is advised to block office applications from creating executable files.
  • Install ad blockers to combat exploit kits such as Fallout that are distributed via malicious advertising.
  • Prohibit external FTP connections and blacklist downloads of known offensive security tools.
  • All operating systems and applications should be kept updated on a regular basis. Virtual patching can be considered for protecting legacy systems and networks. This measure hinders cybercriminals from gaining easy access to any system through vulnerabilities in outdated applications and software. Avoid applying updates / patches available in any unofficial channel.
  • Restrict execution of Power shell /WSCRIPT in an enterprise environment. Ensure installation and use of the latest version of PowerShell, with enhanced logging enabled. Script block logging and transcription enabled. Send the associated logs to a centralized log repository for monitoring and analysis. https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
  • Establish a Sender Policy Framework (SPF) for your domain, which is an email validation system designed to prevent spam by detecting email spoofing by which most of the ransomware samples successfully reaches the corporate email boxes.
  • Application whitelisting/Strict implementation of Software Restriction Policies (SRP) to block binaries running from %APPDATA% and %TEMP% paths. Ransomware sample drops and executes generally from these locations.
  • Users are advised to disable their RDP if not in use, if required, it should be placed behind the firewall and users are to bind with proper policies while using the RDP.
  • Block the attachments of file types, exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf
  • Consider encrypting the confidential data as the ransomware generally targets common file types.
  • Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
  • Network segmentation and segregation into security zones - help protect sensitive information and critical services. Separate administrative network from business processes with physical controls and Virtual Local Area Networks.


References: