{
	"id": "293c65cb-d0a4-4cb1-bfd7-1ffa9600df5b",
	"created_at": "2026-04-06T00:09:04.74912Z",
	"updated_at": "2026-04-10T03:31:49.932739Z",
	"deleted_at": null,
	"sha1_hash": "539bc54edea87d3f83aabef4355e9adc7874f43c",
	"title": "Disrupting Lumma Stealer: Microsoft leads global action against favored cybercrime tool",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 619711,
	"plain_text": "Disrupting Lumma Stealer: Microsoft leads global action against\r\nfavored cybercrime tool\r\nBy Steven Masada\r\nPublished: 2025-05-21 · Archived: 2026-04-05 18:05:42 UTC\r\nMicrosoft’s Digital Crimes Unit (DCU) and international partners are disrupting the leading tool used to\r\nindiscriminately steal sensitive personal and organizational information to facilitate cybercrime. On Tuesday, May\r\n13, Microsoft’s DCU filed a legal action against Lumma Stealer (“Lumma”), which is the favored info-stealing\r\nmalware used by hundreds of cyber threat actors. Lumma steals passwords, credit cards, bank accounts, and\r\ncryptocurrency wallets and has enabled criminals to hold schools for ransom, empty bank accounts, and disrupt\r\ncritical services.\r\nVia a court order granted in the United States District Court of the Northern District of Georgia, Microsoft’s DCU\r\nseized and facilitated the takedown, suspension, and blocking of approximately 2,300 malicious domains that\r\nformed the backbone of Lumma’s infrastructure. The Department of Justice (DOJ) simultaneously seized the\r\ncentral command structure for Lumma and disrupted the marketplaces where the tool was sold to other\r\ncybercriminals. Europol’s European Cybercrime Center (EC3) and Japan’s Cybercrime Control Center (JC3)\r\nfacilitated the suspension of locally based Lumma infrastructure.\r\nBetween March 16, 2025, and May 16, 2025, Microsoft identified over 394,000 Windows computers globally\r\ninfected by the Lumma malware. Working with law enforcement and industry partners, we have severed\r\ncommunications between the malicious tool and victims. Moreover, more than 1,300 domains seized by or\r\ntransferred to Microsoft, including 300 domains actioned by law enforcement with the support of Europol, will be\r\nredirected to Microsoft sinkholes. 
This will allow Microsoft’s DCU to provide actionable intelligence to continue\r\nto harden the security of the company’s services and help protect online users. These insights will also assist\r\npublic- and private-sector partners as they continue to track, investigate, and remediate this threat. This joint\r\naction is designed to slow the speed at which these actors can launch their attacks, minimize the effectiveness of\r\ntheir campaigns, and hinder their illicit profits by cutting a major revenue stream.\r\nhttps://blogs.microsoft.com/on-the-issues/2025/05/21/microsoft-leads-global-action-against-favored-cybercrime-tool/\r\nPage 1 of 6\n\nHeat map detailing global spread of Lumma Stealer malware infections and encounters across\r\nWindows devices.\r\nSplash page displayed on 900+ domains seized by Microsoft. \r\nWhat is Lumma?\r\nLumma is a Malware-as-a-Service (MaaS), marketed and sold through underground forums since at least 2022.\r\nOver the years, the developers released multiple versions to continually improve its capabilities. Microsoft Threat\r\nIntelligence shares more details around the delivery techniques and capabilities of Lumma in a recent blog.\r\nTypically, the goal of Lumma operators is to monetize stolen information or conduct further exploitation for\r\nvarious purposes. Lumma is easy to distribute, difficult to detect, and can be programmed to bypass certain\r\nsecurity defenses, making it a go-to tool for cybercriminals and online threat actors, including prolific ransomware\r\nactors such as Octo Tempest (Scattered Spider). 
The malware impersonates trusted brands, including Microsoft,\r\nand is deployed via spear-phishing emails and malvertising, among other vectors.\r\nFor example, in March 2025, Microsoft Threat Intelligence identified a phishing campaign impersonating online\r\ntravel agency Booking.com. The campaign used multiple credential-stealing malware, including Lumma, to\r\nconduct financial fraud and theft. Lumma has also been used to target gaming communities and education systems\r\nand poses an ongoing risk to global security, with reports from multiple cybersecurity companies outlining its use\r\nin attacks against critical infrastructure, such as the manufacturing, telecommunications, logistics, finance, and\r\nhealthcare sectors.\r\nExample of phishing email impersonating Booking.com and fake CAPTCHA verification prompt.\r\n(Source: Microsoft – Phishing campaign impersonates Booking.com, delivers a suite of credential-stealing\r\nmalware)\r\nThe primary developer of Lumma is based in Russia and goes by the internet alias “Shamel.” Shamel markets\r\ndifferent tiers of service for Lumma via Telegram and other Russian-language chat forums. Depending on what\r\nservice a cybercriminal purchases, they can create their own versions of the malware, add tools to conceal and\r\ndistribute it, and track stolen information through an online portal.\r\nDifferent tiers of service for Lumma, as well as Lumma’s logo used on marketing material. 
(Source: Darktrace –\r\nThe Rise of MaaS \u0026 Lumma Info Stealer)\r\nIn an interview with cybersecurity researcher “g0njxa” in November 2023, Shamel shared that he had “about 400\r\nactive clients.” Demonstrating the evolution of cybercrime to incorporate established business practices, he\r\neffectively created a Lumma brand, using a distinctive logo of a bird to market his product, calling it a symbol of\r\n“peace, lightness, and tranquility,” and adding the slogan “making money with us is just as easy.”\r\nShamel’s ability to operate openly underscores the importance for countries worldwide to address the issue of safe\r\nhavens and to advocate for the rigorous enforcement of due diligence obligations under international law.\r\nContinuing to work together to disrupt prolific cybercrime tools\r\nDisrupting the tools cybercriminals frequently use can create a significant and lasting impact on cybercrime, as\r\nrebuilding malicious infrastructure and sourcing new exploit tools takes time and costs money. By severing access\r\nto mechanisms cybercriminals use, such as Lumma, we can significantly disrupt the operations of countless\r\nmalicious actors through a single action.\r\nContinued collaboration across industry and government remains imperative. We are grateful for the partnership\r\nwith others across government and industry, including cybersecurity companies ESET, Bitsight, Lumen,\r\nCloudflare, CleanDNS, and GMO Registry. Each company provided valuable assistance by quickly taking down\r\nonline infrastructure.\r\nFinally, we know cybercriminals are persistent and creative. We, too, must evolve to identify new ways to disrupt\r\nmalicious activities. 
Microsoft’s DCU will continue to adapt and innovate to counteract cybercrime and help\r\nensure the safety of critical infrastructure, customers, and online users.\r\nOrganizations and individuals can protect themselves from malware like Lumma by using multi-factor\r\nauthentication, running the latest anti-malware software, and being cautious with attachments and email links.\r\nMore information for security professionals can be found here.\r\nTags: cyberattacks, cybersecurity, Microsoft Digital Crimes Unit, The Digital Crimes Unit\r\nSource: https://blogs.microsoft.com/on-the-issues/2025/05/21/microsoft-leads-global-action-against-favored-cybercrime-tool/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blogs.microsoft.com/on-the-issues/2025/05/21/microsoft-leads-global-action-against-favored-cybercrime-tool/"
	],
	"report_names": [
		"microsoft-leads-global-action-against-favored-cybercrime-tool"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434144,
	"ts_updated_at": 1775791909,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/539bc54edea87d3f83aabef4355e9adc7874f43c.pdf",
		"text": "https://archive.orkl.eu/539bc54edea87d3f83aabef4355e9adc7874f43c.txt",
		"img": "https://archive.orkl.eu/539bc54edea87d3f83aabef4355e9adc7874f43c.jpg"
	}
}