{
	"id": "3a5a8489-bda2-4e04-b0e1-6cbc81a6d7eb",
	"created_at": "2026-04-06T01:28:59.160054Z",
	"updated_at": "2026-04-10T13:11:28.139399Z",
	"deleted_at": null,
	"sha1_hash": "82eb931354c50d2b60110172c3fdd5148db44038",
	"title": "LummaC2 Stealer: Major Threat to Crypto Users' Security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1722243,
	"plain_text": "LummaC2 Stealer: Major Threat to Crypto Users' Security\r\nBy cybleinc\r\nPublished: 2023-01-06 · Archived: 2026-04-06 00:52:13 UTC\r\nCRIL analyzes the latest version of LummaC2 Stealer, which targets crypto users by stealing data from their crypto wallet and 2FA browser extensions.\r\nNew Stealer Targeting Crypto Wallets and 2FA Extensions of Various Browsers\r\nDuring a threat-hunting exercise, Cyble Research and Intelligence Labs (CRIL) discovered a post on a cybercrime forum about an information stealer targeting both Chromium and Mozilla-based browsers. This stealer, named LummaC2 Stealer, targets crypto wallets, browser extensions, and two-factor authentication (2FA) extensions and steals sensitive information from the victim’s machine.\r\nThe figure below shows the dark web post by the Threat Actors.\r\nhttps://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/\r\nPage 1 of 11\r\nFigure 1 – Dark Web Post for LummaC2 Stealer\r\nThe post also mentioned the link to LummaC2 Stealer’s seller website, which is written in Russian. The website also offers various purchasing options for potential Threat Actors (TAs), with prices ranging from $250 to $20,000 depending on the plan.\r\nThe image below shows the website where the stealer is available for sale.\r\nFigure 2 – LummaC2 Stealer Seller’s Website\r\nIn addition, the Threat Actors (TAs) behind the LummaC2 Stealer have created two Telegram channels in Russian: one for sharing information about the stealer and one for reporting bugs in the malware.\r\nFigure 3 – Telegram Post by the Threat Actors\r\nThe researchers at CRIL found two active Command and Control servers connected to the LummaC2 Stealer. The figure below illustrates the IP addresses of these servers, one located in Bulgaria and the other in Germany.\r\nFigure 4 – LummaC2 Stealer C\u0026C IPs\r\nThe figure below shows the login page of the LummaC2 Stealer’s Command and Control (C\u0026C) server.\r\nFigure 5 – LummaC2 C\u0026C Panel Login Page\r\nTechnical Details\r\nThe LummaC2 Stealer is a 32-bit GUI-type executable with SHA256 d932ee10f02ea5bb60ed867d9687a906f1b8472f01fc5543b06f9ab22059b264.\r\nThe figure below shows the additional file details of the LummaC2 Stealer executable.\r\nFigure 6 – File Details of LummaC2 Stealer\r\nDetection Evasion:\r\nThe stealer contains many obfuscated strings in which the original text is padded with the random string “edx765” to evade detection. Upon execution, the stealer passes each obfuscated string to a function that strips the random string and returns the original string.\r\nThe figure below shows the routine for string manipulation.\r\nFigure 7 – Assembly Code to Replace the edx765 String\r\nCollects System Information:\r\nAfter recovering the required strings, the malware resolves the APIs it needs. It then extracts multiple pieces of information from the system, including LummaC2 Build, Lumma ID, Hardware ID, Screen Resolution, System Language, CPU Name, and Physical Memory. The malware stores this information in memory under the name system.txt.\r\nThe figure below shows the code snippet of the malware collecting system information.\r\nFigure 8 – System Information Extracted by the Stealer\r\nFile Grabber:\r\nThe stealer then enumerates the %userProfile% directory and grabs .txt files from the victim’s machine. These grabbed files are stored in memory under the name “Important Files/Profile” for exfiltration.\r\nWallets:\r\nThe stealer also targets crypto wallets such as Binance, Electrum, and Ethereum and collects sensitive information from the victim’s machine. The figure below shows the code snippet of the stealer targeting crypto wallets.\r\nFigure 9 – The Stealer Targeting Wallets\r\nAfter collecting the victim’s wallet and system details, the stealer sends this information to its C\u0026C server, as shown below.\r\nFigure 10 – Initial C\u0026C Communication of the Stealer\r\nBrowsers:\r\nAfter sending the stolen information, the stealer checks for the following browsers installed on the system: Chrome, Chromium, Edge, Kometa, Vivaldi, Brave, Opera Stable, Opera GX Stable, Opera Neon, and Mozilla Firefox, and steals sensitive information from them.\r\nThe figure below shows the code that checks for the browsers.\r\nFigure 11 – Stealer Checking for the Browsers in the System\r\nCrypto Wallets and 2FA Extensions:\r\nThe stealer then searches for more information associated with the browser, such as crypto wallet and two-factor authentication (2FA) extensions that may have been installed.\r\nThe figure below shows the wallets and 2FA extensions that the stealer targets.\r\nFigure 12 – Stealer Targeting Crypto Wallet and 2FA Extensions\r\nIn addition, the stealer can also steal browser history, login information, network cookies, and more from the system, as shown below.\r\nFigure 13 – Stealer Targeting Sensitive Browser Information\r\nCommand \u0026 Control Communication\r\nFinally, the stealer encrypts the data obtained from the infected system and sends it to the C\u0026C server, as shown below.\r\nFigure 14 – C\u0026C Communication of the LummaC2 Stealer\r\nConclusion\r\nLummaC2 behaves in a manner comparable to other stealer-type malware, which can exfiltrate both system and sensitive data from the victim’s machine. These dangerous programs usually have the capacity to take information from web browsers and target crypto wallets and 2FA extensions.\r\nThe additional information stored in web browsers, such as login credentials, PII, and financial information, can be further leveraged to conduct fraud as well.\r\nThreat actors can use the stolen data to steal cryptocurrencies from the victim’s accounts, or alternatively, they can sell this data to other threat actors for financial gain.\r\nCRIL continuously monitors emerging threats and will continue to keep readers informed.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:\r\nSafety Measures Needed to Prevent Malware Attacks\r\nRefrain from opening untrusted links and email attachments without verifying their authenticity.\r\nUse a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.\r\nConduct regular backups and keep those backups offline or on a separate network.\r\nTurn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.\r\nUsers Should Take the Following Steps After a Malware Attack\r\nDisconnect infected devices from the network.\r\nDisconnect external storage devices if connected.\r\nInspect system logs for suspicious events.\r\nImpact and Criticality of Malware\r\nLoss of valuable data.\r\nLoss of the organization’s reputation and integrity.\r\nLoss of the organization’s sensitive business information.\r\nDisruption of organization operations.\r\nMonetary loss.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic | Technique ID | Technique Name\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information\r\nDefense Evasion | T1562 | Impair Defences\r\nDiscovery | T1082 | System Information Discovery\r\nDiscovery | T1083 | File and Directory Discovery\r\nCollection | T1119 | Automated Collection\r\nCollection | T1005 | Data from the Local System\r\nCommand and Control | T1071 | Application Layer Protocol\r\nExfiltration | T1020 | Automated Exfiltration\r\nIndicators of Compromise (IoCs)\r\nIndicator | Indicator Type | Description\r\n1995a54dba0e05d80903d3d210c1e3da | MD5 | LummaC2 Binary\r\nc43316ddcb51e143ab53f996587c23ea4985f6ea | SHA1 | LummaC2 Binary\r\n277d7f450268aeb4e7fe942f70a9df63aa429d703e9400370f0621a438e918bf | SHA256 | LummaC2 Binary\r\na09daf5791d8fd4b5843cd38ae37cf97 | MD5 | LummaC2 Binary\r\n2c11592f527a35c3dac75139e870dd062b12dfe1 | SHA1 | LummaC2 Binary\r\n60247d4ddd08204818b60ade4bfc32d6c31756c574a5fe2cd521381385a0f868 | SHA256 | LummaC2 Binary\r\n5aac51312dfd99bf4e88be482f734c79 | MD5 | LummaC2 Binary\r\n9ac88b93fee8f888cabc3d0c9d81507c6dad7498 | SHA1 | LummaC2 Binary\r\n9b742a890aff9c7a2b54b620fe5e1fcfa553648695d79c892564de09b850c92b | SHA256 | LummaC2 Binary\r\nc9c0e32e00d084653db0b37a239e9a34 | MD5 | LummaC2 Binary\r\nb97965e4a793ec0fa10abc86d0c6be5718716d8a | SHA1 | LummaC2 Binary\r\nd932ee10f02ea5bb60ed867d9687a906f1b8472f01fc5543b06f9ab22059b264 | SHA256 | LummaC2 Binary\r\n195[.]123[.]226[.]91 | IP | LummaC2 C\u0026C\r\n144[.]76[.]173[.]247 | IP | LummaC2 C\u0026C\r\nSource: https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/"
	],
	"report_names": [
		"lummac2-stealer-a-potent-threat-to-crypto-users"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775438939,
	"ts_updated_at": 1775826688,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/82eb931354c50d2b60110172c3fdd5148db44038.pdf",
		"text": "https://archive.orkl.eu/82eb931354c50d2b60110172c3fdd5148db44038.txt",
		"img": "https://archive.orkl.eu/82eb931354c50d2b60110172c3fdd5148db44038.jpg"
	}
}