{
	"id": "dae54161-5e65-4ff4-ac2c-4dcfd6059336",
	"created_at": "2026-04-06T00:12:53.675846Z",
	"updated_at": "2026-04-10T03:36:48.273304Z",
	"deleted_at": null,
	"sha1_hash": "c6957a9f9f170f07af82b5e1c3a1d93a6d37670b",
	"title": "LummaC2 Revisited: What’s Making this Stealer Stealthier and More Lethal",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1458073,
	"plain_text": "LummaC2 Revisited: What’s Making this Stealer Stealthier and More Lethal\r\nBy James\r\nPublished: 2024-12-19 · Archived: 2026-04-05 22:00:02 UTC\r\nIt’s been about a year since our last analysis of LummaC2, and SpyCloud analysts have been hard at work tracking the changes to LummaC2 infostealer malware that have occurred since then – and there have been many, including changes to its:\r\nA graph comparing LummaC2 infections to other prevalent malware family infections. Around November 2024, Lumma infections skyrocket.\r\nHere’s what we found when we looked back under the hood.\r\nUpdates to LummaC2's theft capabilities\r\nSince our last blog, LummaC2 has undergone several changes that upgrade its stealing capabilities. These changes include:\r\nIn addition to these specific changes, LummaC2’s theft operation has also evolved some of its functionalities. Instead of stealing information all at once, assembling it, and then exfiltrating it, LummaC2 now assembles and exfiltrates each newly obtained bit of information before a new function is executed.\r\nhttps://spycloud.com/blog/lummac2-malware-stealthier-capabilities/\r\nPage 1 of 9\r\nThis allows LummaC2 to be more resilient: if it gets detected or something goes wrong during operation, it’s possible that it will still be able to exfiltrate partial logs to the command and control server (C2) that threat actors can leverage.\r\nNew changes to LummaC2’s browser theft techniques\r\nIn late July 2024, Google released an update to Chrome that introduced “App Bound Encryption,” or ABE, a feature designed to limit illicit access to credentials like cookies. This feature now encrypts the cookies and stores them behind a device-specific ABE key, which is much more challenging for stealers to access.\r\nLummaC2 has developed a bypass for this technique which scrapes the Chromium process’s internal memory for “chrome.dll” and finds the address of Chrome’s CookieMonster library, used for manipulating cookies. Using this address, LummaC2 then interacts with Chrome’s CookieMonster library to dump the cookies to a text file, which is then exfiltrated to the C2.\r\nThis process can be viewed in depth here; however, it should be noted that the obfuscated pattern string used by LummaC2 for matching is, at the time of this writing:\r\n9sdmLrTRuOE8????p4UMZQLB????jl7CKwIeGWvwDe3YvXN40wd763ssw7Cx????kdamAY3?\r\nPdE????6J????7Qy6S04NP0R????k70a?oAj7a3????????K3smA????maSd?3l4\r\nThe string can be seen in use by the malware in Image 1 below.\r\nImage 1: Displays LummaC2 passing the obfuscated pattern string to the Chrome DLL memory searcher.\r\nAdditionally, LummaC2 now steals the victim’s os_crypt.encrypted_key field, which can be used for further credential decryption. This key is stored in “dp.txt” in the browser exfil folder.\r\nLummaC2’s new approach to extension theft\r\nIn order to make extension theft more resilient and modular, the developers of LummaC2 have added a few JSON dictionary keys to their extension dictionary options, namely “ldb” and “ses”, as observed in Image 2. These two keys, set to a boolean value (true/false), indicate if there are additional behaviors that need to be performed or files that need to be stolen in order to properly steal the extension. For example, the “ldb” key indicates the presence of a .LDB file for LummaC2 to steal, which normally contains incredibly valuable information for LummaC2 such as recent transactions and wallet information. The “ses” key indicates that LummaC2 should additionally attempt to steal files from Chrome’s “Sync Extension Settings” folder, which is a feature used by Chrome to allow users to share extensions across multiple devices.\r\nAdditionally, LummaC2 has implemented the ability to steal from Firefox extensions, which opens the door to a whole new avenue of extension theft through extensions that may be in use for Firefox but not Chrome.\r\nImage 2: Displays the two updated entries for LummaC2’s extension theft routines.\r\nLummaC2’s additional stealer capabilities\r\nWhile LummaC2 has a dynamic config that it pulls down from the C2 infrastructure that instructs the bot on what to steal, it also has a few hardcoded theft functions. Some of these functions are fairly new, such as those for Discord, Steam, and Notepad++. Additionally, it has a new hardcoded C2 fallback functionality which is very unique in operation.\r\nDiscord user token theft\r\nAmong the newer hardcoded theft capabilities of LummaC2 is its ability to steal Discord user tokens. These tokens, which are normally base64 encoded, allow users and bots to log in and authenticate with servers. This capability allows LummaC2 customers to easily take over control of Discord accounts.\r\nSteam profile information theft\r\nAnother one of LummaC2’s new hardcoded theft capabilities is its ability to steal Steam profile information. This theft occurs in two parts, stealing from the Steam process memory as well as stealing Steam config files that allow for easy account takeovers.\r\nNotepad++ text file theft\r\nIn recent versions of LummaC2, LummaC2’s file theft routine focuses on stealing text files stored on the Desktop and in similar locations, and LummaC2’s newest hardcoded theft capability is an upgrade of this routine. LummaC2 can now find Notepad++ session.xml files, which are created when a Notepad++ session is closed unexpectedly (or Notepad++ is open), scrape the files, and then extract the “filename=” field to find additional text files to steal and exfiltrate.\r\nC2 fallback\r\nIn recent samples of LummaC2, we observed a C2 fallback routine, which connects out to a hardcoded URL to obtain an obfuscated C2. It then deobfuscates the C2 to reveal an additional C2 not included in its hardcoded config. LummaC2 only uses this routine if the C2s contained in LummaC2’s hardcoded config are not responsive. While having a fallback routine is not unique in itself, what is unique is how LummaC2 goes about it, leveraging Steam accounts whose names are the URL, and ROT+11 Caesar ciphers to obfuscate it, as observed in Image 3:\r\nImage 3: One of LummaC2’s fallback Steam profiles, along with the history used for the account.\r\nIn addition to the domain shown in Image 3, two of the fallback domains previously used by LummaC2 for C2 operations are:\r\ntenntysjuxmz[.]shop\r\nreinforcedirectorywd[.]shop\r\nFor a LummaC2 infection, stolen credentials are not the only way for criminals to monetize access. In fact, as observed in Image 4, through a collaboration with GhostSocks, LummaC2 now allows actors to infect victims with reverse proxy binaries to turn their victims into residential proxies.\r\nImage 4: LummaC2’s instructions for how to use the GhostSocks proxy plugin.\r\nUsing this feature, actors are able to easily leverage LummaC2’s “Google Expired Token Refresh” feature in conjunction with the residential proxies to refresh expired Google tokens, even when a victim has changed their password. This is particularly concerning because other account protections that depend on same-device fingerprinting become trivial to bypass when traffic originates from the device that is fingerprinted.\r\nAdditionally, actors that work with ransomware teams (either directly or tangentially) can use these residential proxies to sell direct access to juicy victims to ransomware brokers. This feature gives actors an additional monetization route that would’ve been much harder to establish without it. Ransomware brokers can then sell this access to teams that distribute ransomware, which results in easy access to environments to deploy ransomware.\r\nFigure 1: Flowchart showing how a threat actor can use LummaC2’s GhostSocks feature to turn a victim into a residential proxy for further illicit activity.\r\nWe’ve observed another change to LummaC2’s use of a technique known as “dynamic import hashing” in order to obfuscate and hide its use of some Windows API calls. This technique of hashing the names of imports in order to hide functionality from analysts/AV is pretty standard for malware, and LummaC2 is no different.\r\nIn past versions of Lumma, the hashing algorithm used for this purpose was murmurhash32, an established hashing algorithm. In current versions of Lumma, LummaC2 has shifted to using FNV1A with a standard prime and modified offset basis, as observed in Image 5.\r\nImage 5: LummaC2’s implementation of FNV1A using the 0x1000193 Prime.\r\nThe offset basis used for LummaC2’s dynamic import hashing implementation changes frequently, allowing LummaC2 to better hide from defenders and detection software, as previously known function hash values no longer match.\r\nLummaC2’s devs sell access to the malware on a tier-based system, including Corporate, Professional, and Enterprise tiers. As observed in Image 6, LummaC2 devs previously advertised “Heaven’s Gate” functionality included in the builds for its corporate tier only, allowing it to execute functions in 64-bit memory space from a 32-bit application. This functionality leverages a known 64-bit handler embedded in 32-bit applications for compatibility purposes.\r\nImage 6: One of LummaC2’s older ads that mentions Heaven’s Gate, from April 2023.\r\nThe technique, known as “Heaven’s Gate”, allows LummaC2 to better evade sandboxes and analyses, as the actual important function calls are heavily obfuscated and proxied into 64-bit memory space.\r\nIn recent builds of LummaC2, however, “Heaven’s Gate” has been included in the lower tiers, allowing all tiers of LummaC2 to access and leverage this technique.\r\nIn current builds, as observed in Image 7, LummaC2 first prepares a list of FNV1A hashed functions, as well as their corresponding ordinals in the libraries they exist in.\r\nImage 7: The buffer of hashed functions and their corresponding ordinals.\r\nWhen LummaC2 wants to call specific functions, it locates the hash in the list and then passes the ordinal to the Heaven’s Gate proxy function that allows access to 64-bit memory space, as observed in Image 8.\r\nImage 8: LummaC2 locating the hash of NtOpenFile and then executing it with the Heaven’s Gate proxy function.\r\nLummaC2’s 64-bit injected code can be observed in Image 9 below:\r\nImage 9: The disassembly of LummaC2’s Heaven’s Gate injection.\r\nThis change allows LummaC2 to more easily evade runtime detections that would otherwise detect the function calls, as many sandboxes do not hook into 64-bit memory space for 32-bit processes.\r\nLast but not least in the long list of changes, LummaC2’s recent versions have introduced a code flattener that makes static analysis challenging.\r\nCode flattening, also known as control flow flattening, is an obfuscation technique that tries to obfuscate a control flow by “flattening” it – essentially putting all functions, jumps, conditional loops, and all other code branches into one big loop with various switch case statements or “jumps” to handle the flow.\r\nNormally, these jumps are very clearly defined. LummaC2, however, first flattens its code before splitting it into chunks separated by jumps, and then also hides the next chunk of code using obfuscated addresses, which are then deobfuscated to reveal the next code chunk using a math algorithm. This offset-calculating algorithm can be observed in Image 10. This makes static analysis challenging, but the calculation is trivial to follow at runtime under dynamic analysis.\r\nImage 10: One of LummaC2’s obfuscated code chunk footers.\r\nAs observed in Image 10, the steps to calculate a new code block offset are as follows:\r\nThis particular method of moving through code is very effective at breaking “graph views” for disassemblers like IDA, which makes analysis challenging but not impossible – as demonstrated in this blog.\r\nLummaC2’s developers have been busy this past year. There have been many updates to the malware, and while many of the changes aren’t surprising given adapting detection abilities, several are pretty novel – and certainly concerning for defenders, who should be aware of these evolved capabilities.\r\nThe new browser, extension, and third-party data theft mean LummaC2 is capturing more victim data than ever – all of which can be used against individuals and businesses in identity-based attacks.\r\nThe modified exfiltration routine enables data theft even if the malware is stopped mid-execution.\r\nThe evolved hashing, function, and code flattening features make LummaC2 tougher for defenders to spot and analyze.\r\nThe capability that has us most concerned – and shouldn’t go unnoticed – is the LummaC2 and GhostSocks collaboration that transforms a victim machine into a residential proxy after infection, giving bad actors an easy button for further illicit activity. Security teams have to monitor for and be able to identify employees, customers, vendors, and contractors infected with infostealers like LummaC2 and fully remediate infections to avoid threats from escalating to attacks like ransomware.\r\nAs always, we’ll continue monitoring developments of Lumma’s capabilities to better understand exfiltration trends and will share updates to our research when available.\r\nThe SpyCloud Post-Infection Remediation Guide offers an in-depth look at a critical addition to malware infection response.\r\nSource: https://spycloud.com/blog/lummac2-malware-stealthier-capabilities/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://spycloud.com/blog/lummac2-malware-stealthier-capabilities/"
	],
	"report_names": [
		"lummac2-malware-stealthier-capabilities"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434373,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c6957a9f9f170f07af82b5e1c3a1d93a6d37670b.pdf",
		"text": "https://archive.orkl.eu/c6957a9f9f170f07af82b5e1c3a1d93a6d37670b.txt",
		"img": "https://archive.orkl.eu/c6957a9f9f170f07af82b5e1c3a1d93a6d37670b.jpg"
	}
}