{
	"id": "cfabecbf-6fac-4f4f-bb13-93f2f0f4908a",
	"created_at": "2026-04-23T02:55:31.786638Z",
	"updated_at": "2026-04-25T02:18:09.981974Z",
	"deleted_at": null,
	"sha1_hash": "ca7952fd19294e4ddc87647dc371d85797a42828",
	"title": "Lumma Infostealer – Down but Not Out?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 58936,
	"plain_text": "Lumma Infostealer – Down but Not Out?\r\nBy rohann@checkpoint.com\r\nPublished: 2025-05-29 · Archived: 2026-04-23 02:11:20 UTC\r\nKey Findings:\r\nThe takedown achieved a significant disruption of the Lumma infostealer’s infrastructure, but likely did not permanently affect most of its Russia-hosted infrastructure.\r\nLumma’s developers are undertaking significant efforts to reinstate the activity and to conduct business as usual.\r\nThe Lumma infostealer appears to have suffered significant reputational damage, and the key factor in whether it resumes regular activity will be reputational rather than technological.\r\nOn May 21, 2025, Europol, the FBI, and Microsoft, in collaboration with other public and private sector partners, announced an operation to dismantle the activity of the Lumma infostealer. The malware, considered one of the most prolific infostealers, is distributed through a malware-as-a-service model. In addition to its use by common cyber criminals for stealing credentials, Lumma was observed to be part of the arsenal of several prominent threat actor groups, including Scattered Spider, Angry Likho, and CoralRaider.\r\nThe Takedown on the Dark Web\r\nAccording to the reports, the takedown operation began on May 15. On that day, Lumma customers flooded dark web forums that advertise the stealer, complaining they were unable to access the malware’s command and control (C2) servers and management dashboards.\r\nhttps://blog.checkpoint.com/security/lumma-infostealer-down-but-not-out/\r\nPage 1 of 10\r\nFigure 1 – Threat actor complaints about server access.\r\nThe Lumma developer publicly responded on Friday, May 23. He confirmed that almost 2,500 of Lumma’s domains were confiscated or taken down by law enforcement agencies.\r\nAccording to Lumma’s developer, the agencies were not able to seize Lumma’s main server due to its geographic location. 
However, they successfully infiltrated it by exploiting an unknown vulnerability in the Integrated Dell Remote Access Controller (iDRAC). This allowed them to wipe the server and its backups. While the developer did not log his customers’ IP addresses, the law enforcement agencies created a phishing login page to harvest the credentials and digital footprints of Lumma customers. They also planted a JavaScript snippet that tried to access the customers’ web cameras.\r\nFigure 2 – The developer’s response to the operation.\r\nFigure 3 – JavaScript script planted on the Lumma dashboard server.\r\nThe Future of Lumma\r\nOn cyber crime forums, opinions regarding the future of the Lumma infostealer are mixed. Some believe the damage done by the operation will lead to the shutdown of Lumma services or at least make them go private, i.e. ending public advertisement and returning to word-of-mouth for marketing and vetting customers. Others believe that the takedown operation won’t have any long-lasting effect.\r\nFigure 4 – Threat actors respond to the Lumma server shutdown.\r\nLumma’s developers already claim to be operational once more. 
Several cyber criminals published their Telegram conversations in which the developer claimed that no one related to Lumma was arrested and that “everything has been restored, and we are working normally.”\r\nFigure 5 – Threat actors sharing chats with the Lumma developer.\r\nFigure 5.2 – Threat actors sharing chats with the Lumma developer.\r\nIn addition, a closer look at the malware’s infrastructure reveals that the C2 servers registered in Russia were not disabled.\r\nFigure 6 – Online Russian-language Lumma panels after the operation.\r\nFigure 6.2 – Online Russian-language Lumma panels after the operation.\r\nIn another sign that the Lumma infostealer is down but not out, information stolen from compromised computers continues to appear on the online market. For example, two days after the operation, an automated Telegram bot that sells stolen credentials obtained by Lumma offered 95 logs from 41 countries for sale. As of May 29, the same bot contains 406 logs, showing a steady increase.\r\nFigure 7 – Stolen logs for sale.\r\nIn addition, a centralized shop for the Russian market that sells infostealer logs online contains data from Lumma-infected computers dated after the takedown operation.\r\nFigure 8 – Lumma logs for sale on the Russian Market.\r\nAs seen in Operation Cronos, which took down the LockBit ransomware, law enforcement agencies battling cyber crime often use psychological pressure against threat actors to sow distrust among them. 
The authorities compromised LockBit’s leak site and planted a countdown timer teasing the disclosure of the identity of LockBit’s leader.\r\nIn the operation against Lumma, law enforcement published messages on Lumma’s main Telegram channel, claiming that the admins and affiliates were already sharing information with them. The JavaScript snippet that was planted in the hijacked panels, which allegedly took photos with users’ webcams, can also be viewed as a psychological trick. After close inspection of the JavaScript code, threat actors claim that the code is very basic and would not execute properly.\r\nFigure 9 – FBI message shared in the Lumma Telegram group.\r\nFigure 10 – Threat actors responding to claims that admins shared information about Lumma.\r\nFigure 11 – Threat actors discussing the JavaScript snippet.\r\nSummary\r\nDespite the successful takedown operation against the Lumma infostealer, Check Point Research observed significant efforts by the Lumma developer to fully reinstate its infostealer activities and conduct business as usual. Beyond the damage to Lumma’s technical capabilities, the real question is how much damage was sustained in terms of Lumma’s brand and reputation. Law enforcement agencies’ attempts to sow distrust among Lumma’s affiliates and customers may not be as easily overcome as was observed in previous cases.\r\nSource: https://blog.checkpoint.com/security/lumma-infostealer-down-but-not-out/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.checkpoint.com/security/lumma-infostealer-down-but-not-out/"
	],
	"report_names": [
		"lumma-infostealer-down-but-not-out"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-25T02:00:04.619154Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-25T02:00:04.123631Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-25T02:00:03.265669Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Swine",
				"Scatter Swine",
				"Octo Tempest",
				"Storm-0971",
				"DEV-0971",
				"0ktapus",
				"Starfraud",
				"UNC3944",
				"Muddled Libra",
				"Oktapus"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0fc739cf-0b82-48bf-9f7d-398a200b59b5",
			"created_at": "2022-10-25T16:07:23.797925Z",
			"updated_at": "2026-04-25T02:00:04.600349Z",
			"deleted_at": null,
			"main_name": "LockBit Gang",
			"aliases": [
				"Bitwise Spider",
				"Operation Cronos"
			],
			"source_name": "ETDA:LockBit Gang",
			"tools": [
				"3AM",
				"ABCD Ransomware",
				"CrackMapExec",
				"EmPyre",
				"EmpireProject",
				"LockBit",
				"LockBit Black",
				"Mimikatz",
				"PowerShell Empire",
				"PsExec",
				"Syrphid"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6b8c5ea0-a654-4b5c-b817-9e67b115059e",
			"created_at": "2024-04-19T02:00:03.625955Z",
			"updated_at": "2026-04-25T02:00:03.518683Z",
			"deleted_at": null,
			"main_name": "CoralRaider",
			"aliases": [],
			"source_name": "MISPGALAXY:CoralRaider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6a894c24-6f51-4863-9efb-7f1b3133c848",
			"created_at": "2024-06-20T02:02:10.260154Z",
			"updated_at": "2026-04-25T02:00:04.825679Z",
			"deleted_at": null,
			"main_name": "CoralRaider",
			"aliases": [],
			"source_name": "ETDA:CoralRaider",
			"tools": [
				"AsyncRAT",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"Rhadamanthys",
				"Rhadamanthys Stealer",
				"RotBot",
				"XClient"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-25T02:00:04.433753Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c6d22751-e854-47de-a33d-2adf0058683e",
			"created_at": "2025-03-03T02:02:00.191696Z",
			"updated_at": "2026-04-25T02:00:04.435431Z",
			"deleted_at": null,
			"main_name": "Angry Likho",
			"aliases": [],
			"source_name": "ETDA:Angry Likho",
			"tools": [
				"Lumma Stealer",
				"LummaC2"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ce6c9df9-bf82-4e6c-b355-9285463a37c8",
			"created_at": "2025-03-07T02:00:03.792481Z",
			"updated_at": "2026-04-25T02:00:03.658681Z",
			"deleted_at": null,
			"main_name": "Angry Likho",
			"aliases": [
				"Sticky Werewolf"
			],
			"source_name": "MISPGALAXY:Angry Likho",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-25T02:00:03.388754Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1776912931,
	"ts_updated_at": 1777083489,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ca7952fd19294e4ddc87647dc371d85797a42828.pdf",
		"text": "https://archive.orkl.eu/ca7952fd19294e4ddc87647dc371d85797a42828.txt",
		"img": "https://archive.orkl.eu/ca7952fd19294e4ddc87647dc371d85797a42828.jpg"
	}
}