{
	"id": "b1819743-9f5c-4b2e-ac21-286801f7b375",
	"created_at": "2026-04-06T00:22:10.784475Z",
	"updated_at": "2026-04-10T03:33:24.289805Z",
	"deleted_at": null,
	"sha1_hash": "da9c79807b8ae4ea622e931bba531cf68e67581d",
	"title": "Lumma 2024: Dominating the Info-Stealer Market",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1571116,
	"plain_text": "Lumma 2024: Dominating the Info-Stealer Market\r\nBy Efstratios Lontzetidis\r\nPublished: 2024-12-28 · Archived: 2026-04-05 20:39:37 UTC\r\nIn this blog, we analyze the evolution of Lumma in 2024, based on the Diamond Model vertices.\r\nDisclaimer: Everything stated in this blog is for informational purposes only, with no intention of promoting the use of these products.\r\nKey Points\r\nLumma is a professional-grade information stealer marketed as Malware-as-a-Service (MaaS), targeting credentials, cryptocurrency wallets, browser data, and 2FA details, with advanced features like binary morphing and server-side data decryption.\r\nThe malware’s subscription-based plans — Experienced, Professional, and Corporate — offer varying levels of log management, data filtering, and customization, with the highest tier focusing on stealth and advanced security bypass techniques.\r\nLumma’s developers enforce “anti-CIS” policies, refusing to target Russia or accept offers to bypass this restriction, and maintain a strong presence on Russian-speaking forums while engaging with clients via Telegram and Gitbook resources.\r\nObservations reveal frequent campaigns throughout 2024 targeting sectors like manufacturing and transportation, as well as individuals like gamers, cracked software users, and cryptocurrency enthusiasts, with tactics including phishing and malvertising.\r\nThe article highlights Lumma’s dominance in the stealer market, noting its extensive distribution efforts, potential for law enforcement attention, and the benefit for defenders in focusing on well-known malware for evolving detection strategies.\r\nAdversary\r\nLumma (aka LummaC2, Lummac and Lumma Stealer) is an advanced information-stealing Malware-as-a-Service (MaaS) with Russian origins, observed in the wild since 2022. 
It is marketed as a “professional-grade” tool that can extract sensitive data from Windows 7 x32 to Windows 11 x64. Written in C and providing customizable functionality, it primarily targets cryptocurrency wallets, browser cookies \u0026 extensions, credentials, credit card information and two-factor authentication (2FA) details, before ultimately stealing sensitive information from compromised machines.\r\nhttps://medium.com/@s.lontzetidis/lumma-2024-dominating-the-info-stealer-market-070e7d8fa3d6\r\nPage 1 of 14\n\nLightweight and stealthy, it avoids detection through techniques like binary morphing (changing its code to evade antivirus tools) and low-level system interactions. It is subscription-based, offering various plans with features such as bulk log downloads, data filtering, and custom data collection profiles. Lumma’s infrastructure relies on powerful servers with encryption and anti-DDoS protection, and updates are provided frequently to ensure it remains effective. The malware is managed via an easy-to-use interface, making it accessible even to less technically skilled users.\r\nLumma Panel\r\nIn just 2 years of existence Lumma has already managed to become the most tracked malware:\r\nMalware Trends Tracker last 365 days (27/12/2024). Source: Any.run\r\nTop Malware Signatures Past 14 days (27/12/24). Source: MalwareBazaar\r\nTop Malware Tags Past 14 days (27/12/24). 
Source: MalwareBazaar\r\nLumma developers operate a usrlnk.io URL providing links for their distinct services:\r\nLumma Links Reference on usrlnk.io\r\nA Telegram bot for selling their services.\r\nA Telegram bot for reporting bugs.\r\nA Telegram bot for selling/acquiring Lumma Logs.\r\nLumma Logs Market. Source: @g0njxa\r\nOf course, operators can still monetize the stolen logs on underground forums or sell credentials with valid access to organizations (Initial Access Brokers - IABs):\r\nLumma Logs for Sale. Source: Breachforums\r\nA Gitbook (also available in telegra.ph) that offers detailed documentation and FAQs for their product, containing information regarding the stealer, its features and how-to-use guides.\r\nLumma Gitbook (Translated)\r\nLumma offers three subscription plans catering to different levels of usage:\r\n1. Experienced ($250/month): This basic plan allows users to set up to 10 filters for log management, download logs in bulk, and search logs by specific queries (e.g., wallets or specific websites). It includes tools to analyze logs by country, currency, or custom filters, and lets users clear logs and track log quality. Users can tag up to three custom builds.\r\n2. Professional ($500/month): This intermediate plan includes all features of the Experienced plan, but with unlimited filters and more advanced tools. It enables bulk deletion of logs, statistics sharing, and access to widgets for log quality and filtering. 
Users can create and customize profiles for data collection, adding or removing browsers, extensions, or file paths. It allows real-time editing of collection rules, the use of masks or variable paths, and deeper customization of the data collection process. The plan also includes a non-residential loader for loading various files with the stealer.\r\n3. Corporate ($1,000/month): This premium plan provides all the Professional features with added benefits for better stealth and reliability. Builds are cleaned more frequently and include improved bypass techniques for security defenses, like avoiding detection when accessing password stores. Google account session validity is enhanced through specialized cookies. Builds are morphed into unique variations for better survivability. This plan is ideal for highly targeted operations requiring advanced security and customization.\r\nLumma Log Format\r\nLumma is believed to have been developed by the threat actor persona “Shamel”, under the alias “Lumma”.\r\nLumma has a strong presence on Russian-speaking forums such as RAMP and XSS, to promote their product and its updates:\r\nLumma Product Updates. Source: XSS\r\nThe researcher, in November 2023, conducted a notable HUMINT collection by interviewing Lumma. The following points were notable:\r\n1. Overview of Lumma\r\nLumma describes itself as one of the most technologically advanced stealers, claiming its innovations are often emulated by competitors.\r\nContinuous product improvement is a key focus, with steady client growth since its launch on December 21, 2022.\r\n2. Client Base\r\nLumma boasts approximately 400 active clients, which is considered a significant customer base for malware projects. 
(Lumma and its logs have been used by threat actors such as the Stargazers Ghost Network, UNC5537, UNC4536 and Water Hydra APT)\r\nMany clients reportedly migrate from competitors like Redline and Meta stealers.\r\n3. June 2023 Update\r\nA major update including 25 enhancements in June 2023 marked a turning point, significantly increasing Lumma’s use and recognition.\r\n4. Unique Features and Branding\r\nLumma incorporates cultural elements, such as Russian and Western poetry, into its infrastructure (e.g., Yesenin and Baudelaire poems on C2 domains), though these have since been removed.\r\n5. Market Trends and Future Plans\r\nLumma’s developers acknowledge ongoing demand in the stealer market, with plans to remain active for at least the next 2–3 years.\r\n6. Anti-CIS Policies\r\nLumma enforces strict “anti-CIS” policies, refusing to target Russians and rejecting lucrative offers to bypass this restriction.\r\nThe architecture is designed to prevent modification that could enable targeting CIS countries, contrasting with incidents like the WhiteSnake Stealer breach.\r\n7. Response to Tracking Efforts\r\nDevelopers are aware of security researchers tracking Lumma and see it as beneficial publicity, highlighting a nonchalant stance toward monitoring.\r\nCapability\r\nLumma’s capabilities have been well documented by their telegra.ph website and other credible organizations (e.g. any.run, CYFIRMA, SOCRadar, TrendMicro). 
However, some key TTPs include:\r\nDistribution Methods: Infected email attachments, malicious online advertisements, social engineering, software ‘cracks’.\r\nData log collection: Lumma collects detailed data logs from compromised endpoints, including information extracted from browsers and cryptocurrency wallets.\r\nData exfiltration: The malware effectively gathers sensitive information from targeted applications, including login credentials, financial data, and personal details. The data are exfiltrated to the C2 server over an encrypted channel. It can also support exfiltration to a Telegram bot.\r\nServer Side Decryption of Stolen data: All data transmitted by the stealer is decrypted on the server side, which makes it more difficult to analyze the malware’s traffic during the exfiltration process.\r\nLoader capability: The stealer can drop additional malware onto compromised machines, expanding its malicious capabilities and potential impact.\r\nDefense Evasion: Event-controlled write operations, encryption, process injection, anti-debugging.\r\nNeighbor Detection: Lumma notifies operators about other instances of the malware running on the same system.\r\nHowever, it is of great importance to mention that Lumma receives updates \u0026 features on a regular basis that improve and expand its functionality:\r\nDecember 2024\r\nCryptocurrencies clipper module\r\nNovember 2024\r\nMultiple updates \u0026 bug fixes\r\nOctober 2024\r\nBypass of app-bound encryption on cookies implemented by popular browsers\r\nSigned Lumma payload in the wild\r\nAugust 2024\r\nNew config delivery method for C2 addresses via user names of Steam accounts. 
The C2 address is obtained by ROT-15 decrypting the user name\r\nJuly 2024\r\nAdded Any.run sandbox check\r\nMay 2024\r\nCollection of valuable information from Mozilla-based browsers extensions\r\nAdded support for Windows XP on their builds — ref\r\nApril 2024\r\nImplemented a “bot” (researchers, sandboxes, etc) protection system using artificial intelligence and deep learning, pre-trained on screenshots of known virtual machines\r\nFebruary 2024\r\nPartnership with “GhostSocks”, a SOCKS5 manager\r\nNovember 2023\r\nAbility to restore dead cookies using a key from restore files (applies only to Google cookies)\r\nAll these benefits of ease of use and fair prices, along with advanced and customizable features, seem to have pushed actors to make heavy use of this information stealer. This can be seen from the high volume of campaigns publicly reported delivering Lumma throughout the year:\r\nDecember 2024\r\nThreat actors are abusing community platforms like YouTube and Discord to promote fake cheats and spread NodeLoader that delivers Lumma\r\nLumma Campaign targeting the Manufacturing sector in North America\r\nNovember 2024\r\nEmmenhtal Loader Uses Scripts to Deliver Lumma and Other Malware\r\nLumma is Spread in YouTube descriptions impersonating Game Cheats\r\nFake AI image and video generators infect Windows with Lumma\r\nLumma Campaign targeting the Transportation sector in North America\r\nOctober 2024\r\nMalicious ads push Lumma infostealer via fake CAPTCHA pages\r\nClearFake variant (without using the EtherHiding technique) is spreading Lumma via the ClickFix tactic on compromised websites\r\nFake crypto game “Cosmo Whales” spotted hosting Lumma and using social engineering to spread throughout Discord communities\r\nLumma is pushed from fake (typosquatted) websites impersonating legitimate software vendors such as Postman\r\nSeptember 2024\r\nFake League of Legends Download Ads Spread Lumma\r\nTelegram Group promoting cracked software infected with Lumma\r\nLumma spread by phishing notification of false security vulnerability on GitHub projects\r\nMalvertising Spreading Lumma and targeting Users of Outdated Windows in Europe\r\nOn a hacking forum, a user offered a tool to “check” OnlyFans accounts which was in fact a delivery method for Lumma\r\nAugust 2024\r\nGitHub comments abused to push Lumma masked as fixes to issues\r\nMalvertising spreads NUMOZYLOD delivering Lumma\r\nJuly 2024\r\nExploitation of CVE-2024-21412 (a security bypass vulnerability in Microsoft Windows SmartScreen) to deliver Lumma\r\nLumma Packed with CypherIt Distributed Using Falcon Sensor Update Phishing Lure\r\nPhishing campaign by WaterHydra APT impersonating Medicare Australia\r\nJune 2024\r\nInjecting Lumma to Python Package “crytic-compilers”\r\nPopup text instructs victims to paste copied script that delivers Lumma into window for administrative PowerShell terminal\r\nClick-Fix Lumma campaign targeting Chile\r\nMay 2024\r\nFake Browser Updates delivering BitRAT and Lumma\r\nApril 2024\r\nMultiple fake AV sites hosting Lumma payloads\r\nThreat Actors Deliver Lumma via YouTube Video Game Cracks\r\nMarch 2024\r\nNo public reports\r\nFebruary 2024\r\nA vibrator (USB enabled) was infected with Lumma\r\nJanuary 2024\r\nYouTube Videos Promoting Cracked Software Distribute Lumma\r\nLumma Campaigns Line Graph\r\nInfrastructure\r\nLumma’s operators demonstrate a dynamic approach to adapting their infrastructure, frequently modifying their Tactics, Techniques, and Procedures (TTPs) to bypass restrictions and maintain operational effectiveness. 
Example observations of infrastructure preferences included:\r\nPayload Delivery\r\nBitbucket hosting — December 2024\r\nDigital Ocean S3 buckets and CDN hosting — October 2024\r\nDouble Extension pdf.lnk files — October 2024\r\nPaste services such as rentry.co to host URL payloads — August 2024\r\nGithub repositories \u0026 FileZilla Servers — January 2024\r\nC2 Servers\r\n.cyou, .shop, .biz, .sbs, .click, .lat, .com, .xyz, .store, .icu TLDs — December 2024\r\nDynadot \u0026 Namecheap Registrars — October 2024\r\n.cfd, .store, .biz, .buzz, .site TLDs — October 2024\r\nSteam Profiles ROT-15 encrypted text to retrieve C2 domain — August 2024\r\nHosting with Cloudflare — March 2024\r\nVictim\r\nLumma developers and operators are motivated by financial gain, meaning everyone is a potential target. Besides that, as mentioned earlier, Lumma developers enforce strict “anti-CIS” policies, refusing to target Russians and rejecting lucrative offers to bypass this restriction.\r\nAdditionally, distinct Lumma campaigns have been reported:\r\nCampaign targeting the Manufacturing sector in North America — December 2024\r\nCampaign targeting the Transportation sector in North America — November 2024\r\nPhishing emails impersonating GitHub, about security vulnerabilities supposedly requiring the recipients’ attention, reaching users in Italy — September 2024\r\nMalvertising targeting French and Polish Users — September 2024\r\nPhishing campaign by WaterHydra APT impersonating Medicare Australia — July 2024\r\nExploitation of CVE-2024-21412 to deliver Lumma in North America, Spain, Thailand — July 2024\r\nClick-Fix campaign targeting Chile — June 2024\r\nAlso, based on the campaign themes described in the Capability section, the following groups of individuals seem to be targeted:\r\nGamers\r\nCracked Software users\r\nCrypto users\r\nOnlyFans users\r\nDevelopers\r\nAI enthusiasts\r\nObservations/Questions\r\nIs Lumma so effective that threat actors devote significant time and tradecraft only to design distribution methods? It seems so, given the volume of different campaigns spreading Lumma throughout the year.\r\nWill Lumma continue to rise in 2025? We’ll see. Being a leader in the cybercrime sector usually attracts law enforcement actions.\r\nCan we track distinct threat actor groups that utilize Lumma? Possibly, by focusing on distribution efforts and themes, along with build and feature clustering per payload observed. We can leave that to the big players with bigger volumes of telemetry.\r\nIs it beneficial for defenders that a single malware is so popular among attackers? Probably, since the community is familiar with this malware, and hunting/detection mechanisms are in place and constantly evolving.\r\nAny predictions for 2025? Similar MaaS could emerge, extremely focused and professional, with regular updates and unique features to compete with other strong players like Lumma and Vidar.\r\nAppendix — Diamond Model\r\nLumma — Diamond Model\r\nSource: https://medium.com/@s.lontzetidis/lumma-2024-dominating-the-info-stealer-market-070e7d8fa3d6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/@s.lontzetidis/lumma-2024-dominating-the-info-stealer-market-070e7d8fa3d6"
	],
	"report_names": [
		"lumma-2024-dominating-the-info-stealer-market-070e7d8fa3d6"
	],
	"threat_actors": [
		{
			"id": "a5bd315b-6220-441f-8ed1-39e194dcd0e3",
			"created_at": "2023-12-01T02:02:33.667762Z",
			"updated_at": "2026-04-10T02:00:04.641333Z",
			"deleted_at": null,
			"main_name": "DarkCasino",
			"aliases": [
				"Water Hydra"
			],
			"source_name": "ETDA:DarkCasino",
			"tools": [
				"CloudEyE",
				"DarkMe",
				"GuLoader",
				"PikoloRAT",
				"vbdropper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "358432a9-d927-43c7-9201-b7aa7d184c26",
			"created_at": "2024-06-20T02:02:10.317536Z",
			"updated_at": "2026-04-10T02:00:05.043265Z",
			"deleted_at": null,
			"main_name": "UNC5537",
			"aliases": [],
			"source_name": "ETDA:UNC5537",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c3c24777-7c0f-4772-b273-2163ac5a6b67",
			"created_at": "2024-06-19T02:00:04.373472Z",
			"updated_at": "2026-04-10T02:00:03.651748Z",
			"deleted_at": null,
			"main_name": "UNC5537",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC5537",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "630987b6-1240-486a-ad47-bb63d6573e6b",
			"created_at": "2024-09-20T02:00:04.579123Z",
			"updated_at": "2026-04-10T02:00:03.697899Z",
			"deleted_at": null,
			"main_name": "UNC4536",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC4536",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434930,
	"ts_updated_at": 1775792004,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/da9c79807b8ae4ea622e931bba531cf68e67581d.pdf",
		"text": "https://archive.orkl.eu/da9c79807b8ae4ea622e931bba531cf68e67581d.txt",
		"img": "https://archive.orkl.eu/da9c79807b8ae4ea622e931bba531cf68e67581d.jpg"
	}
}