Global operation disrupts Lumma Stealer
ESET collaborated with Microsoft and other partners in a global operation to disrupt Lumma Stealer, a prominent malware-as-a-service infostealer. ESET's contribution involved analyzing tens of thousands of malware samples to extract key data like C&C servers and affiliate identifiers. The operation targeted Lumma Stealer's infrastructure, aiming to render its exfiltration network nonoperational. Lumma Stealer had been actively developed and maintained by its operators, with regular updates to its code and network infrastructure. It employed various anti-analysis techniques and targeted a wide range of data, including credentials from browsers, cryptocurrency wallets, and other applications.
AI Analysis
Technical Summary
Lumma Stealer is a malware-as-a-service (MaaS) infostealer whose operators actively develop and maintain it, with regular updates to both the codebase and the command-and-control (C&C) infrastructure. It specialises in credential theft across a broad range of data: browser-stored credentials, cryptocurrency wallets and other application data. It uses various anti-analysis techniques to evade detection and hinder reverse engineering, which has made it a persistent fixture of the cybercrime ecosystem. The global operation, in which ESET worked alongside Microsoft and other partners, targeted Lumma Stealer's infrastructure: ESET analysed tens of thousands of samples to extract C&C server addresses and affiliate identifiers, and that intelligence was used to take down the exfiltration network and render the data-theft capability nonoperational. The operation also shows the malware's reliance on a distributed affiliate model in which multiple actors rent the Lumma Stealer platform for their own credential-theft campaigns. No exploited vulnerability is recorded for this entry; the infection vector is delivery of the stealer itself (the mitigations below name phishing and social engineering as typical routes), so continued development and active use keep the risk alive for organizations and individuals. The disruption is intended to cut Lumma Stealer's operational capacity sharply, but the threat remains relevant because the infrastructure could be reconstituted or a similar MaaS platform could take its place.
Potential Impact
For European organizations, the Lumma Stealer threat primarily endangers the confidentiality of sensitive information, including user credentials and financial assets such as cryptocurrency wallets. Successful infections can lead to unauthorized access to corporate accounts, email systems, and financial platforms, potentially resulting in data breaches, financial fraud, and lateral movement within networks. The theft of credentials can also facilitate further attacks such as business email compromise (BEC) or ransomware deployment. Given the malware's targeting of widely used browsers and applications, organizations with remote workforces or those relying heavily on web-based services are particularly vulnerable. The disruption of Lumma Stealer's infrastructure reduces immediate risk but does not eliminate the threat of similar malware or reactivation by affiliates. The impact on integrity and availability is generally indirect but can escalate if stolen credentials are used to deploy destructive payloads or disrupt services. Overall, the threat poses a medium-level risk to European organizations, especially those in finance, technology, and sectors with high-value digital assets.
Mitigation Recommendations
European organizations should go beyond generic advice when mitigating Lumma Stealer:
1) Deploy endpoint detection and response (EDR) tooling that flags the anti-analysis techniques and behavioural indicators associated with infostealers.
2) Enforce strict credential hygiene, including hardware-based multi-factor authentication (MFA) for critical systems and cryptocurrency wallets. MFA protects the login step, not a session cookie lifted from the browser profile, so a confirmed infection should trigger revocation of active sessions and rotation of every credential the browser held.
3) Regularly audit and restrict browser extensions and applications that could be abused to harvest credentials.
4) Hunt frequently for the indicators of compromise tied to Lumma Stealer's known C&C infrastructure and affiliate identifiers, using threat intelligence from partners such as ESET and Microsoft.
5) Segment networks to limit lateral movement if credentials are compromised.
6) Train employees on the phishing and social engineering tactics that commonly deliver MaaS infostealers.
7) Work with cybersecurity communities and law enforcement to stay informed about ongoing disruptions and emerging MaaS platforms.
Combined with continuous monitoring and incident response readiness, these measures improve resilience against Lumma Stealer and similar threats.
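Mitigation 4 above calls for hunting the published C&C domains and sample hashes in your own telemetry. The Python below is an added example written for this page, not ESET's or Microsoft's tooling: it takes a handful of the domains and hashes from the Indicators of Compromise list, matches DNS queries against them with subdomain awareness (a query for a host under a listed domain still hits, while a look-alike such as nottolstoi.com does not), normalises case on file hashes before lookup, and labels each hash by algorithm from its hex length. The log line formats and the log contents are constructed for the example and are not real telemetry.

```python
"""Hunt constructed DNS and file-hash telemetry against Lumma Stealer IOCs.
Example code for this page; the log formats below are hypothetical."""
import re
from collections import Counter

# Subset of the C&C domains listed under Indicators of Compromise on this page.
IOC_DOMAINS = {
    "achievenmtynwjq.shop",
    "bashfulacid.lat",
    "beevasyeip.bond",
    "byteplusx.digital",
    "equatorf.run",
    "tolstoi.com",
    "zestmodp.top",
    "1212tank.activitydmy.icu",
}

# Hashes listed on this page (MD5, SHA-1 and SHA-256 of one sample, plus another SHA-1).
IOC_HASHES = {
    "8326264cfcff215611c9890e985b80e6",
    "658550e697d9499db7821cbbbf59ffd39eb59053",
    "d5b6cd18d84f4c8334b84745bc0603d7d7407aa7243ef945f8a3696c9d097f65",
    "09734d99a278b3cf59fe82e96ee3019067af2ac5",
}

HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}


def classify_hash(value):
    """Infer the digest algorithm from the hex length; None if not a hex digest."""
    v = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", v):
        return None
    return HASH_ALGOS.get(len(v))


def normalize_domain(name):
    """Lower-case and drop a trailing dot so FQDN and relative forms compare equal."""
    return name.strip().lower().rstrip(".")


def domain_matches(qname, iocs=IOC_DOMAINS):
    """Return the matching IOC for an exact hit or for any subdomain of a listed domain.
    'api.tolstoi.com' hits 'tolstoi.com'; 'nottolstoi.com' must not."""
    labels = normalize_domain(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


# Constructed DNS log (hypothetical format: "<ts> <client_ip> <qname> <qtype>").
SAMPLE_DNS_LOG = """\
2025-05-20T08:01:12Z 10.0.4.21 login.microsoftonline.com A
2025-05-20T08:01:13Z 10.0.4.21 equatorf.run A
2025-05-20T08:02:40Z 10.0.4.37 api.tolstoi.com A
2025-05-20T08:03:02Z 10.0.4.37 nottolstoi.com A
2025-05-20T08:05:55Z 10.0.4.50 1212tank.activitydmy.icu A
2025-05-20T08:06:10Z 10.0.4.50 cdn.example.org AAAA
"""


def hunt_dns(log_text, iocs=IOC_DOMAINS):
    """Return (client_ip, qname, matched_ioc) for every line querying an IOC domain."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line, skip rather than crash the hunt
        client, qname = parts[1], parts[2]
        match = domain_matches(qname, iocs)
        if match:
            hits.append((client, normalize_domain(qname), match))
    return hits


# Constructed file-hash telemetry (hypothetical format: "<host> <path> <digest>").
# The first digest is upper-case on purpose: lookups must normalise case.
SAMPLE_FILE_LOG = """\
WS-0421 C:\\Users\\a\\Downloads\\setup.exe 658550E697D9499DB7821CBBBF59FFD39EB59053
WS-0437 C:\\Windows\\System32\\notepad.exe 0000000000000000000000000000000000000000
WS-0450 C:\\Users\\b\\AppData\\Local\\Temp\\x.exe 09734d99a278b3cf59fe82e96ee3019067af2ac5
"""


def hunt_hashes(log_text, iocs=IOC_HASHES):
    """Return (host, path, algorithm) for every file whose digest is a listed IOC."""
    normalised = {h.lower() for h in iocs}
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        host, path, digest = parts[0], " ".join(parts[1:-1]), parts[-1].lower()
        if digest in normalised:
            hits.append((host, path, classify_hash(digest)))
    return hits


def tld_histogram(domains=IOC_DOMAINS):
    """Count top-level domains; the published list clusters in a few cheap new gTLDs."""
    return Counter(d.rsplit(".", 1)[-1] for d in domains)


if __name__ == "__main__":
    for hit in hunt_dns(SAMPLE_DNS_LOG):
        print("DNS hit:", hit)
    for hit in hunt_hashes(SAMPLE_FILE_LOG):
        print("Hash hit:", hit)
    print(tld_histogram().most_common(3))
```

Subdomain matching matters here because the feed lists one C&C as a full hostname (1212tank.activitydmy.icu) and the rest as bare domains; an exact-match lookup on full query names would miss traffic to hosts under those bare domains. Labelling hashes by length also tells you which telemetry source can use each indicator, since many EDR and proxy logs record only one digest type.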
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland
Indicators of Compromise
- domain: achievenmtynwjq.shop
- domain: advennture.top
- domain: appgridn.live
- domain: bashfulacid.lat
- domain: bassizcellskz.shop
- domain: beerishint.sbs
- domain: beevasyeip.bond
- domain: bellflamre.click
- domain: bemuzzeki.sbs
- domain: bigmouthudiop.shop
- domain: broadecatez.bond
- domain: brownieyuz.sbs
- domain: byteplusx.digital
- domain: caffegclasiqwp.shop
- domain: callosallsaospz.shop
- domain: carrtychaintnyw.shop
- domain: celebratioopz.shop
- domain: changeaie.top
- domain: chickerkuso.shop
- domain: clarmodq.top
- domain: climatologfy.top
- domain: codxefusion.top
- domain: complaintsipzzx.shop
- domain: condedqpwqm.shop
- domain: cooperatvassquaidmew.xyz
- domain: crisisrottenyjs.xyz
- domain: curverpluch.lat
- domain: deadtrainingactioniw.xyz
- domain: deallerospfosu.shop
- domain: ducksringjk.sbs
- domain: earthsymphzony.today
- domain: encirelk.cyou
- domain: equatorf.run
- domain: evoliutwoqm.shop
- domain: exemplarou.sbs
- domain: exilepolsiy.sbs
- domain: experimentalideas.today
- domain: explainvees.sbs
- domain: exuberanttjdkwo.xyz
- domain: frizzettei.sbs
- domain: froytnewqowv.shop
- domain: gadgethgfub.icu
- domain: grandcommonyktsju.xyz
- domain: granystearr.bond
- domain: hardrwarehaven.run
- domain: hardswarehub.today
- domain: hemispherexz.top
- domain: indexterityszcoxp.shop
- domain: invinjurhey.sbs
- domain: isoplethui.sbs
- domain: laddyirekyi.sbs
- domain: languagedscie.shop
- domain: lariatedzugspd.shop
- domain: latitudert.live
- domain: liernessfornicsa.shop
- domain: liftally.top
- domain: locatedblsoqp.shop
- domain: longitudde.digital
- domain: lunoxorn.top
- domain: manyrestro.lat
- domain: metallygaricwo.shop
- domain: milldymarskwom.shop
- domain: millyscroqwp.shop
- domain: nighetwhisper.top
- domain: opponnentduei.shop
- domain: outpointsozp.shop
- domain: piratetwrath.run
- domain: pixtreev.run
- domain: puredoffustow.shop
- domain: qualificationjdwko.xyz
- domain: quarrelepek.bond
- domain: quialitsuzoxm.shop
- domain: quietswtreams.life
- domain: quilltayle.live
- domain: quotamkdsdqo.shop
- domain: relalingj.sbs
- domain: repostebhu.sbs
- domain: rockemineu.bond
- domain: rottieud.sbs
- domain: salaccgfa.top
- domain: sectorecoo.live
- domain: shapestickyr.lat
- domain: shepherdlyopzc.shop
- domain: skynetxc.live
- domain: slipperyloo.lat
- domain: socialsscesforum.icu
- domain: sparkiob.digital
- domain: stagedchheiqwo.shop
- domain: stamppreewntnq.shop
- domain: starofliught.top
- domain: suggestyuoz.biz
- domain: sweetcalcutangkdow.xyz
- domain: talkynicer.lat
- domain: tamedgeesy.sbs
- domain: targett.top
- domain: techmindzs.live
- domain: techspherxe.top
- domain: tentabatte.lat
- domain: thinkyyokej.sbs
- domain: tolstoi.com
- domain: toppyneedus.biz
- domain: traineiwnqo.shop
- domain: tranuqlekper.bond
- domain: travewlio.shop
- domain: tripfflux.world
- domain: unseaffarignsk.shop
- domain: upknittsoappz.shop
- domain: usseorganizedw.shop
- domain: wickedneatr.sbs
- domain: wordingnatturedowo.xyz
- domain: wordyfindy.lat
- domain: writerospzm.shop
- domain: zestmodp.top
- domain: 1212tank.activitydmy.icu
- hash (MD5): 8326264cfcff215611c9890e985b80e6 (same sample as SHA-1 658550e697d9499db7821cbbbf59ffd39eb59053)
- hash (SHA-1): 658550e697d9499db7821cbbbf59ffd39eb59053
- hash (SHA-256): d5b6cd18d84f4c8334b84745bc0603d7d7407aa7243ef945f8a3696c9d097f65 (same sample as SHA-1 658550e697d9499db7821cbbbf59ffd39eb59053)
- hash (MD5): accdbd5044408c82c19c977829713e4f (same sample as SHA-1 070a001ac12139cc1238017d795a2b43ac52770d)
- hash (SHA-1): 070a001ac12139cc1238017d795a2b43ac52770d
- hash (SHA-1): 09734d99a278b3cf59fe82e96ee3019067af2ac5
- hash (SHA-1): 0d744811cf41606deb41596119ec7615ffeb0355
- hash (SHA-1): 1435d389c72a5855a5d6655d6299b4d7e78a0127
- hash (SHA-1): 1fd806b1a0425340704f435cbf916b748801a387
- hash (SHA-1): 2cccea9e1990d6bc7755ce5c3b9b0e4c9a8f0b59
- hash (SHA-1): 2e3d4c2a7c68de2dd31a8e0043d9cf7e7e20fde1
- hash (SHA-1): 5fa1edc42abb42d54d98fee0d282da453e200e99
- hash (SHA-1): 6f94cfaabb19491f2b8e719d74ad032d4beb3f29
- hash (SHA-1): 8f58c4a16717176dfe3cd531c7e41bef8cdf6cfe
- hash (SHA-1): c5d3278284666863d7587f1b31b06f407c592ac4
- hash (SHA-1): f4840c887caaff0d5e073600aec7c96099e32030
- hash (SHA-256): dfa2ab0714c9f234b63fd1295ce468bd247465701a90b8a9ab9eb3d6d032d258 (same sample as SHA-1 070a001ac12139cc1238017d795a2b43ac52770d)
Technical Details
- Author: AlienVault
- TLP: white
- Reference: https://www.welivesecurity.com/en/eset-research/eset-takes-part-global-operation-disrupt-lumma-stealer/
- Adversary: Lumma Stealer
- Pulse ID: 6834309a12aef87c250009b1
Threat ID: 683432cd0acd01a24928497e
Added to database: 5/26/2025, 9:22:21 AM
Last enriched: 6/25/2025, 9:45:45 AM
Last updated: 8/8/2025, 1:43:51 PM