US, European, and Japanese authorities, along with tech companies including Microsoft and Cloudflare, say they’ve disrupted Lumma, an infostealer popular with criminal gangs, according to wired.com.
A consortium of global law enforcement agencies and tech companies announced on Wednesday that they have disrupted the infostealer malware known as Lumma. One of the most popular infostealers worldwide, Lumma has been used by hundreds of what Microsoft calls “cyber threat actors” to steal passwords, credit card and banking information, and cryptocurrency wallet details. The tool, which officials say was developed in Russia, has provided cybercriminals with the information and credentials they needed to drain bank accounts, disrupt services, and carry out data extortion attacks against schools, among other things.
Microsoft’s Digital Crimes Unit (DCU) obtained an order from a United States district court last week to seize and take down about 2,300 domains underpinning Lumma’s infrastructure. At the same time, the US Department of Justice seized Lumma’s command-and-control infrastructure and disrupted the cybercriminal marketplaces that sold the Lumma malware. All of this was coordinated with the disruption of regional Lumma infrastructure by Europol’s European Cybercrime Center and Japan’s Cybercrime Control Center.
Microsoft lawyers wrote on Wednesday that Lumma, which is also known as LummaC2, has spread so broadly because it is “easy to distribute, difficult to detect, and can be programmed to bypass certain security defenses.”
Microsoft says that more than 394,000 Windows computers were infected with the Lumma malware between March 16 and May 16 this year. And Lumma was mentioned in more than 21,000 listings on cybercrime forums in the spring of 2024, according to figures cited in a notice published today by the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA). The malware has been spotted bundled in fake AI video generators and fake “deepfake” generation websites, and distributed by fake captcha pages.
Law enforcement’s collaboration with Microsoft’s DCU and other tech companies like Cloudflare focused on disrupting Lumma’s infrastructure in multiple ways, so its developers could not simply hire new providers or create parallel systems to rebuild.
“Cloudflare’s role in the disruption included blocking the command-and-control server domains, Lumma’s Marketplace domains, and banning the accounts that were used to configure the domains,” the company wrote in a blog post on Wednesday. “Microsoft coordinated the takedown of Lumma’s domains with multiple relevant registries in order to ensure that the criminals could not simply change the name servers and recover their control.”
While infostealing malware has been around for years, its use by cybercriminals and nation-state hackers has surged since 2020. Typically, infostealers find their way onto people’s computers through downloads of pirated software or through targeted phishing attacks that impersonate established companies and services, like Microsoft itself, to trick victims. Once on a computer, the malware harvests sensitive information—such as usernames and passwords, financial information, browser extensions, multifactor authentication details, and more—and sends it back to its operators.
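The credential-store access described above is also what makes an infostealer visible on the host. The following is an added example, not code from the article, Microsoft, Cloudflare or any vendor it cites: a simple detection rule run over constructed file-access events. Any process other than the browser or wallet application itself that opens a browser password, cookie or autofill database, a browser extension data directory, or a cryptocurrency wallet directory is flagged; script hosts and binaries running from temp or download directories are marked high. The three-field event format, the wallet paths and the staging-directory list are assumptions for illustration; the Chrome (Login Data, Cookies, Web Data, Local Extension Settings) and Firefox (logins.json, key4.db, cookies.sqlite) names are the browsers' standard profile files.

```python
"""Flag processes other than the owning application reading browser credential
stores, extension data or wallet files.  Added example with constructed input."""
from __future__ import annotations

import json
import ntpath
from typing import Iterable, Optional

# Script hosts and LOLBins that have no business opening a browser's password store.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}
# Directories a freshly dropped binary typically runs from (assumption, tune per estate).
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\programdata\\")


def normalise(path: str) -> str:
    """Lower-case and use backslashes so matching works regardless of input form."""
    return path.replace("/", "\\").lower()


def classify(target: str) -> Optional[tuple[str, set[str]]]:
    """Return (category, images allowed to touch it) if `target` is a secret store."""
    p = normalise(target)
    base = ntpath.basename(p)
    if "\\google\\chrome\\user data\\" in p:
        # Login Data = saved passwords, Cookies = sessions (bypasses MFA), Web Data = autofill/cards
        if base in {"login data", "cookies", "web data"}:
            return "chrome-credential-store", {"chrome.exe"}
        if "\\local extension settings\\" in p:
            return "chrome-extension-data", {"chrome.exe"}
    if "\\mozilla\\firefox\\profiles\\" in p and base in {"logins.json", "key4.db", "cookies.sqlite"}:
        return "firefox-credential-store", {"firefox.exe"}
    # Wallet locations below are illustrative assumptions, not a complete list.
    if "\\exodus\\exodus.wallet\\" in p or "\\electrum\\wallets\\" in p:
        return "crypto-wallet", {"exodus.exe", "electrum.exe"}
    return None


def severity(image: str) -> str:
    """High if the reader is a script host or runs from a staging directory."""
    img = normalise(image)
    if ntpath.basename(img) in SCRIPT_HOSTS or any(d in img for d in STAGING_DIRS):
        return "high"
    return "medium"


def parse_events(log: str) -> list[dict]:
    """One JSON object per line with fields pid, image, target (assumed format)."""
    return [json.loads(line) for line in log.splitlines() if line.strip()]


def detect(events: Iterable[dict]) -> list[dict]:
    alerts = []
    for ev in events:
        hit = classify(ev["target"])
        if hit is None:
            continue
        category, owners = hit
        if ntpath.basename(normalise(ev["image"])) in owners:
            continue  # the browser or wallet reading its own store is expected
        alerts.append({"pid": ev["pid"], "image": ev["image"], "target": ev["target"],
                       "category": category, "severity": severity(ev["image"])})
    return alerts


# Constructed sample telemetry (not real logs): one benign and one suspicious reader per store.
SAMPLE_LOG = r'''
{"pid": 4120, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "target": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"pid": 9932, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe", "target": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"pid": 7716, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "target": "C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x1y2z3ab.default-release\\logins.json"}
{"pid": 1204, "image": "C:\\Windows\\explorer.exe", "target": "C:\\Users\\alice\\Documents\\report.docx"}
{"pid": 5588, "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "target": "C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x1y2z3ab.default-release\\key4.db"}
{"pid": 9932, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe", "target": "C:\\Users\\alice\\AppData\\Roaming\\Electrum\\wallets\\default_wallet"}
{"pid": 3344, "image": "C:\\Program Files\\Acme\\updater.exe", "target": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"}
'''

if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(f"[{alert['severity']}] pid={alert['pid']} {alert['image']} -> {alert['category']}")
```

In practice the three fields would come from Windows object-access auditing (Security event 4663 on the profile directories) or an EDR's file-read telemetry; the rule stays the same. Expect noise from legitimate backup agents and password-manager importers, which belong on an explicit allow list rather than in the owner set.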
Some infostealer operators bundle and sell this stolen data. But increasingly the compromised details have acted as a gateway for hackers to launch further attacks, providing them with the details needed to access online accounts and the networks of multibillion-dollar corporations.
The Lumma infostealer first emerged on Russian-language cybercrime forums in 2022, according to the FBI and CISA. Since then its developers have upgraded its capabilities and released multiple different versions of the software.
Since 2023, for example, they have been working to integrate AI into the malware platform, according to findings from the security firm Trellix. Attackers want to add these capabilities to automate some of the work involved in cleaning up the massive amounts of raw data collected by infostealers, including identifying and separating “bot” accounts that are less valuable for most attackers.
One administrator of Lumma told 404Media and WIRED last year that they encouraged both seasoned hackers and new cybercriminals to use their software. “This brings us good income,” the administrator said, referring to the resale of stolen login data.
Among other tools, the Scattered Spider hacking group—which has attacked Caesars Entertainment, MGM Resorts International, and other victims—has been spotted using the Lumma stealer. Meanwhile, according to a report from TechCrunch, the Lumma malware was allegedly used in the buildup to the December 2024 hack of education tech firm PowerSchool, in which more than 70 million records were stolen.
Ian Gray, director of analysis and research at the security firm Flashpoint, says that while infostealers are only one tool that cybercriminals will use, their prevalence may make it easier for cybercriminals to hide their tracks. “Even advanced threat actor groups are leveraging infostealer logs, or they risk burning sophisticated tactics, techniques, and procedures,” Gray says.
Lumma isn’t the first infostealer to be targeted by law enforcement. In October last year, the Dutch National Police, along with international partners, took down the infrastructure linked to the RedLine and MetaStealer malware.
Despite the international crackdown, infostealers have proven too useful and effective for attackers to abandon. As Flashpoint’s Gray puts it, “Even if the landscape ultimately shifts due to the evolution of defenses, the growing prominence of infostealers over the past few years suggests they are likely here to stay for the foreseeable future. Usage of them has exploded.”
Read the full article on wired.com.
Related articles:
– 02.05.2025: The infostealer (information-stealing) malware threat – stiridigitale.ro
– 28.04.2025: $16.6 Billion in Cybercrime Losses in 2024 – FBI Internet Crime Report – stiridigitale.ro
– 05.03.2025: DNSC alert: "Advanced threats against digital wallets" – stiridigitale.ro
– 23.02.2025: Record-Breaking $1.5 Billion Crypto Heist in Sophisticated Cold Wallet Attack – stiridigitale.ro
– 12.12.2024: Hacking photovoltaic installations – a way to disrupt Europe's power grid – stiridigitale.ro
– 10.12.2024: The company Electrica was hit by a cyberattack – romania-actualitati.ro
– 05.12.2024: DNSC: "Beware of fake discounts and miracle investments! How to avoid digital traps in the gift season" – stiridigitale.ro
– 18.06.2024: DNSC has published recommendations for protecting personal and financial data during the summer season – stiridigitale.ro
– 01.04.2024: DNSC has launched a guide for identifying deepfake material – stiridigitale.ro
– 28.03.2024: Wi-Fi Hacking Happens! Here Are 10 basic actions to secure your home Wi-Fi network – stiridigitale.ro
– 11.01.2024: The National Cyber Security Directorate (DNSC) launches a guide to protecting and recovering social media accounts – stiridigitale.ro
Photo: freepik.com