Cloudflare’s Cloudforce One and Trust and Safety team participated in a coordinated disruption effort targeting the Lumma Stealer malware operation. Lumma Stealer (also known as LummaC2) is part of a broader class of information-stealing malware that poses a serious threat to both individuals and organizations. By exfiltrating credentials, cryptocurrency wallets, cookies, and other sensitive data from infected machines, Lumma facilitates a wide range of downstream criminal activity, including financial fraud, identity theft, and enterprise breaches that can lead to ransomware. Disrupting this ecosystem is critical to protecting users, undermining the cybercrime economy, and preventing further harm.
Lumma Stealer’s operators attempted to abuse numerous service providers’ infrastructure, including Cloudflare’s, to support their malware operations. Cloudflare detected Lumma Stealer’s abuse and participated in a Microsoft-led disruption effort. As part of this effort, Microsoft collaborated with other private industry partners, both those directly impacted and those providing intelligence and technical support, along with the U.S. Department of Justice, Europol’s European Cybercrime Centre (EC3), and Japan’s Cybercrime Control Center (JC3).
In a Nutshell
- Lumma Stealer is a Malware-as-a-Service offering that allows criminals to rent access to an administrative panel, where they can retrieve stolen data and generate customized builds of the malware payload for distribution to victims worldwide.
- Like most other information-stealing malware, Lumma Stealer is spread primarily through social engineering campaigns that lure targets into following instructions that result in the download and execution of the malware.
- The Lumma Stealer disruption effort denies the Lumma operators access to their control panel, marketplace of stolen data, and the Internet infrastructure used to facilitate the collection and management of that data. These actions impose operational and financial costs on both the Lumma operators and their customers, forcing them to rebuild their services on alternative infrastructure.
Mitigating Lumma Stealer activity
Properly defending against Lumma Stealer involves a layered security approach, since it is a fast-evolving infostealer often delivered via malvertising, phishing, or compromised software. Enterprise defenders should carefully restrict access to newly registered domains (NRDs), since abuse of NRDs is a tactic LummaC2 uses extensively. Users outside of an enterprise may consider limiting or preventing the execution of PowerShell and other scripts where they are not required. Enterprise defenders should also consider the following:
- Endpoint protection and hardening
- Browser and credential hygiene
- Patch and update regularly
- DNS and network filtering
- Email and web filtering
- User training
- Detection and threat hunting
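As an added illustration of the NRD restriction recommended above (example code, not from Cloudflare or the original post), the Python below applies a domain-age policy to constructed resolver log lines. The log format, the registration-date table and every domain name are assumptions standing in for a real resolver and an RDAP/WHOIS or threat-intelligence lookup.

```python
import re
from datetime import date

# Constructed resolver log lines ("timestamp client query_name"); the log
# shape is an assumption and none of these names are real Lumma hosts.
SAMPLE_DNS_LOG = """\
2025-05-20T09:14:02Z 10.0.4.17 updates.example-vendor.com
2025-05-20T09:14:05Z 10.0.4.17 cdn.fresh-panel-host.net
2025-05-20T09:14:09Z 10.0.4.23 login.corp.example.co.uk
2025-05-20T09:14:15Z 10.0.4.31 totally-unknown-host.xyz
"""
SAMPLE_DAY = date(2025, 5, 20)  # "today" for the constructed sample

# Constructed registration dates standing in for the RDAP/WHOIS or
# domain-age intelligence feed a real deployment would query.
REGISTRATION_DATES = {
    "example-vendor.com": date(2015, 3, 2),
    "fresh-panel-host.net": date(2025, 5, 18),
    "example.co.uk": date(2012, 7, 19),
}

# Small stand-in for the Public Suffix List so "example.co.uk" is kept whole.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def registrable_domain(qname):
    """Reduce a query name to the domain a registrar would hold a record for."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def classify(domain, today, max_age_days, registry=REGISTRATION_DATES):
    """'nrd' if registered within max_age_days, 'unknown' if no record, else 'ok'."""
    registered = registry.get(domain)
    if registered is None:
        return "unknown"  # no age data: hold for review rather than assume safe
    return "nrd" if (today - registered).days <= max_age_days else "ok"

def flag_nrd_queries(log_text, today, max_age_days=30):
    """Return (timestamp, client, domain, verdict) for queries the policy would not allow through."""
    flagged = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than abort the whole run
        ts, client, qname = m.groups()
        domain = registrable_domain(qname)
        verdict = classify(domain, today, max_age_days)
        if verdict != "ok":
            flagged.append((ts, client, domain, verdict))
    return flagged
```

The threshold of 30 days is a policy choice; in practice the `unknown` verdict needs its own handling, since a lookup gap is not evidence that a domain is old.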