Yesterday I reported on a takedown of the Lumma Stealer network which is a big deal as this infostealer is a huge threat to computer users everywhere. Today ESET announced that has taken part in this takedown. The operation, spearheaded by Microsoft and supported by BitSight, Lumen, Cloudflare, CleanDNS, GMO Registry, and ESET, has successfully disrupted key elements of Lumma Stealer’s infrastructure, significantly impeding its ability to exfiltrate sensitive data from victims worldwide.
Key Contributions by ESET:
ESET contributed to the disruption by analyzing and processing tens of thousands of Lumma Stealer samples, identifying C&C servers, affiliate identifiers, and tracking the malware’s evolution in real time. Our automated telemetry enabled continuous monitoring of Lumma Stealer’s activities, supporting the takedown of over 3,000 malicious domains used since mid-2024.
ESET provided in-depth technical analysis and statistical breakdowns, helping cluster threat actors and understand the malware’s changing tactics.
The Threat of Lumma Stealer
Lumma Stealer (also known as LummaC or LummaC2) has been one of the most active infostealers in the cybercrime landscape over the past two years. Operated on a subscription-based MaaS model, it allowed cybercriminals to steal browser data, credentials, cryptocurrency wallets, and more, which are frequently sold on underground marketplaces to ransomware groups and other threat actors.
The malware’s infrastructure included Telegram-based dead-drop resolvers, weekly domain updates, and an elaborate affiliate tracking system through unique LID and UID identifiers. Its modular design and advanced anti-analysis techniques like control flow flattening and encrypted stack strings made detection and mitigation difficult—until now.
Global Disruption Impact
The collaborative disruption effort has rendered large portions of Lumma Stealer’s command-and-control network inoperable, striking a major blow to its ability to continue operations. While the actors behind Lumma Stealer are likely to attempt to regroup or pivot, this intervention marks a significant disruption to one of the most pervasive infostealer operations in recent years.
What Comes Next
ESET will continue to monitor the cybercrime ecosystem for signs of Lumma Stealer’s return or rebranding and remains committed to disrupting infostealer malware families that put organizations and individuals at risk.
Read the Full Technical Report
To explore the complete in-depth technical analysis, infrastructure breakdowns, sample statistics, and obfuscation techniques used by Lumma Stealer, visit the ESET We Live Security Blog: https://www.welivesecurity.com/en/eset-research/eset-takes-part-global-operation-disrupt-lumma-stealer/
Related
This entry was posted on May 22, 2025 at 9:49 am and is filed under Commentary with tags ESET. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
ESET Participates In Lumma Stealer Takedown
Yesterday I reported on a takedown of the Lumma Stealer network which is a big deal as this infostealer is a huge threat to computer users everywhere. Today ESET announced that has taken part in this takedown. The operation, spearheaded by Microsoft and supported by BitSight, Lumen, Cloudflare, CleanDNS, GMO Registry, and ESET, has successfully disrupted key elements of Lumma Stealer’s infrastructure, significantly impeding its ability to exfiltrate sensitive data from victims worldwide.
Key Contributions by ESET:
ESET contributed to the disruption by analyzing and processing tens of thousands of Lumma Stealer samples, identifying C&C servers, affiliate identifiers, and tracking the malware’s evolution in real time. Our automated telemetry enabled continuous monitoring of Lumma Stealer’s activities, supporting the takedown of over 3,000 malicious domains used since mid-2024.
ESET provided in-depth technical analysis and statistical breakdowns, helping cluster threat actors and understand the malware’s changing tactics.
The Threat of Lumma Stealer
Lumma Stealer (also known as LummaC or LummaC2) has been one of the most active infostealers in the cybercrime landscape over the past two years. Operated on a subscription-based MaaS model, it allowed cybercriminals to steal browser data, credentials, cryptocurrency wallets, and more, which are frequently sold on underground marketplaces to ransomware groups and other threat actors.
The malware’s infrastructure included Telegram-based dead-drop resolvers, weekly domain updates, and an elaborate affiliate tracking system through unique LID and UID identifiers. Its modular design and advanced anti-analysis techniques like control flow flattening and encrypted stack strings made detection and mitigation difficult—until now.
Global Disruption Impact
The collaborative disruption effort has rendered large portions of Lumma Stealer’s command-and-control network inoperable, striking a major blow to its ability to continue operations. While the actors behind Lumma Stealer are likely to attempt to regroup or pivot, this intervention marks a significant disruption to one of the most pervasive infostealer operations in recent years.
What Comes Next
ESET will continue to monitor the cybercrime ecosystem for signs of Lumma Stealer’s return or rebranding and remains committed to disrupting infostealer malware families that put organizations and individuals at risk.
Read the Full Technical Report
To explore the complete in-depth technical analysis, infrastructure breakdowns, sample statistics, and obfuscation techniques used by Lumma Stealer, visit the ESET We Live Security Blog: https://www.welivesecurity.com/en/eset-research/eset-takes-part-global-operation-disrupt-lumma-stealer/
Share this:
Like this:
Related
This entry was posted on May 22, 2025 at 9:49 am and is filed under Commentary with tags ESET. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.