Executive summary
Lumma Stealer is a prolific, Windows‑focused infostealer offered under a malware‑as‑a‑service (MaaS) model since 2022. It targets browser credentials, cookies, crypto‑wallets and 2FA browser extensions, while employing strong anti‑analysis (anti‑VM, anti‑debug, unhooking/indirect syscalls) and resilient C2 rotation to sustain operations. Recent reporting shows active Lumma campaigns through 2024–2025 and a large‑scale disruption in May 2025 followed by a quick resurgence. [1][2][3][4]
Key findings
· Family overview & business model. Lumma is a MaaS sold to affiliates who build custom payloads and manage logs via a web panel; stolen data is monetized directly and through initial access brokers. [1][6]
· Distribution. Common delivery includes phishing/malvertising, fake CAPTCHA/“ClickFix” pages, abuse of trusted platforms, and PPI/traffic sellers. [2][3]
· Targets. Credentials/cookies from Chromium/Firefox‑based browsers, crypto‑wallets, and 2FA extensions are priority collections. [7][8]
· Anti‑analysis. Heavy anti‑VM (VirtualBox/BIOS/Wine), anti‑debug (window checks like OLLYDBG), control‑flow obfuscation, API hashing, unhooking/indirect syscalls and long sleeps were observed across our run and public reporting. [9]
· C2 & exfiltration. The sample used HTTPS to multiple .su domains with POST to the path /sawo, aligning with rotating Lumma infrastructures seen in the wild. [2]
· Operational status (2025). After a multi‑stakeholder action that seized ≈2,300 domains in May 2025, Lumma activity resumed with stealthier infrastructure and delivery. [2][4]
Anti‑analysis & evasion (high confidence)
· Virtualization & emulation checks. Registry and hardware probes for VirtualBox ACPI keys, BIOS/system/VideoBIOS strings, and Wine presence.
· Debugger detection. Window checks for OLLYDBG/GBDYLLO (reverse string), API‑based checks (IsDebuggerPresent, CheckRemoteDebuggerPresent, NtQueryInformationProcess), and thread hiding (NtSetInformationThread).
· Unhooking & indirect syscalls. Removal targeting CommandLineToArgvW hooking and indirect syscalls for NtOpenFile, NtMapViewOfSection, NtSetInformationProcess, NtUnmapViewOfSection, among others—consistent with EDR evasion.
· Packing/obfuscation. Unknown/atypical PE section names, high entropy, and YARA hits (e.g., Themida/shellcode patterns); control‑flow tampering and long sleeps (>5 minutes) noted.
These evasion behaviors are characteristic of recent Lumma builds, which adopt code‑flow obfuscation, API hashing, ETW/telemetry tampering, and anti‑sandbox logic. [9]
Discovery & collection
· System/user discovery. Queries for computer and user names; process enumeration with “process interest” filters.
· Credential & wallet harvesting. Extensive access to Chromium profiles and Chrome/Edge “Local Extension Settings” for dozens of extensions, together with wallet directories (e.g., Coinomi, Bitcoin), mirroring Lumma’s wallet/2FA focus.
· Security tooling reconnaissance. Numerous reads under Windows Security Health and Windows Defender center registry hives (observed in process context during browser child activity)—typical of environment profiling.
Command‑and‑control & exfiltration
· Protocol. HTTPS to rotating .su domains; repeated POST to /sawo with Content-Type: application/x-www-form-urlencoded or multipart boundaries; JA3/JA4 fingerprints recorded.
· Infrastructure examples (observed). consnbx.su → 134.209.165.152 and a cluster of sibling domains including sirhirssg.su, prebwle.su, cerasatvf.su, averiryvx.su, acrislegt.su, diadtuky.su, rhussois.su, todoexy.su.
· Packaging. Behavior aligns with Lumma “logs”—bundled credentials/cookies/system artifacts for resale and broker operations. [6]
Delivery ecosystem
Lumma affiliates employ phishing, malvertising, abuse of trusted platforms (e.g., cloud/CDN/code sharing), traffic distribution systems (TDS), and fake CAPTCHA/ClickFix flows that trick users into executing payloads (e.g., a prompt to Win+R then paste clipboard). [2][3]
Objectives & targeting
The stealer automates collection of browser credentials/cookies, crypto‑wallet artifacts, and 2FA extension data, directly enabling account takeover and supporting ransomware partners through initial access resale. [7][6]
Evolution & resilience
Microsoft tracks at least six Lumma versions with iterative changes to URIs, POST formats, domains and evasion; after the May 2025 disruption (≈2,300 domains seized), activity reappeared with stealthier infra and quieter distribution. [2][4]
MITRE ATT&CK® mapping (representative)
| Tactic | Technique |
|---|---|
| Initial Access | Phishing: Spearphishing Attachment/Link (T1566.001/.002) [3] |
| Execution | PowerShell/Script (T1059.001/.010/.011) and User Execution (T1204) in some chains [9] |
| Defense Evasion | Virtualization/Sandbox Evasion (T1497.*), Debugger Evasion (T1622), Unhooking/Modify Native Functions (T1562.001), Obfuscated/Compressed Files (T1027/T1027.002), Indirect Syscalls (mapped under defense evasion) [9] |
| Discovery | System Information (T1082), Process Discovery (T1057), Browser Discovery (T1217) |
| Credential Access | Credentials from Password Stores / Browsers (T1555.003) [1] |
| Collection | Automated Collection (T1119) of wallet/extension artifacts [1] |
| Exfiltration & C2 | Exfiltration over Web/HTTPS (T1041/T1071.001, T1573.002) to rotating domains; Data Staging (T1074.001) [2][1] |
Indicators of Compromise (from the analyzed sample)
Network & protocol
Domains (HTTPS SNI / HTTP Host):
consnbx.su
sirhirssg.su
prebwle.su
cerasatvf.su
averiryvx.su
acrislegt.su
diadtuky.su
rhussois.su
todoexy.su
Resolved IP (point-in-time):
consnbx.su → 134.209.165.152
URIs / Methods:
POST /sawo (application/x-www-form-urlencoded or multipart/form-data)
Selected TLS/JA3/JA4 (observed):
JA3: a0e9f5d64349fb13191bc781f81f42e1 (client)
JA4: t12d190800_d83cc789557e_7af1ed941c26 (client)
Anti‑analysis signals (runtime)
· VM checks: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__, BIOS string reads; Wine checks in HKCU\Software\Wine.
· Debugger checks: window classes OLLYDBG / GBDYLLO; API checks (IsDebuggerPresent, NtQueryInformationProcess, CheckRemoteDebuggerPresent).
· Unhook/EDR evasion: attempt to remove hooks (e.g., CommandLineToArgvW) and indirect syscalls (NtOpenFile, NtMapViewOfSection, NtSetInformationProcess, NtUnmapViewOfSection, NtReadFile, NtOpenSection, NtClose).
Collection activity (filesystem/registry touchpoints)
· Chromium/Edge profiles and Local Extension Settings for numerous extensions; wallet paths (e.g., Coinomi, Bitcoin).
Detection & hunting guidance
Network
· Flag outbound HTTPS to new/ephemeral .su domains—especially where POST /sawo appears in HTTP telemetry (proxy/MITM). Combine with JA3 a0e9f5d6... and short‑lived domain age for stronger confidence.
· Monitor for rapid rotation across look‑alike .su domains tied to the same ASN/hosting clusters; this mirrors Lumma’s resilient distribution infra. [2]
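The network hunting logic above, as an added example that is not part of the original report: it scores proxy/TLS telemetry records against the observed .su domains, the POST /sawo URI, the client JA3 and domain age. The JSON record layout, the field names and the 30‑day "ephemeral domain" threshold are assumptions; the sample records are constructed.

```python
import json
from datetime import date

# Indicators taken from the report: observed C2 domains, URI and client JA3.
LUMMA_DOMAINS = {
    "consnbx.su", "sirhirssg.su", "prebwle.su", "cerasatvf.su", "averiryvx.su",
    "acrislegt.su", "diadtuky.su", "rhussois.su", "todoexy.su",
}
LUMMA_JA3 = "a0e9f5d64349fb13191bc781f81f42e1"
LUMMA_URI = "/sawo"
NEW_DOMAIN_DAYS = 30  # assumption: domains younger than this count as ephemeral


def score_event(ev, today):
    """Return (score, reasons) for one telemetry record (dict)."""
    host = ev.get("host", "").lower()
    score, reasons = 0, []
    if host in LUMMA_DOMAINS:
        score += 5; reasons.append("known Lumma domain")
    if host.endswith(".su"):
        score += 2; reasons.append(".su TLD")
    if ev.get("method") == "POST" and ev.get("uri") == LUMMA_URI:
        score += 3; reasons.append("POST /sawo")
    if ev.get("ja3") == LUMMA_JA3:
        score += 2; reasons.append("JA3 match")
    registered = ev.get("registered")  # assumed enrichment: registration date
    if registered and (today - date.fromisoformat(registered)).days < NEW_DOMAIN_DAYS:
        score += 2; reasons.append("domain age < %dd" % NEW_DOMAIN_DAYS)
    return score, reasons


def hunt(lines, today, threshold=5):
    """Parse one JSON record per line and return (src, host, score, reasons) hits."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        score, reasons = score_event(ev, today)
        if score >= threshold:
            hits.append((ev["src"], ev["host"], score, reasons))
    return hits


# Constructed sample telemetry (not real logs).
SAMPLE = [
    '{"src":"10.0.0.5","host":"consnbx.su","method":"POST","uri":"/sawo",'
    '"ja3":"a0e9f5d64349fb13191bc781f81f42e1","registered":"2025-05-20"}',
    '{"src":"10.0.0.7","host":"newlook.su","method":"POST","uri":"/sawo",'
    '"ja3":"0123456789abcdef0123456789abcdef","registered":"2025-06-01"}',
    '{"src":"10.0.0.9","host":"example.com","method":"GET","uri":"/",'
    '"ja3":"fedcba9876543210fedcba9876543210","registered":"1995-08-14"}',
]
```

An unknown .su host with POST /sawo and a fresh registration still crosses the threshold, so the rule catches rotated sibling domains and not only the listed ones.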
Host/EDR
· Creation of RWX memory from an unsigned process in a user context that subsequently makes indirect syscalls is a strong heuristic.
· Sequences: process enumeration → anti‑debug APIs → VM registry checks → HTTPS POST within the same process lifetime.
· High‑volume reads of %LOCALAPPDATA%\Google\Chrome\User Data\**\Local Extension Settings\** and known wallet directories from a non‑browser process.
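The host‑side sequence heuristic above (process enumeration → anti‑debug APIs → VM registry checks → HTTPS POST in one process lifetime) together with the non‑browser "Local Extension Settings" read, as an added example that is not part of the original report. It uses the API names and registry keys listed in the anti‑analysis sections; the EDR event schema (pid, ts, image, type, detail) and the enumeration API names are assumptions, and the events are constructed.

```python
import re
from collections import defaultdict

ANTI_DEBUG_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
                   "NtQueryInformationProcess", "NtSetInformationThread"}
ENUM_APIS = {"CreateToolhelp32Snapshot", "Process32NextW"}  # assumed enumeration APIs
VM_REG_KEYS = (r"HKLM\HARDWARE\ACPI\DSDT\VBOX__", r"HKCU\Software\Wine")
EXT_SETTINGS = re.compile(r"\\User Data\\[^\\]+\\Local Extension Settings\\", re.I)
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
STAGES = ["enum", "antidebug", "vm", "post"]


def classify(ev):
    """Map one EDR event to a stage of the report's sequence, or None."""
    kind, detail = ev["type"], ev["detail"]
    if kind == "api" and detail in ENUM_APIS:
        return "enum"
    if kind == "api" and detail in ANTI_DEBUG_APIS:
        return "antidebug"
    if kind == "reg_read" and detail.startswith(VM_REG_KEYS):
        return "vm"
    if kind == "net" and detail.startswith("POST "):
        return "post"
    return None


def detect(events):
    """Return (alert, pid, image) tuples; stages must occur in order per pid."""
    progress = defaultdict(int)  # pid -> index of the next expected stage
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        pid, image = ev["pid"], ev["image"]
        stage = classify(ev)
        if progress[pid] < len(STAGES) and stage == STAGES[progress[pid]]:
            progress[pid] += 1
            if progress[pid] == len(STAGES):
                alerts.append(("lumma_sequence", pid, image))
        if (ev["type"] == "file_read" and EXT_SETTINGS.search(ev["detail"])
                and image.lower() not in BROWSERS):
            alerts.append(("ext_settings_nonbrowser", pid, image))
    return alerts


# Constructed sample events: one suspicious unsigned process and a real browser.
EXT_PATH = r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abcd\000003.log"
SAMPLE_EVENTS = [
    {"pid": 4242, "ts": 1, "image": "update.exe", "type": "api", "detail": "CreateToolhelp32Snapshot"},
    {"pid": 4242, "ts": 2, "image": "update.exe", "type": "api", "detail": "IsDebuggerPresent"},
    {"pid": 4242, "ts": 3, "image": "update.exe", "type": "reg_read", "detail": r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"},
    {"pid": 4242, "ts": 4, "image": "update.exe", "type": "file_read", "detail": EXT_PATH},
    {"pid": 4242, "ts": 5, "image": "update.exe", "type": "net", "detail": "POST https://consnbx.su/sawo"},
    {"pid": 1000, "ts": 6, "image": "chrome.exe", "type": "file_read", "detail": EXT_PATH},
]
```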
Mitigations & hardening
· Block known IOCs and consider policy to inspect/deny newly registered .su domains at egress until vetted. [2]
· Browser hygiene: disable storing high‑value credentials in browsers; prefer FIDO2 hardware keys (phishing‑resistant MFA) for admin and finance accounts. [3]
· Attachment/link controls: strip macros, block executable downloads from untrusted TLDs, and educate users about fake CAPTCHA/ClickFix lures. [3][2]
· EDR hardening: detect unhooking/indirect syscalls and long sleeps, and alert on non‑browser access to Chrome/Edge “Local Extension Settings” at scale. [9]
· Credential monitoring: continuously check for your domains in Lumma log markets and reset exposed passwords/tokens. [6]
Threat outlook
Despite coordinated actions that dismantled a large slice of its infrastructure in May 2025, Lumma’s affiliate ecosystem and rapid infra rotation allowed it to rebound within weeks, and defenders should expect continued experimentation with delivery (e.g., malvertising, GitHub abuse, fake CAPTCHAs) and evasion (indirect syscalls, unhooking). [4][2]
Appendix A — Observed indicators (from the analyzed run)
Network
· consnbx.su → 134.209.165.152 (HTTPS), repeated POST /sawo (form‑encoded / multipart).
· Additional .su domains referenced by configuration/memory patterns: sirhirssg.su, prebwle.su, cerasatvf.su, averiryvx.su, acrislegt.su, diadtuky.su, rhussois.su, todoexy.su.
Host behaviors
· Anti‑VM: HKLM\HARDWARE\ACPI\DSDT\VBOX__, BIOS/VideoBIOS reads; Wine: HKCU\Software\Wine.
· Anti‑debug: Window checks (OLLYDBG, GBDYLLO), API checks (IsDebuggerPresent, NtQueryInformationProcess).
· EDR evasion: Unhook attempt on CommandLineToArgvW; indirect syscalls to NtOpenFile/NtMapViewOfSection/NtUnmapViewOfSection/NtSetInformationProcess/NtReadFile/NtOpenSection/NtClose.
· Collection: Access to ...Chrome\User Data\*\Local Extension Settings\*; wallet paths (Coinomi, Bitcoin).
References
[1] Lumma Stealer, Software S1213 | MITRE ATT&CK®
[2] Lumma Stealer: Breaking down the delivery techniques and capabilities ...
[3] Threat Actors Deploy LummaC2 Malware to Exfiltrate Sensitive Data from ...
[4] Back to Business: Lumma Stealer Returns with Stealthier Methods
[6] Loot, load, repeat: dissecting the Lumma Stealer playbook
[7] Lumma Stealer: A fast-growing infostealer threat - ESET
[8] LummaC2 Stealer: A Potent Threat To Crypto Users | CSA
[9] Lumma Stealer Analysis - trellix.com