World’s Largest Infostealer Malware Disrupted: Lumma Stealer Crackdown
Microsoft Seizes 2,300 Lumma Stealer Domains in Global Takedown. Here's what you need to know.

tl;dr
Microsoft’s Digital Crimes Unit and a caravan of global partners just seized 2,300 domains and yanked Lumma’s C2 backbone offline. Nice win. But the stealer’s operators have already proven they can pivot across ads, phish kits, traffic-direction systems (TDS), and even smart-contract hosting. Treat this takedown as a timeout, not checkmate. (The Official Microsoft Blog)

Splash page displayed on 900+ domains seized by Microsoft.
what microsoft actually did
Legal whack-a-mole: A Northern District of Georgia court order let Microsoft pull the plug on domains hosting payloads, TDS nodes, and marketplaces. Europol, JC3, Cloudflare, and a half-dozen others helped vacuum up the rest.
Sinkholing 1,300+ endpoints: Infected boxes now beacon to Microsoft instead of Storm-2477 (Microsoft’s tracker name for the dev crew). That gives telemetry to defenders and starves affiliates of fresh logs. (Microsoft)
394k implants cut off: That’s just the Windows-only count for the last two months. Expect overlap with macOS and Linux stealer ecosystems Microsoft didn’t measure.
Good stuff, but the infra rebuild is cheap when your affiliates pay the bill.
why lumma keeps beating signature-based detection
| layer | how lumma dodges you |
|---|---|
| Delivery | Phish lures, malvertising, ClearFake/ClickFix fake CAPTCHAs, and Prometheus TDS funnels. |
| Hosting | EtherHiding stashes second-stage JS in Binance Smart Chain contracts: bullet-proof hosting with instant swap-outs. (EtherHiding explanation: Medium) |
| Loader | Obfuscated C++/ASM protected by LLVM IR flattening, custom stack decryption, and garbage API calls that nuke static analysis. |
| C2 | Primary HTTPS tunnels hide behind Cloudflare; fall-backs hide in Steam profile descriptions and Telegram channel bios. |
| Cash-out | Instant log resale in Telegram markets; baked-in clipper grabs crypto addresses on the fly. |
inside a 2025 kill-chain
1. SEO-poisoned Google Ad for a popular open-source package drops you on a fake download site.
2. Site drops ClearFake JS → fake Cloudflare Turnstile. Click = PowerShell that fetches a loader from a Binance Smart Chain contract (EtherHiding). (The Hacker News)
3. Loader unpacks Lumma, phones home through Cloudflare, and siphons browsers, wallets, VPN configs, and Telegram sessions. Then wipes itself.
4. Stolen cookies and refresh tokens get replayed by ransomware crews (hello Octo Tempest) hours later.

what blue teams should do this week
Don’t block Microsoft’s sinkhole list. Those domains now resolve to Microsoft-controlled IPs that serve a static seizure banner. Keep DNS/HTTP traffic alive so you can surface infected hosts in your SIEM and feed the IOCs into threat-intel pipelines. (Microsoft Blog)
Harden browser-credential controls: Lumma lives and dies on token theft. Enforce hardware-bound WebAuthn for internal apps and ditch long-term auth cookies.
EDR in aggressive block mode: yes, it breaks one legacy app a quarter; it also nukes most stealers on write.
LSA & LSASS protections: still boring, still stops credential dumper side-modules bundled with some Lumma variants.
Educate devs first. Recent Lumma lures masquerade as GitHub “security advisories” or fake CI build alerts aimed squarely at developers because their browsers store cloud-service refresh tokens. Fix the workflow (short-lived tokens, browser isolation) rather than blame the click. (Picus Security)
the bigger picture
Taking 2,300 domains off-line dents resale pipelines and forces affiliates to retool, but MaaS crews treat disruption like scheduled maintenance. Expect Storm-2477 to:
spin up fresh infrastructure on bullet-proof VPS resellers,
lean harder on blockchain hosting (EtherHiding 2.0 on Solana is my bet), and
bundle Lumma inside loaders with AI-generated packers to dodge ML classifiers.
The win matters, but multi-vector delivery is the new normal. Build defenses that assume every endpoint can fetch malicious code from a place we can’t blacklist because the next payload might live on-chain, in a CDN worker, or inside an imgur comment.
indicators & hunting notes
Read the bottom of the intel report - https://www.microsoft.com/en-us/security/blog/2025/05/21/lumma-stealer-breaking-down-the-delivery-techniques-and-capabilities-of-a-prolific-infostealer/
Sinkholed domains: Grab Microsoft’s CSV, pipe into a lookup against your proxy logs for outbound “204 No Content” responses.
Process chain: msedge.exe → powershell.exe -EncodedCommand → rundll32.exe spawning an unknown DLL in %Public% with no Authenticode signature.
Steam profile C2: regex `https://steamcommunity\.com/profiles/[0-9]{17}/\?xml=1` in egress logs.
Telemetry spike: look for Edge/Chrome DevTools Protocol disabled warnings; it’s what Lumma flips to bypass “--headless” detection.
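The three hunting notes above (sinkhole lookup against proxy logs, the Steam profile regex over egress URLs, and the browser → encoded PowerShell → rundll32 process chain) as working detection logic. This is an added example, not code from the post, Microsoft, or any vendor; the CSV column name, log field layouts, the placeholder domains, the `C:\Users\Public` expansion of `%Public%`, and the process events are all constructed assumptions so it runs offline.

```python
"""
Detection logic for the Lumma hunting notes: sinkhole hits in proxy logs,
Steam profile C2 URLs in egress logs, and an unsigned-DLL rundll32 chain.

Added example; all sample data below is constructed, not real IoCs.
"""
import csv
import io
import re
from typing import Dict, List, Set

# --- 1. sinkholed-domain lookup over proxy logs -----------------------------

# Stand-in for Microsoft's seized-domain CSV (assumed 'domain' column,
# placeholder names in the reserved .invalid TLD).
SINKHOLE_CSV = """domain
lumma-example-c2.invalid
stealer-panel.invalid
"""

# Constructed proxy log lines: client_ip method host status bytes
PROXY_LOG = """10.0.4.21 GET lumma-example-c2.invalid 204 0
10.0.4.22 GET www.example.com 200 5120
10.0.4.23 POST stealer-panel.invalid 204 0
10.0.4.21 GET stealer-panel.invalid 200 812
"""


def load_sinkhole_domains(csv_text: str) -> Set[str]:
    """Normalise the seized-domain list to lowercase for matching."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row["domain"].strip().lower() for row in rows}


def hunt_sinkhole_hits(log_text: str, domains: Set[str]) -> List[Dict[str, str]]:
    """Clients that reached a sinkholed domain and got '204 No Content' back."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crash the hunt
        client, host, status = parts[0], parts[2].lower(), parts[3]
        if host in domains and status == "204":
            hits.append({"client": client, "domain": host})
    return hits


# --- 2. Steam profile C2 regex over egress URLs ------------------------------

STEAM_C2_RE = re.compile(r"https://steamcommunity\.com/profiles/[0-9]{17}/\?xml=1")

# Constructed egress log lines: client_ip url
EGRESS_LOG = """10.0.4.21 https://steamcommunity.com/profiles/76561198000000000/?xml=1
10.0.4.22 https://steamcommunity.com/app/730/
10.0.4.23 https://steamcommunity.com/profiles/76561198000000001/?xml=1
"""


def hunt_steam_profile_c2(log_text: str) -> List[str]:
    """Client IPs whose egress URL matches the Steam profile XML dead-drop pattern."""
    clients = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=1)
        if len(parts) == 2 and STEAM_C2_RE.search(parts[1]):
            clients.append(parts[0])
    return clients


# --- 3. msedge -> powershell -EncodedCommand -> rundll32 (unsigned DLL) ------

PUBLIC_DIR = "\\users\\public\\"  # assumed expansion of %Public%, lowercase

# Constructed EDR-style process events; 'dll_signed' is the Authenticode
# status of the module rundll32 was asked to load.
PROCESS_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "msedge.exe",
     "cmdline": "msedge.exe", "dll_signed": True},
    {"pid": 200, "ppid": 100, "image": "powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand SQBFAFgA", "dll_signed": True},
    {"pid": 300, "ppid": 200, "image": "rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Public\update.dll,Run", "dll_signed": False},
    {"pid": 400, "ppid": 1, "image": "rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "dll_signed": True},
]


def hunt_process_chain(events: List[Dict]) -> List[int]:
    """PIDs of rundll32.exe loading an unsigned DLL from %Public% whose parent is
    powershell.exe with -EncodedCommand and whose grandparent is msedge.exe."""
    by_pid = {e["pid"]: e for e in events}
    suspects = []
    for e in events:
        if e["image"].lower() != "rundll32.exe" or e["dll_signed"]:
            continue
        if PUBLIC_DIR not in e["cmdline"].lower():
            continue
        parent = by_pid.get(e["ppid"])
        if not parent or parent["image"].lower() != "powershell.exe":
            continue
        if "-encodedcommand" not in parent["cmdline"].lower():
            continue
        grandparent = by_pid.get(parent["ppid"])
        if grandparent and grandparent["image"].lower() == "msedge.exe":
            suspects.append(e["pid"])
    return suspects


if __name__ == "__main__":
    domains = load_sinkhole_domains(SINKHOLE_CSV)
    print("sinkhole hits:", hunt_sinkhole_hits(PROXY_LOG, domains))
    print("steam C2 clients:", hunt_steam_profile_c2(EGRESS_LOG))
    print("suspect rundll32 pids:", hunt_process_chain(PROCESS_EVENTS))
```

Each hunter returns the matched hosts or PIDs rather than printing them, so the same functions can be dropped behind a SIEM export or scheduled against a daily log pull. Only the full three-step chain fires in the process check; a lone unsigned rundll32 or a benign `-EncodedCommand` launched from a terminal is deliberately ignored to keep the alert volume usable.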
bottom line
Microsoft dropped a hammer, not a coffin lid. Lumma’s devs treat infrastructure like cattle, not pets, and their affiliates still have campaigns ready to roll. Keep your detections layered, assume your browsers leak, and if you see a fake CAPTCHA asking you to run PowerShell don’t copy-paste it.
Check out my run-through of a few threat intel reports on this ClickFix technique: