lumma

Lumma is a Russia-based malware-as-a-service threat actor active since 2022 and associated with the Lumma Stealer / LummaC2 information stealer. The actor is also linked in the provided content to the developer/operator name Shamel (also "Lumma") and has advertised on Telegram and Russian-language underground forums including RAMP and XSS. Lumma has been described as operating an affiliate-driven MaaS ecosystem and remained active after major 2025 law-enforcement disruption, rebuilding infrastructure and resuming operations. The group’s primary capability is operation of the Lumma infostealer, which steals browser credentials and cookies, cryptocurrency wallet data, browser extension data including MetaMask, 2FA-related data, password manager and remote access tool credentials including KeePass and AnyDesk, credit card data, and broader system and application information. Reported Lumma samples and campaigns used encrypted HTTP POST exfiltration, WinHTTP-based C2 communications, ZIP-compressed data theft, and staged delivery chains. Observed delivery and execution techniques in the provided content include phishing and social engineering, malicious attachments or links, trojanized applications, exploit kits, compromised websites, fake CAPTCHA / ClickFix-style lures that trick victims into pasting malicious PowerShell into Windows Run, mshta execution of JavaScript hidden in disguised media files, NSIS installers, AutoIt loaders, DLL sideloading, overlay injection into legitimate software, in-memory execution, persistence via HKCU Run keys, and anti-analysis or evasion measures such as AMSI-aware decryption logic, anti-debugging, CPUID and RDTSC checks, Heaven’s Gate WoW64 syscall bypass, and mouse-movement-based anti-sandboxing. The content states Lumma targets individuals, organizations, and governments, with common lures involving pirated media, cracked software, adult-content sites, fake Telegram channels, and cryptocurrency-themed verification flows. The broader Lumma ecosystem is supported by affiliates and operational enablers such as proxy services, VPNs, anti-detect browsers, exploit and crypting services, malware-scanning evasion tools, virtual phone/SMS services, offshore or bulletproof hosting, and underground forums and carding shops. Affiliates were also observed using other malware families including Vidar, Stealc, Meduza Stealer, and possibly CraxsRAT. Known aliases directly mentioned in the content include LummaC2 and Water Kurita. The content also references Lumma infrastructure disruption during Operation Endgame and a later underground doxxing campaign ("Lumma Rats") that reportedly exposed core members and disrupted Telegram accounts.