
Lumma infostealer

Lumma Infostealer is an information-stealing malware family, referred to in the source reporting as “Lumma infostealer” and “Lumma Infostealer.” The reporting places it in the infostealer category and covers it in security news, including an item titled “Ninja Browser & Lumma Infostealer.” The strongest operational detail available is that Lumma infostealer infrastructure was seized during an operation involving the United States, the European Union, and Microsoft. The reporting provides no further high-confidence details on its infection vector, technical behavior, targeted industries, associated threat actor, supported platforms, or indicators of compromise.

MITRE ATT&CK

Techniques & procedures

13 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1133 External Remote Services (evidence: 1)

"...paying Americans to host hardware... part of a shady proxy network that redirects malicious traffic through US residential IP addresses."

Execution

5 techniques
T1059.001 PowerShell (evidence: 1)

"What the victims actually paste is a heavily encoded PowerShell command that kicks off..."

T1059.003 Windows Command Shell (evidence: 1)

"A second infection path uses a similarly encoded command to fetch a batch script..."

T1059.005 Visual Basic (evidence: 1)

"...drops a VBScript file and executes it..."

T1127.001 MSBuild (evidence: 1)

"...executes it using a mix of built-in Windows utilities, including MSBuild."

T1204 User Execution (evidence: 1)

"...tricking Windows users into launching Windows Terminal and pasting malware into it themselves..."

Persistence

2 techniques
T1133 External Remote Services (evidence: 1)

"...paying Americans to host hardware... part of a shady proxy network that redirects malicious traffic through US residential IP addresses."

T1547 Boot or Logon Autostart Execution (evidence: 1)

"...extracts further components that establish persistence..."

Privilege Escalation

2 techniques
T1055 Process Injection (evidence: 1)

"...deploys Lumma Stealer... that injects itself into Chrome and Edge processes..."

T1547 Boot or Logon Autostart Execution (evidence: 1)

"...extracts further components that establish persistence..."

Stealth

2 techniques
T1055 Process Injection (evidence: 1)

"...deploys Lumma Stealer... that injects itself into Chrome and Edge processes..."

T1127.001 MSBuild (evidence: 1)

"...executes it using a mix of built-in Windows utilities, including MSBuild."

Credential Access

1 technique
T1555.003 Credentials from Web Browsers (evidence: 1)

"...injects itself into Chrome and Edge processes to siphon off stored login credentials..."

Collection

1 technique
T1560.001 Archive via Utility (evidence: 1)

"The archive tool then extracts further components..."

Command and Control

2 techniques
T1102 Web Service (evidence: 1)

"...reaches out to cryptocurrency blockchain infrastructure – a trick sometimes dubbed 'EtherHiding'..."

T1105 Ingress Tool Transfer (evidence: 1)

"...pulls down a renamed copy of the 7-Zip archive utility along with a compressed payload."

Other

1 technique
T1562.001 Disable or Modify Tools (evidence: 1)

"...fiddle with Microsoft Defender exclusions..."
