Lumma Stealer
Also known as: LummaC2, LummaC2 Stealer, Lummac
Lumma Stealer is an information stealer written in C, sold as a Malware-as-a-Service on Russian-speaking forums since August 2022. The developer, known as "Shamel", offers tiered pricing from $250/month up to $20,000 for a full source license. It shares a common codebase with the Mars, Arkei, and Vidar stealers.
Lumma targets browser credentials, session cookies, cryptocurrency wallets, 2FA tokens, and local documents. It bypasses Chrome's App-Bound Encryption by scraping Chromium process memory for the in-memory CookieMonster cookie store and dumping cookies directly, rather than decrypting the on-disk database. All C2 traffic runs over HTTPS using ChaCha20 encryption, with a dead drop resolver fallback that pulls backup C2 URLs from Steam profile names and Telegram channel titles, obfuscated with a ROT+11 letter shift.
The stealer is best known for its trigonometry-based sandbox evasion. It tracks 5 consecutive cursor positions and calculates Euclidean vector angles between movements, only executing if the pattern looks like a real person moving a mouse. Version 4.0 added control flow indirection that breaks IDA Pro and Ghidra static analysis.
In May 2025, Microsoft, the DOJ, Europol, and ESET coordinated a takedown that seized roughly 2,300 domains and identified 394,000 infected machines. The FBI attributed around 10 million total infections to Lumma. ESET tracked 3,353 unique C2 domains over 11 months before the takedown, averaging 74 new domains per week. Operators rebuilt within weeks, moving to bulletproof hosting and partnering with CastleLoader for in-memory delivery.
The main delivery method is ClickFix fake CAPTCHA pages, which accounted for 47% of observed initial access in Microsoft's telemetry. Other vectors include malvertising, cracked software bundles, and GitHub repository abuse.
C2 Infrastructure
Last 7 days
| Date | C2 Hosts |
|---|---|
| Apr 14, 2026 | 20 |
| Apr 13, 2026 | 43 |
| Apr 12, 2026 | 9 |
| Apr 11, 2026 | 35 |
| Apr 10, 2026 | 50 |
| Apr 9, 2026 | 79 |
| Apr 8, 2026 | 16 |
Further Reading
Microsoft's analysis published alongside the May 2025 takedown. Covers delivery chains, C2 protocol, MITRE mapping, and telemetry showing 394,000 infected machines.
Mandiant's deep dive into the v4.0 obfuscation engine. Details the dispatcher block architecture and presents an automated deobfuscation method using Triton symbolic execution.
Original research on the trigonometry-based sandbox evasion. Walks through the math: 5 cursor positions, Euclidean vector angles, 45-degree threshold.
Official government advisory with IOCs, TTPs, and detection rules covering activity from November 2023 through May 2025.
Covers the Chrome App-Bound Encryption bypass (CookieMonster interaction), Steam dead drop resolver (ROT+11 cipher), and infrastructure scale (1,000+ tier-1 C2 domains).
Hands-on reverse engineering of v4.0 internals, covering Chromium browser theft mechanics, XOR string encryption, and API hashing with MurmurHash2.
ESET's takedown role with statistical data: 3,353 unique C2 domains over 11 months, 74 new domains per week, affiliate identifier tracking.
Post-takedown resurgence analysis from January 2026. Documents the CastleLoader partnership, in-memory execution chains, and migration to bulletproof hosting.
Infrastructure-focused analysis quantifying the dead drop resolver network: 63 primary domains, 17 fallback domains, 4 Steam profiles, 93 Telegram channels.
Detailed analysis of the ClickFix fake CAPTCHA infection chain with JavaScript injection mechanics, clipboard manipulation, and PowerShell payload staging.