Lumma Infostealer Malware Targets Browser Cookies, Cryptocurrency Accounts & Remote Access Credentials

A sophisticated information-stealing malware known as Lumma Infostealer is making a significant return as a cybersecurity threat. This malicious software specifically targets valuable credentials and sensitive data stored on Windows operating systems. Utilizing a Malware-as-a-Service (MaaS) model, Lumma Infostealer allows even those with limited technical skills to conduct advanced data theft operations by subscribing to the service. The malware is often distributed through phishing campaigns that masquerade as cracked or pirated software, frequently hosted on reputable platforms like MEGA Cloud to avoid detection. Once launched, Lumma executes a multi-stage decryption process and performs process injection to activate its malicious payload while hiding its activities from conventional antivirus programs.

Technical Breakdown of Lumma Operations

Researchers from Genians Security Center (GSC) have found that the most recent samples of Lumma use the Nullsoft Scriptable Install System (NSIS) as a deceptive installer package. When a victim runs the downloaded “setup.exe,” it extracts malicious payloads into the %Temp% directory and opens a decoy “Contribute.docx” file via cmd.exe. This step then triggers a sequence of commands that reconstruct a concealed AutoIt-based loader, which deploys Lumma’s encrypted core. The AutoIt script uses shellcode injection and process hollowing to embed the Lumma payload inside a seemingly harmless process, effectively camouflaging its actions. The compromised process subsequently decrypts its command-and-control (C2) domain addresses and connects to remote attacker servers such as rhussois[.]su, diadtuky[.]su, and todoexy[.]su.

Once connected, Lumma Infostealer systematically gathers stored browser credentials, session cookies, Telegram data, remote access (VPN/RDP) configuration files, and information related to cryptocurrency wallets. The exfiltrated data is sent to C2 servers for further exploitation, where it can be used for identity theft, corporate breaches, or reselling credentials on dark web marketplaces. To evade detection, the malware monitors running processes to prevent premature termination and disables its functions if it identifies security software such as Sophos, Norton, ESET, Bitdefender, or Avast. Its modular design and regular updates significantly hamper signature-based detection efforts.

EDR-Based Detection and Response

Experts stress that effective detection of Lumma Infostealer requires behavior-based Endpoint Detection and Response (EDR) systems capable of monitoring command chains, file drops, and process relationships. For instance, Genian EDR provides a visual representation of Lumma’s attack narrative, offering real-time insight into shellcode injection, AutoIt script execution, and network communication. To reduce exposure to such threats, cybersecurity professionals recommend not storing credentials in web browsers, implementing multi-factor authentication (MFA), and monitoring for suspicious child processes spawned by installer files. As Lumma continues to adapt within the MaaS framework, this campaign highlights the increasing professionalization of cybercrime and underscores the urgent need for sophisticated, correlation-based threat monitoring.
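As an added illustration (not code from the article or from Genian EDR), the following script applies the process-relationship checks described above to constructed, Sysmon-style process-creation records: an installer spawning cmd.exe that opens a .docx from %Temp%, and any executable under that installer's process chain running out of %Temp%. The record layout, the installer name heuristic and the sample events are all assumptions made for the example.

```python
"""Behaviour-based check for the Lumma installer chain described in the
article: setup.exe (NSIS) -> cmd.exe opening a decoy .docx from %Temp%
-> loader dropped to %Temp%.  Records below are constructed sample data."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (assumed Sysmon-like fields)."""
    pid: int
    ppid: int
    image: str      # full path of the started executable
    cmdline: str    # its command line


# Matches a Windows temp directory in a path (case-insensitive).
TEMP = re.compile(r"\\(?:appdata\\local\\temp|windows\\temp)\\", re.I)


def _is_installer(e: ProcEvent) -> bool:
    # Heuristic only: typical names of downloaded installer packages.
    return e.image.lower().endswith(("setup.exe", "install.exe"))


def _is_cmd(e: ProcEvent) -> bool:
    return e.image.lower().endswith("\\cmd.exe")


def analyze(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """Walk each process's ancestry and flag suspicious behaviour that
    occurs underneath an installer process.  Returns (pid, reason)."""
    by_pid = {e.pid: e for e in events}

    def ancestors(e: ProcEvent):
        while e.ppid in by_pid:       # stop at the root of known events
            e = by_pid[e.ppid]
            yield e

    findings = []
    for e in events:
        if not any(_is_installer(a) for a in ancestors(e)):
            continue                  # only examine installer child chains
        if _is_cmd(e) and ".docx" in e.cmdline.lower() and TEMP.search(e.cmdline):
            findings.append((e.pid, "installer -> cmd.exe opened a decoy .docx from %Temp%"))
        if TEMP.search(e.image):
            findings.append((e.pid, "executable launched from %Temp% under an installer chain"))
    return findings


SAMPLE_EVENTS = [  # constructed telemetry, not from a real host
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Users\u\Downloads\setup.exe", "setup.exe"),
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c start "" "C:\Users\u\AppData\Local\Temp\Contribute.docx"'),
    ProcEvent(400, 300, r"C:\Users\u\AppData\Local\Temp\loader.exe", "loader.exe"),
    ProcEvent(500, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),  # benign
]

if __name__ == "__main__":
    for pid, reason in analyze(SAMPLE_EVENTS):
        print(pid, reason)
```

Only events 300 and 400 are reported; the benign cmd.exe launched directly from explorer.exe is ignored because no installer appears in its ancestry.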

Indicators of Compromise (IoCs) associated with Lumma Infostealer include E6252824BE8FF46E9A56993EEECE0DE6, E1726693C85E59F14548658A0D82C7E8, 19259D9575D229B0412077753C6EF9E7, 2832B640E80731D229C8068A2F0BCC39, as well as the domains diadtuky[.]su, rhussois[.]su, and todoexy[.]su.