A coordinated global takedown operation has disrupted the infrastructure of the Lumma information stealer (also known as LummaC or LummaC2), seizing 2,300 domains that served as the command-and-control (C2) backbone for infected Windows systems.
"Malware like LummaC2 is deployed to steal sensitive information such as login credentials from millions of victims in order to facilitate a host of crimes, including fraudulent bank transfers and cryptocurrency theft," the US Department of Justice (DOJ) said in a statement.
The seized infrastructure was used to target millions of victims worldwide via phishing and other cyber attacks. Lumma Stealer, which has been actively operating since late 2022, is estimated to have been used in at least 1.7 million instances to steal information such as browser data, autofill data, login credentials and cryptocurrency. The US Federal Bureau of Investigation (FBI) has attributed about 10 million infections to Lumma.
The takedown also covers five domains that Lumma Stealer administrators and paying customers used to deploy the malware, preventing them from compromising computers and stealing victim information.
"Between March 16 and May 16, 2025, Microsoft identified more than 394,000 Windows computers worldwide infected with the Lumma malware," Europol said, adding that the operation severs the link between the malicious tool and its victims. The agency described Lumma as "the most significant infostealer threat".
Microsoft's Digital Crimes Unit (DCU), in partnership with ESET, Bitsight, Lumen, Cloudflare, CleanDNS and GMO Registry, said that approximately 2,300 malicious domains formed the backbone of Lumma's infrastructure.
Figure: Spread of Lumma Stealer infections on Windows devices
"The main developer of Lumma is based in Russia and goes by the online handle 'Shamel'," said Stephen Masada, Assistant General Counsel at DCU. "Shamel markets different tiers of service for Lumma via Telegram and other Russian-language chat forums. Depending on what service a cybercriminal purchases, they can create their own versions of the malware, add tools to conceal and distribute it, and track the stolen information through an online portal."
The stealer, which is sold under a malware-as-a-service (MaaS) model, is available for $250 to $1,000. The developer also offers a $20,000 plan that gives customers access to the source code and the right to resell it to other criminals.
Figure: Weekly counts of new C2 domains
"Lower tiers include basic filtering and log download options, while higher tiers offer custom data collection, evasion tools and early access to new features," ESET said. "The most expensive plan emphasizes stealth and adaptation, offering unique build generation and reduced detection."
Over the years Lumma has become a notorious threat, delivered through different distribution vectors, including the increasingly popular ClickFix method. Microsoft, the Windows maker, tracks the threat actor behind the stealer as Storm-2477.
Figure: Lumma C2 selection mechanism
A report published on Wednesday shows that suspected Russian threat actors are using Tigris Object Storage, Oracle Cloud Infrastructure (OCI) Object Storage and Scaleway Object Storage to host fake pages that use ClickFix-style lures to trick users into downloading Lumma Stealer.
"The latest campaign, which uses Tigris Object Storage, OCI Object Storage and Scaleway Object Storage, builds on earlier methods, introducing new delivery mechanisms aimed at evading detection and targeting technically experienced users," said Guile Domingo, Guy Waizel and Tamir Agaev.
Figure: Attack chain for ClickFix leading to Lumma Stealer via Prometheus TDS
Some of the notable aspects of the malware are listed below:
- It uses a multi-tiered C2 infrastructure consisting of a set of nine frequently changing Tier-1 domains hardcoded into the malware's configuration, with backup C2 hosted on Steam profiles and Telegram.
- Payloads are typically distributed via pay-per-install (PPI) networks or traffic sellers that deliver installs as a service.
- The stealer is commonly bundled with fake or cracked versions of popular commercial software, targeting users looking to avoid paying for legitimate licenses.
- The operators have created a Telegram marketplace with a rating system for affiliates to sell stolen data without intermediaries.
- The core binary is obfuscated with advanced protections such as a low-level virtual machine (LLVM core), control-flow flattening (CFF), control-flow obfuscation, custom stack decryption, huge stacks and dead code, among others, to hinder static analysis.
- There were more than 21,000 marketplace listings selling Lumma Stealer logs across several cybercrime forums from April to June 2024, up 71.7% compared with April to June 2023.
"Lumma's distribution infrastructure is flexible and adaptable," Microsoft said. "Operators constantly refine their methods, rotating malicious domains, leveraging advertising networks and using legitimate cloud services to evade detection and maintain operational resilience. To further conceal the real C2 servers, all C2 servers are hidden behind a proxy."
"This dynamic structure allows the operators to maximize the success of their campaigns while complicating efforts to trace or dismantle their activities. The growth and resilience of Lumma Stealer highlight the broader evolution of cybercrime and underscore the need for layered defenses and collaborative efforts to counter threats."
In an interview with security researcher g0njxa in January 2025, the Lumma developer said they intended to cease operations until next fall. "We have been working hard for two years to achieve what we have now," they said. "We are proud of it. It has become part of our daily life, not just work."