An independent re-analysis by Goldberg Security Research of a publicly-reported threat, drawn from open reporting (Microsoft, Red Canary, and others — see references). Not original discovery; indicators rotate, so consult current vendor IOCs.

Overview

LummaC2 has been one of the most prolific infostealers of 2024–2025. Sold as a subscription service, it lowers the bar for credential theft: operators with little skill can deploy it to harvest browser credentials, cookies and autofill, cryptocurrency wallets, and to drop follow-on malware. Its commercial model and rapid iteration are what make it a persistent ecosystem problem rather than a single campaign.

Delivery

LummaC2 spreads through many vectors, but the one worth highlighting is "ClickFix": a fake CAPTCHA or error page instructs the victim to paste and run a command (often via the Windows Run dialog), executing the loader by hand and side-stepping a malicious-download prompt entirely. Operators also abuse cracked-software lures, malvertising, GitHub-hosted payloads, and even YouTube and social posts.

Technical analysis

  • Obfuscation: Windows API resolution via hashing and encoded strings, frustrating static triage.
  • Collection: Chromium/Gecko credential stores, cookies, autofill, and wallet artifacts; some builds pull additional modules.
  • Follow-on: acts as a loader, capable of pulling further payloads after the steal.

C2 & dead-drop resolvers

The most interesting tradecraft is C2 resilience. Builds ship with hardcoded C2 domains plus fallbacks, and notably use dead-drop resolvers on legitimate platforms — fetching updated C2 addresses from attacker-controlled Telegram channels or Steam profile pages. Encoding the live C2 inside a trusted, hard-to-block service keeps the operation alive when primary domains are sinkholed (mapping to ATT&CK T1102, Web Service).

Disruption & resurgence

In May 2025, Microsoft's Digital Crimes Unit and the US DOJ seized or sinkholed 2,300+ domains underpinning Lumma's infrastructure. The disruption was meaningful but not terminal: campaigns reappeared within weeks (June–July 2025), a reminder that MaaS economies absorb takedowns and rebuild.

Detection

  • Behavioural: a process touching multiple browser credential stores then beaconing outbound is high-signal.
  • Network: connections to Telegram/Steam used as resolver dead-drops, followed by traffic to freshly-registered C2.
  • Delivery: monitor for "ClickFix"-style clipboard-to-Run executions (parent explorer.exe launching powershell/mshta with encoded commands).
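The three detection bullets above, plus the dead-drop resolver pattern from the C2 section, expressed as correlation logic over sample endpoint telemetry. This is an added example, not code from the original analysis or from any vendor: the event schema (loosely shaped after Sysmon process-create, file-access and network events), the field names, the host names, PIDs and domains are all constructed for illustration, and the encoded-command argument is a base64 placeholder rather than a real payload.

```python
"""
Added example (not part of the original analysis): toy correlation logic for
the LummaC2 detection bullets, run over constructed sample telemetry.
Hosts, PIDs, paths and domains below are invented for illustration.
"""
import re
from collections import defaultdict

# Constructed sample telemetry. Timestamps are ISO-8601 strings so that plain
# string comparison gives chronological order.
SAMPLE_EVENTS = [
    # ClickFix: explorer.exe (Run dialog) spawns powershell with an encoded command.
    # "UExBQ0VIT0xERVI=" is just base64("PLACEHOLDER"), not a real payload.
    {"ts": "2025-07-01T10:00:00", "host": "WS01", "type": "process", "pid": 4101,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent_image": "C:\\Windows\\explorer.exe",
     "cmdline": "powershell.exe -w hidden -enc UExBQ0VIT0xERVI="},
    # The same process reads two browser credential stores ...
    {"ts": "2025-07-01T10:00:05", "host": "WS01", "type": "file", "pid": 4101,
     "path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    {"ts": "2025-07-01T10:00:06", "host": "WS01", "type": "file", "pid": 4101,
     "path": "C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x1.default\\logins.json"},
    # ... consults a Steam profile page (dead-drop resolver) ...
    {"ts": "2025-07-01T10:00:10", "host": "WS01", "type": "network", "pid": 4101,
     "dest_host": "steamcommunity.com", "dest_port": 443},
    # ... then beacons to a freshly registered domain (constructed, .invalid TLD).
    {"ts": "2025-07-01T10:00:12", "host": "WS01", "type": "network", "pid": 4101,
     "dest_host": "example-c2.invalid", "dest_port": 443},
    # Benign noise: a browser reads its own credential store and talks to a CDN.
    {"ts": "2025-07-01T10:05:00", "host": "WS02", "type": "process", "pid": 900,
     "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "chrome.exe"},
    {"ts": "2025-07-01T10:05:01", "host": "WS02", "type": "file", "pid": 900,
     "path": "C:\\Users\\bob\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    {"ts": "2025-07-01T10:05:02", "host": "WS02", "type": "network", "pid": 900,
     "dest_host": "cdn.example.net", "dest_port": 443},
]

# Script hosts commonly launched by ClickFix lures (from the Detection bullet).
LOLBINS = ("powershell.exe", "pwsh.exe", "mshta.exe")
# Chromium and Gecko credential/cookie store file names.
CRED_STORE_RE = re.compile(r"(Login Data|Web Data|Cookies|logins\.json|key4\.db)$", re.I)
# Legitimate platforms abused as dead-drop resolvers (assumed list, extend per vendor IOCs).
DEAD_DROP_HOSTS = {"t.me", "telegram.org", "steamcommunity.com"}
# Browsers are expected to touch their own stores; they are excluded from bullet 1.
BROWSER_IMAGES = ("chrome.exe", "msedge.exe", "firefox.exe", "brave.exe")


def _base(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_clickfix_launch(ev):
    """Bullet 3: explorer.exe spawning a LOLBin with an encoded-command switch."""
    if ev["type"] != "process":
        return False
    if _base(ev.get("parent_image", "")) != "explorer.exe":
        return False
    if _base(ev["image"]) not in LOLBINS:
        return False
    return bool(re.search(r"-(enc|encodedcommand|ec)\b", ev["cmdline"], re.I))


def correlate(events):
    """Group events per (host, pid) and emit (host, pid, finding) tuples."""
    by_proc = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_proc[(ev["host"], ev["pid"])].append(ev)

    findings = []
    for (host, pid), evs in by_proc.items():
        proc = next((e for e in evs if e["type"] == "process"), None)
        image = _base(proc["image"]) if proc else "<unknown>"
        if proc and is_clickfix_launch(proc):
            findings.append((host, pid, "clickfix_launch"))

        # Bullet 1: a non-browser process touches >=2 credential stores, then goes outbound.
        stores = [e for e in evs if e["type"] == "file" and CRED_STORE_RE.search(e["path"])]
        net = [e for e in evs if e["type"] == "network"]
        if (image not in BROWSER_IMAGES and len(stores) >= 2
                and any(n["ts"] > stores[-1]["ts"] for n in net)):
            findings.append((host, pid, "credential_harvest_then_beacon"))

        # Bullet 2 / C2 section: dead-drop contact followed by a connection elsewhere.
        for i, e in enumerate(net):
            if e["dest_host"] in DEAD_DROP_HOSTS:
                later = [n for n in net[i + 1:] if n["dest_host"] not in DEAD_DROP_HOSTS]
                if later:
                    findings.append((host, pid, "dead_drop_resolver_then_c2:" + later[0]["dest_host"]))
                    break
    return findings


if __name__ == "__main__":
    for host, pid, finding in correlate(SAMPLE_EVENTS):
        print(f"{host} pid={pid}: {finding}")
```

On the sample set the WS01 process trips all three rules while the WS02 browser produces nothing; in production the dead-drop rule is the noisiest of the three (plenty of users browse Steam and Telegram), so it is best used as a correlating signal alongside the credential-store rule rather than an alert on its own.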

Remediation

  • Treat all credentials on an infected host as compromised — rotate and invalidate sessions/cookies.
  • Move crypto holdings to hardware wallets; reissue tokens.
  • User awareness on ClickFix; restrict powershell/mshta from user contexts where possible.

References