US, international and industry partners topple infrastructure of popular info-stealer malware

Shalitha Ranathunge

The collaborative effort seized some 2,300 domains that backed the web infrastructure of Lumma Stealer, a tool sold to help hackers steal passwords and deploy ransomware around the world.

The Justice Department, with the aid of Microsoft and other global partners in government and industry, seized the central command structure and marketplaces used to facilitate and sell a powerful information-stealing malware, the tech giant’s Digital Crimes Unit said Wednesday.

The info-stealer, known as Lumma, has been observed since 2022 and is used extensively by cybercrime gangs to steal account passwords, banking information and cryptocurrency wallets. The malware can be built to impersonate popular web-facing brands and is easy to distribute, making it “a go-to tool for cybercriminals and online threat actors,” Microsoft said in a blog post that coincided with takedown announcements from the DOJ and others.

Firms including Lumen, Cloudflare and Bitsight also contributed to the takedowns and seizures. The court order authorizing the moves was granted in the U.S. District Court for the Northern District of Georgia. Europol and Japan’s respective cybercrime centers also suspended Lumma infrastructure hosted in their local geographies.

One recent phishing campaign used the Lumma stealer to impersonate travel agency Booking.com, a prior Microsoft threat intelligence report said. The tool has also been deployed at educational institutions, often target-rich environments for hackers that can then use pilfered personal data to conduct further fraud schemes.

Microsoft said it found some 394,000 Windows computers around the world infected with Lumma between March 16 and May 16. Hundreds of the nearly 2,300 seized Lumma domains will be redirected back to “sinkholes” so the infrastructure can be further studied, the company said.

“This joint action is designed to slow the speed at which these actors can launch their attacks, minimize the effectiveness of their campaigns, and hinder their illicit profits by cutting a major revenue stream,” said Steven Masada, assistant general counsel in Microsoft’s Digital Crimes Unit.

A heat map provided by Microsoft showed high concentrations of the info-stealer in parts of the eastern United States, as well as eastern cities across South America. The map also showed a high concentration in Europe, as well as major infection clusters in Japan, India and nations across Southeast Asia. 

Once covertly brought onto a victim machine, the malware operates silently in the background, combing through browsers, applications and system files for valuable data. It can collect passwords stored in internet browsers and extract cookies that allow attackers to hijack online accounts.

Lumma’s easy accessibility to hackers has made it a particularly dangerous tool that is often sold on dark web forums as a malware-as-a-service product, allowing cybercriminals — even those with limited technical skills — to purchase access and use it in their own campaigns.

Lumma’s primary developer, who is based in Russia and goes by the internet alias “Shamel,” markets different tiers of the malware on Telegram and other Russian chat forums. In a 2023 interview with the security researcher known as “g0njxa,” Shamel claimed to have around 400 active clients.

Editor's note: This article has been updated to clarify that g0njxa is a security researcher.