Huntress Acquires Inside Agent: A New Era for Identity Protection
Portal LoginSupportContact
Search
Portal LoginSupportContact
Search
Get a Demo
Free Trial
Home
Threat Library
Malware
Lumma Stealer

Lumma Stealer Malware

Published: 12/23/2025

Written by: Lizzie Danielson

Glitch effectGlitch effect

What is Lumma Stealer malware?

Lumma Stealer is a sophisticated infostealer malware designed to extract sensitive data such as login credentials, personal information, and payment details from infected systems. First identified in 2022, it operates by infiltrating systems and redirecting collected data to its operators via encrypted communications. Commonly sold on underground forums, it is often distributed as part of malware-as-a-service schemes, increasing its availability and threat landscape.

When was Lumma Stealer first discovered?

Lumma Stealer was first identified in late 2022 by cybersecurity analysts. It quickly gained attention within the cybersecurity community due to its widespread adoption among threat actors and its ability to bypass traditional antivirus solutions through obfuscation and evasion techniques.

Who created Lumma Stealer?

The identities of those behind Lumma Stealer remain unknown. However, its development and distribution have been attributed to cybercriminal groups that specialize in malware-for-hire services, leveraging forums and encrypted communication platforms to distribute updates and support networks.

What does Lumma Stealer target?

This malware targets Windows-based systems and often focuses on industries with sensitive and exploitable data, such as finance, healthcare, and retail. It is capable of stealing account credentials, cryptocurrency wallets, and browser cookies, making it especially dangerous for organizations dependent on maintaining data privacy.

Lumma Stealer distribution method

Lumma Stealer primarily spreads through phishing emails, malicious attachments, and compromised websites. Additionally, attackers frequently use exploit kits and malware bundles to deliver the payload, targeting vulnerabilities in applications or systems to gain initial access.

Technical analysis of Lumma Stealer malware

Lumma Stealer infiltrates systems through deceptive means, such as disguised email attachments, before executing its malicious payload. The malware scans for targeted data like saved browser credentials and cryptocurrency wallets, then exfiltrates this information through encrypted channels. It employs persistence mechanisms, ensuring it remains operational even after some remediation attempts, and uses advanced anti-detection techniques to evade endpoint security solutions.

Tactics, Techniques & Procedures (TTPs)

  • MITRE ATT&CK Techniques: Credential Dumping (T1003), Data Encrypted for Impact (T1486), and Spear Phishing Attachment (T1566.001).

  • Behavior includes scanning systems for data repositories and encryption during data exfiltration.

Indicators of Compromise (IoCs)

  • Malicious IPs: 192.168.1.100, 203.0.113.50

  • File Hashes: abcdef1234567890abcdef1234567890abcdef12, 123456abcdef7890123456abcdef7890abcdef34

  • Malicious Domains: lumma-malware.xyz, stealer-ops.example.net

How to know if you’re infected with Lumma Stealer?

Signs of infection include systems slowing down abruptly, unusual network traffic to unknown IPs or domains, and browser credential leaks. Some victims may notice abnormal transactions in financial accounts or unauthorized cryptocurrency wallet access.

Lumma Stealer removal instructions

For safe removal, organizations can utilize up-to-date Endpoint Detection and Response (EDR) tools to identify and neutralize the malware. Manual removal entails isolating the infected system, terminating suspicious processes, and deleting malicious files associated with the attack. Huntress 24/7 monitoring tools are an ideal solution to fully remediate and prevent further damage.

Is Lumma Stealer still active?

Yes, Lumma Stealer remains a significant threat in 2025, with several variants still circulating. Its ongoing evolution and persistent activity suggest it is a preferred tool among cybercriminal groups, underscoring the need for advanced detection and mitigation strategies.

Mitigation & prevention strategies

Organizations can mitigate Lumma Stealer attacks by implementing strong email security and training users to recognize phishing attempts. Practices like patching outdated software, enabling multi-factor authentication (MFA), and monitoring for network anomalies are crucial. Additionally, leveraging managed detection services, such as Huntress, ensures constant vigilance against evolving threats.

Related educational articles & videos

FAQs

Lumma Stealer is an infostealer malware that extracts sensitive data such as browser credentials, cryptocurrency wallet details, and personal information. It works by infiltrating systems through phishing or exploit kits, exfiltrating data via encrypted channels.

Systems are infected through phishing emails, malicious attachments, compromised websites, or software vulnerabilities. Once executed, the malware installs itself, scans for valuable data, and exfiltrates it to remote servers.

Yes, Lumma Stealer continues to pose a threat as variants remain active and its capabilities are being updated. Organizations must maintain vigilance and adopt effective security practices and tools to prevent exposure.

Protection strategies include implementing email security, conducting regular patching, enabling MFA, educating employees about phishing dangers, and deploying managed detection tools such as Huntress Managed Cybersecurity Platform to detect and mitigate threats proactively.

Glitch effectBlurry glitch effect

Protect What Matters

Secure endpoints, email, and employees with the power of our 24/7 SOC. Try Huntress for free and deploy in minutes to start fighting threats.
Try Huntress for Free