Lumma Infostealer Steals All Data Stored in Browsers and Sells It in Underground Markets as Logs

The cybersecurity landscape continues to face significant threats from sophisticated information stealers, with Lumma emerging as one of the most prevalent and dangerous malware families targeting both consumer and enterprise environments.

This malicious software systematically harvests enormous volumes of sensitive data from infected machines, including login credentials, cryptocurrency wallet information, personally identifiable information, session tokens, and multifactor authentication tokens—essentially any data stored within web browsers becomes vulnerable to extraction.

Developed by the threat actor known as Shamel, who also operates under the aliases lumma and HellsCoder, this Russia-based malware first surfaced on cybercriminal forums in 2022 and rapidly gained market dominance due to its effectiveness and stealth capabilities.


The malware’s reach is staggering, with Lumma’s dedicated marketplace hosting over 21,000 listings between April and June 2024, where stolen data packages called “logs” are sold to the highest bidder.

Intel 471 analysts identified widespread distribution campaigns where victims are lured through searches for pirated software, with attackers leveraging search engine optimization techniques and malicious advertising.

[Figure: Google search leading to the download of the Lumma infostealer (Source – Intel471)]

The infection chain typically begins when users search for cracked applications using queries such as “download free cracked software site:google.com,” leading them to compromised Google-hosted sites that ultimately deliver the malware payload.

[Figure: Infection chains (Source – Intel471)]

Technical Infection Mechanism and Evasion Tactics

The malware employs a sophisticated multi-stage deployment process that begins with users downloading ZIP archives containing password-protected secondary archives.

Upon extraction, victims encounter a Nullsoft Scriptable Install System (NSIS) installer, typically named setup.exe or set-up.exe, which executes the Lumma payload packed with the CypherIT crypter—a tool designed to obfuscate malware signatures and evade security detection.

Once active, Lumma implements advanced evasion techniques using legitimate Windows utilities. The malware creates a command.exe instance that executes heavily obfuscated batch scripts, conducting environment reconnaissance through Tasklist and Findstr commands.

This living-off-the-land approach searches for active security processes including Bitdefender, ESET, Quick Heal, and Sophos—immediately terminating execution if detected.
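The reconnaissance step described above leaves a recognisable trace in process-creation telemetry: a shell spawning tasklist and findstr with security-product names on the command line. The following Python snippet is an added detection example written for this article, not code from the original page or from Intel 471. It assumes events shaped like Sysmon Event ID 1 records (Image, ParentImage, CommandLine), that the batch scripts run under cmd.exe (the article writes "command.exe"), and uses only the four vendor names the article lists; the sample events are constructed, not real telemetry.

```python
"""Flag tasklist/findstr reconnaissance for security products in process-creation events.

Added example for the Lumma write-up above; not the article's or Intel 471's code.
Assumptions: Sysmon-like fields, cmd.exe as the batch-script host, and the
vendor list named in the article.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Security-product name fragments the batch scripts are described as looking for.
SECURITY_VENDORS = ("bitdefender", "eset", "quick heal", "sophos")

# Windows utilities used for the living-off-the-land reconnaissance.
RECON_TOOLS = ("tasklist.exe", "findstr.exe")


@dataclass
class ProcessEvent:
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    command_line: str   # command line as logged


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def vendor_hits(command_line: str) -> list[str]:
    """Return the vendor names present as whole words (so 'reset' does not match 'eset')."""
    lowered = command_line.lower()
    return [v for v in SECURITY_VENDORS if re.search(rf"\b{re.escape(v)}\b", lowered)]


def classify(event: ProcessEvent) -> str | None:
    """Return an alert reason for one event, or None when it looks like ordinary admin use."""
    child = _basename(event.image)
    parent = _basename(event.parent_image)
    hits = vendor_hits(event.command_line)
    if not hits:
        return None  # tasklist/findstr without a security-product name is routine
    lowered = event.command_line.lower()
    # Case A: one cmd.exe command line carrying the whole "tasklist | findstr" pipeline.
    if child == "cmd.exe" and "tasklist" in lowered and "findstr" in lowered:
        return "cmd.exe pipeline tasklist|findstr naming " + ", ".join(hits)
    # Case B: tasklist.exe or findstr.exe spawned by cmd.exe (a batch script) naming a product.
    if child in RECON_TOOLS and parent == "cmd.exe":
        return f"{child} under cmd.exe naming " + ", ".join(hits)
    return None


def detect_av_recon(events: list[ProcessEvent]) -> list[dict]:
    """Run classify() over a batch of events and collect the alerts."""
    alerts = []
    for ev in events:
        reason = classify(ev)
        if reason:
            alerts.append({"image": _basename(ev.image), "reason": reason,
                           "command_line": ev.command_line})
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Benign: an administrator listing services from a PowerShell session.
    ProcessEvent(r"C:\Windows\System32\tasklist.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "tasklist /svc"),
    # Benign: a batch script searching a log file for "error".
    ProcessEvent(r"C:\Windows\System32\findstr.exe",
                 r"C:\Windows\System32\cmd.exe",
                 'findstr /i "error" C:\\logs\\build.log'),
    # Suspicious: findstr under cmd.exe filtering the process list for security products.
    ProcessEvent(r"C:\Windows\System32\findstr.exe",
                 r"C:\Windows\System32\cmd.exe",
                 'findstr /I "bitdefender ESET SOPHOS"'),
    # Suspicious: the whole pipeline visible in one cmd.exe command line,
    # spawned by an installer name the article mentions (hypothetical path).
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Users\victim\Downloads\set-up.exe",
                 'cmd.exe /c "tasklist | findstr /I \\"Quick Heal\\""'),
]

if __name__ == "__main__":
    for alert in detect_av_recon(SAMPLE_EVENTS):
        print(alert["reason"], "::", alert["command_line"])
```

Two design choices matter here. Vendor names are matched as whole words so that ordinary strings like "reset" do not trip the "eset" pattern, and a tasklist or findstr run without any product name is deliberately left alone, because those utilities are common in legitimate administration; the signal is the combination of shell parent, reconnaissance tool and security-product name, which is what the article's description pins down.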

Despite law enforcement disruption efforts in May 2025 that seized over 2,300 domains and affected 394,000 infected machines globally, Lumma operators quickly restored infrastructure, demonstrating the persistent nature of this threat.

