Lumma Infostealer Steals Browser Data and Sells It as Logs on Underground Markets
Infostealers are specialized malware variants that routinely steal large amounts of sensitive data from compromised systems.
This includes session tokens, login credentials, cryptocurrency wallet information, personally identifiable information (PII), multifactor authentication (MFA) artifacts, and pretty much any data stored in a browser.
These threats propagate via phishing operations, social engineering tactics, malvertising, and SEO-manipulated campaigns, with stolen data commoditized as “logs” in underground marketplaces and priced according to how exploitable they are.
This proliferation exacerbates security challenges for both consumer and enterprise environments, where a compromised personal device might inadvertently expose corporate credentials, bypassing even advanced endpoint protections that detect credential reuse.
Lumma, a prominent infostealer attributed to the Russian-based threat actor Shamel (also known as lumma or HellsCoder), emerged on cybercriminal forums in 2022, rapidly capturing market share due to its efficacy, user-friendly interface, and evasion of security detections.
It even integrated its own marketplace for vending exfiltrated logs; between April and June 2024, over 21,000 listings were recorded, underscoring its scale.
Infections often stem from searches for pirated or cracked software, where adversaries deploy mislabeled executables or embed payloads within seemingly legitimate applications.
Recent analyses in late March 2025 revealed campaigns exploiting Google-hosted sites, with queries like “download free cracked software site:google.com” directing users to Lumma-laden downloads.
Victims clicking these results or malicious links on platforms like X (formerly Twitter) or Google Colab are funneled to secondary domains featuring “Download Now” buttons, leading to ZIP archives containing password-protected inner ZIPs.

Extraction yields an NSIS installer (e.g., setup.exe) that deploys Lumma, obfuscated via the CypherIT crypter, a tool that polymorphically alters malware signatures to evade antivirus scrutiny.
Law Enforcement Disruption
In May 2025, a coordinated international effort disrupted Lumma’s infrastructure, targeting its command-and-control (C2) servers.
Microsoft secured a court order to seize or block 2,300 associated domains, while the U.S. Department of Justice commandeered Lumma’s control panel, and Europol’s EC3 alongside Japan’s J3C dismantled additional components.
This operation identified over 394,000 infected Windows systems globally, with remediation initiatives underway.
Post-disruption, Lumma operators acknowledged law enforcement’s exploitation of vulnerabilities, including disk erasures and a backup server compromise, and reported a domain takeover used to phish their clients’ IP addresses.
The FBI notably infiltrated a related Telegram channel, assuring users that “all your logs and account information are safe with us.”
Despite this, new C2 servers swiftly reemerged, signaling the malware’s ecosystem restoration and ongoing threat persistence.
Advanced Threat Hunting
Beyond static indicators like file hashes or domains, which are unreliable due to crypter-induced polymorphism and frequent C2 rotations, threat hunters focus on behavioral patterns.
Lumma variants, particularly those CypherIT-packed, employ living-off-the-land binaries (LOLBins) such as Tasklist.exe and Findstr.exe to enumerate running processes, identifying security tools like Bitdefender, ESET, Quick Heal, or Sophos for potential termination.
This reconnaissance begins with a cmd.exe instance spawning an obfuscated batch script that filters Tasklist output via Findstr, halting execution if defenses are detected.
Specialized hunt packages, compatible with tools like Splunk, CrowdStrike LogScale, and Microsoft Sentinel, detect such anomalies by querying Sysmon logs for suspicious command-line patterns.
For instance, a Splunk hunt might reveal rapid Findstr searches for “password”-containing files followed by Tasklist invocations, potentially indicating data collection or persistence efforts.
Distinguishing malicious from benign activity requires baselining historical patterns (e.g., infrequent shadow copy deletions or atypical admin tool usage), enabling investigators to correlate user roles, machine contexts, and command origins for accurate threat validation.
Such proactive hunting, informed by malware intelligence reports on campaigns leveraging cracked software for Lumma deployment, remains crucial for mitigating this resilient infostealer.
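The following is an added illustration of the behavioral hunt the passage above describes, not code from the article, from Lumma, or from any vendor hunt package. It reads constructed Sysmon Event ID 1 (process creation) records (field names are assumptions, the events are invented) and flags a cmd.exe instance that spawns tasklist.exe and a findstr.exe searching for the security-product names the article lists, then attaches the origin of that cmd.exe so an analyst can separate it from an administrator's interactive use:

```python
"""Added hunt example for the cmd.exe -> tasklist.exe / findstr.exe reconnaissance
pattern described in the article. Not Lumma's code and not a vendor hunt package;
the event records below are constructed Sysmon Event ID 1 (process creation)
fields, not real telemetry, and the field names are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Security products the article says the batch script looks for in Tasklist output.
SECURITY_PRODUCTS = ("bitdefender", "eset", "quick heal", "sophos")

# Parent locations that make an interactive cmd.exe unlikely (assumed heuristic).
USER_WRITABLE = re.compile(r"\\(downloads|temp|appdata)\\", re.IGNORECASE)

# Constructed process-creation events (illustrative, not captured from a real host).
SAMPLE_EVENTS = [
    # Host WS01: setup.exe from Downloads spawns cmd.exe, which runs tasklist and findstr.
    {"time": "2025-03-28T10:00:01", "host": "WS01", "pid": 4100, "ppid": 3900,
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\u\Downloads\setup.exe",
     "cmdline": r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\hypothetical.cmd"'},
    {"time": "2025-03-28T10:00:02", "host": "WS01", "pid": 4104, "ppid": 4100,
     "image": r"C:\Windows\System32\tasklist.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": "tasklist"},
    {"time": "2025-03-28T10:00:03", "host": "WS01", "pid": 4108, "ppid": 4100,
     "image": r"C:\Windows\System32\findstr.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'findstr /I "eset sophos bitdefender"'},
    # Host WS02: an administrator's interactive cmd.exe (from explorer.exe) checks for a browser.
    {"time": "2025-03-28T11:15:00", "host": "WS02", "pid": 5100, "ppid": 1200,
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe"},
    {"time": "2025-03-28T11:15:04", "host": "WS02", "pid": 5104, "ppid": 5100,
     "image": r"C:\Windows\System32\tasklist.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": "tasklist"},
    {"time": "2025-03-28T11:15:04", "host": "WS02", "pid": 5108, "ppid": 5100,
     "image": r"C:\Windows\System32\findstr.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": "findstr /I chrome"},
]


def _basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt_tasklist_findstr(events, window_seconds=10):
    """Flag each cmd.exe that, within window_seconds, spawns tasklist.exe and a
    findstr.exe whose command line names a security product. Returns a list of
    findings carrying the context fields an analyst would use to triage them."""
    by_pid = {(e["host"], e["pid"]): e for e in events}
    children = defaultdict(list)
    for e in events:
        if _basename(e["parent_image"]) == "cmd.exe":
            children[(e["host"], e["ppid"])].append(e)

    findings = []
    for key, procs in children.items():
        tasklists = [p for p in procs if _basename(p["image"]) == "tasklist.exe"]
        findstrs = [p for p in procs if _basename(p["image"]) == "findstr.exe"]
        for t in tasklists:
            for f in findstrs:
                gap = abs((datetime.fromisoformat(f["time"])
                           - datetime.fromisoformat(t["time"])).total_seconds())
                products = [p for p in SECURITY_PRODUCTS if p in f["cmdline"].lower()]
                if gap > window_seconds or not products:
                    continue
                cmd = by_pid.get(key)  # the cmd.exe event itself, if it was logged
                origin = cmd["parent_image"] if cmd else None
                findings.append({
                    "host": key[0],
                    "cmd_pid": key[1],
                    "products": products,
                    "findstr_cmdline": f["cmdline"],
                    "cmd_origin": origin,
                    # True when cmd.exe was launched from a user-writable path,
                    # which argues against an administrator typing commands.
                    "suspicious_origin": bool(origin and USER_WRITABLE.search(origin)),
                })
    return findings


if __name__ == "__main__":
    for finding in hunt_tasklist_findstr(SAMPLE_EVENTS):
        print(finding)
```

The benign WS02 chain is grouped by the same parent-child logic but produces no finding because its findstr pattern names no security product; the WS01 chain is flagged, and the `suspicious_origin` field records that its cmd.exe was started by an executable in Downloads. In a real hunt the same grouping runs over Sysmon or EDR process-creation telemetry, and the origin and product lists are the fields to baseline per host and user role.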