Lumma Infostealers Developers Trying Hard To Conduct Business As Usual

In the high-stakes world of cybercrime, few tools have garnered as much attention as Lumma Infostealer.

Emerging as a powerful malware-as-a-service (MaaS) offering, Lumma achieved notoriety for its wide-reaching impact on both individuals and enterprises.

Its main function is to harvest sensitive information—ranging from browser credentials to cryptocurrency wallet data—making it a favored weapon not only among low-level cybercriminals but also in the arsenals of advanced persistent threat (APT) groups like Scattered Spider and CoralRaider.

The infostealer’s distribution channels are typical of modern malware: malicious email attachments, cracked software downloads, and underground forum advertisements.

In May 2025, hope glimmered on the horizon as Europol, the FBI, Microsoft, and partners orchestrated a large-scale operation to dismantle Lumma’s infrastructure.

The effort led to the confiscation of almost 2,500 associated domains and the temporary outage of Lumma’s command and control (C2) servers and management dashboards.

[Figure: Threat actor complaints about server access (Source – Check Point)]

Users flocked to dark web forums, reporting lost access and accusing the operators of abandoning ship.

However, as Check Point analysts soon identified, the campaign did not completely eradicate Lumma’s core capabilities.

Much of its infrastructure—especially Russian-hosted C2 servers—remained intact, allowing the operation’s masterminds to rapidly begin recovery efforts.

Perhaps most telling, Check Point researchers observed that within days of the takedown operation, Lumma’s developers had issued public statements and reassured affiliates via Telegram that normal operations were being restored.

No major arrests were confirmed, and access to the infostealer’s backend was quickly re-established. Nevertheless, the incident dealt a significant blow to Lumma’s reputation, with many in the cybercrime community questioning its future and reliability.

Despite these setbacks, evidence suggests that Lumma is far from defeated. Stolen credentials continued to appear on automated Telegram bot markets, growing in number from 95 logs to more than 400 within a week after the takedown.

[Figure: Stolen logs for sale (Source – Check Point)]

Russian-language management panels for Lumma remained accessible and functional, signaling a determined push by developers to “conduct business as usual,” regardless of reputational or operational damage.

Infection and Recovery Mechanisms

A core factor behind Lumma’s resilience is its robust infection and recovery mechanism. While the infrastructure was targeted, Check Point’s analysis highlights the malware’s ability to rapidly adapt and redeploy.

Lumma’s infection process begins with a straightforward dropper: a malicious executable, typically disguised as legitimate software or bundled in spear-phishing campaigns, is delivered to the target system.

Upon execution, it uses standard Windows API calls to enumerate browsers, locate credential stores, and exfiltrate data—often with minimal system footprint.

What sets Lumma apart, however, is its fallback strategy. The malware’s configuration enables it to cycle through multiple C2 endpoints, often hard-coded within the binary and encrypted for evasion.

Should one C2 server go down, Lumma can establish new communication channels with minimal delay.

A snippet of relevant code, decompiled by Check Point analysts, demonstrates this rotating C2 logic:

import random

def get_active_c2(servers):
    # Try the hard-coded C2 list in random order (shuffle is in place) and
    # return the first endpoint that answers; None if every endpoint is down.
    random.shuffle(servers)
    for server in servers:
        if is_reachable(server):  # reachability probe; its body is not part of the published excerpt
            return server
    return None

This approach ensures persistent connectivity, significantly complicating takedown efforts.
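From the defender's side, the same rotation behaviour leaves a recognisable trace in network logs: an infected host makes failed connection attempts to several distinct destinations in quick succession and then succeeds against one of them. The following script is an added example, not code from the article or from Check Point; it parses constructed firewall-style log lines (the format, the hosts and the 60-second window are assumptions for illustration) and flags hosts showing that failover pattern.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article or from Check Point).
# Host 10.0.0.5 probes three dead C2 endpoints before one answers; host
# 10.0.0.9 shows ordinary traffic with no failures.
SAMPLE_LOG = """\
2025-05-22T10:00:01Z src=10.0.0.5 dst=203.0.113.10 dport=443 result=timeout
2025-05-22T10:00:04Z src=10.0.0.5 dst=203.0.113.11 dport=443 result=refused
2025-05-22T10:00:07Z src=10.0.0.5 dst=203.0.113.12 dport=443 result=timeout
2025-05-22T10:00:09Z src=10.0.0.5 dst=198.51.100.7 dport=443 result=ok
2025-05-22T10:00:30Z src=10.0.0.9 dst=192.0.2.1 dport=443 result=ok
2025-05-22T10:01:00Z src=10.0.0.9 dst=192.0.2.2 dport=443 result=ok
"""

# Assumed key=value log format for the constructed sample above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse log text into a list of event dicts; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def find_failover_sequences(events, min_failures=2, window=timedelta(seconds=60)):
    """Return (src, sorted failed dsts, successful dst) for every host whose
    attempts to at least `min_failures` distinct destinations failed inside
    `window` immediately before a connection succeeded."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    hits = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        recent_failures = []  # (timestamp, dst) within the sliding window
        for e in evs:
            # Drop failures that fell out of the window relative to this event.
            recent_failures = [
                (ts, dst) for ts, dst in recent_failures if e["ts"] - ts <= window
            ]
            if e["result"] != "ok":
                recent_failures.append((e["ts"], e["dst"]))
                continue
            distinct = sorted({dst for _, dst in recent_failures})
            if len(distinct) >= min_failures:
                hits.append((src, distinct, e["dst"]))
            recent_failures = []  # a success closes the current sequence
    return hits


if __name__ == "__main__":
    for src, failed, success in find_failover_sequences(parse_log(SAMPLE_LOG)):
        print(f"{src}: {len(failed)} failed endpoints {failed}, then reached {success}")
```

The window and failure threshold are tuning knobs: a short window with a low threshold catches the rapid cycling described above, while a longer window trades false positives from flaky services for coverage of slower retry loops. The successful destination in each hit is the endpoint worth adding to the blocklist alongside the ones that already failed.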

Furthermore, following the law enforcement action, Lumma’s operators reportedly removed external management interfaces like iDRAC—previously used for remote administration and, in this case, exploited for compromise—hardening the system against future infiltration.

The malware’s ability to swiftly restore and reconfigure its backend aligns with its status as a commercially operated service, promising uptime and ongoing support to its clientele.

In summary, while law enforcement struck a significant blow to Lumma Infostealer’s operations, the technical sophistication and operational agility of its developers have allowed them to resume business rapidly.

As Check Point’s ongoing monitoring shows, the fight between threat actors and defenders is far from over—particularly when reputation, rather than just infrastructure, is at stake.
