The cybersecurity landscape has witnessed a significant surge in information-stealing malware, with Lumma emerging as one of the most prevalent and sophisticated threats targeting Windows systems globally.
This C++-based information stealer has rapidly gained traction in underground markets, establishing itself as a formidable malware-as-a-service (MaaS) operation that has infected hundreds of thousands of computers worldwide.
The malware’s sophisticated multi-stage infection chain and advanced evasion techniques have made it a persistent challenge for security researchers and organizations alike.
Lumma’s rise to prominence can be attributed to its comprehensive data theft capabilities and robust distribution network.
The malware systematically targets browser databases, cryptocurrency wallets, user credentials, and sensitive documents, making it particularly dangerous for both individual users and corporate environments.
Its operators have leveraged various attack vectors, including phishing campaigns, malicious attachments, and compromised websites, to achieve widespread distribution across different geographical regions.
WithSecure analysts identified Lumma during their analysis of open source samples between February and March 2025, revealing the malware’s sophisticated three-stage infection process.
The researchers encountered this threat multiple times during their investigations, noting its increasing prevalence in the threat landscape.
Their comprehensive analysis uncovered the malware’s complex infection chain, beginning with a .NET/C# loader that serves as the initial entry point for the attack sequence.
The scale of Lumma’s impact became evident when Microsoft’s Threat Intelligence team reported that between March and May 2025, they identified over 394,000 Windows computers globally infected by this stealer.
This massive infection rate prompted coordinated international law enforcement action, with the US Department of Justice, Europol, and Japan’s Cybercrime Center successfully seizing Lumma’s control panel and infrastructure worldwide, though threat actors have shown signs of continued activity despite this disruption.
Advanced Evasion and Infection Mechanisms
Lumma’s technical sophistication lies in its multi-layered approach to evading detection and analysis.
The malware employs a three-stage infection process that begins with a packed .NET executable serving as the initial loader.
This first stage performs critical system checks, including DOS and PE header validation through specific byte comparisons:

// Stage 1 validation checks (C#)
BitConverter.ToInt16(fileBytes, 0) == 23117    // 0x5A4D: the "MZ" DOS header magic
BitConverter.ToUInt32(fileBytes, 60) == 17744  // 0x4550: the "PE\0\0" NT header signature

The loader then extracts and decrypts the second-stage payload from a specific section (.CODE) using a custom decryption routine, before using the Windows API function CallWindowProcA as an execution vector to transfer control to the decrypted shellcode.
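The two comparisons above are the loader's own sanity check on its host file. For a defender doing triage, the same header walk is the starting point for spotting a payload-carrying section such as the .CODE section described here. The following is an added example, not code from WithSecure or from the Lumma sample: a small PE header parser that validates the "MZ" and "PE\0\0" signatures by following e_lfanew (the field at offset 60, which in a normal PE holds the NT header offset rather than the signature itself), reads the section table, and flags section names outside the usual compiler set as well as sections whose raw data points past the end of the file. The section name set, the `build_sample_pe` fixture and the sample layout are assumptions constructed for the example so it runs offline.

```python
import struct

MZ_SIGNATURE = 0x5A4D  # 23117 decimal: "MZ" DOS header magic
PE_SIGNATURE = 0x4550  # 17744 decimal: "PE\0\0" NT header signature

# Section names a stock MSVC/MinGW build normally emits (assumed list for this example);
# anything outside it, such as the .CODE section mentioned in the article, merits a closer look.
COMMON_SECTIONS = {".text", ".data", ".rdata", ".idata", ".edata", ".pdata",
                   ".rsrc", ".reloc", ".bss", ".tls", ".CRT"}


def parse_pe(data: bytes) -> dict:
    """Validate the DOS and NT headers and return the machine type plus the section table.

    Raises ValueError for anything that is not a well-formed PE prefix.
    """
    if len(data) < 64 or struct.unpack_from("<H", data, 0)[0] != MZ_SIGNATURE:
        raise ValueError("missing MZ signature")
    # Offset 60 (0x3C) holds e_lfanew, the file offset of the "PE\0\0" signature.
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if e_lfanew + 24 > len(data) or struct.unpack_from("<I", data, e_lfanew)[0] != PE_SIGNATURE:
        raise ValueError("missing PE signature at e_lfanew")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    machine, num_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table_off = e_lfanew + 24 + opt_size  # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table_off + 40 * i
        if off + 40 > len(data):
            raise ValueError("section table runs past end of file")
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": raw_size, "raw_ptr": raw_ptr,
        })
    return {"machine": machine, "sections": sections}


def triage(data: bytes) -> list:
    """Return human-readable findings for a PE image; an empty list means nothing odd was seen."""
    findings = []
    for s in parse_pe(data)["sections"]:
        if s["name"] not in COMMON_SECTIONS:
            findings.append(f"non-standard section name {s['name']!r}")
        if s["raw_ptr"] + s["raw_size"] > len(data):
            findings.append(f"section {s['name']!r} raw data extends past end of file")
    return findings


def build_sample_pe(section_names, raw_size=0x200) -> bytes:
    """Constructed fixture: a minimal PE skeleton (empty optional header, zero-filled sections)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)  # e_lfanew: NT headers immediately after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    raw_ptr = 64 + 4 + 20 + 40 * len(section_names)
    table = b""
    for name in section_names:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             raw_size, 0x1000, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw_ptr += raw_size
    headers = bytes(dos) + b"PE\0\0" + coff + table
    return headers + b"\0" * (raw_ptr - len(headers))


if __name__ == "__main__":
    # Constructed sample with a .CODE section, mirroring the layout the article describes.
    for line in triage(build_sample_pe([".text", ".CODE"])):
        print(line)
```

Run against a real file with `triage(open(path, "rb").read())`; the parser deliberately stops at the section table, so a file that fails either signature check or whose section table is truncated raises rather than returning partial findings.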
The second stage demonstrates advanced process hollowing techniques, creating a suspended process of itself and systematically replacing its memory contents.
The malware resolves critical Windows APIs dynamically by parsing the Process Environment Block (PEB) and Export Address Tables, avoiding static import dependencies that could trigger security solutions.
Perhaps most notably, Lumma implements the “Heaven’s Gate” technique in its third stage, transitioning between 32-bit and 64-bit execution modes to execute system calls directly.
This sophisticated approach involves far jumps to different code segments and direct syscall invocation, particularly using NtRaiseHardError to display deceptive warning dialogs.
The malware incorporates multiple anti-analysis features, including a self-integrity check that compares 20 bytes of its running process memory against the original file to detect unpacking attempts.
Additionally, it performs a language check specifically targeting non-Russian systems by calling GetUserDefaultUILanguage and comparing the result against the Russian language identifier (0x419), demonstrating its targeted nature and potential attribution to Russian-speaking threat actors.