A broad coalition of technology partners and law enforcement agencies, spearheaded by Microsoft’s Digital Crimes Unit (DCU), has disrupted the dangerous Lumma Stealer malware-as-a-service (MaaS) operation, which played a key role in the arsenals of multiple cyber criminal gangs, including ransomware crews. Using a court order granted in the US District Court of the Northern District of Georgia earlier in May, the DCU and its posse seized and took down approximately 2,300 malicious domains that formed the core of the Lumma operation. “Lumma steals passwords, credit cards, bank accounts and cryptocurrency wallets, and has enabled criminals to hold schools to ransom, empty bank accounts and disrupt critical services,” said DCU assistant general counsel, Steven Masada. At the same time, the US Department of Justice (DoJ) seized the MaaS central command structure and targeted the underground marketplaces where access was sold, while elsewhere, Europol’s European Crime Centre (EC3) and Japan’s Cybercrime Control Centre (JC3) went after locally hosted infrastructure. Europol EC3 head Edvardas Šileris, said: “This operation is a clear example of how public-private partnerships are transforming the fight against cyber crime. By combining Europol’s coordination capabilities with Microsoft’s technical insights, a vast criminal infrastructure has been disrupted. Cyber criminals thrive on fragmentation – but together, we are stronger.” In a blog post detailing the takedown, Masada said that over a two-month period, Microsoft had identified more than 394,000 Windows computers that had been infected by Lumma. These machines have now been “freed”, with communications between Lumma and its victims severed. This joint action is designed to slow the speed at which [threat] actors can launch their attacks, minimise the effectiveness of their campaigns, and hinder their illicit profits by cutting a major revenue stream Steven Masada, Microsoft Digital Crimes Unit At the same time, about 1,300 domains seized by or transferred to Microsoft – including 300 actioned by Europol – are now redirecting to Microsoft-operated sinkholes. “This will allow Microsoft’s DCU to provide actionable intelligence to continue to harden the security of the company’s services and help protect online users,” said Masada. “These insights will also assist public- and private-sector partners as they continue to track, investigate and remediate this threat. “This joint action is designed to slow the speed at which these actors can launch their attacks, minimise the effectiveness of their campaigns, and hinder their illicit profits by cutting a major revenue stream.” The Lumma Stealer MaaS first appeared on the underground scene about three years ago and has been under near-continuous development since then. Based out of Russia, and run by a primary developer who goes by the handle “Shamel”, Lumma offers four tiers of service, starting from $250 (£186) and rising to an eye-popping $20,000, for which buyers receive access to Lumma’s style and panel source code, the source code for plugins, and the right to act as a reseller. In conversation with a cyber researcher in 2023, Shamel claimed to have approximately 400 active users. When deployed, the goal is typically to monetise stolen data or conduct further exploitation. Like a chameleon, it is difficult to spot and can slip by many security defences unseen. To lure its victims, Lumma spoofs trusted brands – including Microsoft – and spreads through phishing and malvertising. As such, it has become something of a go-to tool for many, and is known to have been used by many of the world’s more notorious cyber crime collectives, including ransomware gangs. Its customers likely included, at one time, Scattered Spider, the group thought to be behind the ransomware attack on Marks & Spencer in the UK, although there is no public evidence to suggest it was used in this incident. Blake Darché, head of Cloudforce One at Cloudflare, which provided key support during the takedown, said: “Lumma goes into your web browser and harvests every single piece of information on your computer that could be used to access either dollars or accounts – with the victim profile being everyone, anywhere, at any time. “The threat actors behind the malware target hundreds of victims daily, grabbing anything they can get their hands on. This disruption worked to fully set back their operations by days, taking down a significant number of domain names and ultimately blocking their ability to make money by committing cyber crime. “While this effort threw a sizeable wrench into the largest global infostealer’s infrastructure, like any threat actor, those behind Lumma will shift tactics and reemerge to bring their campaign back online,” said Darché. Read more about malware Mobile malware can come in many forms, but users might not know how to identify it. Understand the signs to be wary of on Android devices, as well as what to do to remove malware. Malware operators are further monetising their malicious software by selling it to other attackers on a subscription basis. Learn how to detect and mitigate the threat. A wiperware cyber attack can change the game for organisations because it causes complete destruction of data and systems. Find out how to protect your business.

May 22, 2025Ravie LakshmananMalware / Cybercrime A sprawling operation undertaken by global law enforcement agencies and a consortium of private sector firms has disrupted the online infrastructure associated with a commodity information stealer known as Lumma (aka LummaC or LummaC2), seizing 2,300 domains that acted as the command-and-control (C2) backbone to commandeer infected Windows systems. "Malware like LummaC2 is deployed to steal sensitive information such as user login credentials from millions of victims in order to facilitate a host of crimes, including fraudulent bank transfers and cryptocurrency theft," the U.S. Department of Justice (DoJ) said in a statement. The confiscated infrastructure has been used to target millions across the world through affiliates and other cyber criminals. Lumma Stealer, active since late 2022, is estimated to have been used in at least 1.7 million instances to steal information, such as browser data, autofill information, login credentials, and cryptocurrency seed phrases. The U.S. Federal Bureau of Investigation (FBI) has attributed around 10 million infections to Lumma. The seizure impacts five domains that serve as login panels for Lumma Stealer's administrators and paying customers to deploy the malware, thereby preventing them from compromising the computers and stealing victim information. "Between March 16 and May 16, 2025, Microsoft identified over 394,000 Windows computers globally infected by the Lumma malware," Europol said, adding the operation cuts off communications between the malicious tool and victims. The agency described Lumma as the "world's most significant infostealer threat." Microsoft's Digital Crimes Unit (DCU), in partnership with other cybersecurity companies ESET, BitSight, Lumen, Cloudflare, CleanDNS, and GMO Registry, said it took down approximately 2,300 malicious domains that formed the backbone of Lumma's infrastructure. Spread of Lumma Stealer malware infections across Windows devices "The primary developer of Lumma is based in Russia and goes by the internet alias 'Shamel,'" Steven Masada, assistant general counsel at DCU, said. "Shamel markets different tiers of service for Lumma via Telegram and other Russian-language chat forums. Depending on what service a cybercriminal purchases, they can create their own versions of the malware, add tools to conceal and distribute it, and track stolen information through an online portal." The stealer, marketed under a malware-as-a-service (MaaS) model, is available on a subscription basis for anywhere between $250 to $1,000. The developer also offers a $20,000 plan that grants customers access to source code and the right to sell it to other criminal actors. Weekly counts of new C2 domains "Lower tiers include basic filtering and log download options, while higher tiers offer custom data collection, evasion tools, and early access to new features," ESET said. "The most expensive plan emphasizes stealth and adaptability, offering unique build generation and reduced detection." Over the years, Lumma has become something of a notorious threat, being delivered via various distribution vectors, including the increasingly popular ClickFix method. The Windows maker, which is tracking the threat actor behind the stealer under the name Storm-2477, said its distribution infrastructure is both "dynamic and resilient," leveraging a combination of phishing, malvertising, drive-by download schemes, abuse of trusted platforms, and traffic distribution systems like Prometheus. Lumma C2 selection mechanism Cato Networks, in a report published Wednesday, revealed that suspected Russian threat actors are leveraging Tigris Object Storage, Oracle Cloud Infrastructure (OCI) Object Storage, and Scaleway Object Storage to host fake reCAPTCHA pages that make use of ClickFix-style lures to trick users into downloading Lumma Stealer. "The recent campaign leveraging Tigris Object Storage, OCI Object Storage, and Scaleway Object Storage builds upon earlier methods, introducing new delivery mechanisms aimed at evading detection and targeting technically proficient users," researchers Guile Domingo, Guy Waizel, and Tomer Agayev said. Attack flow for ClickFix leading to Lumma Stealer using Prometheus TDS Some of the notable aspects of the malware are below - It employs a multi-tiered C2 infrastructure consisting of a set of nine frequently changing tier-1 domains hard-coded into the malware's configuration and fallback C2s hosted on Steam profiles and Telegram channels that point to tier-1 C2s The payloads are typically spread using pay-per-install (PPI) networks or traffic sellers that deliver installs-as-a-service. The stealer is typically bundled with spoofed software or cracked versions of popular commercial software, targeting users looking to avoid paying for legitimate licenses The operators have created a Telegram marketplace with a rating system for affiliates to sell stolen data without intermediaries The core binary is obfuscated with advanced protection such as low-level virtual machine (LLVM core), Control Flow Flattening (CFF), Control Flow Obfuscation, customized stack decryption, huge stack variables, and dead codes, among others to make static analysis difficult There were more than 21,000 market listings selling Lumma Stealer logs on multiple cybercriminal forums from April through June of 2024, a 71.7% increase from April through June of 2023 "The Lumma Stealer distribution infrastructure is flexible and adaptable," Microsoft said. "Operators continually refine their techniques, rotating malicious domains, exploiting ad networks, and leveraging legitimate cloud services to evade detection and maintain operational continuity. To further hide the real C2 servers, all the C2 servers are hidden behind the Cloudflare proxy." "This dynamic structure enables operators to maximize the success of campaigns while complicating efforts to trace or dismantle their activities. The growth and resilience of Lumma Stealer highlights the broader evolution of cybercrime and underscores the need for layered defenses and industry collaboration to counter threats." In an interview with security researcher g0njxa in January 2025, the developer behind Lumma said they intended to cease operations by next fall. "We have done a lot of work over two years to achieve what we have now," they said. "We are proud of this. It has become a part of our daily life for us, and not just work." Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    

Microsoft, in partnership with the U.S. Department of Justice (DOJ), took a major step in dismantling one of the most prolific cybercrime tools currently in circulation. Microsoft’s Digital Crimes Unit (DCU) collaborated with the DOJ, Europol, and several global cybersecurity firms to disrupt the Lumma Stealer malware network — a malware-as-a-service (MaaS) platform implicated in hundreds of thousands of digital breaches worldwide. According to Microsoft, Lumma Stealer infected over 394,000 Windows machines between March and mid-May 2025. The malware has been a favored tool amongst cybercriminals for stealing login credentials and sensitive financial information including cryptocurrency wallets. It’s been used for extortion campaigns against schools, hospitals, and infrastructure providers. According to the DOJ website, “the FBI has identified at least 1.7 million instances where LummaC2 was used to steal this type of information.” Recommended Videos With a court order from the U.S. District Court for the Northern Districts of Georgia, Microsoft took down roughly 2,300 malicious domains associated with Lumma’s infrastructure. The DOJ simultaneously took down five critical LummaC2 domains, which acted as command-and-control centers for cybercriminals deploying the malware. These domains now redirect to a government seizure notice. International assistance came from Europol’s European Cybercrime Centre (EC3) and Japan’s JC3, who coordinated efforts to block regional servers. Cybersecurity firms like Bitsight, Cloudflare, ESET, Lumen, CleanDNS, and GMO Registry assisted in identifying and dismantling web infrastructure. Inside the Lumma operation Lumma, also known as LummaC2, has been operating since 2022, possibly earlier, and makes its info-stealing malware available for sale through encrypted forums and Telegram channels. The malware is designed for ease of use and is often bundled with obfuscation tools to help it bypass antivirus software. Distribution techniques include spear-phishing emails, spoofed brand websites, and malicious online ads known as “malvertising.” Cybersecurity researchers say Lumma is particularly dangerous because it allows criminals to rapidly scale attacks. Buyers can customize payloads, track stolen data, and even get customer support via a dedicated user panel. Microsoft Threat Intelligence previously linked Lumma to notorious Octo Tempest gang, also known as “Scattered Spider.” In one phishing campaign earlier this year, hackers were able to spoof Booking.com and used Lumma to harvest financial credentials from unsuspecting victims. Who’s behind it? Authorities believe the developer of Lumma goes by the alias “Shamel” and operates out of Russia. In a 2023 interview, Shamel claimed to have 400 active clients and even bragged about branding Lumma with a dove logo and the slogan: “Making money with us is just as easy.” Long-term disruption, not a knockout Image used with permission by copyright holder While the takedown is significant, experts warn that Lumma and tools like it are rarely eradicated for good. Still, Microsoft and the DOJ say these actions severely hinder and disrupt criminal operations by cutting off their infrastructure and revenue streams. Microsoft will use the seized domains as sinkholes to gather intelligence and further protect victims. This situation highlights the need for international cooperation in cybercrime enforcement. DOJ officials emphasized the value of public-private partnerships, while the FBI noted that court-authorized disruptions remain a critical tool in the government’s cybersecurity playbook. As Microsoft’s DCU continues its work, this Lumma crackdown sets a strong precedent for what can be accomplished when industry and government specialists collaborate to eliminate threats. As more of these organizations are uncovered and disrupted, remember to protect yourself by changing your passwords frequently and avoid clicking links from unknown senders.

May 21, 2025Ravie LakshmananCyber Espionage / Vulnerability Russian cyber threat actors have been attributed to a state-sponsored campaign targeting Western logistics entities and technology companies since 2022. The activity has been assessed to be orchestrated by APT28 (aka BlueDelta, Fancy Bear, or Forest Blizzard), which is linked to the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center, Military Unit 26165. Targets of the campaign include companies involved in the coordination, transport, and delivery of foreign assistance to Ukraine, according to a joint advisory released by agencies from Australia, Canada, Czechia, Denmark, Estonia, France, Germany, the Netherlands, Poland, the United Kingdom, and the United States. "This cyber espionage-oriented campaign targeting logistics entities and technology companies uses a mix of previously disclosed TTPs and is likely connected to these actors' wide scale targeting of IP cameras in Ukraine and bordering NATO nations," the bulletin said. The alert comes weeks after France's foreign ministry accused APT28 of mounting cyber attacks on a dozen entities including ministries, defense firms, research entities, and think tanks since 2021 in an attempt to destabilize the nation. Then last week, ESET took the wraps off a campaign dubbed Operation RoundPress that it said has been ongoing since 2023 by exploiting cross-site scripting (XSS) vulnerabilities in various webmail services like Roundcube, Horde, MDaemon, and Zimbra to single out governmental entities and defense companies in Eastern Europe, as well as governments in Africa, Europe, and South America. According to the latest advisory, cyber attacks orchestrated by APT28 are said to have involved a combination of password spraying, spear-phishing, and modifying Microsoft Exchange mailbox permissions for espionage purposes. The primary targets of the campaign include organizations within NATO member states and Ukraine spanning defense, transportation, maritime, air traffic management, and IT services verticals. No less than dozens of entities in Bulgaria, Czechia, France, Germany, Greece, Italy, Moldova, the Netherlands, Poland, Romania, Slovakia, Ukraine, and the United States are estimated to have been targeted. Initial access to targeted networks is said to have been facilitated by leveraging seven different methods - Brute-force attacks to guess credentials Spear-phishing attacks to harvest credentials using fake login pages impersonating government agencies and Western cloud email providers that were hosted on free third-party services or compromised SOHO devices Spear-phishing attacks to deliver malware Exploitation of Outlook NTLM vulnerability (CVE-2023-23397) Exploitation of Roundcube vulnerabilities (CVE-2020-12641, CVE-2020-35730, CVE-2021-44026) Exploitation of internet-facing infrastructure such as corporate VPNs using public vulnerabilities and SQL injection Exploitation of WinRAR vulnerability (CVE-2023-38831) Once the Unit 26165 actors gain foothold using one of the above methods, the attacks proceed to the post-exploitation phase, which involves conducting reconnaissance to identify additional targets in key positions, individuals responsible for coordinating transport, and other companies cooperating with the victim entity. The attackers have also been observed using tools like Impacket, PsExec, and Remote Desktop Protocol (RDP) for lateral movement, as well as Certipy and ADExplorer.exe to exfiltrate information from the Active Directory. "The actors would take steps to locate and exfiltrate lists of Office 365 users and set up sustained email collection," the agencies pointed out. "The actors used manipulation of mailbox permissions to establish sustained email collection at compromised logistics entities." Another notable trait of the intrusions is the use of malware families like HeadLace and MASEPIE, to establish persistence on compromised hosts and harvest sensitive information. There is no evidence that malware variants like OCEANMAP and STEELHOOK have been used to directly target logistics or IT sectors. During data exfiltration, the threat actors have relied on different methods based on the victim environment, often utilizing PowerShell commands to create ZIP archives to upload the collected data to their own infrastructure, or employing Exchange Web Services (EWS) and Internet Message Access Protocol (IMAP) to siphon information from email servers. "As Russian military forces failed to meet their military objectives and Western countries provided aid to support Ukraine's territorial defense, Unit 26165 expanded its targeting of logistics entities and technology companies involved in the delivery of aid," the agencies said. "These actors have also targeted internet-connected cameras at Ukrainian border crossings to monitor and track aid shipments." The disclosure comes as Cato Networks revealed that suspected Russian threat actors are leveraging Tigris Object Storage, Oracle Cloud Infrastructure (OCI) Object Storage, and Scaleway Object Storage to host fake reCAPTCHA pages that make use of ClickFix-style lures to trick users into downloading Lumma Stealer. "The recent campaign leveraging Tigris Object Storage, OCI Object Storage, and Scaleway Object Storage builds upon earlier methods, introducing new delivery mechanisms aimed at evading detection and targeting technically proficient users," researchers Guile Domingo, Guy Waizel, and Tomer Agayev said. Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    

US, European, and Japanese authorities, along with tech companies including Microsoft and Cloudflare, say they’ve disrupted Lumma, an infostealer popular with criminal gangs.

May 16, 2025Ravie LakshmananMalware / Cyber Attack Cybersecurity researchers have shed light on a new malware campaign that makes use of a PowerShell-based shellcode loader to deploy a remote access trojan called Remcos RAT. "Threat actors delivered malicious LNK files embedded within ZIP archives, often disguised as Office documents," Qualys security researcher Akshay Thorve said in a technical report. "The attack chain leverages mshta.exe for proxy execution during the initial stage." The latest wave of attacks, as detailed by Qualys, employs tax-related lures to entice users into opening a malicious ZIP archive containing a Windows shortcut (LNK) file, which, in turn, makes use of mshta.exe, a legitimate Microsoft tool used to run HTML Applications (HTA). The binary is used to execute an obfuscated HTA file named "xlab22.hta" hosted on a remote server, which incorporates Visual Basic Script code to download a PowerShell script, a decoy PDF, and another HTA file similar to xlab22.hta called "311.hta." The HTA file is also configured to make Windows Registry modifications to ensure that "311.hta" is automatically launched upon system startup. Once the PowerShell script is executed, it decodes and reconstructs a shellcode loader that ultimately proceeds to launch the Remcos RAT payload entirely in memory. Remcos RAT is a well-known malware that offers threat actors full control over compromised systems, making it an ideal tool for cyber espionage and data theft. A 32-bit binary compiled using Visual Studio C++ 8, it features a modular structure and can gather system metadata, log keystrokes, capture screenshots, monitor clipboard data, and retrieve a list of all installed programs and running processes. In addition, it establishes a TLS connection to a command-and-control (C2) server at "readysteaurants[.]com," maintaining a persistent channel for data exfiltration and control. This is not the first time fileless versions of Remcos RAT have been spotted in the wild. In November 2024, Fortinet FortiGuard Labs detailed a phishing campaign that filelessly deployed the malware by making use of order-themed lures. What makes the attack method attractive to threat actors is that it allows them to operate undetected by many traditional security solutions as the malicious code runs directly in the computer's memory, leaving very few traces on the disk. "The rise of PowerShell-based attacks like the new Remcos RAT variant demonstrates how threat actors are evolving to evade traditional security measures," J Stephen Kowski, Field CTO at SlashNext, said. "This fileless malware operates directly in memory, using LNK files and MSHTA.exe to execute obfuscated PowerShell scripts that can bypass conventional defenses. Advanced email security that can detect and block malicious LNK attachments before they reach users is crucial, as is real-time scanning of PowerShell commands for suspicious behaviors." The disclosure comes as Palo Alto Networks Unit 42 and Threatray detailed a new .NET loader that's used to detonate a wide range of commodity information stealers and RATS like Agent Tesla, NovaStealer, Remcos RAT, VIPKeylogger, XLoader, and XWorm. The loader features three stages that work in tandem to deploy the final-stage payload: A .NET executable that embeds the second and third stages in encrypted form, a .NET DLL that decrypts and loads the next stage, and a .NET DLL that manages the deployment of the main malware. "While earlier versions embedded the second stage as a hardcoded string, more recent versions use a bitmap resource," Threatray said. "The first stage extracts and decrypts this data, then executes it in memory to launch the second stage." Unit 42 described the use of bitmap resources to conceal malicious payloads a a steganography technique that can bypass traditional security mechanisms and evade detection. The findings also coincide with the emergence of several phishing and social engineering campaigns that are engineered for credential theft and malware delivery - Use of trojanized versions of the KeePass password management software – codenamed KeeLoader – to drop a Cobalt Strike beacon and steal sensitive KeePass database data, including administrative credentials. The malicious installers are hosted on KeePass typosquat domains that are served via Bing ads. Use of ClickFix lures and URLs embedded within PDF documents and a series of intermediary dropper URLs to deploy Lumma Stealer. Use of booby-trapped Microsoft Office documents that are used to deploy the Formbook information stealer protected using a malware distribution service referred to as Horus Protector. Use of blob URIs to locally loads a credential phishing page via phishing emails, with the blob URIs served using allow-listed pages (e.g., onedrive.live[.]com) that are abused to redirect victims to a malicious site that contains a link to a threat actor-controlled HTML page. Use of RAR archives masquerading as setup files to distribute NetSupport RAT in attacks targeting Ukraine and Poland. Use of phishing emails to distribute HTML attachments that contain malicious code to capture victims' Outlook, Hotmail, and Gmail credentials and exfiltrate them to a Telegram bot named "Blessed logs" that has been active since February 2025 The developments have also been complemented by the rise in artificial intelligence (AI)-powered campaigns that leverage polymorphic tricks that mutate in real-time to sidestep detection efforts. These include modifying email subject lines, sender names, and body content to slip past signature-based detection. "AI gave threat actors the power to automate malware development, scale attacks across industries, and personalize phishing messages with surgical precision," Cofense said. "These evolving threats are increasingly able to bypass traditional email filters, highlighting the failure of perimeter-only defenses and the need for post-delivery detection. It also enabled them to outmaneuver traditional defenses through polymorphic phishing campaigns that shift content on the fly. The result: deceptive messages that are increasingly difficult to detect and even harder to stop." Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    