{"id":102897,"date":"2025-02-10T20:03:36","date_gmt":"2025-02-10T12:03:36","guid":{"rendered":"https:\/\/version-2.com\/?p=102897"},"modified":"2025-02-01T20:08:27","modified_gmt":"2025-02-01T12:08:27","slug":"lumma-stealer-a-fast-growing-infostealer-threat","status":"publish","type":"post","link":"https:\/\/version-2.com\/zh\/2025\/02\/lumma-stealer-a-fast-growing-infostealer-threat\/","title":{"rendered":"Lumma Stealer: A fast-growing infostealer threat"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

\u00a0<\/p>

\"\"<\/p>

In their biannual ESET Threat Report, ESET researchers have revealed a massive rise in detections of Lumma Stealer, which quietly threatens consumers and businesses alike.<\/em><\/p>

ESET Research is back with a frightening statistic \u2014 Detections of Lumma Stealer, an infostealer we previously reported as a threat to gamers<\/a>, increased 369% between H1 and H2 2024. This is problematic, as infostealers like Lumma continue to plague both consumer and business systems, usually without the knowledge of their owners.<\/p>

While infostealers are a sneaky lot, they are not without their vulnerabilities \u2014 which ESET products can capitalize on, to your security benefit.<\/p><\/div>

Let Lumma tell you a story<\/h3><\/header>

Also known as LummaC2 Stealer<\/a>, this malware-as-a-service mostly targets cryptocurrency wallets, user credentials and two-factor authentication browser extensions, but it also tries to exfiltrate various other data from compromised machines.<\/p>

What is malware-as-a-service (MaaS)?<\/strong><\/p>

Not unlike modern software offers, malware-as-a-service is a business model<\/a> that provides interested parties with ready-made and instantly deployable malware solutions. Typically offered on underground hacking forums found on the dark web, MaaS operators supply a variety of malware either as a one-time purchase or via a subscription. Ultimately, this easy access enables even those without advanced technical skills to launch cyberattacks, increasing their prevalence<\/a>.<\/p>

Lumma Stealer first appeared in August 2022 and is available for sale through a tiered pricing structure on hacking forums and Telegram. The cost ranges from $250 to $20,000, with the most expensive tier letting buyers access the infostealer\u2019s source code \u2014 enabling-would-be criminals to act as resellers.<\/p><\/div>

\"\"<\/div><\/div><\/div><\/div><\/div><\/div><\/div>

Because Lumma is a ready-made malware solution, it is easier for novice threat actors to share around. Its ease of use and breadth of functions alone make it an attractive choice for would-be attackers \u2014 but the fact that it can be spread through multiple vectors, unnoticed, makes it even more useful.<\/p><\/div>

Exploring attack vectors and ESET telemetry<\/h3><\/header>

While Lumma Stealer can spread through a variety of distribution vectors, some methods are more clever than others. One particularly sophisticated campaign discovered in October 2024 delivered Lumma Stealer through fake CAPTCHA sites<\/a>, which, after successful \u201cverification,\u201d delivered the infostealer onto the victim\u2019s device.<\/p>

Other avenues enabling Lumma Stealer\u2019s spread include cracked installations of popular open-source or paid apps such as ChatGPT<\/a> or Vegas Pro<\/a>. The infostealer can also spread via phishing emails or Discord messages, making it more likely to land in the inbox of even the youngest online users.<\/p>

Did you know?<\/strong><\/p>

Message boards like Discord can play a major role<\/a> in the spread of malicious software and scams. This is due to the way such places act as a kind of digital crossroads for online human activity, making them ripe for abuse. Moreover, threat actors can abuse the content delivery networks<\/a> of such online\/cloud platforms to distribute malware, as well.<\/p>

ESET also detected a campaign in which the Win\/Rozena.ADZ injector delivered Lumma Stealer via compromised videos on online marketplaces and websites with adult content. Likewise, Lumma Stealer was detected in KMS activators for pirated copies of Windows.<\/p>

Last but not least, in June 2024, ESET Research reported that players of the popular Hamster Kombat mobile clicker game were being targeted<\/a>, with cryptors containing Lumma Stealer hidden on GitHub repositories in the guise of helpful automation tools for the game.<\/p><\/div>

Just one of many infostealers on the loose<\/h3><\/header>

ESET telemetry for H2 2024 registered the highest number of Lumma Stealer attack attempts in Peru, Poland, Spain, Mexico and Slovakia. However, Lumma is not the only infostealer going around, and in general, the top five countries targeted by infostealer attacks in H2 2024 were Japan, Spain, Turkey, Poland and Italy.<\/p><\/div>

\"\"<\/div><\/div><\/div><\/div><\/div><\/div><\/div>
\u00a0<\/div>
\"\"<\/div><\/div><\/div><\/div><\/div><\/div><\/div>

Among other notable infostealers is Formbook, first discovered in 2016 and mainly spread through email phishing. This infostealer collects clipboard data, keystrokes, screenshots and cached browser data, and uses sophisticated obfuscation techniques to prevent deeper analysis. Moreover, it\u2019s been detected as part of large-scale ModiLoader<\/a> and AceCryptor<\/a> campaigns in Central and Eastern European states such as Poland, Romania, Czechia and Croatia.<\/p><\/div>

\"\"<\/div><\/div><\/div><\/div><\/div><\/div><\/div>

Spy another day<\/h3><\/header>

Infostealers are so damaging because being compromised even for a short time can be quite disastrous for both individuals and businesses. Once an infostealer gathers sufficient data to steal someone\u2019s credentials, funds, or identity, that individual can lose funds (crypto or cash), access to personal accounts, and more.\u00a0\u00a0 Compromised businesses can experience such costly cyber incidents as network infiltration, data breaches, extortion and ransomware attacks.<\/p>

Fortunately, there are many ways to prevent infostealers and similar threats from infiltrating our devices:<\/p>