On May 21, 2025, a coordinated takedown operation by Europol, the FBI, Microsoft, and various public and private partners targeted the notorious Lumma infostealer, a prevalent Malware-as-a-Service (MaaS) that has plagued organizations globally with credential theft.
The crackdown, initiated on May 15, saw law enforcement agencies seize nearly 2,500 Lumma domains, disrupting command and control (C2) servers and taking down management dashboards.
Lumma, a stealer marketed on dark web forums, has been crucial to the operations of cybercriminal syndicates such as Scattered Spider, Angry Likho, and CoralRaider.
Its infrastructure, however, proved resilient; while numerous domains were confiscated, law enforcement could not seize the malware’s primary C2 server because it was hosted in Russia.
The server was nonetheless infiltrated through a previously unknown vulnerability in Dell’s Integrated Remote Access Controller (iDRAC), allowing authorities to wipe the server and its backups.

Technical Focus: Exploiting Server Vulnerabilities
The technical highlight of the operation was the exploitation of an unknown iDRAC vulnerability, which provided law enforcement remote access to Lumma’s core server environment.
This move underscores the persistent risk posed by misconfigured or vulnerable remote management hardware in server environments. The following is a hypothetical code excerpt that illustrates how such an access vector might be exploited for unauthorized access (purely for educational purposes):
```python
# Hypothetical Python code snippet exploiting a generic remote management port
import socket

target_ip = '192.168.1.100'           # placeholder address for the management interface
idrac_port = 443                      # HTTPS port used by the iDRAC web interface
exploit_payload = b"EXPLOIT_PAYLOAD"  # placeholder bytes; no real payload is shown

# Connect to the iDRAC interface, send the placeholder, and read the reply
sock = socket.create_connection((target_ip, idrac_port))
sock.sendall(exploit_payload)
response = sock.recv(4096)
print('Received:', response)
sock.close()
```
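The defensive counterpart to the risk described above, added here as an example that is not part of the article: a check that flags traffic to out-of-band management interfaces such as iDRAC when it originates outside the management subnet. The log format, BMC addresses, management subnet and port list (443 from the text, 623 for IPMI) are assumptions, and the log lines are constructed.

```python
import ipaddress

# Constructed sample firewall log lines (not from the article):
# "<timestamp> src=<ip> dst=<ip> dport=<port> action=<allow|deny>"
SAMPLE_LOGS = [
    "2025-05-15T02:11:03Z src=10.20.0.15 dst=10.99.0.10 dport=443 action=allow",
    "2025-05-15T02:12:44Z src=203.0.113.7 dst=10.99.0.10 dport=443 action=allow",
    "2025-05-15T02:13:01Z src=198.51.100.9 dst=10.99.0.11 dport=623 action=allow",
    "2025-05-15T02:14:30Z src=10.20.0.15 dst=10.50.0.3 dport=443 action=allow",
    "2025-05-15T02:15:12Z src=203.0.113.7 dst=10.99.0.11 dport=443 action=deny",
]

# Hypothetical inventory: BMC/iDRAC addresses and the only subnet allowed to reach them
BMC_ADDRESSES = {"10.99.0.10", "10.99.0.11"}
MANAGEMENT_NET = ipaddress.ip_network("10.20.0.0/24")
# Assumed management services: 443 (iDRAC web interface), 623 (IPMI over LAN)
BMC_PORTS = {443, 623}


def parse_line(line):
    """Parse one key=value firewall log line into a record."""
    parts = line.split()
    fields = dict(kv.split("=", 1) for kv in parts[1:])
    return {
        "ts": parts[0],
        "src": fields["src"],
        "dst": fields["dst"],
        "dport": int(fields["dport"]),
        "action": fields["action"],
    }


def find_bmc_exposure(lines, bmc_addresses=BMC_ADDRESSES,
                      mgmt_net=MANAGEMENT_NET, ports=BMC_PORTS):
    """Return records of traffic to a BMC port that did not come from the management net.

    Allowed hits indicate a misconfigured reachability path; denied hits show
    that the interface is being reached for from outside and is worth reviewing.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec["dst"] not in bmc_addresses or rec["dport"] not in ports:
            continue
        if ipaddress.ip_address(rec["src"]) in mgmt_net:
            continue
        findings.append(rec)
    return findings


if __name__ == "__main__":
    for hit in find_bmc_exposure(SAMPLE_LOGS):
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']}:{hit['dport']} ({hit['action']})")
```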
Law enforcement’s use of this access not only wiped crucial Lumma infrastructure but also enabled them to set up phishing login pages that harvested credentials and digital footprints from Lumma customers.
Additionally, a basic JavaScript snippet was planted on the hijacked Lumma dashboard, purportedly to access users’ webcams—more a psychological tactic than an effective technical surveillance tool.
Lumma’s Immediate Response and Persistent Presence
In the days following the operation, customers and affiliates of Lumma crowded dark web forums, reporting inaccessible dashboards and C2 servers.
The Lumma developer swiftly responded, admitting the domain takedown but assuring users that the “core infrastructure” had been restored.
Telegram chats shared by cybercriminals indicated that the operators suffered no arrests and were “working normally” once again. Furthermore, Russian-registered Lumma C2 servers escaped disruption and continued to function.
Despite the takedown, fresh logs containing stolen credentials from Lumma infections appeared on Telegram bots and Russian-language cybercrime markets within days, signaling the malware’s persistent threat.
On May 29, a single Telegram bot offered 406 logs from 41 countries for sale, a clear sign that the Lumma operation, while disrupted, remained active.
Psychological Warfare and Industry Implications
Law enforcement agencies didn’t stop at technical disruption. In a move reminiscent of Operation Cronos (which targeted LockBit ransomware), they posted messages on Lumma’s main Telegram channel, warning affiliates that admins might be cooperating.
The planted JavaScript was also publicized, likely to inject suspicion among Lumma’s criminal clientele.
However, online forums remain divided. Some users speculate that the damage may push Lumma underground, switching to a private business model and ending open recruitment.
Others predict only short-term effects, given the operators’ technical resilience and the continued operation of Russia-based servers.
The takedown of Lumma infostealer’s infrastructure represents a significant technical achievement for global law enforcement, leveraging rare vulnerabilities in server hardware and deploying psychological tactics.
Despite these efforts, the Lumma operators’ ability to restore services and maintain active campaigns, especially via Russia-hosted assets, highlights the challenges in eradicating well-resourced cybercrime groups.
As always, reputational damage and psychological pressure may prove more decisive than technical blows alone, with the future of Lumma hinging on whether its criminal network can restore trust among its user base.