WithSecure Detection and Response Team researchers have published a new technical analysis of the Lumma information stealer, detailing the malware’s multi-stage infection chain and its resilience following the major international law enforcement operation against it in 2025.
Persistent Threat Despite Law Enforcement Action
The analysis comes as Lumma continues to operate despite a coordinated global takedown effort.
In May 2025, the U.S. Department of Justice, Europol, and Japan’s Cybercrime Control Center (JC3) seized over 2,300 domains and disrupted Lumma’s control panel infrastructure worldwide.
Microsoft reported that between March and May 2025 it identified more than 394,000 Windows computers worldwide infected with the Lumma stealer.
However, security researchers note that threat actors behind Lumma remain active, demonstrating the challenge of permanently disrupting malware-as-a-service operations.
“Based on how the threat landscape shifts in general, Lumma will recover, or the same threat actor(s) will sprout back up in some form,” WithSecure researchers warned.
Technical Sophistication and Market Presence
Lumma, written in C++, has established itself as a prominent player in the information stealing landscape.
The malware consistently ranks among the top 10 most reported malware families on abuse.ch’s MalwareBazaar statistics page, indicating widespread deployment by cybercriminals.
The stealer operates as a malware-as-a-service platform distributed through Telegram channels with multiple service tiers.
According to an interview with the malware’s developer, Lumma had approximately 400 active users within its first year of operation, with the user base appearing to grow significantly since then.
Advanced Evasion Techniques
The analyzed sample demonstrates sophisticated packing and obfuscation techniques designed to evade detection systems.
The infection begins with a .NET/C# loader that performs extensive validation of the embedded PE file structure, including verification of the DOS and PE headers, before proceeding with payload extraction.
The loader employs position-independent code and process environment block (PEB) parsing to resolve Windows API functions at runtime, so the functions it uses never appear in the binary’s import table.
This approach helps the malware evade static analysis, which commonly keys on suspicious imports.
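To make the two loader techniques concrete, here is an added example in C. It is not WithSecure’s analysis code and nothing in it was recovered from Lumma; it shows (a) the header validation a loader must do before it trusts e_lfanew and the rest of the PE, and (b) resolving an exported function by name by walking a module’s export directory, which is the per-module step of IAT-less API resolution. The PEB walk that locates a module base in memory is Windows-specific and is not included. The image the code parses is constructed inline: a minimal PE32+ header with a two-entry export table, treated as already mapped so that RVAs equal buffer offsets. The function names, RVAs and status codes in it are invented for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Little-endian field access; every caller bounds-checks offsets first. */
static uint16_t rd16(const uint8_t *p, size_t off) { return (uint16_t)(p[off] | (p[off + 1] << 8)); }
static uint32_t rd32(const uint8_t *p, size_t off) { return rd16(p, off) | ((uint32_t)rd16(p, off + 2) << 16); }
static void wr16(uint8_t *p, size_t off, uint16_t v) { p[off] = (uint8_t)v; p[off + 1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, size_t off, uint32_t v) { wr16(p, off, (uint16_t)v); wr16(p, off + 2, (uint16_t)(v >> 16)); }

enum pe_status { PE_OK = 0, PE_TOO_SHORT, PE_BAD_DOS_MAGIC, PE_BAD_LFANEW,
                 PE_BAD_NT_SIG, PE_BAD_OPT_MAGIC };

/* Header checks a loader needs before trusting anything else: "MZ", e_lfanew inside the
 * buffer with room for signature + COFF header + optional-header magic, "PE\0\0", and a
 * known optional-header magic whose declared size also fits in the buffer. */
enum pe_status validate_pe(const uint8_t *buf, size_t len, uint32_t *nt_out)
{
    if (len < 0x40) return PE_TOO_SHORT;
    if (rd16(buf, 0) != 0x5A4D) return PE_BAD_DOS_MAGIC;            /* "MZ" */
    uint32_t nt = rd32(buf, 0x3C);                                  /* e_lfanew */
    if (nt > len || len - nt < 4 + 20 + 2) return PE_BAD_LFANEW;
    if (rd32(buf, nt) != 0x00004550) return PE_BAD_NT_SIG;          /* "PE\0\0" */
    uint16_t opt_magic = rd16(buf, nt + 24);
    if (opt_magic != 0x10B && opt_magic != 0x20B) return PE_BAD_OPT_MAGIC;
    uint16_t opt_size = rd16(buf, nt + 20);                         /* SizeOfOptionalHeader */
    if (len - nt - 24 < opt_size) return PE_TOO_SHORT;
    if (nt_out) *nt_out = nt;
    return PE_OK;
}

/* Resolve an export by name from an already-mapped image (RVA == offset) and return its
 * RVA, or 0 when absent or when the export table is malformed. Real loaders first find
 * the module base through the PEB's module list, then run exactly this walk. */
uint32_t resolve_export(const uint8_t *img, size_t len, const char *name)
{
    uint32_t nt;
    if (validate_pe(img, len, &nt) != PE_OK) return 0;
    /* DataDirectory[0] (export table) is at +96 in a PE32 and +112 in a PE32+ optional header. */
    size_t dd = (size_t)nt + 24 + (rd16(img, nt + 24) == 0x20B ? 112 : 96);
    if (dd + 8 > len) return 0;
    uint32_t edir = rd32(img, dd);                      /* IMAGE_EXPORT_DIRECTORY RVA */
    if (edir == 0 || edir > len || len - edir < 40) return 0;
    uint32_t nfuncs = rd32(img, edir + 20), nnames = rd32(img, edir + 24);
    uint32_t funcs = rd32(img, edir + 28), names = rd32(img, edir + 32), ords = rd32(img, edir + 36);
    for (uint32_t i = 0; i < nnames; i++) {
        size_t name_ptr = (size_t)names + 4 * (size_t)i;
        if (name_ptr + 4 > len) return 0;
        uint32_t name_rva = rd32(img, name_ptr);
        if (name_rva >= len) return 0;
        /* The name must be NUL-terminated inside the buffer before strcmp may touch it. */
        if (memchr(img + name_rva, 0, len - name_rva) == NULL) return 0;
        if (strcmp((const char *)img + name_rva, name) != 0) continue;
        size_t ord_ptr = (size_t)ords + 2 * (size_t)i;
        if (ord_ptr + 2 > len) return 0;
        uint16_t ord = rd16(img, ord_ptr);              /* index into AddressOfFunctions */
        size_t fn_ptr = (size_t)funcs + 4 * (size_t)ord;
        if (ord >= nfuncs || fn_ptr + 4 > len) return 0;
        return rd32(img, fn_ptr);
    }
    return 0;
}

/* Constructed image: minimal PE32+ headers plus a two-name export table (invented values). */
#define IMG_SIZE 0x400
uint8_t g_image[IMG_SIZE];

size_t build_image(void)
{
    const uint32_t nt = 0x80, edir = 0x200;
    memset(g_image, 0, IMG_SIZE);
    wr16(g_image, 0x00, 0x5A4D);                  /* e_magic "MZ" */
    wr32(g_image, 0x3C, nt);                      /* e_lfanew */
    wr32(g_image, nt, 0x00004550);                /* "PE\0\0" */
    wr16(g_image, nt + 4, 0x8664);                /* Machine = AMD64 */
    wr16(g_image, nt + 20, 240);                  /* SizeOfOptionalHeader for PE32+ */
    wr16(g_image, nt + 24, 0x20B);                /* optional-header magic PE32+ */
    wr32(g_image, nt + 24 + 112, edir);           /* export DataDirectory RVA */
    wr32(g_image, nt + 24 + 116, 0x90);           /* export DataDirectory size */
    wr32(g_image, edir + 20, 2);                  /* NumberOfFunctions */
    wr32(g_image, edir + 24, 2);                  /* NumberOfNames */
    wr32(g_image, edir + 28, 0x240);              /* AddressOfFunctions */
    wr32(g_image, edir + 32, 0x250);              /* AddressOfNames */
    wr32(g_image, edir + 36, 0x260);              /* AddressOfNameOrdinals */
    wr32(g_image, 0x240, 0x1000); wr32(g_image, 0x244, 0x2000);   /* function RVAs */
    wr32(g_image, 0x250, 0x270);  wr32(g_image, 0x254, 0x280);    /* name RVAs */
    wr16(g_image, 0x260, 0);      wr16(g_image, 0x262, 1);        /* name -> function index */
    memcpy(g_image + 0x270, "GetProcAddress", 15);
    memcpy(g_image + 0x280, "LoadLibraryA", 13);
    return IMG_SIZE;
}

/* Edge case: e_lfanew lands inside the buffer but too close to its end to hold NT headers. */
enum pe_status check_truncated_lfanew(void)
{
    uint8_t tmp[IMG_SIZE];
    size_t len = build_image();
    memcpy(tmp, g_image, len);
    wr32(tmp, 0x3C, (uint32_t)len - 10);
    return validate_pe(tmp, len, NULL);
}

int main(void)
{
    size_t len = build_image();
    printf("validate: %d\n", (int)validate_pe(g_image, len, NULL));
    printf("GetProcAddress RVA: 0x%x\n", (unsigned)resolve_export(g_image, len, "GetProcAddress"));
    printf("truncated e_lfanew: %d\n", (int)check_truncated_lfanew());
    return 0;
}
```

Two practical notes. On a file that is not yet mapped, every RVA above must first be translated through the section table, which is where many hand-written loaders (and unpackers) go wrong; and a function RVA that falls inside the export directory’s own range is a forwarder string naming another DLL, not code. Loaders that want to avoid even the plaintext API names typically compare a hash of each export name rather than the string, which is why detection signatures for this technique often key on the hash constants rather than on strings.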
Information Theft Capabilities
Lumma targets a broad range of sensitive information, including browser databases containing user credentials, browsing history, and cryptocurrency wallet data.
The malware can also exfiltrate documents and other user files, and the stolen credentials and session data can give attackers lasting access to a victim’s accounts even after the stealer itself has been removed from the device.
Security researchers emphasize that information stealers like Lumma pose significant risks not only to organizations but also to individual users, whose stolen credentials often enable Initial Access Brokers to facilitate broader attack campaigns.
The European Union Agency for Cybersecurity (ENISA) has acknowledged that Initial Access Brokers “are now an essential component of attack chains” in the modern threat landscape.