SecurityAnalyticsSecurityOperations

Lumma Stealer: Threat Landscape and Delivery Evolution (2024-2025) (Part 1)

Siddhant

Siddhant

Lumma Stealer has emerged as one of the most prolific infostealer threats in the cybercriminal ecosystem, with a 369% increase in infections from early to late 2024. This blog provides a comprehensive analysis of Lumma’s threat landscape, delivery vectors, and operational evolution based on observed telemetry and campaign analysis.

Over the past year, Lumma Stealer has grown into a prevalent infostealer threat observed across numerous campaigns worldwide, employed by diverse cybercriminal groups (from MaaS affiliates to ransomware crews) targeting both individuals and organizations. Its use is opportunistic and widespread – campaigns have impacted sectors ranging from government (U.S. state and local agencies) to telecom, healthcare, banking, and finance, with victims observed in regions including the United States, Latin America (e.g., Argentina, Colombia), and Asia (e.g., the Philippines). This broad targeting is enabled by Lumma’s Malware-as-a-Service model, where a developer (tracked by Microsoft as Storm-2477) sells subscriptions to affiliates who then deploy Lumma in their own operations. Notably, even well-resourced groups have incorporated Lumma; for example, ransomware actors (Octo Tempest and others) and APT actors (e.g., APT28, MuddyWater) have leveraged Lumma or its “fake CAPTCHA” delivery tricks in their campaigns. The result is a rapid surge in Lumma infections (a ~369% increase from early to late 2024) and a constant evolution of tactics aimed at stealing credentials, browser data, crypto wallets, and other sensitive information.

Distribution & Delivery Vectors (Last 12 Months)

Lumma Stealer’s delivery methods are diversified and continually adapted to maximize infections while evading defenses. Verified campaigns in the last year have utilized multiple initial access vectors and social engineering techniques:

  • Phishing Emails – Threat actors use malicious emails impersonating trusted brands or services to deliver Lumma. Campaigns have spoofed companies like with fake invoice/review notices, or even niche services with urgent lures. One April 2025 spear-phish targeted Canadian businesses with a “fitness plan” invoice theme, funneling victims through a Prometheus traffic distribution system to a fake CAPTCHA page. The final stage of that chain invoked an mshta.exe execution (via the ClickFix method described below) which launched a hidden PowerShell script, ultimately downloading Lumma (often alongside secondary malware like XWorm). These phishing campaigns frequently use email attachments or links (e.g., PDF with embedded URL) that lead to multi-stage download sequences, sometimes employing password-protected archives to evade scanners. In a recent case, attackers embedded a URL in a PDF which led to a chain of dropper URLs and finally a unique password-protected ZIP containing a large (>800 MB) installer; this installer, once run by the user, performed staged drops (creating temporary .accde files and an AutoIT script) to covertly execute the Lumma Stealer payload. Each archive used a one-time password, hindering signature-based detection and showcasing increasing sophistication in Lumma’s phishing delivery tactics.
  • Malvertising & SEO Poisoning – Lumma affiliates extensively abuse online advertising and search results to trick users into downloading the malware. In late 2024, a particularly sophisticated malvertising campaign placed malicious ads (e.g., fake download links for popular software like “Notepad++ update” or giveaways) that redirected users to attacker-controlled pages. Unsuspecting victims who clicked these poisoned ads were funneled through traffic distribution systems and ultimately landed on fake “I’m not a robot” CAPTCHA verification pages. After clicking the bogus CAPTCHA, the page would display unusual instructions (e.g., “Press Windows+R, paste a command, and hit Enter”) – a social engineering ploy that turned the victim into the installer. Following those instructions triggered execution of a malicious PowerShell one-liner that fetched and ran the Lumma Stealer payload. This ClickFix technique (abusing user trust in problem-solving prompts) became common in late 2024 and early 2025, as it requires no exploit – just user action – to achieve code execution. For instance, Sophos investigators in Sept 2024 found multiple cases of fake CAPTCHA sites instructing users to paste a base64-encoded PowerShell command into the Run dialog, which then launched a hidden PowerShell to download Lumma.) These malvertising-driven chains illustrate how attackers leverage web redirects and fake landing pages to achieve initial execution (ATT&CK T1189) purely through deceptive content, bypassing the need for traditional email phishing or exploits. Additionally, SEO poisoning has been used: in Jan 2025, researchers uncovered about 1,000 fake Reddit pages that surfaced in search results and linked to fake “WeTransfer” download pages hosting Lumma executables. Users thinking they were downloading legitimate files from popular sites were instead fetching the stealer.
  • Compromised Websites & Drive-by Downloads – Beyond ads, operators also hack legitimate websites to serve Lumma. Clusters of sites were compromised and injected with malicious JavaScript that either auto-downloads payloads or presents social engineering prompts on visiting browsers. A notable campaign in early April 2025 combined two advanced techniques – EtherHiding and ClickFix – to deliver Lumma. In this scheme, the injected JavaScript on legitimate but compromised websites fetched hidden payload code stored on the Binance Smart Chain blockchain (EtherHiding). Using blockchain smart contracts for hosting malicious code makes traditional domain/IP blocking ineffective, since the code is retrieved via blockchain calls rather than a static URL. Once the malicious smart contract code was loaded, the site showed a fake “I am not a robot” check with instructions for the user to copy a pre-filled command from their clipboard and run it via the Windows Run prompt. That command (delivered to the clipboard upon clicking the checkbox) invoked mshta.exe to execute further code from a remote server (e.g., mshta calling out to check.foquh[.]icu in Microsoft’s observation). This drive-by infection chain again relied on user action (copy-paste) rather than exploit, and the use of a blockchain-hosted payload plus living-off-the-land binaries made it highly resistant to blocking and detection. Other drive-by cases involved compromised sites directly initiating hidden downloads or using HTML/HTA droppers delivered via mshta when visited. In all these scenarios, Windows utilities like mshta.exe (for executing HTA/JS) and PowerShell are abused to run the malware in memory, minimizing the need for writing disk artifacts.
  • Trojanized Software Downloads – Lumma is also propagated through trojanized installers and software cracks. Many campaigns bundle the stealer with pirated or fake versions of popular applications and post them on file-sharing sites, forums, or torrent networks. Victims believe they are installing legitimate software (e.g., cracked VLC media player, fake ChatGPT clients, or game hacks), as the installer often functions normally or shows no obvious payload during setup. In reality, the modified installer drops and executes Lumma in the background (often with a delay or silent process) once the user launches the app. Recent telemetry shows this method continues to be popular – for example, Darktrace noted that throughout early 2023–2024 many Lumma infections originated from tools or updates users thought were benign (including fake software updates). Because the malware is packaged inside software users seek out, this vector exploits user trust and bypasses initial network protections (the user willingly runs the downloaded EXE). Defensive monitoring should focus on such installers spawning unusual processes or making network connections post-install.
  • Abuse of Legitimate Platforms – Lumma operators leverage trusted cloud services and developer platforms to host or distribute payloads, blending malicious traffic with legitimate usage. For instance, multiple campaigns in 2024–2025 were found using GitHub to host malicious binaries: attackers created fake GitHub repositories (sometimes filled with AI-generated innocuous content) and uploaded the Lumma payload in the Releases section, disguised as utilities or game cheats. Victims were led (via blog posts, comments, or redirect chains) to download these GitHub release packages (often a ZIP or EXE) and execute them, not realizing they contained malware. In some cases, the download link was given after a series of redirects and checks to ensure a human victim (for example, a compromised site would ultimately point to a GitHub URL where Lumma could be downloaded). Beyond GitHub, threat actors have also abused content delivery networks and file-sharing services: one campaign used Discord’s CDN to host Lumma payloads alongside other lures. Hosting malware on well-known domains (GitHub, Discord, Google Drive, AWS S3, Cloudflare, etc.) helps adversaries evade web filters and reputation-based blocking. In fact, Lumma’s own C2 infrastructure takes advantage of such services – the stealer’s communications are often Cloudflare-proxied or use other cloud fronting, so that outbound connections go to reputable endpoints (TLS traffic to Cloudflare) rather than obvious malicious IPs. This abuse of legitimate services makes detection more challenging, as it requires differentiating malicious vs. normal use of those platforms.
  • Secondary Malware Deployments – Lumma is sometimes delivered as a secondary payload by other malware strains, highlighting collaboration in the cybercriminal ecosystem. For example, Microsoft observed the DanaBot banking trojan dropping Lumma Stealer onto already-infected machines as an additional stage. In such cases, a system initially compromised by one malware ends up with Lumma being deployed to perform broad credential theft and data exfiltration, potentially to monetize the infection further or enable follow-on attacks. This tactic means that even if the initial vector is different (e.g., a user opened a malicious document that installed DanaBot), Lumma may appear afterward, amplifying the impact by harvesting passwords, cookies, and cryptocurrency wallets from the victim’s system. Security teams should be aware that Lumma infections can be a downstream effect of other malware incidents, and look for its telltale behaviors even when investigating seemingly unrelated malware alerts.

Tactics, Techniques, and Evolution

Lumma Stealer’s tactics, techniques, and procedures (TTPs) have continuously evolved over the last 12 months, making it a moving target for defenders. Earlier infostealer campaigns often relied on single vectors (like mass spam emails), but Lumma’s operators shifted to multi-vector campaigns that combine phishing, malvertising, and social engineering in dynamic ways. This adaptation has allowed them to maintain high infection success rates despite users and defenders becoming wary of more common tactics. Each campaign iteration shows refinement in evasion and social engineering: from the wide adoption of fake CAPTCHA dialogs (the “ClickFix” technique) since August/September 2024, to creative abuse of infrastructure like blockchain contracts (EtherHiding) in 2025, and the use of polymorphic delivery (e.g., one-time passwords for each download as seen in recent campaigns) to defeat signature-based detection.

Notably, Lumma’s malware capabilities have also been upgraded by its developers to resist analysis and detection. According to threat reports, the stealer includes virtual machine and sandbox detection, refrains from running when user activity is high (to avoid tipping off the victim), and encrypts or packs its components (including using polyglot files that masquerade as other file types). Lumma heavily leverages “living-off-the-land” binaries (LOLBins) and OS utilities during execution – for example, it spawns or injects into trusted processes like mshta.exe, powershell.exe, regsvr32.exe, or WMI processes to execute malicious code under the radar. These techniques allow it to run largely in-memory and often clean up traces after exfiltration. Some variants even self-delete or remove their persistence once data theft is complete. When persistence is used, it’s usually via standard methods like setting an entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Run for a dropped binary in the user profile – though many Lumma infections forego long-term persistence in favor of quick smash-and-grab data theft. On the network side, Lumma communications with its command-and-control are fully encrypted (TLS) and often proxied through content delivery networks (Cloudflare is commonly observed). The malware exfiltrates stolen data in small chunks (posting each credential or record separately with unique IDs) rather than one big transfer. This means defenders won’t see a single large upload that stands out, but rather a series of seemingly normal-sized HTTPS requests – a deliberate tactic to blend into ordinary web traffic patterns.

Overall, the current threat landscape for Lumma Stealer is one of high operational tempo and adaptation. Multiple threat actors are using it simultaneously, each adding their own techniques (from fake cloud storage sites, to novel loaders like “SmartLoader”, to injection of new payload modules). The malware’s success and profitability in underground markets drive this rapid innovation. For defenders, these trends underscore the need to focus on behavioral detections and anomaly-based monitoring. Traditional static IOCs (like file hashes or single C2 domains) are insufficient, as Lumma’s affiliates can recompile binaries per campaign and host them on new domains or legitimate platforms on the fly. Instead, detection strategies should capitalize on the telltale behaviors that Lumma exhibits when it operates, many of which are cross-variant:

  • Unusual LOLBin Usage – Monitor for processes like mshta.exe or rundll32.exe being launched by user-level contexts to fetch remote code. In monitored telemetry, Lumma campaigns repeatedly invoke mshta with a URL or script argument (often delivered via a user action). Legitimate use of mshta.exe to execute internet-hosted code is extremely rare in most environments, so this is a high-fidelity indicator. Similarly, PowerShell instances running encoded or long one-liner commands (especially containing Invoke-WebRequest and Invoke-Expression) are suspicious and have been seen in Lumma infection chains. Defenders can create rules to flag PowerShell child processes of browsers or Explorer that attempt network calls or decoding operations.
  • Clipboard/Run Prompt Activity – The fake CAPTCHA/ClickFix technique is user-interactive and may leave subtle traces: for instance, an Explorer.exe spawning PowerShell or mshta shortly after a user’s browser access could indicate the user was tricked into the Run prompt action. While endpoint logs typically do not capture clipboard text, correlating a browser event (visit to a known fake CAPTCHA page) with a subsequent suspicious process can reveal this pattern. If using EDR telemetry, look for sequences like a browser process (or PDF reader) launching another process that then spawns PowerShell/mshta. In one case, a victim’s Chrome spawned an mshta.exe process with a command line to a suspicious domain within seconds of a fake “Cloudflare check” page load. Tying such sequences together can confirm the social-engineering driven execution.
  • Persistence/Add-on Artifacts – Although Lumma often avoids persistence, any creation of Run key entries in the registry pointing to executables in unusual locations (e.g., %AppData%\\<random>.exe) should be scrutinized. Lumma has been observed adding itself to the HKCU\.\Run key for user persistence in some cases. Monitoring for registry events (Sysmon Event ID 13 or Windows Security Auditing events for registry modifications) that show new autoruns under user hive with suspicious file paths can catch this. Likewise, if the malware is packed in uncommon formats), those unusual file artifacts (large unexpected installer in temp, or .accde files creation outside of MS Office usage) can be triggers for investigation.
  • Network Exfiltration Patterns – Given Lumma’s encrypted, chunked exfiltration, defenders should baseline typical outbound HTTPS POST behavior per host. A Lumma-infected host often produces numerous small HTTPS POST requests to domains that may be new or not commonly accessed by that host. For example, rather than a single large upload, a host may suddenly make dozens of POST requests, each transferring a few kilobytes, to an atypical domain or an IP associated with Cloudflare or other CDN. Establishing a 15–30 day baseline of normal web upload activity for endpoints can help flag anomalies – e.g., if a machine that normally only makes <10 POST requests per day starts making 100+ POSTs overnight, or if the volume of data sent deviates significantly from historical patterns. These behavioral analytics can uncover stealthy exfiltration without relying on knowing the exact C2 domain. Coupling this with threat intel (e.g., monitoring for known Lumma C2 traffic patterns such as TLS User-Agent strings or periodic beaconing intervals) can further strengthen detection.

Below are example detection rules that security teams can operationalize immediately to catch Lumma Stealer behaviors observed in recent campaigns. Each rule is based on the specific telemetry and TTPs discussed above:

title: Suspicious mshta Executing Remote Content (Lumma Stealer TTP) 

id: efdc3c9e-0f47-4bfa-9b8d-mshta-remote-script 

status: experimental 

description: Detects mshta.exe executing a remote script or URL – a technique seen in Lumma Stealer fake CAPTCHA campaigns. 

author: ThreatDetectionTeam 

date: 2025/08/13 

references: 

 – “Lumma Stealer fake CAPTCHA mshta execution “

logsource: 

 category: process_creation 

 product: windows 

detection: 

 selection: 

 Image: ‘*\\mshta.exe’ 

 CommandLine: /http(s)?:\/\//i # mshta command line containing “http://&#8221; or “https://”&nbsp;

 condition: selection 

fields: [Image, ParentImage, CommandLine, User] 

falsepositives: 

 – Rare legitimate uses of mshta with remote URLs (e.g., some IT administration scripts) 

level: high

Pseudo Detection Logic: Unusual PowerShell Command (Invoke-WebRequest + Invoke-Expression) – possible Lumma infection chain

DeviceProcessEvents

| where FileName == “powershell.exe” 

 and ProcessCommandLine has_all (“Invoke-WebRequest”, “Invoke-Expression”) 

 and ProcessCommandLine contains “http”

| where InitiatingProcessFileName =~ “explorer.exe” or InitiatingProcessFileName =~ “chrome.exe” 

// filter to cases launched via Explorer or a browser, indicating user-initiated context

| project Timestamp, DeviceName, InitiatingProcessFileName, AccountName, ProcessCommandLine

// This query looks for one-line PowerShell execution that downloads and executes code, as seen in Lumma campaigns. 

// Tune as needed to your logs (e.g., include other parent processes or use SecurityEvent 4688 if EDR data not available).

Pseudo Detection Logic: Potential Lumma C2 Exfiltration via multiple small HTTPS POSTs (baseline threshold example)

index=proxy OR index=firewall “HTTP POST”

| stats count AS req_count, avg(bytes_out) AS avg_out, sum(bytes_out) AS total_out by src_ip, dest_domain

| where req_count > 50 and avg_out < 50000 and total_out > 1000000

| sort – req_count

| rename src_ip AS Suspected_Host, dest_domain AS Destination_Domain, req_count AS Post_Request_Count, total_out AS Total_Bytes_Sent

Detection Logic Explanation: The Sigma/Pseudo rules above will alert on any instance of mshta.exe running with an HTTP/HTTPS URL in its command line, which is highly indicative of the mshta-based script execution used by Lumma’s web delivery campaigns. The KQL query hunts for PowerShell processes launched by Explorer or browsers that contain both Invoke-WebRequest and Invoke-Expression – this combination (download + execute in one line) is characteristic of the PowerShell payload stage in fake CAPTCHA/ClickFix attacks. The Splunk query is an example looking for hosts that generate an unusually large number of small HTTP POST requests (e.g., more than 50 posts with an average size <50KB, and totaling >1MB of data). This pattern aligns with Lumma’s chunked data uploads over HTTPS. Security teams should adjust these thresholds to their environment’s baseline (consider typical web app behavior) – the intent is to find hosts that suddenly exhibit a spike in outbound posts, possibly indicating a stealthy exfiltration in progress. All these detection techniques focus on behavioral indicators rather than static IOCs, making them more resilient to variations; they should be combined with continuous baseline monitoring (15–30 day periods) to distinguish malicious outliers from normal operations. Each alert from such detections should be investigated in context (e.g., checking if a flagged mshta was spawned by a user clicking a link, or if the PowerShell command connected to known Lumma infrastructure) to confirm a Lumma Stealer infection and initiate response.

Key Insights for Defenders

1. Multi-Vector Delivery Strategy

Lumma’s success stems from its diversified delivery approach, combining:

  • Social Engineering: Fake CAPTCHA pages and ClickFix techniques
  • Infrastructure Abuse: Leveraging legitimate platforms (GitHub, Discord CDN)
  • Polymorphic Delivery: One-time passwords and polyglot files
  • Secondary Deployment: Integration with other malware families

2. Evolution of Evasion Techniques

Recent campaigns demonstrate sophisticated evasion:

  • Blockchain-based payload hosting (EtherHiding)
  • Living-off-the-land binary abuse (mshta.exe, PowerShell)
  • Process hollowing into trusted Windows binaries
  • ETW callback removal to blind security monitoring

3. Operational Impact

  • Broad targeting: Government, healthcare, finance, telecom sectors
  • Geographic spread: United States, Latin America, Asia
  • MaaS model: Enables rapid deployment by multiple threat actors
  • APT integration: Used by sophisticated groups like APT28 and MuddyWater

Defensive Recommendations

Immediate Actions

  1. Implement behavioral baselines for LOLBin usage patterns
  2. Monitor for fake CAPTCHA page visits and subsequent suspicious process spawns
  3. Deploy network anomaly detection for chunked HTTPS exfiltration
  4. Enable comprehensive logging for process creation and registry modifications

Strategic Considerations

  • Focus on cross-variant behavioral indicators over static IOCs
  • Implement 15-30 day baselines for normal user behavior
  • Deploy defense-in-depth with multiple detection layers
  • Prepare for rapid TTP evolution and infrastructure rotation

Conclusion

Lumma Stealer represents a significant threat that requires adaptive defensive strategies. Its success stems from combining sophisticated social engineering with technical evasion techniques, making traditional signature-based detection insufficient. Defenders must focus on behavioral analysis and anomaly detection to effectively counter this threat.

This is part 1 of a 3-part series on Lumma Stealer detection engineering.