- ESET took part in a globally coordinated operation to disrupt Lumma Stealer.
- The operation, led by Microsoft, targeted Lumma Stealer infrastructure, including all known C&C servers from the past year, making the botnet, in large part, inoperative.
- Lumma Stealer has been one of the most prevalent infostealers over the past two years.
- ESET provided both technical analysis and statistical information, and extracted essential data from tens of thousands of samples, as Lumma Stealer developers had been actively developing and maintaining the malware.
PRAGUE and BRATISLAVA, Slovakia, May 21, 2025 (GLOBE NEWSWIRE) -- ESET has collaborated with Microsoft, BitSight, Lumen, Cloudflare, CleanDNS, and GMO Registry in a global disruption operation against Lumma Stealer, an infamous Malware-as-a-Service infostealer. The operation targeted Lumma Stealer infrastructure, specifically all known C&C servers of the past year, making the botnet, in large part, inoperative.
“ESET automated systems processed tens of thousands of Lumma Stealer samples, dissecting them to extract key elements, such as C&C servers and affiliate identifiers. This allowed us to continuously monitor Lumma Stealer’s activity, cluster affiliates, keep track of development updates, and more,” says ESET researcher Jakub Tomanek, who monitors and investigates Lumma Stealer. “Infostealer malware families, like Lumma Stealer, are typically just a foreshadowing of future, much more devastating attacks. Harvested credentials are a valued commodity in the cybercrime underworld, sold by initial access brokers to various other cybercriminals, including ransomware affiliates,” adds Tomanek. Lumma Stealer has been one of the most prevalent infostealers over the past two years, leaving no part of the world untouched.
Lumma Stealer developers had been actively developing and maintaining the malware. ESET has regularly spotted code updates ranging from minor bugfixes to complete replacement of string encryption and updates to the network protocol. The operators of the botnet also actively maintained the shared network infrastructure. Between 17 June 2024 and 1 May 2025, ESET observed a total of 3,353 unique C&C domains, with an approximate average of 74 new domains emerging each week, including occasional updates to Telegram-based dead drop resolvers. This ongoing evolution underscores the significant threat posed by Lumma Stealer and highlights the importance of the disruption efforts.
Lumma Stealer adopts the concept of malware as a service, where affiliates pay a monthly fee based on their tier to receive the latest malware builds and the network infrastructure necessary for data exfiltration. The tiered subscription model features price ranges from $250 to $1000 per month, each with increasingly sophisticated features. The operators of Lumma Stealer have also created a Telegram marketplace for affiliates, with a rating system to sell stolen data without intermediaries. Common distribution methods include phishing, cracked software, and other malware downloaders. Lumma Stealer employs a few, but effective, anti-emulation techniques that make analysis as complicated as possible. These techniques are designed to evade detection and hinder the efforts of security analysts.
Microsoft’s Digital Crimes Unit has facilitated the takedown, suspension, seizure, and blocking of the malicious domains that formed the backbone of Lumma Stealer’s infrastructure via a court order granted by the United States District Court of the Northern District of Georgia. In coordination, the U.S. Department of Justice simultaneously also seized the Lumma Stealer control panel, targeting the Lumma Stealer marketplace – and in turn the purchasers of Lumma Stealer malware. This was coordinated with Europol’s European Cybercrime Center (EC3) as well as Japan’s Cybercrime Control Center (JC3), which facilitated the suspension of locally based Lumma Stealer infrastructure.
“This global disruption operation was made possible by our long-term tracking of Lumma Stealer. The disruption operation led by Microsoft aimed to seize all known Lumma Stealer C&C domains, making the exfiltration infrastructure of Lumma Stealer non-functional. However, ESET will continue to track other infostealers while closely monitoring for Lumma Stealer activity following this disruption operation,” concludes Tomanek.
For an overview of the Lumma Stealer ecosystem and both a technical analysis and look at the evolution of Lumma Stealer's key static and dynamic properties critical to the disruption effort, check out the latest ESET Research blogpost, “ESET takes part in global operation to disrupt Lumma Stealer” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X), Bluesky, and Mastodon for the latest news from ESET Research.
Lumma Stealer detection rate based on ESET telemetry (data since July 2024)
About ESET
ESET® provides cutting-edge digital security to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of emerging global cyberthreats, both known and unknown — securing businesses, critical infrastructure, and individuals. Whether it’s endpoint, cloud, or mobile protection, our AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption, and multifactor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. The ever-evolving digital landscape demands a progressive approach to security: ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a strong global partner network. For more information, visit www.eset.com or follow our social media, podcasts, and blogs.
A photo accompanying this announcement is available at https://www.globenewswire.com/NewsRoom/AttachmentNg/3e248b2b-dcbf-42cb-93ac-a4b4668bbc31
Media contact: Jessica Beffa jessica.beffa@eset.com 720-413-4938
