\nThe US Department of Justice (DOJ) and Microsoft have disrupted the infrastructure of the Lumma information stealer (infostealer).<\/p>\n
Lumma Stealer, also known as LummaC or LummaC2, first emerged in late 2022 and quickly established itself as one of the most prolific infostealers. Infostealers is the name we use for a group of malware that collects sensitive information from infected devices and sends the data to an operator. Depending on the type of infostealer and the goals of the operator, infostealers can be interested in taking anything from usernames and passwords to credit card details, and cryptocurrency wallets.<\/p>\n
Lumma operates under a malware-as-a-service (MaaS) model, meaning its creators sell access to the malware on underground marketplaces and platforms like Telegram. This model allows hundreds of cybercriminals worldwide to deploy Lumma for their own malicious campaigns.<\/p>\n
What makes Lumma particularly dangerous is its wide range of targets and its evolving sophistication. It doesn\u2019t just grab browser-stored passwords or cookies. It\u2019s also capable of extracting autofill data, email credentials, FTP client data, and even two-factor authentication tokens and backup codes, which enables attackers to bypass additional security layers.<\/p>\n
As Matthew R. Galeotti, head of the Justice Department\u2019s Criminal Division put it:<\/p>\n
> \u201cMalware like LummaC2 is deployed to steal sensitive information such as user login credentials from millions of victims in order to facilitate a host of crimes, including fraudulent bank transfers and cryptocurrency theft.\u201d<\/p>\n
Over the last few months alone, Microsoft identified over 394,000 Windows computers infected with Lumma worldwide. The FBI estimates that Lumma has been involved in around 10 million infections globally.<\/p>\n
Using a court order from the US District Court for the Northern District of Georgia, Microsoft\u2019s DCU seized and facilitated a takedown, suspension, and blocking of approximately 2,300 malicious domains that were part of the infostealer\u2019s backbone.<\/p>\n
Most of the seized domains served as user panels, where Lumma customers are able to access and deploy the infostealer, so this will stop the criminals from being able to to access Lumma in order to compromise computers and steal victim information.<\/p>\n
Government agencies and researchers sometimes alter DNS addresses to lead the traffic to their own servers (called sinkholes). By redirecting the seized domains to Microsoft-controlled sinkholes, investigators can now monitor ongoing attacks and provide intelligence to help defend against similar threats in the future. This takedown slows down cybercriminals, disrupts their revenue streams, and buys time and knowledge for defenders to strengthen security.<\/p>\n
## How to protect yourself<\/p>\n
Even with the Lumma infrastructure disrupted, the threat of information stealers remains very real and evolving. Here are some practical steps to reduce your risk:<\/p>\n
* **Use strong, unique passwords** for every account and consider a reputable password manager to keep track of them.
* **Enable multi-factor authentication (MFA)** wherever possible. Although Lumma tries to bypass 2FA, having it still adds a crucial layer of defense.
* **Be cautious with emails and downloads.** Lumma often spreads through phishing emails and malicious downloads, sometimes disguised as legitimate CAPTCHAs or antivirus software.
* **Keep your software and operating system updated** to patch vulnerabilities that malware can exploit.
* **Regularly monitor your financial and online accounts** for suspicious activity.
* **Educate yourself about phishing and social engineering tactics** to avoid falling victim to trickery.
* **Use an up-to-date real-timeanti-malware solution **to block install attempts and detect active information stealers.<\/p>\n
By understanding how threats like Lumma operate and by taking the necessary steps to protect ourselves, we can reduce the risk of falling prey to these invisible thieves.<\/p>\n
You can use Malwarebytes\u2019 free Digital Footprint Portal to see if any of your data has been stolen by a Lumma infostealer. We have many millions of stolen records stemming from Lumma stealers that are being traded on the Dark Web in our database.<\/p>\n
SCAN NOW<\/p>\n
* * *<\/p>\n
**We don ‘t just report on threats – we help safeguard your entire digital identity**<\/p>\n
Cybersecurity risks should never spread beyond a headline. Protect your\u2014and your family’s\u2014personal information by using identity protection.\n<\/p><\/div>\n
View Advisory Details<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"Security Update News Update Information Title Lumma information stealer infrastructure disrupted Update ID MALWAREBYTES:873E3259A45A1338B30FF0BE9D82FE46 Type malwarebytes Published 2025-05-22T12:17:34 Last Updated 2025-05-22T12:17:34 Security Impact CVSS Score…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,34,12,115,13,33,7,11,5],"class_list":["post-5686","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-cvss-00","tag-exploit","tag-malwarebytes","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n
Lumma information stealer infrastructure disrupted - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=5686\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Lumma information stealer infrastructure disrupted - zero redgem\" \/>\n<meta property=\"og:description\" content=\"Security Update News Update Information Title Lumma information stealer infrastructure disrupted Update ID MALWAREBYTES:873E3259A45A1338B30FF0BE9D82FE46 Type malwarebytes Published 2025-05-22T12:17:34 Last Updated 2025-05-22T12:17:34 Security Impact CVSS Score...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=5686\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-05-22T09:44:07+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=5686#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=5686\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"Lumma information stealer infrastructure disrupted\",\"datePublished\":\"2025-05-22T09:44:07+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=5686\"},\"wordCount\":709,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"CVSS-0.0\",\"exploit\",\"malwarebytes\",\"news\",\"NONE\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_news\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=5686#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=5686\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=5686\",\"name\":\"Lumma information stealer infrastructure disrupted - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-05-22T09:44:07+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=5686#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=5686\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=5686#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Lumma information stealer infrastructure disrupted\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Lumma information stealer infrastructure disrupted - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=5686","og_locale":"en_US","og_type":"article","og_title":"Lumma information stealer infrastructure disrupted - zero redgem","og_description":"Security Update News Update Information Title Lumma information stealer infrastructure disrupted Update ID MALWAREBYTES:873E3259A45A1338B30FF0BE9D82FE46 Type malwarebytes Published 2025-05-22T12:17:34 Last Updated 2025-05-22T12:17:34 Security Impact CVSS Score...","og_url":"https:\/\/zero.redgem.net\/?p=5686","og_site_name":"zero redgem","article_published_time":"2025-05-22T09:44:07+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=5686#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=5686"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"Lumma information stealer infrastructure disrupted","datePublished":"2025-05-22T09:44:07+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=5686"},"wordCount":709,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","CVSS-0.0","exploit","malwarebytes","news","NONE","Security","tapic","Vulnerability"],"articleSection":["category_news"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=5686#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=5686","url":"https:\/\/zero.redgem.net\/?p=5686","name":"Lumma information stealer infrastructure disrupted - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-05-22T09:44:07+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=5686#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=5686"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=5686#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"Lumma information stealer infrastructure disrupted"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/5686","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5686"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/5686\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5686"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5686"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5686"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}