Lumma Banner

1. Background

Lumma Stealer surfaced in mid-2022 as a small-scale info-stealer sold through Telegram. Initially dismissed as a RedLine clone, it rapidly matured into a modular, subscription-based platform. By late 2024, Lumma had displaced RedLine and Raccoon v2 as one of the most traded log-theft services across underground markets.

Lumma’s appeal lies in its simplicity: a tiny loader, a single encrypted config, and a robust C2 ecosystem using Telegram bots for instant log delivery. It’s inexpensive, constantly maintained, and integrates natively with underground “log shops” that resell stolen credentials to other actors.

2. Infection Chain Overview

Typical Lumma campaigns follow a multi-stage loader chain:

  1. Initial lure — malvertising or “software update” pages hosting fake installers.
  2. Stage 1 dropper — a small .NET or C++ loader obfuscated with Crypto-Obfuscator or ConfuserEx.
  3. Stage 2 payload retrieval — downloads Lumma’s encrypted binary from Discord CDN, Bitbucket, or a compromised WordPress.
  4. Execution — payload unpacks in memory, establishes mutex, and begins data enumeration.
  5. Exfiltration — zipped credential package sent via HTTPS POST to a rotating panel domain or through Telegram API.

Each sample uses a randomized folder and filename, e.g. %AppData%\Roaming\Microsoft\Update\<GUID>\updater.exe.

3. Technical Breakdown

3.1 Core Capabilities

  • Browser data theft: Chromium-based browsers (Chrome, Edge, Brave, Opera) — cookies, autofills, history, and password DBs (Login Data, Cookies SQLite).
  • Crypto-wallet grabbing: MetaMask, Exodus, Binance Wallet, Atomic, and others via direct file path targeting.
  • Session token theft: Discord, Steam, Telegram Desktop, Minecraft launchers.
  • System reconnaissance: hostname, OS version, installed AV, timezone, public IP (via ip-api.com/json).
  • Screenshot capture: GDI 32 API calls with auto-save to temp folder before exfil.
  • Loader functions: capability to fetch secondary payloads (ClipBanker, RATs, or ransomware stagers).

3.2 Persistence & Anti-Analysis

Lumma avoids registry autoruns to remain stealthy. Instead, it employs:

  • Scheduled Task creation under random GUID names (visible in C:\Windows\System32\Tasks).
  • Shortcut planting in Startup with hidden attribute.
  • Self-deletion routines if running under sandbox artifacts (check for vboxservice.exe, vmtoolsd.exe, wireshark.exe).
  • Delayed execution (up to 120 seconds) to bypass quick sandbox detonation.

3.3 Configuration Storage

The binary contains an AES-256-encrypted JSON blob at the end of the file. Config includes:

{
  "C2": ["https://cdn-cdn[.]bitbucket[.]org/lumma/panel"],
  "TG_BOT": "@lumma_bot_api",
  "BUILD_ID": "6.4b-pro",
  "MODULES": ["browser","crypto","telegram"]
}

Decryption key is generated from machine-specific hash during build to prevent sample reuse.

4. Network Behavior

  • C2 Protocol: simple HTTPS POST with Base64 body containing ZIP archive.
  • Domain Fluxing: daily domain rotation pattern derived from date-based seed (YYYYMMDD.lumma[.]cc).
  • Beacon: heartbeat every 600 seconds if persistence active.
  • Exfil packet signature: requests to /upload.php with User-Agent: Lumma-Client/<ver>.

A DFIR network trace typically shows the host performing a series of TLS handshakes with unfamiliar CDN endpoints followed by POST bursts ~200–800 KB.

5. Code Traits

  • Compiled in C++/Assembly hybrid, occasionally wrapped in .NET stubs.
  • Heavy use of string obfuscation with single-byte XOR keys (0x41–0x5F range).
  • API hashing using CRC32 tables (same implementation reused across builds > 6.0).
  • Memory allocation via VirtualAllocEx + shellcode staging for reflective loading.

6. Forensic Indicators

Artefact Location Notes
update.log %Temp%\ Execution trace, build ID
Scheduled Task XML C:\Windows\System32\Tasks\<GUID> Timestamp = infection time
Registry Key HKCU\Software\Lumma Config remnant
ZIP Package %AppData%\Local\Temp\<GUID>.zip Pre-exfil log set
C2 domains *.lumma[.]cc, cdn-lumma[.]xyz, etc. 24-hour rotation

Memory dumps show injected threads in explorer.exe or chrome.exe.

7. Defensive & Detection Strategies

7.1 Endpoint Detection

  • YARA rule targeting AES key scheduling + string “Lumma-Client”.
  • Monitor schtasks.exe /create with random GUID names.
  • Flag outbound HTTPS POSTs to uncommon TLDs (.cc, .xyz) within 120 seconds of process start.
  • Detect credential store access from non-browser processes.

7.2 Network Layer

  • TLS inspection or JA3 fingerprints: Lumma uses ja3 = 72a589da586844d7f0818ce684948eea.
  • Block Telegram API tokens exfil from endpoints without legitimate use.

7.3 Blue-Team Playbook

  1. Isolate the host; acquire volatile memory immediately.
  2. Search for Lumma artefacts and extract persistence tasks.
  3. Parse logs for initial lure domain.
  4. Quarantine any Discord/Bitbucket download paths.
  5. Rotate all harvested credentials (especially crypto-wallets).
  6. Review outbound Telegram traffic for 24 hours prior.

8. Remediation — For Teams & Users

For Security Teams

  • Revoke OAuth sessions, rotate browser-stored passwords.
  • Check for scheduled tasks under hidden GUID names.
  • Block outbound traffic to known C2 domains and Telegram API IPs.
  • Implement endpoint DLP rules preventing browser DB access by untrusted processes.

For Average Users

  • Never download “updates” from pop-ups or random sites.
  • Use a password manager, not browser autofill.
  • Enable MFA for every service.
  • Run weekly malware scans with browser cache clearing.

9. Outlook

Lumma Stealer continues to evolve. In 2025, its authors added webhook-based delivery and stealth loader modules compatible with malware as a service (MaaS) frameworks. The constant updates and flexible infrastructure make it the de-facto successor to RedLine.

Lumma isn’t sophisticated by code — it’s effective because it exploits human trust in “legit-looking installers.”
And that’s exactly why it’s not going anywhere.