Latest news with #LummaC2


TECHx
26-05-2025
- TECHx
Cloudflare Helps Disrupt Lumma Stealer Malware Network
Cloudflare has announced its participation in a coordinated effort to disrupt the Lumma Stealer malware operation. The company's Cloudforce One and Trust and Safety teams worked alongside Microsoft and other partners to target Lumma Stealer, also known as LummaC2. This malware is part of a growing category of information-stealing tools posing serious risks to individuals and organizations.

Lumma Stealer exfiltrates credentials, cryptocurrency wallets, cookies, and other sensitive data from infected systems. The stolen data often fuels downstream criminal activities, including financial fraud, identity theft, and ransomware attacks.

Reportedly, the malware abused multiple infrastructure providers, including Cloudflare. In response, Cloudflare identified the abuse and joined a Microsoft-led takedown operation. This disruption involved several private partners, including those impacted and those offering intelligence support. It also included cooperation from the U.S. Department of Justice, Europol's European Cybercrime Center (EC3), and Japan's Cybercrime Control Center (JC3).

According to Cloudflare, the operation denied Lumma Stealer operators access to:
- Their command-and-control panel and stolen data marketplace
- The infrastructure used to collect and manage data

This action has increased operational and financial pressure on Lumma operators and their customers, forcing them to rebuild their malware services elsewhere.

Lumma Stealer is a Malware-as-a-Service platform. It allows cybercriminals to rent an admin panel, retrieve stolen data, and generate custom malware builds for global distribution. The malware spreads mainly through social engineering. Victims are lured into downloading and executing the payload via fake messages or ads.

To mitigate Lumma Stealer threats, experts recommend a layered defense. The malware evolves quickly and often uses malvertising, phishing, and compromised software. Cloudflare revealed several key security recommendations for enterprises and users:
- Block users from downloading executables and scripts from untrusted sources
- Use reputable endpoint detection tools and apply application allowlisting
- Disable or restrict PowerShell and unsigned macros

Additionally, users should avoid saving passwords in browsers, clear autofill data, and disable autofill for sensitive information. Regular software updates and DNS filtering are also critical. Enterprises should monitor for unusual connections, rare domain access, and suspicious script activity. Email and web filtering tools can also block malicious links and drive-by downloads.

Finally, user training is vital. Educating users about scareware, fake installers, and PowerShell misuse can help prevent infections and strengthen defenses against Lumma Stealer.
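The recommendation to monitor for "rare domain access" is easy to state and less obvious to implement. The following is an added example, not code from Cloudflare, Microsoft or any of the articles above: it parses a constructed DNS query log (epoch, host, queried domain), compares each domain against a constructed baseline of domains the organisation has seen before, and flags domains that are both new and queried by only a handful of hosts. The log lines, host names, domain names and the baseline set are all invented for the example; the threshold `max_hosts` is a hypothetical tuning parameter.

```python
from collections import defaultdict

# Constructed sample DNS query log (not real telemetry): "<epoch> <host> <queried domain>"
SAMPLE_DNS_LOG = """\
1747872000 ws-01 login.microsoftonline.com
1747872005 ws-02 login.microsoftonline.com
1747872010 ws-03 login.microsoftonline.com
1747872020 ws-01 update.example-vendor.com
1747872025 ws-02 update.example-vendor.com
1747872030 ws-07 a8f2k1.example-suspicious.top
1747872040 ws-07 cdn.example-vendor.com
1747872045 ws-04 cdn.example-vendor.com
1747872050 ws-05 cdn.example-vendor.com
1747872060 ws-09 x1y2z3.example-suspicious.xyz
"""

# Constructed baseline: domains the organisation has already seen. Anything
# outside this set counts as "new" for the purpose of the check.
BASELINE_DOMAINS = {
    "login.microsoftonline.com",
    "update.example-vendor.com",
    "cdn.example-vendor.com",
}


def parse_dns_log(text):
    """Yield (timestamp, host, domain) tuples; skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, host, domain = parts
        # Normalise case and a trailing dot so the same name is counted once.
        yield int(ts), host, domain.lower().rstrip(".")


def rare_domains(text, baseline, max_hosts=1):
    """Return {domain: sorted list of hosts} for domains that are not in the
    baseline and were queried by at most max_hosts distinct hosts.

    A domain nobody in the fleet has resolved before, reached from a single
    workstation, is the "rare domain access" pattern worth a closer look;
    widely used domains and known-good ones are filtered out.
    """
    hosts_per_domain = defaultdict(set)
    for _ts, host, domain in parse_dns_log(text):
        hosts_per_domain[domain].add(host)
    return {
        domain: sorted(hosts)
        for domain, hosts in hosts_per_domain.items()
        if domain not in baseline and len(hosts) <= max_hosts
    }


if __name__ == "__main__":
    for domain, hosts in rare_domains(SAMPLE_DNS_LOG, BASELINE_DOMAINS).items():
        print(f"rare domain {domain} queried only by {', '.join(hosts)}")
```

In practice the baseline would be built from a longer history of resolver logs rather than a literal set, and the flagged domains would be enriched (registration age, registrar, whether the querying host also ran an unexpected script) before anyone is paged; the point of the example is the shape of the check, not the sample data.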


Time of India
22-05-2025
- Time of India
Microsoft files legal action against information-stealing malware Lumma Stealer
Microsoft's DCU helped in the "takedown, suspension, and blocking of malicious domains that formed the backbone of Lumma's infrastructure," via a court order from the U.S. District Court of the Northern District of Georgia, the blog said. The US Department of Justice said on Wednesday it has seized five internet domains used by malicious cyber actors to operate the LummaC2 information-stealing malware service. The FBI's Dallas Field Office is investigating the case.


Techday NZ
22-05-2025
- Techday NZ
Cloudflare, Microsoft & police disrupt global malware service
Cloudflare, in partnership with Microsoft and international law enforcement, has helped dismantle the infrastructure supporting LummaC2, an information-stealing malware service regarded as a significant threat to users and organisations worldwide.

This collaborative effort targeted key elements of the Lumma Stealer operation, resulting in the seizure, takedown and blocking of malicious domains, as well as disruption to digital marketplaces used by criminals to distribute and monetise stolen data. Cloudflare also banned a number of accounts used in the deployment and configuration of these domains, aiming to weaken the underlying ecosystem relied on by cybercriminals.

Lumma Stealer, also known as LummaC2, operates as a subscription-based service that enables threat actors to access a central administrative panel through which they can acquire customised malware builds and retrieve data stolen from victims. Stolen information includes credentials, cryptocurrency wallets, cookies and various forms of sensitive data, which can subsequently facilitate identity theft, financial fraud and intrusions into both consumer and enterprise environments.

Blake Darché, Head of Cloudforce One at Cloudflare, said: "Lumma goes into your web browser and harvests every single piece of information on your computer that could be used to access either dollars or accounts – with the victim profile being everyone, anywhere at any time. The threat actors behind the malware target hundreds of victims daily, grabbing anything they can get their hands on. This disruption worked to fully setback their operations by days, taking down a significant number of domain names, and ultimately blocking their ability to make money by committing cybercrime. While this effort threw a sizable wrench into the largest global infostealers infrastructure, like any threat actor, those behind Lumma will shift tactics and reemerge to bring their campaign back online."

First observed on Russian-language crime forums in early 2023, Lumma Stealer's operations have increasingly shifted to Telegram, where cybercriminals buy access and share data using cryptocurrency. Logs of stolen credentials, known as "logs", are indexed and made available through Lumma's own marketplace or resold via other criminal networks.

The spread of Lumma Stealer is primarily achieved through social engineering campaigns. These include deceptive pop-ups (part of a method called ClickFix) which trick users into executing malicious scripts, as well as bundling payloads in cracked versions of legitimate software and distributing them via pay-per-install networks. The malware's developers invest in bypassing detection from antivirus solutions, increasing the risk to affected users and organisations.

Cloudflare's disruption operations involved placing a Turnstile-enabled interstitial warning page on domains associated with Lumma's command and control servers as well as its marketplace. In addition to impeding access, Cloudflare collaborated with leading industry partners, including Microsoft, multiple registry authorities, the FBI, the U.S. Department of Justice, Europol's European Cybercrime Center, and Japan's Cybercrime Control Center. This was intended to ensure that the criminals could not simply migrate their infrastructure or regain control via alternative registrars.

The tactics used by Lumma's operators relied on abusing infrastructure belonging to providers like Cloudflare, often to obscure the origin IP addresses of servers used to store stolen data. Cloudflare's Trust and Safety team repeatedly suspended malicious accounts and flagged illicit domains, escalating countermeasures after the malware was observed bypassing its initial warning pages.

Mitigation advice for users and organisations includes restricting the execution of unknown scripts, limiting the saving of passwords in browsers, and employing reputable endpoint protection tools capable of detecting credential theft. Regular software updates, DNS filtering and user education around the risks of malvertising and fake software installers are also highlighted as part of a comprehensive defence strategy.

By disrupting Lumma Stealer's infrastructure and limiting access to its command and control services, the operation has imposed significant operational and financial constraints on both the core operators and the wider criminal clientele. The disruption aims to undermine the infostealer-as-a-service model that has contributed to increased instances of cyber-enabled fraud, enterprise security breaches, and ransomware incidents.


Yahoo
22-05-2025
- Yahoo
Microsoft, DOJ take down Lumma Stealer malware sites
May 21 (UPI) -- Microsoft, the Department of Justice and others have thwarted the use of the Lumma Stealer malware that globally has infected nearly 400,000 computers.

The tech giant's Digital Crimes Unit seized and helped take down, suspend and block about 2,300 "malicious domains" that were the backbone of Lumma's infrastructure, said Steven Masada, assistant general counsel for Microsoft's DCU. Microsoft on May 13 filed a federal lawsuit against Lumma Stealer in the U.S. District Court for Northern Georgia, itnews reported.

Microsoft says Lumma Stealer is a "malware as a service" that can steal data from browsers, cryptocurrency wallets and other applications by installing malware. The tech firm from March 15 through Friday identified more than 394,000 Windows computers around the world that were infected with the Lumma malware.

The Department of Justice on Wednesday unsealed two warrants authorizing the seizure of five Internet domains used by cybercriminals to operate the Lumma malware service, which also is called "LummaC2." The Lumma malware "is deployed to steal sensitive information, such as user login credentials from millions of victims in order to facilitate a host of crimes," said Matthew Galeotti, leader of the DOJ's Criminal Division, in a news release. Those crimes include fraudulent bank transfers and cryptocurrency theft, Galeotti said. "The Justice Department is resolved to use court-ordered disruptions like this one to protect the public from the theft of their personal information and their assets," he added.

The DOJ's affidavit seeking the two seizure warrants accuses the administrators of LummaC2 of using the seized websites to distribute the malware to their affiliates and other cyber criminals. Browser data, autofill info, login credentials for email and banking services, and cryptocurrency seed phrases that open crypto wallets were common targets affected by the malware, according to the DOJ.

FBI investigators also identified at least 1.7 million instances in which the malware enabled cybercriminals to steal such information. The DOJ on Monday seized two online domains used to distribute the malware, which caused the Lumma operators to direct users to three new domains on Tuesday. The DOJ seized the three new domains on Wednesday. Europol's European Cybercrime Center and Japan's Cybercrime Control Center enabled the takedown of Lumma infrastructure within their respective jurisdictions, Microsoft officials said.


New York Post
22-05-2025
- Business
- New York Post
Microsoft files legal action against information-stealing malware Lumma Stealer
Microsoft said on Wednesday its Digital Crimes Unit filed a legal action against Lumma Stealer last week, after it found nearly 400,000 Windows computers globally infected by the information-stealing malware in the past two months. Lumma is capable of stealing data from various browsers and applications, such as cryptocurrency wallets, and installing other malware, the company said in a blog.

Microsoft's DCU helped in the 'takedown, suspension, and blocking of malicious domains that formed the backbone of Lumma's infrastructure,' via a court order from the U.S. District Court of the Northern District of Georgia, the blog said.

The U.S. Department of Justice said on Wednesday it has seized five internet domains used by malicious cyber actors to operate the LummaC2 information-stealing malware service. The FBI's Dallas Field Office is investigating the case.

'The growth and resilience of Lumma Stealer highlight the broader evolution of cybercrime and underscores the need for layered defenses and industry collaboration to counter threats,' Microsoft said in a separate blog post on the malware.