Lumma Stealer

Lumma Stealer has used HTTP and HTTP for command and control communication.(Citation: Qualys LummaStealer 2024)(Citation: Fortinet LummaStealer 2024)

Lumma Stealer has created registry keys to maintain persistence using `HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`.(Citation: Cybereason LumaStealer Undated)(Citation: Netskope LummaStealer 2025)

Lumma Stealer has used PowerShell for initial user execution and other fuctions.(Citation: Qualys LummaStealer 2024)(Citation: Cybereason LumaStealer Undated)(Citation: Netskope LummaStealer 2025)(Citation: Fortinet LummaStealer 2024)

Lumma Stealer has gathered credential and other information from multiple browsers.(Citation: Cybereason LumaStealer Undated)(Citation: Fortinet LummaStealer 2024)(Citation: TrendMicro LummaStealer 2025)

Lumma Stealer has configured a custom user data directory such as a folder within `%USERPROFILE%\AppData\Roaming` for staging data.(Citation: TrendMicro LummaStealer 2025)

Lumma Stealer has used HTTPS for command and control purposes.(Citation: Fortinet LummaStealer 2024)

Lumma Stealer has utilized the .NET `ProcessStartInfo` class features to prevent the process from creating a visible window through setting the `CreateNoWindow` setting to “True,” which allows the executed command or script to run without displaying a command prompt window.(Citation: Fortinet LummaStealer 2024)

Lumma Stealer has leveraged legitimate applications to then side-load malicious DLLs during execution.(Citation: Cybereason LumaStealer Undated)

Lumma Stealer has attempted to bypass Windows Antimalware Scan Interface (AMSI) by removing the string “AmsiScanBuffer” from the “clr.dll” module in memory to prevent it from being called.(Citation: Netskope LummaStealer 2025)

Lumma Stealer has used payloads that resemble benign file extensions such as .mp3, .accdb, and .pub, though the files contained malicious JavaScript content.(Citation: Netskope LummaStealer 2025)

Lumma Stealer has used AES-encrypted payloads contained within PowerShell scripts.(Citation: Qualys LummaStealer 2024)

Lumma Stealer has been delivered through phishing emails with malicious attachments.(Citation: Cybereason LumaStealer Undated)

Lumma Stealer has used process hollowing leveraging a legitimate program such as “BitLockerToGo.exe” to inject a malicious payload.(Citation: Qualys LummaStealer 2024)

Lumma Stealer has detected antivirus processes using commands such as “tasklist” and “findstr.”(Citation: Qualys LummaStealer 2024)

Lumma Stealer has installed a malicious browser extension to target Google Chrome, Microsoft Edge, Opera and Brave browsers for the purpose of stealing data.(Citation: Cybereason LumaStealer Undated)

Lumma Stealer has used valid code signing digital certificates from ConsolHQ LTD and Verandah Green Limited to appear legitimate.(Citation: TrendMicro LummaStealer 2025)

Lumma Stealer has used mshta.exe to execute additional content.(Citation: Qualys LummaStealer 2024)(Citation: Netskope LummaStealer 2025)

Lumma Stealer has gained initial execution through victims opening malicious executable files embedded in zip archives, and MSI files within RAR files.(Citation: Cybereason LumaStealer Undated)

Lumma Stealer has queried system resources on the victim device to identify if it is executing in a sandbox or virtualized environments, checking usernames, conducting WMI queries for system details, checking for files commonly found in virtualized environments, searching system services, and inspecting process names.(Citation: Fortinet LummaStealer 2024) Lumma Stealer has checked system GPU configurations for sandbox detection.(Citation: TrendMicro LummaStealer 2025)