
S1213 Lumma Stealer

Lumma Stealer is an information stealer malware family in use since at least 2022. It is sold as Malware as a Service (MaaS), and data captured with it has been sold in criminal markets to Initial Access Brokers.[3][4][5][2][1]

| Item | Value |
|---|---|
| ID | S1213 |
| Associated Names | LummaStealer |
| Type | MALWARE |
| Version | 1.0 |
| Created | 22 March 2025 |
| Last Modified | 22 March 2025 |

Associated Software Descriptions

| Name | Description |
|---|---|
| LummaStealer | [3] |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Lumma Stealer has used HTTP and HTTPS for command and control communication.[5][2] |
| enterprise | T1119 | Automated Collection | Lumma Stealer has automated the collection of various information, including cryptocurrency wallet details.[3] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Lumma Stealer has created registry keys to maintain persistence using HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.[3][4] |
| enterprise | T1217 | Browser Information Discovery | Lumma Stealer has identified and gathered information from two-factor authentication extensions for multiple browsers.[3] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | Lumma Stealer has used PowerShell for initial user execution and other functions.[5][3][4][2] |
| enterprise | T1059.006 | Python | Lumma Stealer has used malicious Python scripts to execute payloads.[3] |
| enterprise | T1059.010 | AutoHotKey & AutoIT | Lumma Stealer has utilized AutoIt malware scripts and AutoIt executables.[5][3] |
| enterprise | T1555 | Credentials from Password Stores | - |
| enterprise | T1555.003 | Credentials from Web Browsers | Lumma Stealer has gathered credentials and other information from multiple browsers.[3][2][1] |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | Lumma Stealer has configured a custom user data directory, such as a folder within %USERPROFILE%\AppData\Roaming, for staging data.[1] |
| enterprise | T1622 | Debugger Evasion | Lumma Stealer has checked for debugger strings by invoking GetForegroundWindow and looking for window titles containing “x32dbg”, “x64dbg”, “windbg”, “ollydbg”, “dnspy”, “immunity debugger”, “hyperdbg”, “debug”, “debugger”, “cheat engine”, “cheatengine” and “ida”.[2] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Lumma Stealer has used Base64-encoded content during execution, decoded via PowerShell.[4] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.002 | Asymmetric Cryptography | Lumma Stealer has used HTTPS for command and control purposes.[2] |
| enterprise | T1041 | Exfiltration Over C2 Channel | Lumma Stealer has exfiltrated collected data over existing HTTP and HTTPS C2 channels.[5][2] |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.003 | Hidden Window | Lumma Stealer has used the .NET ProcessStartInfo class with CreateNoWindow set to true, so the executed command or script runs without displaying a command prompt window.[2] |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.001 | DLL | Lumma Stealer has leveraged legitimate applications to side-load malicious DLLs during execution.[3] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | Lumma Stealer has attempted to bypass the Windows Antimalware Scan Interface (AMSI) by removing the string “AmsiScanBuffer” from the “clr.dll” module in memory to prevent it from being called.[4] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.008 | Masquerade File Type | Lumma Stealer has used payloads with benign-looking file extensions such as .mp3, .accdb, and .pub, though the files contained malicious JavaScript content.[4] |
| enterprise | T1027 | Obfuscated Files or Information | Lumma Stealer has used SmartAssembly to obfuscate .NET payloads.[2] |
| enterprise | T1027.013 | Encrypted/Encoded File | Lumma Stealer has used AES-encrypted payloads contained within PowerShell scripts.[5] |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | Lumma Stealer has been delivered through phishing emails with malicious attachments.[3] |
| enterprise | T1566.002 | Spearphishing Link | Lumma Stealer has been delivered through phishing emails containing malicious links.[3] |
| enterprise | T1055 | Process Injection | - |
| enterprise | T1055.012 | Process Hollowing | Lumma Stealer has used process hollowing, leveraging a legitimate program such as “BitLockerToGo.exe” to inject a malicious payload.[5] |
| enterprise | T1620 | Reflective Code Loading | Lumma Stealer has used reflective loading techniques to load content into memory during execution.[4][2] |
| enterprise | T1113 | Screen Capture | Lumma Stealer has taken screenshots of victim machines.[3] |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | Lumma Stealer has detected antivirus processes using commands such as “tasklist” and “findstr”.[5] |
| enterprise | T1176 | Software Extensions | - |
| enterprise | T1176.001 | Browser Extensions | Lumma Stealer has installed a malicious browser extension targeting the Google Chrome, Microsoft Edge, Opera and Brave browsers for the purpose of stealing data.[3] |
| enterprise | T1539 | Steal Web Session Cookie | Lumma Stealer has harvested cookies from various browsers.[3][2][1] |
| enterprise | T1553 | Subvert Trust Controls | - |
| enterprise | T1553.002 | Code Signing | Lumma Stealer has used valid code signing digital certificates from ConsolHQ LTD and Verandah Green Limited to appear legitimate.[1] |
| enterprise | T1195 | Supply Chain Compromise | Lumma Stealer has been delivered through cracked software downloads.[3][2][1] |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.005 | Mshta | Lumma Stealer has used mshta.exe to execute additional content.[5][4] |
| enterprise | T1218.015 | Electron Applications | Lumma Stealer has leveraged Electron applications to disable GPU sandboxing to avoid detection by security software.[1] |
| enterprise | T1082 | System Information Discovery | Lumma Stealer has gathered various system information from victim machines.[3][2][1] |
| enterprise | T1204 | User Execution | Lumma Stealer has been distributed through a fake CAPTCHA that instructs the victim to open the Windows Run dialog (“Windows Button + R”), paste the clipboard contents (“CTRL + V”) and press “Enter” to execute a Base64-encoded PowerShell command.[5][3][4] |
| enterprise | T1204.002 | Malicious File | Lumma Stealer has gained initial execution through victims opening malicious executable files embedded in zip archives, and MSI files within RAR files.[3] |
| enterprise | T1497 | Virtualization/Sandbox Evasion | - |
| enterprise | T1497.001 | System Checks | Lumma Stealer has queried system resources on the victim device to identify whether it is executing in a sandbox or virtualized environment, checking usernames, conducting WMI queries for system details, checking for files commonly found in virtualized environments, searching system services, and inspecting process names.[2] Lumma Stealer has also checked system GPU configurations for sandbox detection.[1] |
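As an added, defender-side example (not code from the ATT&CK page or from the reports it cites), the following Python classifier maps Sysmon-style process-creation and registry-value-set events to the technique IDs listed in the table above: the fake-CAPTCHA Run-dialog flow (explorer.exe launching encoded PowerShell, T1204/T1059.001/T1140), mshta.exe fetching remote content (T1218.005), tasklist piped to findstr (T1518.001), BitLockerToGo.exe started by a script host (a heuristic for the hollowing described under T1055.012), and a HKCU Run value pointing into a user-writable path (T1547.001). The event field names, the sample events, the encoded command and the placeholder URL are all constructed for this example and are not indicators from the page.

```python
import base64
import re

# Constructed sample payload and its PowerShell -enc form (UTF-16LE, base64), as an
# analyst would see it on the command line; not a real Lumma Stealer artifact.
PLAIN = "Set-Location $env:APPDATA; Write-Output 'constructed sample'"
ENC = base64.b64encode(PLAIN.encode("utf-16le")).decode()

# Constructed Sysmon-style events (field names are assumptions, not Sysmon's XML schema).
SAMPLE_EVENTS = [
    {  # fake CAPTCHA flow: Run dialog (explorer.exe) spawns encoded PowerShell
        "type": "ProcessCreate",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent": r"C:\Windows\explorer.exe",
        "cmdline": "powershell.exe -w hidden -enc " + ENC,
    },
    {  # mshta.exe pulling additional content from a placeholder URL
        "type": "ProcessCreate",
        "image": r"C:\Windows\System32\mshta.exe",
        "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "mshta.exe http://example.invalid/placeholder.hta",
    },
    {  # security software discovery via tasklist | findstr
        "type": "ProcessCreate",
        "image": r"C:\Windows\System32\cmd.exe",
        "parent": r"C:\Users\user\AppData\Local\Temp\setup.exe",
        "cmdline": 'cmd.exe /c tasklist | findstr /i "antivirus"',
    },
    {  # legitimate binary started by a script host: hollowing candidate
        "type": "ProcessCreate",
        "image": r"C:\Windows\System32\BitLockerToGo.exe",
        "parent": r"C:\Users\user\AppData\Local\Temp\AutoIt3.exe",
        "cmdline": "BitLockerToGo.exe",
    },
    {  # Run value whose target lives under AppData\Roaming
        "type": "RegistryValueSet",
        "target": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
        "details": r"C:\Users\user\AppData\Roaming\Updater\updater.exe",
    },
    {  # benign control: Run value pointing at Program Files is not flagged
        "type": "RegistryValueSet",
        "target": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
        "details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background",
    },
]

# powershell.exe accepts -e, -ec, -enc ... -encodedcommand; require a base64 run of 16+ chars
# so that switches such as -ExecutionPolicy are not mistaken for an encoded command.
ENC_RE = re.compile(r"(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.I)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "%appdata%", "%temp%")
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe", "autoit3.exe"}


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or not valid UTF-16LE base64."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify_event(ev):
    """Return the sorted ATT&CK technique IDs (from the table above) that the event matches."""
    hits = set()
    if ev.get("type") == "RegistryValueSet":
        target, data = ev.get("target", "").lower(), ev.get("details", "").lower()
        if "\\currentversion\\run\\" in target and any(p in data for p in USER_WRITABLE):
            hits.add("T1547.001")
        return sorted(hits)
    if ev.get("type") != "ProcessCreate":
        return []
    image, parent, cmd = basename(ev.get("image", "")), basename(ev.get("parent", "")), ev.get("cmdline", "")
    if image == "powershell.exe" and decode_encoded_command(cmd) is not None:
        hits.update({"T1059.001", "T1140"})
        if parent == "explorer.exe":  # Run dialog launches appear as children of explorer.exe
            hits.add("T1204")
    if image == "mshta.exe" and re.search(r"https?://", cmd, re.I):
        hits.add("T1218.005")
    if "tasklist" in cmd.lower() and "findstr" in cmd.lower():
        hits.add("T1518.001")
    if image == "bitlockertogo.exe" and parent in SCRIPT_HOSTS:
        hits.add("T1055.012")  # heuristic: parent alone cannot prove hollowing
    return sorted(hits)


def scan(events):
    """Classify every event; return one finding per event that matched at least one technique."""
    findings = []
    for i, ev in enumerate(events):
        ids = classify_event(ev)
        if ids:
            findings.append({"index": i, "techniques": ids,
                             "decoded": decode_encoded_command(ev.get("cmdline", ""))})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["index"], ", ".join(f["techniques"]), f["decoded"] or "")
```

The benign OneDrive event shows the caveat that matters in production: Run keys are written by legitimate installers all the time, so the rule keys on the target path rather than on the key alone, and the BitLockerToGo.exe and explorer.exe parent checks are triage hints to be confirmed from memory or script-block logging, not verdicts.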

References