Battling Lumma Stealer Malware: an Abuse Team’s Perspective

Article publication date: 21 May 2025.

Meet the latest emerging threat in infostealer malware: a quiet, hard-to-detect tool built to harvest sensitive information, used by cybercriminals around the world. Lumma Stealer is a persistent menace in the ecosystem of online harms, targeting governments and businesses worldwide and spreading through the cybercrime underground like wildfire.

As infostealer malware, Lumma Stealer specializes in exfiltrating sensitive data, including credentials, browser data, and cryptocurrency wallet details. Over the past six months, CleanDNS has been collaborating with the Microsoft Digital Crimes Unit to target and disrupt the infrastructure behind this campaign. Working in coordination with international law enforcement and other industry partners, in our role providing abuse management services to registries and registrars, CleanDNS has taken action against over 970 domains linked to Lumma Stealer’s infrastructure.

The Threat Landscape

Lumma Stealer is sold under a Malware-as-a-Service (MaaS) model, which lets many unrelated cybercriminals distribute it widely. Threat actors have refined their delivery tactics, using fake CAPTCHA pages and malicious YouTube links to trick users into executing the malware themselves. Lumma Stealer campaigns have hit many industries, including education, finance, healthcare, manufacturing, and more.

Our Response: Disrupting Malicious Domains

As an organization dedicated to abuse mitigation, our team has focused on identifying and dismantling the command and control (C2) domains that enable Lumma Stealer’s operations.

Our approach includes:

  • Proactive Monitoring: Using threat intelligence tooling, we track new domain registrations associated with Lumma Stealer.
  • Effective Reporting Mechanisms: We work with a network of more than 70 reporters worldwide, including cybersecurity organizations, threat intelligence researchers, and nonprofits, who submit evidenced abuse reports through a streamlined intake process so that action can be taken quickly.
  • Evidence Analysis: Our evidencing model combines automated review, infrastructure checks, and evidence categorization to speed up and support both mitigation and the evidentiary record behind each action.
  • Rapid Suspension Actions: Coordinating with registries and registrars, we can swiftly suspend domains linked to malicious activity.
  • Pattern Analysis: By mapping clusters of related domains, we uncover the automated registration techniques cybercriminals use to stand up infrastructure in bulk.
  • Collaboration with Security Experts: Partnering with cybersecurity researchers, we share insights that help identify the different components of Lumma Stealer’s infrastructure.
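The pattern-analysis step above is the one part of this approach that lends itself to a concrete sketch. The script below is an added illustration, not CleanDNS tooling, and it runs on constructed registration records rather than real Lumma Stealer domains. It groups registrations by shared nameserver, splits each group into bursts by registration time, and flags bursts whose labels look machine-generated. The choice of signals (shared nameserver, tight registration window, high-entropy labels) and the thresholds are assumptions made here for illustration, not a description of how any abuse team actually scores domains.

```python
"""Flag bursts of look-alike domain registrations on shared infrastructure.

Added illustration of the pattern-analysis idea, not CleanDNS code. The
records below are constructed, not real abuse data, and the heuristic
(shared nameserver + registration burst + high-entropy labels) is one
plausible approach, not any vendor's model.
"""
from __future__ import annotations

import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed registration records: domain, authoritative nameserver,
# creation timestamp. None of these are real observed domains.
RECORDS = [
    # a burst of eight-character pseudo-random labels on one nameserver
    {"domain": "k7xq2mdv.example", "ns": "ns1.bulkhost.example", "created": "2025-04-01T10:02:11"},
    {"domain": "p9zt4rwl.example", "ns": "ns1.bulkhost.example", "created": "2025-04-01T10:05:48"},
    {"domain": "v3hn8bqs.example", "ns": "ns1.bulkhost.example", "created": "2025-04-01T10:21:30"},
    {"domain": "m2gy6kcz.example", "ns": "ns1.bulkhost.example", "created": "2025-04-01T10:40:02"},
    # an isolated pseudo-random registration hours later: no burst
    {"domain": "z8rq3wtn.example", "ns": "ns1.bulkhost.example", "created": "2025-04-01T15:00:00"},
    # a burst of dictionary-word labels: timing alone must not flag it
    {"domain": "coffee.example", "ns": "ns1.bulkhost.example", "created": "2025-04-03T09:00:00"},
    {"domain": "bakery.example", "ns": "ns1.bulkhost.example", "created": "2025-04-03T09:04:00"},
    {"domain": "garden.example", "ns": "ns1.bulkhost.example", "created": "2025-04-03T09:09:00"},
    # two pseudo-random labels on another nameserver: below the size floor
    {"domain": "t5wk9jdx.example", "ns": "ns1.hostco.example", "created": "2025-04-02T12:00:00"},
    {"domain": "r4bn7gqv.example", "ns": "ns1.hostco.example", "created": "2025-04-02T12:10:00"},
]


def sld(domain: str) -> str:
    """Return the registrable label (everything left of the first dot)."""
    return domain.lower().split(".")[0]


def shannon_entropy(label: str) -> float:
    """Bits per character; dictionary words score low, random strings high."""
    if not label:
        return 0.0
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def burst_groups(records, window: timedelta):
    """Group records by nameserver, then split each group wherever the gap
    between consecutive registrations exceeds `window`. Yields (ns, group)
    where group is a list of (created, domain) tuples sorted by time."""
    by_ns = defaultdict(list)
    for rec in records:
        by_ns[rec["ns"]].append((datetime.fromisoformat(rec["created"]), rec["domain"]))
    for ns, items in by_ns.items():
        items.sort()
        group = [items[0]]
        for prev, cur in zip(items, items[1:]):
            if cur[0] - prev[0] > window:
                yield ns, group
                group = []
            group.append(cur)
        yield ns, group


def flag_clusters(records=RECORDS, min_size=3, window=timedelta(hours=2), min_entropy=2.8):
    """Return clusters that look like scripted bulk registration: at least
    `min_size` domains on one nameserver inside `window`, whose labels have
    a mean entropy of at least `min_entropy` bits per character."""
    flagged = []
    for ns, group in burst_groups(records, window):
        if len(group) < min_size:
            continue
        mean_entropy = sum(shannon_entropy(sld(d)) for _, d in group) / len(group)
        if mean_entropy < min_entropy:
            continue
        flagged.append({
            "ns": ns,
            "domains": sorted(d for _, d in group),
            "span_minutes": round((group[-1][0] - group[0][0]).total_seconds() / 60, 1),
            "mean_entropy": round(mean_entropy, 2),
        })
    return flagged


if __name__ == "__main__":
    for cluster in flag_clusters():
        print(cluster)
```

Run stand-alone, it reports a single cluster: the four eight-character labels registered within about 38 minutes on the same nameserver. The burst of dictionary-word names on that nameserver is not flagged because its labels score low on entropy, and the pair on the second nameserver falls below the size floor. A cluster like this is a lead for the evidence-review step, not grounds for suspension on its own.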

The Ongoing Battle

Infostealers will continue to evolve and remain a key enabler of many forms of cybercrime. The fight against infostealers like Lumma Stealer requires abuse teams, the wider cybersecurity industry, and law enforcement agencies to work together to identify emerging threats and disrupt criminal infrastructure.

Disrupting the tools cybercriminals rely on has a lasting impact, because rebuilding malicious infrastructure and acquiring replacement tooling costs them both time and money. By cutting off access to shared tooling like Lumma, a single coordinated action can disrupt the operations of many malicious actors at once. This strategic approach slows attack velocity, reduces the effectiveness of campaigns, and significantly impairs illicit revenue streams.

As we move forward, the CleanDNS team remains committed to protecting users and the domain ecosystem from the dangers posed by infostealers. By staying vigilant and proactive, we aim to reduce the impact of this malware and to continue Cleaning Up the Internet for Good.

###

Updated 1:40pm ET, 21 May to reflect updated volume of domains actioned.

About CleanDNS

CleanDNS is an abuse management and online harm mitigation solution company on a mission to clean up the Internet for good. CleanDNS works with infrastructure providers, cybersecurity companies, and law enforcement organizations to report, evidence, and mitigate abusive domains to prevent further victimization.