Microsoft Dismantles World’s Largest Info-Stealing Malware Lumma
Between March 16, 2025, and May 16, 2025, Microsoft identified over 394,000 Windows computers globally infected

In a sweeping follow-up operation this week, Microsoft’s Digital Crimes Unit (DCU), in collaboration with Europol, law enforcement agencies from Europe and Japan, and cybersecurity partners including ESET, Bitsight, Lumen, Cloudflare, CleanDNS, and GMO Registry, successfully disrupted Lumma’s technical infrastructure.
The joint effort severed communications between the malware and infected systems, effectively neutralizing its control network.
Over 1,300 malicious domains were seized or transferred to Microsoft and are now being redirected to secure Microsoft servers. These servers enable the interception of requests from compromised systems, allowing investigators to gather critical technical data, trace attack methods, and identify the types of stolen information.
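The sinkhole step described above, where seized domains are pointed at servers that record the requests still arriving from infected machines, can be illustrated with a small triage script. This is an added example and not code from Microsoft, Europol or any of the partners named in the article; it assumes a sinkhole that writes one line per received request in the constructed format shown, and the domain names and client addresses are placeholders invented for the example, not the actual seized Lumma infrastructure.

```python
"""Sinkhole-side triage of requests from infected hosts (added example).

Assumes a sinkhole that logs each inbound request as:
    <ISO8601 timestamp> <client IP> <requested host> <path>
The seized domain list and the log lines below are constructed
placeholders, not real indicators from the Lumma takedown.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed placeholder list standing in for domains seized in the takedown.
SEIZED_DOMAINS = {
    "seized-c2-a.invalid",
    "seized-c2-b.invalid",
    "seized-c2-c.invalid",
}

# Constructed sample sinkhole log: two infected clients, one unrelated client,
# one request to a subdomain of a seized domain, and one malformed line.
SAMPLE_LOG = """\
2025-05-21T10:00:01Z 203.0.113.10 seized-c2-a.invalid /api
2025-05-21T10:00:07Z 203.0.113.10 seized-c2-a.invalid /api
2025-05-21T10:01:13Z 198.51.100.7 seized-c2-b.invalid /c2sock
2025-05-21T10:02:44Z 192.0.2.55 benign.example /
2025-05-21T10:03:05Z 198.51.100.7 sub.seized-c2-c.invalid /api
not a log line
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<host>\S+)\s+(?P<path>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Normalise the host so case and a trailing dot do not defeat matching.
    rec["host"] = rec["host"].lower().rstrip(".")
    try:
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return rec


def matches_seized(host, seized=SEIZED_DOMAINS):
    """True if host is a seized domain or any subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in seized)


def triage(log_text, seized=SEIZED_DOMAINS):
    """Summarise sinkhole traffic: which clients beaconed, to which domains, how often."""
    per_client = defaultdict(Counter)
    first_seen = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not matches_seized(rec["host"], seized):
            continue
        per_client[rec["client"]][rec["host"]] += 1
        first_seen.setdefault(rec["client"], rec["ts"])
    return {
        "infected_clients": sorted(per_client),
        "beacons_per_client": {c: sum(cnt.values()) for c, cnt in per_client.items()},
        "domains_per_client": {c: sorted(cnt) for c, cnt in per_client.items()},
        "first_seen": {c: ts.isoformat() for c, ts in first_seen.items()},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

The output of `triage` is the kind of data the article says investigators collect from the redirected traffic: which source addresses are still beaconing, how frequently, and to which of the seized names. A real deployment would key on the sinkhole's actual log format and would feed the client list to ISPs or CERTs for victim notification rather than printing it.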
"Between March 16, 2025, and May 16, 2025, Microsoft identified over 394,000 Windows computers globally infected by the Lumma malware. Working with law enforcement and industry partners, we have severed communications between the malicious tool and victims," Microsoft said.
The latest version, LummaC2 v4.0, incorporated advanced evasion tactics, including human-behavior detection and code obfuscation.
While the disruption is a significant blow, experts warn that malware groups like Lumma are resilient.
Lumma, a Malware-as-a-Service tool active since 2022, is sold on underground forums and favored by cybercriminals for its stealth and versatility.
“Lumma goes into your web browser and harvests every single piece of information on your computer that could be used to access either dollars or accounts – with the victim profile being everyone, anywhere at any time. The threat actors behind the malware target hundreds of victims daily, grabbing anything they can get their hands on," Blake Darché, Head of Cloudforce One at Cloudflare, said.
Used by groups like Octo Tempest, it spreads through phishing and malvertising, impersonates trusted brands like Microsoft, and is designed to evade detection—enabling operators to steal data or launch further attacks.