Cloudflare Participates in Global Operation to Disrupt Lumma Stealer

DUBAI, UAE, 26th May, 2025: Cloudflare’s Cloudforce One and Trust and Safety team participated in a coordinated disruption effort targeting the Lumma Stealer malware operation. Lumma Stealer (also known as LummaC2) is part of a broader class of information-stealing malware that poses a serious threat to both individuals and organizations. By exfiltrating credentials, cryptocurrency wallets, cookies, and other sensitive data from infected machines, Lumma facilitates a wide range of downstream criminal activity, including financial fraud, identity theft, and enterprise breaches that can lead to ransomware. Disrupting this ecosystem is critical to protecting users, undermining the cybercrime economy, and preventing further harm. Lumma Stealer attempted to abuse numerous service providers’ infrastructure, including Cloudflare, to support their malware operations. Cloudflare detected Lumma Stealer’s abuse and participated in a Microsoft-led disruption effort. As part of this effort, Microsoft collaborated with other private industry partners, both those directly impacted and those providing intelligence and technical support, along with the U.S. Department of Justice, Europol’s European Cybercrime Center (EC3), and Japan’s Cybercrime Control Center (JC3).

In a Nutshell

· Lumma Stealer is a Malware-as-a-Service offering that allows criminals to rent access to an administrative panel, where they can retrieve stolen data and generate customized builds of the malware payload for distribution to victims worldwide.

· Like most other information-stealing malware, Lumma Stealer is spread primarily through social engineering campaigns that lure targets into following instructions that result in the download and execution of malware.

· The Lumma Stealer disruption effort denies the Lumma operators access to their control panel, marketplace of stolen data, and the Internet infrastructure used to facilitate the collection and management of that data. These actions impose operational and financial costs on both the Lumma operators and their customers, forcing them to rebuild their services on alternative infrastructure.

Mitigating Lumma Stealer activity

Properly defending against Lumma Stealer involves a layered security approach, since it’s a fast-evolving infostealer often delivered via malvertising, phishing, or compromised software. Enterprise defenders should carefully restrict access to new domains, as newly registered domains (NRDs) are extensively used by LummaC2. Users outside of an enterprise may consider limiting or preventing the execution of PowerShell and other scripts if they are not required. Enterprise defenders should also consider the following:

Endpoint protection and hardening

· Do not permit users to download executable files from untrusted websites

· Do not permit users to download or execute scripts or Microsoft Office macros that were downloaded from the Internet, are unsigned, or that are not explicitly allowed by policy

· Use reputable endpoint detection and response (EDR) tools that can detect suspicious behaviors, like credential scraping or unauthorized file access

· Application allowlisting to prevent unknown executables (including downloaded payloads) from running

· Disable PowerShell for non-administrative users, or use Constrained Language Mode to reduce abuse risk

Browser and credential hygiene

· Avoid saving passwords in browsers—use a dedicated password manager instead.

· Clear autofill data and browser caches regularly

· Disable autofill for sensitive information like names, phone numbers, or addresses, especially on corporate machines

Patch and update regularly

· Keep browsers, operating systems, and all software up to date to reduce exploitability via known vulnerabilities

DNS and network filtering

· Use secure DNS filtering and threat intelligence-based blocklists to prevent connections to NRDs, known C2 servers, malware delivery domains, and Telegram APIs used for data exfiltration

Email and web filtering

· Implement malicious attachment and link detection in email gateways

· Deploy browser isolation or sandboxing to reduce the risk of drive-by downloads from malvertising

User training

· Educate users about malvertising, fake software installers, and browser scareware tactics like ClickFix, which are common delivery mechanisms

· Warn users not to run PowerShell scripts or click on scare popups instructing them to “fix” computer issues

Detection and threat hunting

· Monitor for unusual outbound connections (especially to Telegram or rare domains)

· Monitor for unauthorized credential access from browsers

· Monitor for suspicious PowerShell or process spawning activity (e.g., explorer.exe spawning powershell.exe)
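As an added illustration of the three hunting bullets above (not part of Cloudflare’s release or any Cloudflare tooling), the Python below runs the checks over constructed sample events shaped loosely like Sysmon process-creation and network-connection records; the event format, host names, the NRD feed contents and the “rare domain” threshold are all assumptions. It generalizes the explorer.exe → powershell.exe rule to other script hosts and treats “rare domains” as destinations seen from very few hosts across the fleet.

```python
import os
from collections import defaultdict

# Script hosts a desktop shell should not normally launch directly (generalizes powershell.exe).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
TELEGRAM_API = "api.telegram.org"
# Stand-in for a newly-registered-domain (NRD) threat-intel feed; contents are constructed.
NRD_FEED = {"example-nrd-updates.test"}
# A destination contacted by this many hosts or fewer counts as "rare" across the fleet (assumption).
RARE_HOST_THRESHOLD = 1

# Constructed sample telemetry; not real events from any incident.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "process", "host": "ws02", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "process", "host": "ws03", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "network", "host": "ws01", "dest": "api.telegram.org"},
    {"type": "network", "host": "ws01", "dest": "example-nrd-updates.test"},
    {"type": "network", "host": "ws01", "dest": "www.example.com"},
    {"type": "network", "host": "ws02", "dest": "www.example.com"},
    {"type": "network", "host": "ws03", "dest": "www.example.com"},
    {"type": "network", "host": "ws02", "dest": "cdn-odd-name.example"},
]

def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return os.path.basename(path.replace("\\", "/")).lower()

def hunt_process_events(events):
    """Flag script hosts spawned directly by explorer.exe (the bullet's explorer.exe -> powershell.exe case)."""
    hits = []
    for e in events:
        if e["type"] == "process" and basename(e["parent"]) == "explorer.exe" \
                and basename(e["image"]) in SCRIPT_HOSTS:
            hits.append((e["host"], f"explorer.exe spawned {basename(e['image'])}"))
    return hits

def hunt_network_events(events):
    """Flag outbound connections to the Telegram API, NRD-feed entries, or fleet-rare destinations."""
    hosts_per_domain = defaultdict(set)  # destination -> set of hosts that contacted it
    for e in events:
        if e["type"] == "network":
            hosts_per_domain[e["dest"].lower()].add(e["host"])
    hits = []
    for e in events:
        if e["type"] != "network":
            continue
        d = e["dest"].lower()
        if d == TELEGRAM_API or d.endswith("." + TELEGRAM_API):
            hits.append((e["host"], f"telegram api: {d}"))
        elif d in NRD_FEED:
            hits.append((e["host"], f"newly registered domain: {d}"))
        elif len(hosts_per_domain[d]) <= RARE_HOST_THRESHOLD:
            hits.append((e["host"], f"rare domain: {d}"))
    return hits
```

Running both functions over SAMPLE_EVENTS flags ws01 for the explorer.exe → powershell.exe launch, the Telegram API connection and the NRD, and ws02 for the destination nobody else on the fleet contacted.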

Detailed information can be found on this blog post.

-Ends-

About Cloudflare

Cloudflare, Inc. (NYSE: NET) is the leading connectivity cloud company on a mission to help build a better Internet. It empowers organizations to make their employees, applications and networks faster and more secure everywhere, while reducing complexity and cost. Cloudflare’s connectivity cloud delivers the most full-featured, unified platform of cloud-native products and developer tools, so any organization can gain the control they need to work, develop, and accelerate their business.

Powered by one of the world’s largest and most interconnected networks, Cloudflare blocks billions of threats online for its customers every day. It is trusted by millions of organizations – from the largest brands to entrepreneurs and small businesses to nonprofits, humanitarian groups, and governments across the globe.

Learn more about Cloudflare’s connectivity cloud at cloudflare.com/connectivity-cloud. Learn more about the latest Internet trends and insights at radar.cloudflare.com. Follow us: Blog | X | LinkedIn | Facebook | Instagram
