Global Law Enforcement Agencies and Microsoft Disrupt Over 2,300 Lumma Stealer Domains

Microsoft has partnered with global law enforcement agencies to disrupt the infrastructure associated with one of the most prominent infostealer operations, Lumma Stealer. Between March 16 and May 16, Microsoft identified approximately 394,000 Windows computers worldwide that were infected with Lumma Stealer malware.

This collaboration, which involved organizations such as Europol, Japan’s Cybercrime Control Center (JC3), and U.S. operatives, successfully led to the takedown, suspension, and blocking of over 2,300 domains that supported Lumma’s operations. Notably, more than 1,300 of these domains have been redirected to Microsoft-controlled sinkholes.

According to Microsoft, this initiative will enable its Digital Crime Unit (DCU) to provide actionable intelligence, reinforcing the security of the company’s services and helping to safeguard online users. Insights gained from this operation will also aid both public and private sector partners in tracking, investigating, and remediating this ongoing threat.

The U.S. Department of Justice has also played a crucial role by seizing the Lumma control panel, which complicates the ability of Lumma developers to rent out their malware infrastructure on cybercrime marketplaces. Collaborating cybersecurity and technology firms included Cloudflare, ESET, Bitsight, Lumen, and CleanDNS.

Ensar Seker, Chief Information Security Officer (CISO) at SOCRadar, highlighted that the operation signifies a pivotal moment in the fight against malware-as-a-service platforms, emphasizing that ongoing collaboration between public and private sectors remains vital. He stated, “Such actions not only disrupt the immediate threat but also send a clear message to cybercriminals about the increasing capabilities and resolve of global cybersecurity alliances.”

However, Seker cautioned that the resilience of malware underscores the necessity for continuous vigilance. The adaptability of Lumma—employing phishing, malvertising, and exploitation of trusted platforms—demonstrates the evolving tactics employed by threat actors.

Bruce Jenkins, CISO of Black Duck, warned against prematurely dismissing Lumma, asserting that security teams must stay alert to this and similar infostealer variants. He advised cybersecurity leaders to review their security awareness programs so that users remain vigilant against the phishing lures that lead to breaches of this kind. Jenkins further stressed the importance of backing that governance with a robust endpoint detection and response (EDR) solution and a comprehensive business resiliency plan that includes regular data backups and tested recovery procedures.

Lumma has emerged as one of the most prolific infostealers in operation, being available as a service since at least 2022. This malware is known for its ease of distribution, difficulty in detection, and ability to circumvent specific security measures, making it a preferred tool for cybercriminals, including prominent ransomware actors like Octo Tempest (Scattered Spider). Lumma often impersonates trusted brands, including Microsoft, and is distributed via spear-phishing emails and malvertising.

Infostealers, such as Lumma, have become increasingly fundamental to contemporary cybercrime operations, providing threat actors with a reliable source of credentials to breach sensitive corporate systems. A recent study from Gigamon revealed that 55% of organizations experienced a hybrid cloud breach in the past year, representing a 17% increase compared to the previous year. Alarmingly, almost half of the respondents indicated that their current tools were ineffective in detecting these breaches—an issue worsened by attackers utilizing legitimate credentials for access.

Additionally, nearly 47% of respondents reported a rise in attacks targeting their organization’s large language model (LLM) deployments. These deployments hold valuable training data that attackers could steal or hold for ransom. Furthermore, the LLMs themselves are susceptible to data poisoning and various disruptive attacks.