
The US Justice Department and Microsoft on Wednesday announced the takedown of over 2300 malicious domains, disrupting the central infrastructure of one of the most popular info-stealing malware tools used by cybercriminals today – the LummaC2 Infostealer.
The US Department of Justice (DoJ) announced the seizure of five domains it says were used by malicious cyber actors to operate the LummaC2 information-stealing malware service.
Jointly, Microsoft’s Digital Crimes Unit (DCU), in coordination with Europol’s European Cybercrime Center (EC3) and Japan’s Cybercrime Control Center (JC3), was granted a US court order on May 13th “facilitating the takedown, suspension, and blocking of approximately another 2,300 domains supporting the Lumma infrastructure.”
The DoJ's five seized domains – also referred to as user panels – were said to be the infostealer’s central command where credentialed cybercriminals and administrators would log in to access and deploy the malware tool.
“Malware like LummaC2 is deployed to steal sensitive information such as user login credentials from millions of victims to facilitate a host of crimes, including fraudulent bank transfers and cryptocurrency theft,” said DoJ Criminal Division chief Matthew Galeotti.
U.S. Department of Justice (@TheJusticeDept), May 21, 2025: “Justice Department Seizes Domains Behind Major Information-Stealing Malware Operation” https://t.co/WpIxdxaKH7
According to DoJ court documents, two of the domains were seized by the US government on Monday, May 19th. Within hours, Lumma administrators were already back in business, quickly setting up three new domains to host the user panels. The DoJ was able to nab those three domains on May 20th.
1.7 million instances of Lumma used for theft
A favorite among cybercriminals since 2022, the FBI said it had identified roughly 1.7 million instances where the LummaC2 malware was used to steal browser data, autofill information, and login credentials to access victims’ email and banking services, as well as cryptocurrency seed phrases, which permit access to virtual currency wallets.
Additionally, Microsoft’s research found over 394,000 Windows computers infected with the malware worldwide in just the past two months.
“Lumma steals passwords, credit cards, bank accounts, and cryptocurrency wallets and has enabled criminals to hold schools for ransom, empty bank accounts, and disrupt critical services,” Microsoft said.
As part of the Microsoft action, those infected computers were cut off from the Lumma infrastructure. The heat map below depicts the number of infected Windows computers seen across the globe from March 16th through May 16th, 2025.

Still, Etay Maor, Chief Security Strategist at Cato Networks, believes it's more than likely the Lumma command structure resurfaces using a different architecture.
“Microsoft’s research reaffirms our findings that the threat actors have potential links to Russia, which is a non-extradition country. That will make it difficult to arrest the criminal in charge of the Lumma Stealer operation,” Maor said.
Cato Networks published its own research on Wednesday about the Lumma stealer targeting trusted cloud platforms, including Tigris, Oracle Cloud Infrastructure, and Scaleway, earlier this year.
Referred to as ‘living-off-the-cloud’ (LOTC) attacks, the infostealer was observed targeting privileged users with fake ReCAPTCHA pages and Steam software downloads.
To help prevent Lumma attacks, about 1300 seized domains will be redirected to “Microsoft sinkholes” so security researchers can gain “actionable intelligence,” helping current and potential victims in both the public and private sectors harden their attack surfaces and remediate the malware.
Microsoft also expects the bust-up will help curb the number of attacks and minimize their effectiveness, while additionally cutting off illicit revenue streams.
Malware-as-a-Service marketed on underground forums
Not surprisingly, Lumma’s primary developer is based in Russia and goes by the internet alias “Shamel,” Microsoft’s DCU said.
Describing Lumma as a Malware-as-a-Service (MaaS), the DCU said the tool has been marketed and sold through dark web forums, many of them Russian-speaking, and on Telegram since at least 2022.
Lumma offers its criminal buyers different payment tiers ranging from 250 to 20,000 US dollars, and depending on the level, users can “create their own versions of the malware, add tools to conceal and distribute it, and track stolen information through an online portal,” the DCU said.
According to a DarkTrace profile on Shamel and the infostealer operation, "Lumma is able to obtain system and installed program data from compromised devices, alongside sensitive information such as cookies, usernames and passwords, credit card numbers, connection history, and cryptocurrency wallet data."

Lumma activity has been observed in the US, but it is widely deployed across the Europe, Middle East and Africa regions, DarkTrace said.
Maor said that while ‘living-off-the-cloud’ (LOTC) attacks are not a new technique, we expect to see more of them. “That will be a challenge for organizations because LOTC attacks are hard to detect, as they leverage legitimate cloud services,” he said.
Maor said to combat LOTC attacks, organizations should follow the OODA loop: observe, orient, decide, and act.
Further explaining the OODA loop, Maor said IT teams should first observe all network traffic. Second, orient their view by pulling back to see the “full picture and contextualize the information.”
Next, teams must decide on one central policy to deal with malicious and suspicious events, and finally take action to “enforce the policy everywhere, on all devices, users, and connections within a zero trust architecture.”
The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI additionally released a joint advisory on Wednesday to warn of threat actors deploying the Lumma malware to exfiltrate sensitive information from both individuals and organizations across multiple US critical infrastructure sectors.