The CISA and FBI released a joint advisory detailing the Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs) of the LummaC2 information stealer malware, active since 2022 and targeting Windows systems. AttackIQ updated its assessment template to help organizations simulate these threats, enhancing detection and prevention capabilities against Lumma Stealer's post-compromise behaviors. #LummaStealer #LummaC2 #AttackIQ
Keypoints
- Lumma Stealer (LummaC2) is a lightweight, subscription-based information stealer malware operating since at least 2022, targeting Windows 7 through Windows 11.
- The malware collects system profiling data, browser information (including cookies, passwords, and extensions), cryptocurrency wallets, and two-factor authentication details before exfiltration.
- Lumma has been promoted primarily on Russian-speaking dark web forums and Telegram channels since May 2023.
- AttackIQ has updated its Lumma Stealer assessment template with the latest TTPs from CISA's May 2025 advisory to aid security teams in testing defenses against this threat.
- The assessment covers multiple MITRE ATT&CK techniques, including process injection, system binary proxy execution, persistence via registry run keys, and exfiltration over C2 channels.
- Recommended priorities for detection and mitigation include monitoring ingress tool transfers and using endpoint and network controls to detect malicious payload delivery.
- AttackIQ's platform supports continuous validation of defenses, helping organizations improve security posture by emulating adversary behavior aligned with the CTEM framework.
MITRE Techniques
- [T1105] Ingress Tool Transfer - Downloads malicious payloads to memory or disk to test prevention capabilities ("downloads to memory and saves to disk in two separate scenarios").
- [T1055] Process Injection - Injects code by allocating memory and writing shellcode within a running process ("performs process injection by allocating memory in a running process with VirtualAlloc").
- [T1218.010] System Binary Proxy Execution: Mshta - Uses mshta to execute a remote HTA payload containing VBScript ("employs the Mshta Windows utility to download a remote Microsoft HTML Application payload").
- [T1059.001] Command and Scripting Interpreter: PowerShell - Runs base64-encoded PowerShell scripts ("executes PowerShell script using the -encodedCommand parameter").
- [T1218.011] System Binary Proxy Execution: Rundll32 - Executes export functions from DLLs using rundll32 ("executes an export function from an AttackIQ DLL using the RunDll32 utility").
- [T1574.002] Hijack Execution Flow: DLL Side-Loading - Loads a malicious DLL through a trusted executable to evade detection ("leverages a legitimate and trusted executable to side-load a malicious DLL").
- [T1547.001] Logon Autostart Execution: Registry Run Keys - Establishes persistence by setting registry keys that run the malware at system startup ("sets the HKLM registry run key").
- [T1497] Virtualization/Sandbox Evasion - Uses Windows API calls to detect debugging or sandbox environments ("calls IsDebuggerPresent Windows API").
- [T1012] Query Registry - Enumerates user-specific registry keys for system information ("queries HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings registry key").
- [T1217] Browser Bookmark Discovery - Enumerates browser bookmarks using PowerShell scripts ("leverages a PowerShell script to enumerate browser bookmarks with Get-Content").
- [T1041] Exfiltration Over C2 Channel - Sends stolen data via HTTP POST requests to Command and Control servers ("simulates exfiltration of sensitive information through HTTP POST requests").
Indicators of Compromise
- [File Hashes] Samples of Lumma Stealer payloads - core payloads across versions and obfuscation methods, including multiple identified hashes.
- [Registry Keys] Persistence mechanisms - HKLM\Software\Microsoft\Windows\CurrentVersion\Run key used for autostart execution.
- [Command Lines] PowerShell and cmd.exe commands - usage of encoded PowerShell scripts involving "Invoke-WebRequest" and "DownloadData" for payload download.
- [Network Traffic] Exfiltration over HTTP POST - transmission of browser data, credit card numbers, and passwords to C2 servers.
Read more: https://www.attackiq.com/2025/05/22/response-to-cisa-advisory-aa25-141b/