Analysis of the Lumma Infostealer

Lumma infostealer is distributed via MaaS and phishing sites disguised as pirated software to steal credentials, browser cookies, cryptocurrency wallets, and VPN/RDP account data for use in account takeover and fraud. Strengthening EDR with behavior-based detection and integrating threat intelligence are recommended defenses. #Lumma #MEGA

Keypoints

  • Infostealer malware is used in the initial stages of multi-vector attacks such as ransomware and account takeover.
  • Primary targets include web browser credentials/cookies, cryptocurrency wallets, Telegram and email data, and VPN/RDP accounts.
  • Stolen data is reused for identity theft, financial fraud, and subsequent intrusions into corporate networks.
  • The Malware-as-a-Service (MaaS) model enables attackers without programming skills to deploy Lumma via subscription or one-time payment.
  • Lumma is distributed via phishing sites and packaged with NSIS, using AutoIt fragments and process hollowing to evade detection.
  • Attackers rotate distribution URLs and host payloads on legitimate cloud services (e.g., MEGA) to bypass reputation/IP blocking.
  • Behavior-based EDR detection and threat intelligence integration are essential to detect techniques like shellcode injection and process hollowing.

MITRE Techniques

  • [T1003] Credential Dumping – Lumma Infostealer collects credentials stored in web browsers (“Lumma Infostealer collects credentials stored in web browsers”).
  • [T1210] Exploitation of Remote Services – Utilizes stolen credentials for account takeovers and remote-access abuse (“utilizes stolen credentials for account takeovers”).
  • [T1071] Command and Control – Communicates with C2 servers to exfiltrate data (“Lumma Infostealer decrypts encrypted C2 domains and communicates with the C2 servers”).
  • [T1055] Process Injection – Uses process hollowing to inject itself into legitimate processes (“it launches Lumma Infostealer using the Process Hollowing technique… running process appears as ‘Riding.pif’ but Lumma executes within that process”).
  • [T1584] Malware-as-a-Service (MaaS) – Lumma is distributed as a service, allowing easy access for attackers (“Lumma is operated as Malware-as-a-Service (MaaS), meaning it is available to anyone via subscription or one-time payment”).

Indicators of Compromise

  • [domain] C2 and distribution domains – diadtuky[.]su, rhussois[.]su (associated with Lumma C2 infrastructure).
  • [domain] distribution/redirect domains – todoexy[.]su (observed as a C2/redirect domain).
  • [ip address] C2 IPs – 64.31.56[.]58, 109.104.153[.]203 (matched to listed C2 servers).
  • [ip address] additional observed IP – 64.227.2[.]250 (listed as a C2 server) and 58.56.31[.]64 (other observed IP).
  • [file hash] sample payload hashes – E6252824BE8FF46E9A56993EEECE0DE6, E1726693C85E59F14548658A0D82C7E8, and 5 more hashes.
  • [file name] dropped and installer filenames – setup.exe (NSIS package), Contribute.docx (dropper), Riding.pif (AutoIt runtime used to execute payload).

Infostealer malware, particularly Lumma, poses significant threats by stealing sensitive data and facilitating multi-vector attacks. Key mitigation strategies include strengthening EDR systems for behavior-based detection.

Affected: Windows

Keypoints:

  • Infostealer malware is used in initial stages of multi-vector attacks.
  • Targets include web browser cookies, cryptocurrency wallets, and VPN/RDP accounts.
  • Stolen data is reused for identity theft and financial fraud.
  • MaaS model allows attackers to execute attacks without programming skills.
  • Lumma Infostealer is distributed via phishing sites disguised as pirated software.
  • Behavior-based detection is essential for effective defense against such threats.

MITRE Techniques:

  • Credential Dumping (T1003) – Lumma Infostealer collects credentials stored in web browsers.
  • Exploitation of Remote Services (T1210) – Utilizes stolen credentials for account takeovers.
  • Command and Control (T1071) – Communicates with C2 servers to exfiltrate data.
  • Process Injection (T1055) – Uses process hollowing to inject itself into legitimate processes.
  • Malware-as-a-Service (MaaS) (T1584) – Lumma is distributed as a service, allowing easy access for attackers.

Indicators of Compromise:

  • [domain] diadtuky[.]su
  • [domain] rhussois[.]su
  • [domain] todoexy[.]su
  • [ip address] 64.31.56[.]58
  • [ip address] 109.104.153[.]203
  • Check the article for all found IoCs.


◈ Key Findings

  • Used not only as a standalone threat but also in the initial intrusion stages of multi-vector attacks such as ransomware, account takeover, and internal network breaches.
  • Primary targets include high-value credential data such as web browser cookies, cryptocurrency wallets, and VPN/RDP accounts.
  • Stolen sensitive data is reused for various attacks, including identity theft, financial fraud, and corporate network intrusions.
  • Strengthening EDR systems capable of behavior-based detection and integration with threat intelligence is a key mitigation strategy.

1. Overview

In recent years, cyber threats have become increasingly sophisticated and advanced, continuously evolving in both scope and complexity. As a result, cybersecurity has emerged as a critical issue for both individuals and organizations.

In particular, infections caused by infostealer malware are regarded as a high-risk threat vector that performs unauthorized activities within a victim’s endpoint system. This type of malware collects and exfiltrates sensitive information without user awareness, leading to direct and indirect damages such as privacy violations, financial loss, and reputational harm to organizations.

Infostealer-based attacks are typically conducted by organized cybercriminal groups, and the stolen data is traded on the Dark Web. Such data is then reused for various malicious activities, including identity theft, financial fraud, and secondary exploitation, posing a serious threat to both individuals and enterprises.

Beyond functioning as an independent threat, infostealers are increasingly leveraged in the early stages of multi-vector attacks such as ransomware deployment and account takeovers. Accordingly, strengthening EDR systems capable of behavior-based detection and integration with threat intelligence is essential.

This report aims to analyze the latest trends and real-world cases of infostealer threats, providing practical insights to help organizations establish effective defense strategies.

2. Background

2-1. Concept of Malware-as-a-Service (MaaS)

MaaS (Malware-as-a-Service) is a model in which cybercriminals provide resources required to carry out attacks—such as malware development tools, command-and-control (C2) servers, and distribution infrastructure—as a service. Providers charge fees or subscription charges for use of the service, enabling third parties to execute attack campaigns without directly developing or operating the malware themselves.

In other words, the MaaS provider is responsible for developing, maintaining, and operating the attack infrastructure, while users obtain the capability to distribute malware and conduct attacks by paying a fee (either subscription-based or one-time).

Lumma can be considered a representative infostealer distributed via a MaaS model. The characteristics of MaaS-based usage are as follows.

  • Accessibility
    • Even attackers without programming skills can easily execute attacks by using MaaS.
    • These services are sold through private online channels such as the Dark Web, Telegram, and web forums.
  • Modularity and customization support
    • Attack tools are modular, allowing users to customize functions according to need.
    • Attackers can customize multiple options, including how the malware connects to its C2 servers.
  • Monetization structure
    • Developers earn revenue from subscription or usage fees, and may also profit by selling stolen data.
    • Attackers can execute attacks with minimal effort and resell the stolen data for profit.
  • Continuous updates provided
    • Developers regularly update the malware to evade detection and add new features.


2-2. MaaS Ecosystem within the Cybercrime Industry

MaaS (Malware-as-a-Service) is a criminal adaptation of the SaaS (Software-as-a-Service) model and is classified as a subcomponent of the broader CaaS (Cybercrime-as-a-Service) ecosystem. MaaS and CaaS markets are primarily active on the Dark Web or within closed online forums.

Within the MaaS ecosystem, the entities responsible for developing, distributing, and maintaining the malware and its operational infrastructure are referred to as MaaS operators. These operators are often not a single individual but an organized group consisting of specialized roles such as malware developers, C2 server and infrastructure administrators, access right managers, and technical support staff.

MaaS operators typically offer various types of malware as services, which can be categorized into the following main types:

  • Ransomware
    • This type of malware restricts access to the victim’s data and demands payment in exchange for providing the decryption key. In the MaaS model, attackers primarily rent ready-made, file-encrypting tools, allowing them to run profitable ransomware campaigns without developing the malware themselves.
  • Infostealer
    • This malware collects sensitive information—such as browser credentials, session cookies, and account data stored in password managers—from the victim’s system and transmits it to a remote attacker-controlled server. The stolen information is then used for account takeover and secondary attacks.
  • Backdoor
    • A backdoor grants attackers persistent and covert remote access to the victim’s system. Through this channel, attackers can conduct long-term intrusion activities such as data collection, privilege escalation, and installation of additional malware.


2-3. Threat Impact

The MaaS model lowers the entry barrier for cybercrime and produces several consequential effects.

  • Reduction in attack complexity
    • By offering commoditized malware, operational infrastructure, and technical support as a service, MaaS simplifies the attack preparation process. As a result, individuals lacking programming skills or security expertise can readily carry out attack campaigns, significantly lowering the entry barrier to cybercrime.
  • Expansion of attack scale
    • The MaaS model enables many affiliates to launch attacks using the same malware. This structure causes the same malware to be reused across multiple campaigns, which can exponentially increase the scale and frequency of cyber attacks.
  • Increased complexity of threat attribution
    • Because identical malware is shared and used by multiple threat actors, techniques become homogenized and it becomes harder to identify origins. This complicates digital forensics and actor-tracking efforts by law enforcement and security professionals, making it more difficult to attribute a given attack to a specific group or individual.

3. Analysis

3-1. Lumma Infostealer

Lumma is one of the representative information-stealing malware (infostealer) families that target the Windows operating system. First observed in August 2022, it has been actively distributed worldwide, and in September 2025 it ranked first in ANY.RUN’s “Week’s Threats” among malware uploaded to the service.

[Figure 3-1] ANY.RUN Weekly Malware Ranking

Lumma Infostealer is notable for being operated as Malware-as-a-Service (MaaS), meaning it is available to anyone via subscription or one-time payment. As a result, attackers lacking specialized skills or development capabilities can readily carry out attacks, and cases using Lumma Infostealer continue to be observed.

Genians Security Center (GSC) identified instances of Lumma Infostealer being distributed packaged with the Nullsoft Scriptable Install System (NSIS). The file was disguised as pirated software and was distributed from phishing sites.

The package contains fragmented AutoIt modules and malicious AutoIt scripts. At execution, it reassembles and runs the fragmented files, loads obfuscated shellcode into memory, and uses the process hollowing technique to replace the AutoIt process with Lumma Infostealer. The malware then communicates with its C2 server and performs information theft.

[Figure 3-2] Lumma Infostealer Attack Flow

The combination of NSIS packaging, AutoIt scripts, shellcode injection, and process hollowing further complicates signature-based detection and analysis.

In addition, attackers are improving distribution and infection methods by changing the distribution site URLs and the distributed files, so defenses that rely on a single indicator are unlikely to be effective. Therefore, behavior-based detection and response via EDR is essential.

3-2. Distribution Process

Lumma Infostealer is primarily disguised as pirated or cracked software and is distributed via phishing sites as shown below.

[Figure 3-3] Lumma Infostealer distribution site

When a user clicks the download link on the site above, they are redirected to a second site; this appears intended to hide the association with the original site and to evade security- and reputation-based blocking.

Monitoring also confirmed that the URL of the redirection target is periodically changed. It appears the attacker continuously rotates URLs to avoid detection and tracking.

[Figure 3-4] Redirection page

The final download host is MEGA cloud. By leveraging a legitimate cloud service for distribution infrastructure, the attacker appears to attempt to bypass IP/domain blocking.

[Figure 3-5] Distribution via MEGA cloud

[Figure 3-6] Downloaded file detected by Genian EDR

3-3. NSIS File Analysis

When the file is downloaded from the site, an encrypted ZIP archive is saved. Using the password included in the filename to extract the archive reveals a file named ‘setup.exe’ packaged with NSIS.

[Figure 3-7] setup.exe file

NSIS is an open-source installer creation tool used to distribute software. It is frequently used because of its small size, high compression ratio, and script-based control over the installation process.

However, these characteristics allow attackers to disguise malware as legitimate installation programs or to covertly drop and execute additional payloads during the installation process.

When the ‘setup.exe’ file is executed, it first drops the embedded malicious file to the ‘%Temp%’ directory.

[Figure 3-8] Malicious file dropped in Temp folder

[Figure 3-9] File drop activity detected by Genian EDR

After completing the file drop, it launches the ‘Contribute.docx’ file via cmd.exe.

[Figure 3-10] cmd command detected by Genian EDR

3-4. Contribute.docx File Analysis

The ‘Contribute.docx’ file contains dummy code and obfuscated cmd commands. The final cmd command reassembles the dropped files to create and execute a malicious AutoIt file.
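As an added defender-side example that is not part of the Genians report, the following Python runs simple behavior-based rules over constructed Sysmon-style events that mirror the chain described in sections 3-1 to 3-4: setup.exe dropping files into %Temp%, cmd.exe launching Contribute.docx, an AutoIt runtime renamed to a .pif running from %Temp%, and that process connecting to a domain from the report's IoC list. The event shape, field names and sample events are assumptions; process hollowing itself is not visible in these events and needs the EDR's memory-level inspection.

```python
import re
# Assumed Sysmon-like event shape: (type, pid, ppid, image, detail); detail is the
# written path (file), the command line (process) or host:port (network). All constructed.
SAMPLE_EVENTS = [
    ("process", 100, 1, r"C:\Users\u\Downloads\setup.exe", "setup.exe"),
    ("file", 100, 1, r"C:\Users\u\Downloads\setup.exe", r"C:\Users\u\AppData\Local\Temp\nsa1\Contribute.docx"),
    ("file", 100, 1, r"C:\Users\u\Downloads\setup.exe", r"C:\Users\u\AppData\Local\Temp\nsa1\Riding.pif"),
    ("process", 101, 100, r"C:\Windows\System32\cmd.exe", "cmd /c Contribute.docx"),
    ("process", 102, 101, r"C:\Users\u\AppData\Local\Temp\nsa1\Riding.pif", "Riding.pif"),
    ("network", 102, 101, r"C:\Users\u\AppData\Local\Temp\nsa1\Riding.pif", "diadtuky.su:443"),
    ("process", 200, 1, r"C:\Program Files\Microsoft Office\WINWORD.EXE", "WINWORD.EXE q.docx"),  # benign control
]
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
PAYLOAD_EXT = (".pif", ".exe", ".docx", ".a3x", ".cmd", ".bat")
C2_WATCHLIST = {"diadtuky.su", "rhussois.su", "todoexy.su"}  # domains from the report's IoC list

def descends_from(pid, ancestors, parent):
    """True if walking pid -> ppid reaches a pid in `ancestors` (pid itself excluded)."""
    seen = set()
    while pid in parent and pid not in seen:
        seen.add(pid)
        pid = parent[pid]
        if pid in ancestors:
            return True
    return False

def detect(events):
    """Return a sorted list of (rule, pid) alerts for the Lumma-style dropper chain."""
    alerts, droppers, parent = set(), set(), {}
    for etype, pid, ppid, image, detail in events:
        parent[pid] = ppid
        img, low = image.lower(), detail.lower()
        if etype == "file" and TEMP_RE.search(detail) and low.endswith(PAYLOAD_EXT):
            droppers.add(pid)                       # weak alone: legitimate installers do this too
            alerts.add(("temp_drop", pid))
        elif etype == "process":
            if img.endswith("\\cmd.exe") and ".docx" in low:
                alerts.add(("cmd_runs_docx", pid))  # a "document" executed as a command
            if img.endswith(".pif") and TEMP_RE.search(image):
                alerts.add(("pif_from_temp", pid))  # AutoIt runtime renamed to .pif in %Temp%
                if descends_from(pid, droppers, parent):
                    alerts.add(("dropper_chain", pid))  # high confidence: the full chain is present
        elif etype == "network":
            host = detail.rsplit(":", 1)[0].lower()
            if host in C2_WATCHLIST or (img.endswith(".pif") and TEMP_RE.search(image)):
                alerts.add(("suspicious_egress", pid))
    return sorted(alerts)
```

Only the chained alert (dropper_chain) is meant to page an analyst; the individual rules are context that should be correlated, which is what the report means by behavior-based rather than single-indicator detection.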

[Figure 3-11] Contribute.docx file