The FBI and CISA released a joint advisory detailing the tactics, techniques, and indicators of compromise related to the LummaC2 infostealer malware, which has targeted critical U.S. infrastructure sectors since November 2023. LummaC2 uses spearphishing, obfuscation, and sophisticated command and control methods to steal sensitive data such as credentials, cryptocurrency wallets, and MFA details. #LummaC2 #FBI #CISA
Key points
- LummaC2 malware was first sold on Russian-speaking cybercriminal forums in 2022 and actively observed from November 2023 to May 2025.
- Threat actors deploy LummaC2 primarily via spearphishing emails containing hyperlinks or attachments and trick users into executing malicious PowerShell commands.
- The malware is often disguised within spoofed popular software to evade detection by antivirus and Endpoint Detection and Response (EDR) tools.
- LummaC2 collects various sensitive data including browser data, financial credentials, cryptocurrency wallets, and multifactor authentication details without immediate detection.
- The malware uses multiple command opcodes for flexible data theft, downloading files, taking screenshots, and self-deletion to maintain stealth.
- No files are created on disk unless commanded by the C2 server; LummaC2 primarily runs in memory and communicates with C2 domains via encrypted POST requests.
- The FBI and CISA recommend mitigation strategies such as application allowlisting, phishing resistance, monitoring for suspicious API calls, and segmentation to reduce risks.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – Used to deploy LummaC2 payloads through malicious email attachments.
- [T1566.002] Spearphishing Link – Used to deploy malware via phishing hyperlinks.
- [T1027] Obfuscated Files or Information – LummaC2 malware obfuscates its code to bypass security detection.
- [T1036] Masquerading – Malware distributed by spoofing popular software to evade detection.
- [T1140] Deobfuscate/Decode Files or Information – Malware decrypts its C2 domains before communication ("decrypts callback Command and Control (C2) domains").
- [T1012] Query Registry – Uses GetUserNameW and GetComputerNameW APIs to gather system information for operational checks.
- [T1217] Browser Information Discovery – Steals browser data from multiple browsers.
- [T1119] Automated Collection – Automatically collects sensitive information including cryptocurrency wallets.
- [T1071.001] Application Layer Protocol: Web Protocols – Uses POST requests for C2 communication.
- [T1105] Ingress Tool Transfer – Downloads remote files as instructed by the C2 server.
- [TA0010] Exfiltration – Exfiltrates collected data including credentials and MFA details.
- [T1106] Native API – Executes downloaded files via OS native APIs such as LoadLibrary and rundll32.exe.
Indicators of Compromise
- [File Hashes] LummaC2 executable hashes – Examples include MD5: 4AFDC05708B8B39C82E60ABE3ACE55DB, SHA256: 19CC41A0A056E503CC2137E19E952814FBDF14F8D83F799AEA9B96ABFF11EFBB, and others.
- [DLL Binaries] DLL files used by LummaC2 – iphlpapi.dll (IP Helper API), winhttp.dll (Windows HTTP Services).
- [Domains] Historical C2 and distribution domains – Examples: Pinkipinevazzey[.]pw, Musicallyageop[.]pw, blast-hubs[.]com, nestlecompany[.]pro, and numerous others.
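The advisory notes that LummaC2 talks to its C2 domains over POST requests and lists defanged domains and file hashes as indicators. The following Python script is an added example, not part of the advisory or this summary: it refangs the domains listed above, sweeps a set of constructed proxy log lines for requests to those hosts (flagging POSTs as higher confidence, since that is the C2 channel the advisory describes), and checks a byte buffer against the listed MD5/SHA256 hashes. The log line layout (timestamp, client IP, method, URL, status) and the sample lines are assumptions built for the example.

```python
import hashlib
import re
from collections import namedtuple

# Defanged C2/distribution domains as listed in the advisory summary (AA25-141B).
DEFANGED_DOMAINS = [
    "Pinkipinevazzey[.]pw",
    "Musicallyageop[.]pw",
    "blast-hubs[.]com",
    "nestlecompany[.]pro",
]

# File hashes as listed in the advisory summary, lowercased for comparison.
KNOWN_HASHES = {
    "md5": {"4afdc05708b8b39c82e60abe3ace55db"},
    "sha256": {"19cc41a0a056e503cc2137e19e952814fbdf14f8d83f799aea9b96abff11efbb"},
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'example[.]com' into a matchable hostname."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


C2_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}

# Constructed proxy log lines (assumed layout: ts client method url status).
# Hosts other than the advisory's domains are placeholders, not real indicators.
SAMPLE_PROXY_LOG = """\
2025-05-20T10:01:02Z 10.0.0.15 GET https://www.example.com/index.html 200
2025-05-20T10:01:09Z 10.0.0.15 POST https://blast-hubs.com/api 200
2025-05-20T10:02:44Z 10.0.0.22 POST https://updates.example.org/telemetry 204
2025-05-20T10:03:01Z 10.0.0.15 POST http://nestlecompany.pro/gate 200
2025-05-20T10:04:10Z 10.0.0.31 GET https://PINKIPINEVAZZEY.PW/ 404
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

Hit = namedtuple("Hit", "ts client method host confidence")


def hostname(url: str) -> str:
    """Extract the lowercased host portion of a URL (scheme://host[:port]/...)."""
    m = re.match(r"^[a-z]+://([^/:]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def find_c2_hits(log_text: str, domains=None):
    """Return one Hit per log line whose destination host is a listed C2 domain.

    POST requests are marked 'high' because the advisory describes POST-based C2;
    other methods to the same hosts are still reported as 'medium'.
    """
    domains = C2_DOMAINS if domains is None else domains
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        host = hostname(m.group("url"))
        if host in domains:
            confidence = "high" if m.group("method") == "POST" else "medium"
            hits.append(Hit(m.group("ts"), m.group("client"), m.group("method"), host, confidence))
    return hits


def hash_matches(data: bytes):
    """Return the names of the hash algorithms under which `data` matches a listed indicator."""
    digests = (("md5", hashlib.md5(data).hexdigest()),
               ("sha256", hashlib.sha256(data).hexdigest()))
    return [algo for algo, digest in digests if digest in KNOWN_HASHES[algo]]


if __name__ == "__main__":
    for hit in find_c2_hits(SAMPLE_PROXY_LOG):
        print(f"{hit.confidence:6} {hit.ts} {hit.client} {hit.method} -> {hit.host}")
    print("hash matches for constructed buffer:", hash_matches(b"constructed sample bytes"))
```

In practice the domain set would be loaded from the full advisory's indicator list rather than the four examples here, and the log regex adapted to the proxy or DNS log format actually in use; the refang step matters because advisories publish indicators defanged and a naive string match against raw logs would never fire.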
Read more: https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-141b