Explore a groundbreaking investigation into Lumma affiliates: uncover their tools, tactics, scams, and integration in the cybercriminal ecosystem. Essential reading for defenders.
Analysis Summary
# Threat Actor: Lumma Infostealer Ecosystem Affiliates
## Attribution & Identity
The actor is identified as a broad network of **Lumma affiliates** operating within an interconnected information-stealing ecosystem. These affiliates are integrated within the broader cybercriminal community, often tying themselves to distinct threat actor personas across underground forums. Lumma itself is sometimes referred to as **LummaC2**.
## Activity Summary
The investigation focused on the operations of Lumma affiliates from the second half of 2024 through the first half of 2025.
- **Simultaneous Operations:** Affiliates frequently run multiple schemes concurrently, such as leveraging stolen logs for rental fraud scams.
- **MaaS Leveraging:** Affiliates utilize multiple Malware-as-a-Service (MaaS) platforms simultaneously, including **Vidar**, **Stealc**, and **Meduza Stealer**, in addition to Lumma, to maximize success rates and mitigate takedown risks.
- **Operational Hubs:** Affiliates heavily rely on underground and specialized carding forums for recruitment, obtaining resources (like crypting services), and monetizing stolen data via built-in black markets.
- **Unreported Tools:** Insikt Group uncovered previously unreported tools, including a cracked email credential validation tool and a phishing page generator tied to another active persona.
- **Persistence:** Despite law enforcement actions in May 2025, the network has demonstrated resilience, rapidly reestablishing infrastructure within days.
## Tactics, Techniques & Procedures
- **Ecosystem Reliance:** Use of operational enablers such as proxy networks, VPNs, anti-detect browsers for multi-account management, exploit services, and crypting services.
- **Multi-Malware Usage:** Simultaneous deployment of Lumma alongside Vidar, Stealc, and Meduza Stealer.
- **Log Misuse:** Using stolen credentials (from infostealers) for secondary fraud, such as rental scams.
- **Malvertising/Redirects:** Delivery through illegitimate downloads and redirects associated with malvertising campaigns, including "ClickFix attacks"; the report recommends employee training to recognize these.
- **Resource Development:** Acquiring infrastructure (domains, VPS, servers), acquiring capabilities, and compromising email accounts, as mapped to the MITRE ATT&CK techniques in the table below.
- **Command and Control:** Use of External Proxy techniques.
| Tactic: Technique | ATT&CK Code |
| :--- | :--- |
| Resource Development: Acquire Infrastructure: Domains | T1583.001 |
| Resource Development: Acquire Infrastructure: Virtual Private Server | T1583.003 |
| Resource Development: Acquire Infrastructure: Server | T1583.004 |
| Resource Development: Acquire Access | T1650 |
| Resource Development: Obtain Capabilities: Tool | T1588.002 |
| Resource Development: Compromise Accounts: Email Accounts | T1586.002 |
| Command and Control: Proxy: External Proxy | T1090.002 |
## Targeting
- **Sectors:** The report notes that Lumma is actively exfiltrating data from **individuals, organizations, and governments**. Specific fraud activities noted involve **rental fraud**.
- **Geography:** Investigation covered affiliates operating across **multiple countries**.
- **Victims:** Not explicitly named, but implied targets include those possessing financial data, credentials, and logs valuable for underground markets.
## Tools & Infrastructure
- **Malware Families Used:** Lumma (MaaS), Vidar, Stealc, Meduza Stealer.
- **Operational Support Tools:** Cracked email credential validation tool, phishing page generator.
- **Infrastructure (C2, etc.):**
  - Lumma Sample Hash: `b8e02f2bc0ffb42e8cf28e37a26d8d825f639079bf6d948f8debab6440ee5630`
  - Meduza Panel: `hxxp://195[.]133[.]18[.]15/auth/login`
  - Stealc Panel: `hxxp://94[.]232[.]249[.]208/6a6fe9d70500fe64/main.php`
- **Ngioweb Botnet-Linked IPs (Used by affiliate blackowl23):** `162[.]210[.]192[.]136`, `174[.]138[.]176[.]77`, `174[.]138[.]176[.]78`, `195[.]154[.]43[.]189`, `209[.]159[.]153[.]19`, `212[.]83[.]137[.]94`, `212[.]83[.]138[.]186`, `212[.]83[.]138[.]245`, `212[.]83[.]143[.]103`, `212[.]83[.]143[.]118`, `212[.]83[.]143[.]159`, `212[.]83[.]143[.]191`, `38[.]91[.]107[.]229`, `38[.]91[.]107[.]2`, `51[.]83[.]116[.]4`, `66[.]29[.]129[.]52`, `67[.]213[.]210[.]115`, `67[.]213[.]212[.]50`
## Implications
Lumma and its affiliate network represent a sophisticated, decentralized model of cybercrime that exhibits high technical sophistication, rapid adaptation, and significant resilience. Disruptions offer only short-term setbacks, as affiliates quickly re-establish operations. The continued popularity of Lumma MaaS suggests this threat actor structure will remain a frontrunner in cyberspace. Stolen data is actively monetized through various means (fraud, direct sales).
## Mitigations
- **Detection/Hunting:** Deploy YARA, Sigma, and Snort rules to uncover current and historical infections. Monitor dark web and underground forums for leaked credentials and malware logs.
- **Ingress Control:** Restrict downloads from untrusted websites. Implement allow-lists where feasible.
- **User Training:** Educate employees to recognize signs of illegitimate downloads, redirects from malvertising campaigns, and techniques like ClickFix attacks.
- **Strategic Monitoring:** Continuously observe the cybercriminal ecosystem to anticipate emerging threats.
- **Sustained Pressure:** Achieving long-term mitigation requires persistent law enforcement pressure and focused intelligence efforts against individual affiliates.
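The indicators in the Tools & Infrastructure section are published defanged (`hxxp://`, `[.]`), so before they can be used for the detection and hunting step above they must be refanged and matched exactly. The following Python script is an added example, not code from the report or from Insikt Group: it refangs the report's hash, panel URLs and Ngioweb-linked IPs, then scans a few constructed proxy-log lines (the log format and the lines are invented for the example) and a file hash against them. It deliberately matches whole dotted quads only, because the report's list contains `38[.]91[.]107[.]2`, which is a substring of `38[.]91[.]107[.]229` and of many unrelated addresses such as `138.91.107.229`, so naive substring matching would produce false positives.

```python
"""IoC matching for the Lumma affiliate indicators listed in the report.

Added example (not from the report): refangs the defanged indicators and
runs them over constructed proxy-log lines plus a file hash.
"""
import re
from urllib.parse import urlparse

# Indicators copied verbatim (still defanged) from the Tools & Infrastructure section.
REPORT_IOCS = {
    "sha256": ["b8e02f2bc0ffb42e8cf28e37a26d8d825f639079bf6d948f8debab6440ee5630"],
    "panel_url": [
        "hxxp://195[.]133[.]18[.]15/auth/login",                  # Meduza panel
        "hxxp://94[.]232[.]249[.]208/6a6fe9d70500fe64/main.php",  # Stealc panel
    ],
    "ngioweb_ip": [
        "162[.]210[.]192[.]136", "174[.]138[.]176[.]77", "174[.]138[.]176[.]78",
        "195[.]154[.]43[.]189", "209[.]159[.]153[.]19", "212[.]83[.]137[.]94",
        "212[.]83[.]138[.]186", "212[.]83[.]138[.]245", "212[.]83[.]143[.]103",
        "212[.]83[.]143[.]118", "212[.]83[.]143[.]159", "212[.]83[.]143[.]191",
        "38[.]91[.]107[.]229", "38[.]91[.]107[.]2", "51[.]83[.]116[.]4",
        "66[.]29[.]129[.]52", "67[.]213[.]210[.]115", "67[.]213[.]212[.]50",
    ],
}

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# Whole dotted quads only: "38.91.107.2" must not match inside "38.91.107.229"
# or "138.91.107.229". The lookarounds refuse a digit or dot on either side.
IP_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def refang(value: str) -> str:
    """Undo the common defanging conventions (hxxp://, [.], [:])."""
    value = value.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)


def build_index(iocs: dict) -> dict:
    """Refang everything once and build exact-match sets for fast lookup."""
    panel_urls = {refang(u) for u in iocs["panel_url"]}
    return {
        "sha256": {h.lower() for h in iocs["sha256"]},
        "panel_url": panel_urls,
        # A request to the panel host with a different path still deserves an alert.
        "panel_host": {urlparse(u).hostname for u in panel_urls},
        "ngioweb_ip": {refang(ip) for ip in iocs["ngioweb_ip"]},
    }


def scan_line(line: str, idx: dict) -> list:
    """Return (kind, value) hits for one proxy-log line."""
    hits = []
    for url in URL_RE.findall(line):
        if url in idx["panel_url"]:
            hits.append(("panel_url", url))
        elif urlparse(url).hostname in idx["panel_host"]:
            hits.append(("panel_host", urlparse(url).hostname))
    for ip in IP_RE.findall(line):
        if ip in idx["ngioweb_ip"]:
            hits.append(("ngioweb_ip", ip))
    return hits


def scan_log(text: str, idx: dict) -> list:
    """Scan a whole log; return (line_number, line, hits) for lines that hit."""
    results = []
    for n, line in enumerate(text.splitlines(), start=1):
        hits = scan_line(line, idx)
        if hits:
            results.append((n, line, hits))
    return results


def is_known_sample(sha256_hex: str, idx: dict) -> bool:
    """Check a file hash (any case) against the reported Lumma sample hash."""
    return sha256_hex.lower() in idx["sha256"]


# Constructed proxy-log lines (not real telemetry): "time client method target status".
# Line 5 carries 138.91.107.229, which contains the reported 38.91.107.229 as a
# substring but is a different host and must not alert.
SAMPLE_PROXY_LOG = """\
2025-06-02T10:14:03Z 10.0.5.21 POST http://195.133.18.15/auth/login 200
2025-06-02T10:14:09Z 10.0.5.21 GET http://example.com/index.html 200
2025-06-02T10:15:44Z 10.0.7.4 CONNECT 212.83.143.118:443 200
2025-06-02T10:16:01Z 10.0.9.8 GET http://94.232.249.208/other.php 404
2025-06-02T10:17:30Z 10.0.7.4 CONNECT 138.91.107.229:443 200
2025-06-02T10:18:12Z 10.0.7.4 CONNECT 38.91.107.229:443 200
"""

if __name__ == "__main__":
    index = build_index(REPORT_IOCS)
    for n, line, hits in scan_log(SAMPLE_PROXY_LOG, index):
        print(f"line {n}: {hits}")
    print(is_known_sample("B8E02F2BC0FFB42E8CF28E37A26D8D825F639079BF6D948F8DEBAB6440EE5630", index))
```

Run as-is, the script flags lines 1, 3, 4 and 6 of the constructed log and leaves line 5 alone. The `panel_host` category is a design choice: the panel paths in the report are specific to one deployment, and an affiliate can move the panel to a different path on the same host in minutes, so host-level hits are kept as a lower-confidence signal next to the exact URL matches.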