Full Report
Infostealers, traffers operations & the BASE34 group
Analysis Summary
# Threat Actor: Lumma Infostealer Operation
## Attribution & Identity
The primary focus is on the **Lumma** information stealer operation, which functions as a Malware-as-a-Service (MaaS). The article details their operational structure, including specific Telegram handles for sales, support, and log markets:
* **Seller:** @lummaseller128
* **Logs Market:** @lummamarketplace_bot
* **Support:** @lummamarketsupport
* **Backup Channel:** @zevsup
The operation is also linked tangentially to the broader cybercriminal ecosystem involving the **LolzTeam (LZT)** marketplace and groups associated with **BASE34**.
## Activity Summary
Lumma is a prolific infostealer operation that suffered a significant disruption on May 21st, when a coordinated multi-nation law-enforcement action involving the FBI and Microsoft seized thousands of its domains and other infrastructure. Despite the takedown, the developers restored functionality almost immediately, demonstrating strong redundancy. Log data confirms the malware remains active and under development: new infection logs have surfaced after the official takedown date. The operation sells the stolen credentials through a marketplace bot tied to several monetization channels.
## Tactics, Techniques & Procedures
The article concentrates on the business and monetization structure rather than on low-level execution TTPs, but it implies standard infostealer behaviors:
* Malware distribution resulting in stolen data logs (passwords, cookies).
* Use of dedicated Telegram channels for sales, support, and log brokerage.
* Use of cryptocurrency for transactions and payment collection (BTC, ETH, USDT, SOL, TRX, LTC, XMR).
* Maintaining continuity and redundancy post-takedown.
## Targeting
* **Sectors:** Not explicitly detailed, but the nature of an infostealer implies targeting general end-users and potentially enterprise credentials.
* **Geography:** The market bot's infection-distribution data shows victims across many countries. The article does not summarize dominant regions, beyond noting that the log marketplace (the Russia 34 channel) concentrates on **.com domains**, followed by **Germany, France, and Italy**.
* **Victims:** The article references approximately 10.6K infected devices recorded in the market bot logs. Specific named victims are not mentioned.
## Tools & Infrastructure
* **Malware families used:** Lumma Infostealer.
* **Infrastructure (C2, domains, IPs):**
  * Uses a **usrlink page** consolidating contact information.
  * Uses **Telegram** extensively for all operational communication and sales (Seller, Market, Support).
  * Monetization relies on the following crypto addresses:
    * BTC: `bc1qqhut7kcpslkrz9p6jmv562l88nl7kjzu7mfwlv` (also associated with Conti ransomware activity)
    * ETH: `0x224645F28222E5874Aa3c8cba62c31938ea41059`
    * USDT TRC20/TRX: `TMju6CzAyV5K5iNDUPgXmG21So1Pc1pwrU`
    * SOL: `EFtKiL26apR9AhhGzqfH1wgsBhGY2AQiWe8h1sno2jEt`
    * LTC: `ltc1q55z3qdys4rcgvrqms740hugs8zdvdenejfr3th`
    * XMR: `88xueysnGy4g7Mo7CxaXJV5TfxS3vxrbgjmuoEmMpJRDdU1SD9mXhjoZzCDhgwWqUNgwE7jAwaNCNQsZx1KXeUJF8mtF4Yb`
* Associated marketplaces include **LolzTeam (LZT)** and the **Russia 34** Telegram channel.
## Implications
Lumma exemplifies the remarkable resilience and sophisticated business structure of established Malware-as-a-Service operations. The quick recovery post-law enforcement action highlights that organized cybercrime ecosystems possess better redundancy than many large corporations. The integration between Lumma, infostealer vendors, and marketplaces like LZT creates a self-sustaining, highly adaptive economy for monetizing stolen data.
## Mitigations
* Maintain heightened awareness and threat hunting efforts post-takedown, as operators often return or rebrand quickly.
* Enforce strong credential hygiene and deploy Multi-Factor Authentication (MFA) broadly, since passwords and cookies are the primary data the stealer takes.
* Monitor cybercriminal forums and Telegram channels for signs of new Lumma strains or related log sales, particularly those linking to known cryptocurrency addresses (e.g., the shared Conti address).
* Acknowledge the integrated nature of the cybercrime economy where infostealer results are quickly laundered or sold on platforms like LZT.
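The monitoring mitigation above is only actionable if forum posts, channel exports and ticket notes are actually scanned for the wallet addresses listed in the Tools & Infrastructure section. The following Python is an added example (not code from the article or from any tool it describes) showing how an analyst might do that: tokens are classified by approximate address shape (bech32 for BTC/LTC, hex for ETH, base58 lengths for TRX/SOL/XMR, no checksum validation) and compared against the report's addresses after case normalization, because ETH addresses carry an optional mixed-case checksum and bech32 is case-insensitive, while base58 chains are case-sensitive. The sample text, including the near-duplicate BTC address used to show that matching is exact, is constructed for this example.

```python
import re

# Wallet addresses listed in the report above (the only IoCs this example uses).
KNOWN_ADDRESSES = {
    "BTC": "bc1qqhut7kcpslkrz9p6jmv562l88nl7kjzu7mfwlv",
    "ETH": "0x224645F28222E5874Aa3c8cba62c31938ea41059",
    "TRX": "TMju6CzAyV5K5iNDUPgXmG21So1Pc1pwrU",
    "SOL": "EFtKiL26apR9AhhGzqfH1wgsBhGY2AQiWe8h1sno2jEt",
    "LTC": "ltc1q55z3qdys4rcgvrqms740hugs8zdvdenejfr3th",
    "XMR": "88xueysnGy4g7Mo7CxaXJV5TfxS3vxrbgjmuoEmMpJRDdU1SD9mXhjoZzCDhgwWqUNgwE7jAwaNCNQsZx1KXeUJF8mtF4Yb",
}

BASE58 = r"[1-9A-HJ-NP-Za-km-z]"   # base58 alphabet: no 0, O, I, l
BECH32 = r"[ac-hj-np-z02-9]"       # bech32 alphabet: no 1, b, i, o

# Shape checks only (no checksum verification). Ordered from most to least
# specific so a TRON address is not reported as a generic base58 (SOL) string.
PATTERNS = [
    ("BTC", re.compile(rf"bc1{BECH32}{{25,62}}", re.IGNORECASE)),
    ("LTC", re.compile(rf"ltc1{BECH32}{{25,62}}", re.IGNORECASE)),
    ("ETH", re.compile(r"0x[0-9a-fA-F]{40}")),
    ("XMR", re.compile(rf"[48][0-9AB]{BASE58}{{93}}")),
    ("TRX", re.compile(rf"T{BASE58}{{33}}")),
    ("SOL", re.compile(rf"{BASE58}{{32,44}}")),  # loose: any 32-44 char base58 run
]

TOKEN = re.compile(r"[A-Za-z0-9]+")


def classify(token):
    """Return the chain label whose address shape the token matches, or None."""
    for chain, pattern in PATTERNS:
        if pattern.fullmatch(token):
            return chain
    return None


def normalize(chain, address):
    """Canonical form for comparison.

    ETH addresses may be written with an EIP-55 mixed-case checksum and bech32
    (BTC/LTC) addresses are case-insensitive, so both are lowercased. Base58
    chains (TRX/SOL/XMR) are case-sensitive and must be compared as-is.
    """
    if chain in ("ETH", "BTC", "LTC"):
        return address.lower()
    return address


def extract_addresses(text):
    """Return (chain, address) pairs for every token that looks like a wallet address."""
    found = []
    for match in TOKEN.finditer(text):
        chain = classify(match.group())
        if chain:
            found.append((chain, match.group()))
    return found


def match_known(text, known=KNOWN_ADDRESSES):
    """Return the extracted addresses that equal a known IoC after normalization."""
    hits = []
    for chain, address in extract_addresses(text):
        reference = known.get(chain, "")
        if reference and normalize(chain, address) == normalize(chain, reference):
            hits.append({"chain": chain, "address": address})
    return hits


# Constructed sample: a fake forum post quoting the report's BTC address, the ETH
# address in all-lowercase, the TRX address, and a one-character BTC lookalike
# that must NOT match.
SAMPLE_TEXT = """
[constructed] forum post: pay to bc1qqhut7kcpslkrz9p6jmv562l88nl7kjzu7mfwlv or
0x224645f28222e5874aa3c8cba62c31938ea41059 (eth). backup TMju6CzAyV5K5iNDUPgXmG21So1Pc1pwrU.
unrelated: bc1qqhut7kcpslkrz9p6jmv562l88nl7kjzu7mfwlx
"""

if __name__ == "__main__":
    for hit in match_known(SAMPLE_TEXT):
        print(f"known {hit['chain']} address seen: {hit['address']}")
```

The loose SOL pattern will also pick up unrelated 32 to 44 character alphanumeric strings (API keys, hashes), so treat `extract_addresses` output as candidates and alert only on `match_known` hits; extend `KNOWN_ADDRESSES` from your own intelligence feed rather than relying on this single report.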