Lumma Stealer.

A subscription-priced Russian-speaking malware-as-a-service info-stealer that emerged in 2022 and became one of the top-three stealers worldwide by 2024, distributed primarily via ClickFix lures and crack sites. It belongs to the Malware category of cybersecurity.

A subscription-priced Russian-speaking malware-as-a-service info-stealer that emerged in 2022 and became one of the top-three stealers worldwide by 2024, distributed primarily via ClickFix lures and crack sites.

Lumma Stealer (also called LummaC2) is a C-language Windows info-stealer first observed in mid-2022 and rented out as malware-as-a-service in Russian-speaking criminal forums. By 2024 it had become one of the dominant info-stealers worldwide alongside RedLine and StealC, having largely filled the vacuum left by RedLine and Raccoon takedowns. Capabilities are typical of the category: theft of browser cookies, saved passwords, autofill data, crypto-wallet files, Discord and Telegram tokens, Steam sessions, and arbitrary files matched against operator-supplied patterns. Lumma is widely distributed via ClickFix fake-CAPTCHA lures, malicious cracks and YouTube tutorials, malvertising, and SEO-poisoned download sites. The 2024–2025 operator added GenAI-powered command-and-control obfuscation and bundled a loader stage for follow-on payloads such as ransomware. In May 2025 Microsoft Digital Crimes Unit, the U.S. DOJ, Cloudflare, ESET and Europol jointly disrupted Lumma's infrastructure (Operation Endgame), seizing roughly 2,300 domains and disrupting the storefront, though the actor's panel and forks resurfaced within weeks.

Defences for Lumma Stealer typically combine technical controls and operational practices, as detailed in the full definition above.

Common alternative names include: LummaC2, Lumma.