Since its emergence in August 2022, Lumma Infostealer has rapidly become a cornerstone of malware-as-a-service platforms, enabling even unskilled threat actors to harvest high-value credentials.
Delivered primarily via phishing sites masquerading as cracked software installers, the malicious payload is encapsulated within a Nullsoft Scriptable Install System (NSIS) package designed to evade signature-based detection.
Upon execution, the installer reassembles fragmented AutoIt components, and obfuscated shellcode is then loaded through process hollowing.
This technique starts a legitimate executable in a suspended state, replaces its code in memory with the stealer, and resumes it, so the malicious activity runs under the name of a benign process.
Genians analysts identified Lumma Infostealer following a surge in reports of credential theft in September 2025. Victims across both consumer and enterprise environments reported unauthorized access to web sessions, remote desktop services, and digital asset wallets.
Stolen browser cookies and account tokens let an attacker replay an already-authenticated session; because the victim completed the multi-factor challenge when that session was created, the hijacked session bypasses MFA in many cases.
Cryptocurrency wallets saved in local databases, as well as VPN and RDP credentials stored in configuration files, are exfiltrated via encrypted channels to command-and-control (C2) domains hosted on compromised cloud infrastructure.
The multifaceted nature of these thefts amplifies the potential for identity fraud, financial loss, and deeper network intrusions.
Although Lumma Infostealer often serves as an initial foothold for ransomware and other follow-on attacks, its standalone impact is far-reaching.
Victims may remain unaware of the breach until secondary actions—such as unauthorized wire transfers or illicit account listings on underground forums—bring the compromise to light.
The modular design of the malware facilitates continuous updates, with developers pushing regular patches to evade new detection signatures.
Strengthening endpoint detection and response (EDR) systems with behavior-based analytics and threat intelligence integration is critical to intercept the attack chain before data reaches the attacker’s C2 infrastructure.
Infection Mechanism and Evasion Tactics
At the heart of Lumma's infection strategy is a layered installer built to get past conventional scanners. When the user runs the downloaded NSIS installer, it drops a ZIP archive into the Temp directory.
A command script saved under a document name (Contribute.docx) then invokes the built-in extrac32.exe to unpack a disguised Cabinet (CAB) file.
The extracted components, fragments of an AutoIt script together with the AutoIt interpreter, are programmatically merged into a single executable stub.
The following snippet, reproduced as a fragment of the AutoIt loader, illustrates the process hollowing routine used to inject the final payload (helper names are as reported; the fragment is abbreviated rather than a complete script):
; Fragment of AutoIt loader
; Stage 1: run the command script that was saved under a document name
Run("cmd.exe /c Contribute.docx")
_ConsoleWrite("Launching AutoIt mode...")
; Stage 2: start the benign-looking host process (Riding.pif) that will be hollowed;
; for hollowing to work it must be created suspended (CREATE_SUSPENDED) so its
; original code never runs
_ProcessCreate("Riding.pif", "", @SystemDir, 0, $pi)
; Stage 3: copy the decrypted stealer shellcode into the host's address space
_WinAPI_WriteProcessMemory($pi.hProcess, $remoteAddr, $shellcode, BinaryLen($shellcode))
; Stage 4: redirect the primary thread to the injected code, then let it run
_WinAPI_SetThreadContext($pi.hThread, $context)
_WinAPI_ResumeThread($pi.hThread)
The installer enumerates running processes with tasklist and pipes the output through findstr to look for security products (SophosHealth, ekrn and AvastUI among them); depending on what it finds, it adjusts execution timing and where the payload is placed, which helps it slip past heuristic defenses. An installer spawning that tasklist/findstr pair with product names on the command line is itself a useful detection signal.
Once injected, the malicious process decrypts its C2 domains—rhussois.su, diadtuky.su, and todoexy.su—and establishes encrypted channels for data exfiltration.
Stolen artifacts include web browser cookies, Telegram session data, cryptocurrency wallet files, and configuration files for VPN and RDP services.
These credentials enable lateral movement and persistent access within victim networks, often without raising immediate alarms.
The sophistication of Lumma Infostealer’s infection mechanism underscores the necessity for continuous monitoring of process injection events, routine auditing of installer behaviors, and enforcement of application allowlisting policies.
Implementing network-level blocks for known C2 domains and employing sandbox detonation for suspicious NSIS packages can further mitigate the threat posed by this stealthy and adaptable infostealer.
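As an added illustration of the monitoring and blocking advice above (this is example code written for this page, not code from the Genians report or from Lumma itself), the following Python script runs a small rule set over constructed, Sysmon-like process-creation and DNS events and flags the stages described in this section: a document-named file handed to cmd.exe as a script, extrac32.exe unpacking from Temp, findstr looking for the named security products, a .pif launched from a user-writable directory, and a lookup of one of the listed C2 domains. The event field names, the sample events, file names such as crack-setup.exe and the Temp location of Riding.pif are assumptions made for the example.

```python
from __future__ import annotations

import ntpath
import re

# Indicators the article names: the decrypted C2 domains and the security
# products the installer looks for with tasklist/findstr.
LUMMA_C2_DOMAINS = {"rhussois.su", "diadtuky.su", "todoexy.su"}
AV_PROCESS_NAMES = {"sophoshealth", "ekrn", "avastui"}

# cmd.exe /c|/k <name>.docx|.xlsx|.pptx|.pdf: a document extension handed to
# the shell as if it were a script.
DOC_AS_SCRIPT = re.compile(
    r'\bcmd(?:\.exe)?\s+/[ck]\s+"?[^\s"]+\.(?:docx?|xlsx?|pptx?|pdf)\b', re.I
)
TEMP_PATH = re.compile(r"\\(?:Temp|Tmp)\\", re.I)

# Constructed sample events (not real telemetry). "id" 1 stands for a
# process-creation event, 22 for a DNS query; field names are simplified.
# File names and paths are assumptions, not indicators from the report.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Users\alice\Downloads\crack-setup.exe",
     "cmd": "crack-setup.exe", "parent": "explorer.exe"},
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /c Contribute.docx", "parent": "crack-setup.exe"},
    {"id": 1, "image": r"C:\Windows\System32\extrac32.exe",
     "cmd": r"extrac32.exe /Y C:\Users\alice\AppData\Local\Temp\stage.bin .",
     "parent": "cmd.exe"},
    {"id": 1, "image": r"C:\Windows\System32\tasklist.exe",
     "cmd": "tasklist", "parent": "cmd.exe"},
    {"id": 1, "image": r"C:\Windows\System32\findstr.exe",
     "cmd": 'findstr /I "SophosHealth ekrn AvastUI"', "parent": "cmd.exe"},
    {"id": 1, "image": r"C:\Users\alice\AppData\Local\Temp\Riding.pif",
     "cmd": "Riding.pif", "parent": "cmd.exe"},
    {"id": 22, "image": r"C:\Users\alice\AppData\Local\Temp\Riding.pif",
     "query": "rhussois.su"},
    {"id": 22, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "query": "example.com"},
]


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def check_process_event(ev: dict) -> list[str]:
    """Names of every rule a single process-creation event trips."""
    hits: list[str] = []
    image = _basename(ev.get("image", ""))
    cmd = ev.get("cmd", "")
    if image == "cmd.exe" and DOC_AS_SCRIPT.search(cmd):
        hits.append("doc_extension_run_as_script")
    if image == "extrac32.exe" and TEMP_PATH.search(cmd):
        hits.append("extrac32_unpack_from_temp")
    if image == "findstr.exe" and any(av in cmd.lower() for av in AV_PROCESS_NAMES):
        hits.append("av_process_discovery")
    if image.endswith(".pif") and TEMP_PATH.search(ev.get("image", "")):
        hits.append("pif_executed_from_temp")
    return hits


def check_dns_event(ev: dict) -> list[str]:
    """Flag a query for one of the listed C2 domains (case and trailing-dot tolerant)."""
    name = ev.get("query", "").lower().rstrip(".")
    return ["known_lumma_c2_lookup"] if name in LUMMA_C2_DOMAINS else []


def analyze(events: list[dict]) -> list[tuple[str, str, str]]:
    """Run each event through the rule set for its type.

    Returns one (rule, image, command-or-query) tuple per hit.
    """
    findings: list[tuple[str, str, str]] = []
    for ev in events:
        if ev.get("id") == 1:
            rules = check_process_event(ev)
        elif ev.get("id") == 22:
            rules = check_dns_event(ev)
        else:
            rules = []
        for rule in rules:
            findings.append((rule, ev.get("image", ""), ev.get("cmd") or ev.get("query", "")))
    return findings


def triggered_rules(events: list[dict]) -> set[str]:
    return {rule for rule, _, _ in analyze(events)}


def is_lumma_chain(events: list[dict], min_stages: int = 3) -> bool:
    """Any single rule can fire on benign activity (an admin running
    tasklist | findstr, say); call it the chain only when several distinct
    stages fire on the same host."""
    return len(triggered_rules(events)) >= min_stages


if __name__ == "__main__":
    for rule, image, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule:28s} {_basename(image):14s} {detail}")
    print("Lumma chain:", is_lumma_chain(SAMPLE_EVENTS))
```

Each rule on its own is a weak signal, which is why the verdict requires several distinct stages; in a real pipeline the correlation would be keyed on the process tree (parent PID and host) rather than on a flat list of events, and the C2 list would be fed to DNS filtering or the proxy blocklist as well as to the detection rule.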