Lumma Infostealer Malware Attacks Users to Steal Browser Cookies, Cryptocurrency Wallets and VPN/RDP Accounts

Since its emergence in August 2022, Lumma Infostealer has rapidly become one of the most widely used malware-as-a-service (MaaS) offerings, giving even unskilled threat actors a turnkey way to harvest high-value credentials.

Delivered primarily via phishing sites masquerading as cracked software installers, the malicious payload is encapsulated within a Nullsoft Scriptable Install System (NSIS) package designed to evade signature-based detection.

Upon execution, fragmented AutoIt modules are reassembled in memory, with obfuscated shellcode loaded through process hollowing.

This technique replaces a legitimate process with the stealer, camouflaging its activity under the guise of a benign executable.

Genians analysts identified Lumma Infostealer following a surge in reports of credential theft in September 2025. Victims across both consumer and enterprise environments reported unauthorized access to web sessions, remote desktop services, and digital asset wallets.

The stolen browser cookies and account tokens allow seamless session hijacking: replaying an already-authenticated session means the attacker never has to complete the login flow, so multi-factor authentication is never triggered in many cases.

Cryptocurrency wallets saved in local databases, as well as VPN and RDP credentials stored in configuration files, are exfiltrated via encrypted channels to command-and-control (C2) domains hosted on compromised cloud infrastructure.

The multifaceted nature of these thefts amplifies the potential for identity fraud, financial loss, and deeper network intrusions.

Although Lumma Infostealer often serves as an initial foothold for ransomware and other follow-on attacks, its standalone impact is far-reaching.

Victims may remain unaware of the breach until secondary actions—such as unauthorized wire transfers or illicit account listings on underground forums—bring the compromise to light.

The modular design of the malware facilitates continuous updates, with developers pushing regular patches to evade new detection signatures.

Strengthening endpoint detection and response (EDR) systems with behavior-based analytics and threat intelligence integration is critical to intercept the attack chain before data reaches the attacker’s C2 infrastructure.

Infection Mechanism and Evasion Tactics

At the heart of Lumma’s infection strategy is a layered installer that bypasses conventional scanners. When a user executes the downloaded NSIS installer, it drops a ZIP archive into the Temp directory.

A command script saved under a document name (Contribute.docx) is then run through cmd.exe and invokes extrac32.exe to unpack a disguised Cabinet file.

The extracted components—fragments of an AutoIt script and the AutoIt interpreter—are programmatically merged into a single executable stub.

The following fragment, as reproduced in the Genians analysis, illustrates the process hollowing routine used to inject the final payload: a host process is started, its memory is overwritten with the shellcode, the main thread's context is pointed at the injected code, and the thread is resumed:

; Fragment of AutoIt loader (as printed in the Genians analysis; the helper
; names are those of the fragment and are not necessarily standard AutoIt UDFs)
Run("cmd.exe /c Contribute.docx")                        ; run the disguised command script
_ConsoleWrite("Launching AutoIt mode...")
_ProcessCreate("Riding.pif", "", @SystemDir, 0, $pi)    ; spawn the host process; handles returned in $pi
_WinAPI_WriteProcessMemory($pi.hProcess, $remoteAddr, $shellcode, BinaryLen($shellcode))  ; overwrite host memory with the stealer shellcode
_WinAPI_SetThreadContext($pi.hThread, $context)         ; redirect the main thread to the injected code
_WinAPI_ResumeThread($pi.hThread)                       ; resume: the "benign" host now runs the stealer

[Figure: Lumma Infostealer Attack Flow (Source – Genians)]

Before injection, the installer runs tasklist piped into findstr to check whether security product processes such as SophosHealth (Sophos), ekrn (ESET) and AvastUI (Avast) are present, and adjusts its execution timing and payload placement according to the result, slipping past heuristic defenses.

Once injected, the malicious process decrypts its C2 domains—rhussois.su, diadtuky.su, and todoexy.su—and establishes encrypted channels for data exfiltration.

Stolen artifacts include web browser cookies, Telegram session data, cryptocurrency wallet files, and configuration files for VPN and RDP services.

These credentials enable lateral movement and persistent access within victim networks, often without raising immediate alarms.

The sophistication of Lumma Infostealer’s infection mechanism underscores the necessity for continuous monitoring of process injection events, routine auditing of installer behaviors, and enforcement of application allowlisting policies.

Implementing network-level blocks for known C2 domains and employing sandbox detonation for suspicious NSIS packages can further mitigate the threat posed by this stealthy and adaptable infostealer.
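The chain above (cmd.exe running a document-named script, extrac32.exe unpacking a file that is not a .cab, a tasklist/findstr check for security products, a renamed .pif being executed, and contact with the three C2 domains) is concrete enough to turn into detection logic. The following Python is an added example written for this article and is not code from Genians or from the Lumma operators. It assumes a process-creation and DNS event stream shaped like Sysmon event IDs 1 and 22 (fields Image, ParentImage, CommandLine, DestinationHostname); the event records, file names and paths in SAMPLE_EVENTS are constructed for illustration, and only the C2 domains and the AV process names come from the article.

```python
"""Detection sketch for the Lumma NSIS/AutoIt infection chain.

Added example (not from the article or Genians).  Event shape is loosely
modelled on Sysmon event IDs 1 and 22; all sample events are constructed.
"""
from __future__ import annotations

import json
import ntpath
import re
import sys

# Indicators quoted in the article.
C2_DOMAINS = {"rhussois.su", "diadtuky.su", "todoexy.su"}
AV_PROCESS_RE = re.compile(r"\b(sophoshealth|ekrn|avastui)\b", re.I)

# Extensions that claim "document" but are being executed as command scripts.
DOC_EXTS = {".docx", ".doc", ".pdf", ".txt", ".jpg", ".png"}

TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def _ext(path: str) -> str:
    return ntpath.splitext(path.strip('"'))[1].lower()


def _positional_args(cmdline: str) -> list[str]:
    """Tokens after the program name that are not /switches."""
    toks = [t.strip('"') for t in TOKEN_RE.findall(cmdline)]
    return [t for t in toks[1:] if not t.startswith("/")]


def classify(ev: dict) -> list[str]:
    """Return the chain stages a single event matches (empty list = clean)."""
    hits: list[str] = []
    img = _name(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")

    # Stage 1: cmd.exe told to execute a file carrying a document extension.
    if img == "cmd.exe":
        m = re.search(r'/[ck]\s+"?([^\s"]+)', cmd, re.I)
        if m and _ext(m.group(1)) in DOC_EXTS:
            hits.append("cmd_runs_document_named_script")

    # Stage 2: extrac32.exe unpacking a source that is not named .cab.
    if img == "extrac32.exe":
        args = _positional_args(cmd)
        if args and _ext(args[0]) != ".cab":
            hits.append("extrac32_on_disguised_cab")

    # Stage 3: findstr (fed by tasklist) looking for security products.
    if img in ("findstr.exe", "cmd.exe") and "findstr" in cmd.lower() \
            and AV_PROCESS_RE.search(cmd):
        hits.append("av_presence_check")

    # Stage 4: a renamed executable launched under a .pif extension.
    if _ext(img) == ".pif":
        hits.append("pif_executable_launched")

    # Stage 5: any lookup of or connection to a known C2 domain.
    if ev.get("DestinationHostname", "").lower() in C2_DOMAINS:
        hits.append("known_c2_domain")

    return hits


def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Return (index, hits) for every event matching at least one stage."""
    out = []
    for i, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            out.append((i, hits))
    return out


def load_jsonl(path: str) -> list[dict]:
    with open(path, encoding="utf-8") as fh:
        return [json.loads(line) for line in fh if line.strip()]


# Constructed sample telemetry: one benign cmd, one benign extrac32, and one
# event per stage of the chain.  Paths and file names are made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c dir C:\Users"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\installer.exe",
     "CommandLine": "cmd.exe /c Contribute.docx"},
    {"Image": r"C:\Windows\System32\extrac32.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"extrac32 /y /e Archive.tmp C:\Users\victim\AppData\Local\Temp\out"},
    {"Image": r"C:\Windows\System32\extrac32.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"extrac32 /y driver.cab C:\drivers"},
    {"Image": r"C:\Windows\System32\findstr.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'findstr /I "SophosHealth ekrn AvastUI"'},
    {"Image": r"C:\Users\victim\AppData\Local\Temp\Riding.pif",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "Riding.pif"},
    {"Image": r"C:\Windows\System32\svchost.exe", "DestinationHostname": "rhussois.su"},
]


if __name__ == "__main__":
    events = load_jsonl(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EVENTS
    for idx, stage_hits in scan(events):
        print(f"event {idx}: {', '.join(stage_hits)}")
```

Run it with no arguments to see the five chain events flagged and the two benign ones pass, or pass a path to a JSON-lines export of your own telemetry. Each stage on its own is a weak signal (extrac32.exe is a legitimate LOLBin, and findstr is everywhere), so in production correlate hits from the same process tree within a short window and treat stage 5, the C2 domains, as the one indicator that warrants an alert by itself.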


Tushar Subhra Dutta

Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
