On May 21, 2025, the United States Department of Justice (“DOJ”) announced it had obtained warrants authorizing the seizure of five internet domains used to operate a family of malware known as LummaC2, also referred to as LummaStealer (“Lumma”), that targets users of the Windows operating system developed by Microsoft Corporation (“Microsoft”). The warrants were part of a global effort to take down Lumma, led by Microsoft. According to a recent blog post by Microsoft, between March 16 and May 16, 2025, Microsoft identified over 394,000 Windows computers throughout the world infected by Lumma. Europol’s European Cybercrime Center and Japan’s Cybercrime Control Center used this information to prevent Lumma from communicating with infected computers through their infrastructures. In addition, Microsoft filed a civil action in Georgia against Lumma’s operators—as well as marketers and end users—in which Microsoft obtained a temporary restraining order (“TRO”) requiring third parties owning or operating domains believed to be controlled by Lumma to give Microsoft control of the domains and take other actions to prevent Lumma from operating and misusing victims’ data.
According to an advisory issued by the Federal Bureau of Investigation and Cybersecurity and Infrastructure Security Agency (the “FBI/CISA Advisory”) in connection with the seizure, Lumma has been sold on cybercriminal forums since 2022. Lumma operates by using a variety of techniques to steal data stored in victims’ computers. The Center for Internet Security, Inc., a nonprofit cybersecurity organization, recently reported that Lumma has not only targeted private companies but also state, local, and tribal government organizations in the United States.
As explained in Microsoft’s Complaint against Lumma and the FBI/CISA Advisory, the techniques that Lumma commonly employs include:
- The “Clickfix” Technique: Displaying fake error messages or prompts that instruct victims to fix issues by copying, pasting, and launching commands that download Lumma;
- Fake CAPTCHAs in Phishing Emails: Sending phishing or spear-phishing emails directing victims to comply with fake CAPTCHAs that download Lumma;
- Fake CAPTCHAs on Compromised Websites: Creating links on compromised websites that direct victims to fake CAPTCHA pages that prompt users to paste into the Windows Run tool commands that download Lumma;
- Malicious Link Files: Sending phishing emails with links that direct victims to download link (“.LNK”) files disguised as PDFs that, once activated, initiate Windows commands (directly and through Windows Management Instrumentation) to collect data from the victim’s system;
- Malicious Internet Shortcuts: Sending phishing emails with internet shortcut (“.URL”) attachments that, when activated, download Lumma from a remote computer; and
- Spoofed or Fake Versions of Popular Software: Creating versions of popular software for victims to download, such as multimedia players or utility programs, that have malware embedded within them.
Once Lumma is downloaded and activated, the victim’s computer becomes a client in Lumma’s malicious network, which includes command and control servers that send commands to, and receive data from, infected computers. Through this network, Lumma can collect data from the victim’s computer, including browser data such as passwords, credit card information, and cryptocurrency account credentials, which Lumma’s operators and users either directly exploit or sell to third parties.
Microsoft’s collaboration and coordination with domestic and foreign cybersecurity agencies are laudable and will undoubtedly reduce the spread of Lumma. However, given the evidence of its widespread deployment in Microsoft’s Complaint and the FBI/CISA Advisory, individuals and entities who use the Windows operating system should take measures to mitigate their risk of being infected by Lumma. Such measures may include:
- Blocking the domains identified in Microsoft’s TRO as likely to be under Lumma’s control;
- Implementing the principle of “least privilege” (providing a user or system with access to only the resources and privileges necessary for their assigned tasks);
- Implementing application controls, such as application allowlists, to prevent installation and execution of unauthorized remote access or other software;
- Using phishing-resistant multi-factor authentication;
- Disabling HTML in emails and scanning email attachments;
- Keeping Windows up to date by installing the latest software updates, patches, hot fixes, and service patches;
- Performing regular anti-virus scans and ensuring anti-virus software is up to date;
- Monitoring and reviewing registry changes and access logs;
- Detecting and monitoring usage of application programming interfaces (APIs); and
- Educating employees to recognize social engineering and phishing attacks.
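As an added example (not code from this alert, from Microsoft, or from the FBI/CISA Advisory), the PowerShell script below implements two defender-side checks that follow from the techniques and measures described above: it reviews the Windows Run tool history for pasted commands of the kind used by the “Clickfix” and fake-CAPTCHA lures, and it flags .LNK or .URL files whose names are disguised as documents. It assumes that Explorer records Run-box history under the standard key HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, that the command patterns and file-name heuristics are starting points to be tuned for the reader’s environment, and that the sample entries at the end are constructed placeholders rather than real victim artifacts.

```powershell
# Added example (not from the alert, Microsoft, or the FBI/CISA Advisory).
# Two host-side checks for the lure types described in the advisory:
#   1. Clickfix / fake-CAPTCHA lures ask the user to paste a command into the
#      Windows Run box. Explorer keeps Run-box history under the RunMRU key,
#      so entries that launch an interpreter with download or decode arguments
#      deserve review.
#   2. Phishing attachments that are really .LNK or .URL files but carry a
#      document-looking name such as "Invoice.pdf.lnk".

# Heuristic patterns (assumption: tune these for your environment).
$SuspiciousRunPatterns = @(
    'powershell', 'pwsh', 'mshta', 'cmd(\.exe)?\s', 'curl', 'bitsadmin',
    'certutil', 'wscript', 'cscript', 'rundll32', 'regsvr32',
    '-enc', '-e\s', '\biex\b', 'invoke-expression', 'downloadstring',
    'invoke-webrequest', '\biwr\b', 'https?://', 'frombase64string'
)

function Get-RunMruEntry {
    # Returns each Run-box history entry for the current user as a plain string.
    param([string]$Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU')
    if (-not (Test-Path $Path)) { return @() }
    $key = Get-ItemProperty -Path $Path
    $entries = @()
    # MRUList holds the ordering (e.g. "cab"); each letter names a stored value.
    foreach ($c in [char[]]$key.MRUList) {
        $name = [string]$c
        if ($key.PSObject.Properties[$name]) {
            # Explorer appends "\1" to each stored command; strip it.
            $entries += ($key.$name -replace '\\1$', '')
        }
    }
    return $entries
}

function Test-SuspiciousCommand {
    # True when the command matches any heuristic pattern (case-insensitive).
    param([Parameter(Mandatory)][string]$Command)
    foreach ($p in $SuspiciousRunPatterns) {
        if ($Command -imatch $p) { return $true }
    }
    return $false
}

function Find-SuspiciousRunHistory {
    # Lists Run-box history entries that look like a pasted Clickfix command.
    param([string[]]$Entries = (Get-RunMruEntry))
    $Entries | Where-Object { Test-SuspiciousCommand -Command $_ } | ForEach-Object {
        [pscustomobject]@{ Source = 'RunMRU'; Command = $_ }
    }
}

function Find-DisguisedShortcut {
    # Flags .lnk / .url files whose base name ends in a document extension,
    # the "link file disguised as a PDF" pattern from the advisory.
    param([Parameter(Mandatory)][string]$Directory)
    Get-ChildItem -Path $Directory -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.lnk', '.url' } |
        Where-Object { $_.BaseName -match '\.(pdf|docx?|xlsx?|txt)$' } |
        ForEach-Object {
            [pscustomobject]@{ Source = 'File'; Path = $_.FullName }
        }
}

# Live run against the current user profile and the Downloads folder:
Find-SuspiciousRunHistory
Find-DisguisedShortcut -Directory "$env:USERPROFILE\Downloads"

# Offline self-check with constructed sample entries (placeholders, not real artifacts):
$sample = @(
    'notepad',                                    # benign, should not be flagged
    'powershell -w hidden -enc QUFBQQ==',         # constructed placeholder, flagged
    'mshta https://example.invalid/captcha'       # constructed placeholder domain, flagged
)
Find-SuspiciousRunHistory -Entries $sample
```

Run the script in an elevated or standard PowerShell session on the host under review; the RunMRU check only sees the current user’s hive, so on shared machines repeat it per user (or load each user’s NTUSER.DAT). Matches are leads for the “monitoring and reviewing registry changes and access logs” step above, not verdicts: a legitimate administrator may well have typed `powershell` into the Run box, so review the full command and correlate it with process and network logs before acting.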
The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.