
Analysis of the Lumma infostealer

 

◈ Key Findings

  • Used not only as a standalone threat but also in the initial intrusion stages of multi-vector attacks such as ransomware, account takeover, and internal network breaches.
  • Primary targets include high-value credential data such as web browser cookies, cryptocurrency wallets, and VPN/RDP accounts.
  • Stolen sensitive data is reused for various attacks, including identity theft, financial fraud, and corporate network intrusions.
  • Strengthening EDR systems capable of behavior-based detection and integration with threat intelligence is a key mitigation strategy.

 

 

1.  Overview

In recent years, cyber threats have become increasingly sophisticated and advanced, continuously evolving in both scope and complexity. As a result, cybersecurity has emerged as a critical issue for both individuals and organizations.

In particular, infections caused by infostealer malware are regarded as a high-risk threat vector that performs unauthorized activities within a victim’s endpoint system. This type of malware collects and exfiltrates sensitive information without user awareness, leading to direct and indirect damages such as privacy violations, financial loss, and reputational harm to organizations.

Infostealer-based attacks are typically conducted by organized cybercriminal groups, and the stolen data is traded on the Dark Web. Such data is then reused for various malicious activities, including identity theft, financial fraud, and secondary exploitation, posing a serious threat to both individuals and enterprises.

Beyond functioning as an independent threat, infostealers are increasingly leveraged in the early stages of multi-vector attacks such as ransomware deployment and account takeovers. Accordingly, strengthening EDR systems capable of behavior-based detection and integration with threat intelligence is essential.

This report aims to analyze the latest trends and real-world cases of infostealer threats, providing practical insights to help organizations establish effective defense strategies.

 

 

2. Background


2-1. Concept of Malware-as-a-Service (MaaS)

MaaS (Malware-as-a-Service) is a model in which cybercriminals provide the resources required to carry out attacks—such as malware development tools, command-and-control (C2) servers, and distribution infrastructure—as a service. Providers charge one-time fees or subscription charges for use of the service, enabling third parties to execute attack campaigns without developing or operating the malware themselves.

In other words, the MaaS provider is responsible for developing, maintaining, and operating the attack infrastructure, while users obtain the capability to distribute malware and conduct attacks by paying a fee (either subscription-based or one-time).

Lumma can be considered a representative infostealer distributed via a MaaS model. The characteristics of MaaS-based usage are as follows.

  • Accessibility
    • Even attackers without programming skills can easily execute attacks by using MaaS.
    • These services are sold through private online channels such as the Dark Web, Telegram, and web forums.
  • Modularity and customization support
    • Attack tools are modular, allowing users to customize functions according to need.
    • Attackers can customize multiple options, including how the malware connects to its C2 servers.
  • Monetization structure
    • Developers earn revenue from subscription or usage fees, and may also profit by selling stolen data.
    • Attackers can execute attacks with minimal effort and resell the stolen data for profit.
  • Continuous updates provided
    • Developers regularly update the malware to evade detection and add new features.

 

2-2. MaaS Ecosystem within the Cybercrime Industry

MaaS (Malware-as-a-Service) is a model adapted from the SaaS (Software-as-a-Service) concept and is classified as a subcomponent of the broader CaaS (Cybercrime-as-a-Service) ecosystem. Such MaaS and CaaS markets are primarily active on the Dark Web or within closed online forums.

Within the MaaS ecosystem, the entities responsible for developing, distributing, and maintaining the malware and its operational infrastructure are referred to as MaaS operators. These operators are often not a single individual but an organized group consisting of specialized roles such as malware developers, C2 server and infrastructure administrators, access right managers, and technical support staff.

MaaS operators typically offer various types of malware as services, which can be categorized into the following main types:

  • Ransomware
    • This type of malware restricts access to the victim’s data and demands payment in exchange for providing the decryption key. In the MaaS model, attackers primarily rent ready-made, file-encrypting tools, allowing them to run profitable ransomware campaigns without developing the malware themselves.
  • Infostealer
    • This malware collects sensitive information—such as browser credentials, session cookies, and account data stored in password managers—from the victim’s system and transmits it to a remote attacker-controlled server. The stolen information is then used for account takeover and secondary attacks.
  • Backdoor
    • A backdoor grants attackers persistent and covert remote access to the victim’s system. Through this channel, attackers can conduct long-term intrusion activities such as data collection, privilege escalation, and installation of additional malware.

 

2-3. Threat Impact

The MaaS model lowers the entry barrier for cybercrime and produces several consequential effects.

  • Reduction in attack complexity
    • By offering commoditized malware, operational infrastructure, and technical support as a service, MaaS simplifies the attack preparation process. As a result, individuals lacking programming skills or security expertise can readily carry out attack campaigns, significantly lowering the entry barrier to cybercrime.
  • Expansion of attack scale
    • The MaaS model enables many affiliates to launch attacks using the same malware. This structure causes the same malware to be reused across multiple campaigns, which can exponentially increase the scale and frequency of cyber attacks.
  • Increased complexity of threat attribution
    • Because identical malware is shared and used by multiple threat actors, techniques become homogenized and it becomes harder to identify origins. This complicates digital forensics and actor-tracking efforts by law enforcement and security professionals, making it more difficult to attribute a given attack to a specific group or individual.

 

 

3. Analysis


3-1. Lumma Infostealer

Lumma is one of the representative information-stealing malware (infostealer) families that target the Windows operating system. First observed in August 2022, it has been actively distributed worldwide, and in September 2025 it ranked first in ANY.RUN’s "Week’s Threats" among malware uploaded to the service.

 

[Figure 3-1] ANY.RUN Weekly Malware Ranking

 

Lumma Infostealer is notable for being operated as Malware-as-a-Service (MaaS), meaning it is available to anyone via subscription or one-time payment. As a result, attackers lacking specialized skills or development capabilities can readily carry out attacks, and cases using Lumma Infostealer continue to be observed.

Genians Security Center (GSC) identified instances of Lumma Infostealer being distributed packaged with the Nullsoft Scriptable Install System (NSIS). The file was disguised as pirated software and was distributed from phishing sites.

The package contains fragmented AutoIt[1] modules and malicious AutoIt scripts. At execution, it reassembles and runs the fragmented files, loads an obfuscated shellcode[2] into memory, and uses the process hollowing[3] technique to replace the AutoIt process with Lumma Infostealer. The malware then communicates with its C2 server and performs information theft.

 

[Figure 3-2] Lumma Infostealer Attack Flow

 

The combination of NSIS packaging, AutoIt scripts, shellcode injection, and process hollowing further complicates signature-based detection and analysis.

In addition, attackers are improving distribution and infection methods by changing the distribution site URLs and the distributed files, so defenses that rely on a single indicator are unlikely to be effective. Therefore, behavior-based detection and response via EDR is essential.

 

3-2. Distribution Process

Lumma Infostealer is primarily disguised as pirated or cracked software and is distributed via phishing sites as shown below.

 

[Figure 3-3] Lumma Infostealer distribution site

 

When a user clicks the download link on the site above, they are redirected to a second site; this appears intended to hide the association with the original site and to evade security- and reputation-based blocking.

Monitoring also confirmed that the URL of the redirection target is periodically changed. It appears the attacker continuously rotates URLs to avoid detection and tracking.

 

[Figure 3-4] Redirection page

 

The final download host is MEGA cloud storage. By using a legitimate cloud service as distribution infrastructure, the attacker appears to be attempting to bypass IP- and domain-based blocking.

 

[Figure 3-5] Distribution via MEGA cloud

[Figure 3-6] Downloaded file detected by Genian EDR

 

3-3. NSIS File Analysis

When the file is downloaded from the site, an encrypted ZIP archive is saved. Using the password included in the filename to extract the archive reveals a file named 'setup.exe' packaged with NSIS.

 

[Figure 3-7] setup.exe file


NSIS is an open-source installer creation tool used to distribute software. It is frequently used because of its small size, high compression ratio, and script-based control over the installation process.

However, these characteristics allow attackers to disguise malware as legitimate installation programs or to covertly drop and execute additional payloads during the installation process.

When the 'setup.exe' file is executed, it first drops the embedded malicious file to the '%Temp%' directory.

 

[Figure 3-8] Malicious file dropped in Temp folder

[Figure 3-9] File drop activity detected by Genian EDR

 

After completing the file drop, it launches the 'Contribute.docx' file via cmd.exe.

 

[Figure 3-10] cmd command detected by Genian EDR

 

3-4. Contribute.docx File Analysis

The 'Contribute.docx' file contains dummy code and obfuscated cmd commands. The final cmd command reassembles the dropped files to create and execute a malicious AutoIt file.

 

[Figure 3-11] Contribute.docx file

 

The 'Contribute.docx' script, executed via cmd.exe, first uses the 'tasklist' and 'findstr' commands to check whether any of the following security-product processes are running:

  • SophosHealth: Sophos security solution
  • nsWscSvc: Norton Security
  • Ekrn: ESET security solution
  • Bdservicehost: Bitdefender security solution
  • AvastUI, AVGUI: Avast security solution

 

If none of the above security solutions are detected, preparatory steps are taken to set variables for the executable name and extension that will be used to run the malicious AutoIt script.

 

[Figure 3-12] Security-solution check command

[Figure 3-13] tasklist, findstr commands detected by Genian EDR


Next, 'extrac32.exe' is used to extract a CAB[4] archive disguised with the filename 'Make.docx'. The CAB contains 11 files that are later used to construct the AutoIt program.


 

[Figure 3-14] Extracted Make.docx

[Figure 3-15] extrac32.exe extraction activity detected by Genian EDR

 

The malware then creates a folder named '565905' and uses the 'Copy /b /y' command to concatenate the AutoIt runtime and malicious AutoIt script files.


[Figure 3-16] AutoIt3.exe and AutoIt script recombined via Copy command


Finally, Riding.pif (AutoIt3.exe) is used to execute the file 'A' (the malicious AutoIt script).
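As an added example, not part of the Genians report or its products, the following Python sketch turns the behaviour chain described in 3-3 and 3-4 (cmd.exe launching a .docx, tasklist | findstr probing for security processes, extrac32.exe unpacking a CAB disguised as .docx, copy /b into a .pif, and the .pif being executed) into simple correlation rules applied to process-creation records. The 'parent|image|cmdline' record format, the rule names, the sample command lines and the alert threshold are all assumptions for this example.

```python
import re

# Security-product process names that the Contribute.docx script probes with
# tasklist | findstr (names taken from the report, lower-cased for matching).
AV_PROCESS_NAMES = ("sophoshealth", "nswscsvc", "ekrn", "bdservicehost", "avastui", "avgui")

# Behavioural rules, one per stage of the chain: (name, predicate over
# (parent, image, cmdline)). Any single hit is weak evidence on its own.
RULES = [
    ("docx_launched_by_cmd", lambda p, i, c: i == "cmd.exe" and ".docx" in c),
    ("av_presence_check",    lambda p, i, c: i == "findstr.exe" and any(n in c for n in AV_PROCESS_NAMES)),
    ("extrac32_on_non_cab",  lambda p, i, c: i == "extrac32.exe" and ".cab" not in c),
    ("binary_copy_to_pif",   lambda p, i, c: re.search(r"\bcopy\s+/b\b", c) is not None and ".pif" in c),
    ("pif_executed",         lambda p, i, c: i.endswith(".pif")),
]

def parse_event(line):
    """Parse a 'parent|image|cmdline' record (a constructed format for this example)."""
    parent, image, cmdline = line.split("|", 2)
    return parent.strip().lower(), image.strip().lower(), cmdline.strip().lower()

def evaluate(lines, threshold=3):
    """Return (distinct matched rule names in order seen, alert flag).
    The report's chain trips several distinct rules, while a benign admin session
    rarely trips more than one, so an alert needs at least `threshold` of them."""
    matched = []
    for line in lines:
        parent, image, cmdline = parse_event(line)
        for name, pred in RULES:
            if name not in matched and pred(parent, image, cmdline):
                matched.append(name)
    return matched, len(matched) >= threshold

# Constructed sample telemetry modelled on the execution chain in sections 3-3 and 3-4.
SAMPLE_CHAIN = [
    "setup.exe|cmd.exe|cmd /c C:\\Users\\victim\\AppData\\Local\\Temp\\Contribute.docx",
    "cmd.exe|tasklist.exe|tasklist",
    'cmd.exe|findstr.exe|findstr /I "SophosHealth nsWscSvc ekrn Bdservicehost AvastUI AVGUI"',
    "cmd.exe|extrac32.exe|extrac32 /Y /E Make.docx",
    "cmd.exe|cmd.exe|cmd /c copy /b /y Riding.pif + part1 + part2 565905\\Riding.pif",
    "cmd.exe|Riding.pif|565905\\Riding.pif A",
]
# Constructed benign events: a plain cmd session and extrac32 used on a real CAB file.
BENIGN_EVENTS = ["explorer.exe|cmd.exe|cmd /c dir", "cmd.exe|extrac32.exe|extrac32 /Y driver.cab"]

if __name__ == "__main__":
    print(evaluate(SAMPLE_CHAIN))   # all five rule names, alert=True
    print(evaluate(BENIGN_EVENTS))  # ([], False)
```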

 

3-5. AutoIt Script and Lumma Infostealer analysis

The "A" file appears to be a compiled AutoIt script that is obfuscated with dummy code and ASCII-encoded segments to hinder detection and analysis by security solutions.

When deobfuscated, strings are recoverable, but numerous dummy code blocks remain inserted to obstruct comprehensive analysis.

 

[Figure 3-17] Deobfuscated AutoIt script

 

When the AutoIt script is executed via Riding.pif (AutoIt3.exe), it uses shellcode to decrypt the obfuscated Lumma Infostealer.

Afterwards, the AutoIt script launches Lumma Infostealer using the Process Hollowing technique. Although the running process appears as "Riding.pif," Lumma Infostealer actually executes within that process.

[Figure 3-18] Lumma Infostealer injected into the Riding.pif process

 

Next, Lumma Infostealer decrypts encrypted C2 domains and communicates with the C2 servers. The C2 information observed during analysis is as follows.

 

C2 domain          IP
rhussois[.]su      64.31.56[.]58
diadtuky[.]su      109.104.153[.]203
todoexy[.]su       64.227.2[.]250

[Table 3-1] C2 information

 

Finally, Lumma Infostealer collects and transmits information such as credentials stored in web browsers, Telegram data, and cryptocurrency wallet data to the C2. The primary data types Lumma Infostealer targets are:

  • Account information stored in web browsers such as Chrome and Edge
  • Email data (Outlook, etc.)
  • Telegram data
  • Cryptocurrency-related data
  • Remote access program data, etc.

 

[Figure 3-19] Information exfiltration activity detected by Genian EDR

 

Therefore, avoid storing account credentials in web browsers, apply multi-factor authentication (MFA) to all accounts, and deploy security monitoring for anomaly detection.

 

 

4. Conclusion

Genian EDR visualizes the malware execution flow through an attack storyline, helping security personnel quickly identify threats and respond immediately.

 

[Figure 4-1] Genian EDR attack storyline


This variant of Lumma Infostealer is designed to surreptitiously execute an AutoIt script embedded within an NSIS package. The package contains the malware in split fragments, making the threat elements difficult to identify.

To detect such threats, it is necessary to investigate file and process events occurring on the endpoint and analyze the resulting execution flow.

EDR products can detect not only known threats but also attack techniques designed to evade signature-based solutions.

 

 

5. IoC (Indicator of Compromise)


  • Domain
    • diadtuky[.]su
    • rhussois[.]su
    • todoexy[.]su
  • IP
    • 58.56.31[.]64
    • 64.31.56[.]58
    • 64.227.2[.]250
    • 109.104.153[.]203

 

 

[1] AutoIt is a scripting language used on the Windows operating system, employed to automate tasks such as keyboard input.
[2] Shellcode is machine code executed in memory that is used to perform specific system-level commands.
[3] Process hollowing is a technique that hollows out a legitimate process and runs malicious code inside it.
[4] CAB files are compressed archives used for Windows updates or driver installation, and can be extracted with Windows’ built-in tools such as extrac32.exe and expand.exe.