Led by Microsoft, the operation largely disabled the botnet by targeting C&C servers. ESET provided technical analysis and data extracted from thousands of samples
ESET, a global European leader in the cybersecurity market, has collaborated with Microsoft, BitSight, Lumen, Cloudflare, CleanDNS and GMO Registry on an international operation aimed at dismantling Lumma Stealer, a notorious infostealer offered in Malware-as-a-Service mode. The operation targeted Lumma Stealer's infrastructure, specifically all known C&C servers from the past year, largely rendering the botnet inactive.
"ESET's automated systems analyzed tens of thousands of Lumma Stealer samples, extracting key elements such as C&C servers and affiliate identifiers. This allowed us to constantly monitor Lumma Stealer activity, group affiliates, track code updates, and more," explains Jakub Tomanek, ESET Lumma Stealer researcher. "Infostealer families like Lumma Stealer are often just the precursor to much more serious attacks. Stolen credentials are a valuable commodity in cybercrime, sold by initial access brokers to other cybercriminals, including affiliates of ransomware groups," adds Tomanek. Over the past two years, Lumma Stealer has been among the most popular infostealers globally, sparing no geographic area.
Its developers have continued to actively update and maintain the code with changes ranging from simple bug fixes to complete changes in string encryption and networking protocol. The shared infrastructure of the botnet was also actively managed by the operators. Between June 17, 2024 and May 1, 2025, ESET identified 3,353 unique C&C domains, averaging approximately 74 new domains per week, including occasional updates to Telegram-based resolvers. This continuous evolution demonstrates the dangerousness of the threat and the importance of the dismantling intervention.
Lumma Stealer adopts a Malware-as-a-Service model, in which affiliates pay a monthly subscription, divided into tiers, to receive updated versions of the malware and the infrastructure necessary for data exfiltration. Prices range from $250 to $1000 per month, depending on the level of functionality. The operators have also created a marketplace on Telegram, equipped with a rating system, to sell the stolen data without intermediaries. The most common distribution methods include phishing campaigns, pirated software and other malicious downloaders. Lumma Stealer employs a few but effective anti-emulation techniques to make malware analysis as complex as possible, hindering researchers' activities.
Microsoft's Digital Crimes Unit has coordinated the removal, the suspension, seizure and blocking of the malicious domains that formed the backbone of the Lumma Stealer infrastructure, thanks to an order of the United States District Court for the Northern District of Georgia. In parallel, the United States Department of Justice seized the malware's control panel and directly affected the Lumma Stealer marketplace and its buyers. The operation was also coordinated with Europol (European Cybercrime Center - EC3) and the Japan Cybercrime Control Center (JC3), which facilitated the blocking of local infrastructure.
"The operation was made possible by our constant monitoring of Lumma Stealer. The intervention, led by Microsoft, aimed at seizing all known C&C domains, rendering the infrastructure non-functional. ESET will however continue to monitor other infostealers and closely observe any residual activity of Lumma Stealer", concludes Tomanek.
For an in-depth analysis of the Lumma Stealer ecosystem, a detailed technical analysis and an overview of the evolution of its main static and dynamic characteristics, the post on the ESET Research blog entitled "ESET takes part in global operation to disrupt Lumma Stealer” on WeLiveSecurity.com. To stay updated on the latest news you can follow ESET Research on X (formerly known as Twitter), BlueSky e Mastodon.






