Lumma Unleashed: Inside the Vast Ecosystem Powering the World’s Top Infostealer
Experts from Insikt Group have presented the first comprehensive investigation into the activities of Lumma Stealer affiliates—one of the most widespread families of data-stealing malware. Covering the period from mid-2024 through the first half of 2025, the report exposes the vast ecosystem sustaining Lumma’s operations. At its core lies not only the malware itself, but also an array of auxiliary services: proxy networks, VPNs, specialized anti-detect browsers for multi-account management, exploit-building and encryption tools, evasion techniques, and resilient hosting infrastructure.
One of the key findings is that Lumma affiliates rarely confine themselves to a single scheme. Investigators documented cases where a single operator simultaneously engaged in housing-rental fraud while leveraging multiple Malware-as-a-Service (MaaS) platforms—including Vidar, Stealc, and Meduza Stealer. This diversification enhances operational flexibility, reduces exposure to law-enforcement takedowns, and ensures continued profitability even if parts of the infrastructure are seized.
The inquiry uncovered previously unknown tools, such as a validator for compromised email credentials (EMAIL SOFTWARE 1.4.0.9) and a phishing-page generator (DONUSSEF). These programs enabled affiliates to validate stolen logins, create fraudulent websites, and support follow-on attacks. Affiliates relied heavily on phishing campaigns, mass email and SMS spam, and fake login portals. To preserve anonymity, they employed proxy services like GhostSocks, ASocks, and FACELESS, alongside VPNs such as ExpressVPN, NordVPN, ProtonVPN, and Surfshark. For managing multiple identities, they turned to anti-detect browsers like Dolphin and Octo Browser, which obfuscate digital fingerprints.
A significant portion of the infrastructure depends on so-called bulletproof hosting providers—including AnonRDP, Bulletproof Hosting, and HostCay—while also exploiting legitimate platforms such as MEGA and ImgBB. To bypass antivirus software and email filters, affiliates utilized services like Hector, which offered exploit builders and cryptors for various file formats, including Excel spreadsheets and macro-enabled Office documents. Before distribution, malicious files were tested on platforms like KleenScan, which promise not to share samples with security vendors.
Cybercriminal forums remain the linchpin of the Lumma ecosystem. These hubs serve as recruitment grounds, marketplaces for cryptors, traffic, and infrastructure, and venues for selling stolen data. For example, in 2024, 92% of all logs listed on Russian Market were tied to Lumma. Carding shops further streamlined the monetization of stolen credit card and banking credentials. Such forums also provide tutorials and training, lowering the barrier to entry and transforming communities into talent pipelines for cybercrime.
The investigation also highlighted affiliate experimentation with diverse fraud schemes. An operator known as blackowl23 was observed conducting rental scams on the German platform WG-Gesucht, posting fraudulent property listings linked to fake booking.com pages and persuading victims to make advance payments using stolen site accounts. Other actors engaged simultaneously in cryptocurrency fraud, banking credential theft, and infiltration of corporate systems.
Despite law-enforcement interventions in spring 2025, Lumma demonstrated remarkable resilience: its infrastructure was re-established within days, and affiliate activity showed no decline. Insikt Group emphasizes that Lumma’s ecosystem is decentralized—meaning that even significant strikes against its core merely slow, rather than halt, its operations. Effective suppression, they argue, can only be achieved through sustained law-enforcement pressure and systematic monitoring of the dark web and underground forums.
To defend against such threats, experts recommend organizations monitor data leaks, employ YARA, Sigma, and Snort rules to detect infections, restrict downloads from untrusted sources, train employees to recognize redirects and fake login pages, and track dark-web activity. In the long run, protection demands not only technical countermeasures but also continuous analysis of the criminal landscape—where Lumma remains one of the most dominant and adaptive forces.