Date: 2025-05-21

Microsoft, in a new blog post, has put out some scary numbers about malware. The company has warned that "Lumma," an information-stealing malware, has managed to affect over 394,000 Windows systems worldwide in a span of just two months, between March 16, 2025, and May 16, 2025.

Microsoft says that Lumma stealer, also called LummaC2, is a malware-as-a-service (MaaS) developed by Storm-2477. Lumma has been used by cybercriminals as a tool to steal sensitive information from apps like browsers, cryptocurrency wallets, and other places.

The tech giant has explained how Lumma has been distributed via various malicious campaigns including phishing emails, malvertising (fake ads for spreading malware), drive-by downloads on compromised websites, trojanized apps, and misleading fake CAPTCHAs, among others.

In the case of malverts, for example, Microsoft points out that fake “Notepad++ download” or “Chrome update” ads were used to trick victims. To avoid such traps, users are advised to ensure they only download from official websites. If you are not sure, you can also head over to Neowin's software stories pages, where we share authentic official links for Notepad++, Mozilla's Firefox, Google Chrome (offline installer), and more apps.

However, the danger does not end there. Even if you managed to obtain the browser from a secure source, Lumma may still affect you, as it can end up in your system in other ways, as Microsoft noted. After a successful infection, Lumma can steal from Chromium-based browsers like Chrome or Edge, or Gecko-based Firefox.

Microsoft has explained what Lumma steals once it has infected a system:

Browser credentials and cookies: Lumma Stealer extracts saved passwords, session cookies, and autofill data from Chromium (including Edge), Mozilla, and Gecko-based browsers.

Cryptocurrency wallets and extensions: Lumma Stealer actively searches for wallet files, browser extensions, and local keys associated with wallets like MetaMask, Electrum, and Exodus.

Various applications: Lumma Stealer targets data from various virtual private networks (VPNs) (.ovpn), email clients, FTP clients, and Telegram applications.

User documents: Lumma Stealer harvests files found in user profiles and other common directories, especially those with .pdf, .docx, or .rtf extensions.

System metadata: Lumma Stealer collects host telemetry such as CPU information, OS version, system locale, and installed applications for tailoring future exploits or profiling victims.

In the heat map below, Microsoft shows how far-reaching Lumma's effect has been. As you can see, Europe, eastern USA, and many parts of India show the most activity:

All is not bad, though, as Microsoft ended its blog post on a positive note. The company has confirmed that its Defender antivirus is now capable of detecting LummaC2. It will be flagged under the following trojan and behavior detection names:

Behavior:Win32/LuammaStealer

Trojan:JS/LummaStealer

Trojan:MSIL/LummaStealer

Trojan:Win32/LummaStealer

Trojan:Win64/LummaStealer

TrojanDropper:Win32/LummaStealer

Trojan:PowerShell/Powdow

Trojan:Win64/Shaolaod

Behavior:Win64/Shaolaod

Behavior:Win32/MaleficAms

Behavior:Win32/ClickFix

Behavior:Win32/SuspClickFix

Trojan:Win32/ClickFix

Trojan:Script/ClickFix

Behavior:Win32/RegRunMRU

Trojan:HTML/FakeCaptcha

Trojan:Script/SuspDown
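As an added example (not code from the article or from Microsoft's post), the script below shows how a defender could use the detection names listed above for triage: it matches exported Defender detection records against that exact list, tolerates the variant suffix Defender appends (e.g. "!ml") and differences in casing, groups hits per host, and separates hosts where the stealer payload itself fired from hosts that only saw the related loader, ClickFix, fake CAPTCHA or suspicious-download names. The tab-separated record format and the sample records are constructed for this example, not a real Defender export format, and the payload-versus-related split is this example's own grouping of the names.

```python
"""Triage constructed Defender detection records against the Lumma-related
detection names listed in Microsoft's post (added example, not from the article)."""
import re
from collections import Counter, defaultdict

# Detection names exactly as listed in the article, including Microsoft's
# "LuammaStealer" spelling, kept verbatim so exact matching still works.
LUMMA_DETECTION_NAMES = frozenset({
    "Behavior:Win32/LuammaStealer",
    "Trojan:JS/LummaStealer",
    "Trojan:MSIL/LummaStealer",
    "Trojan:Win32/LummaStealer",
    "Trojan:Win64/LummaStealer",
    "TrojanDropper:Win32/LummaStealer",
    "Trojan:PowerShell/Powdow",
    "Trojan:Win64/Shaolaod",
    "Behavior:Win64/Shaolaod",
    "Behavior:Win32/MaleficAms",
    "Behavior:Win32/ClickFix",
    "Behavior:Win32/SuspClickFix",
    "Trojan:Win32/ClickFix",
    "Trojan:Script/ClickFix",
    "Behavior:Win32/RegRunMRU",
    "Trojan:HTML/FakeCaptcha",
    "Trojan:Script/SuspDown",
})

# Lower-cased lookup so a differently cased log export still maps to one listed name.
_CANONICAL = {name.lower(): name for name in LUMMA_DETECTION_NAMES}

# Defender names have the shape Type:Platform/Family with an optional "!suffix"
# (variant or confidence tag) that must not break the match.
_NAME_RE = re.compile(
    r"^(?P<type>[A-Za-z]+):(?P<platform>[A-Za-z0-9]+)/(?P<family>[A-Za-z0-9]+)"
    r"(?:!(?P<suffix>\S+))?$"
)


def parse_detection_name(name):
    """Split 'Type:Platform/Family[!suffix]' into its parts; None if not in that shape."""
    match = _NAME_RE.match(name.strip())
    if not match:
        return None
    return match.group("type"), match.group("platform"), match.group("family"), match.group("suffix")


def canonical_lumma_name(name):
    """Return the listed detection name this event corresponds to, or None."""
    parsed = parse_detection_name(name)
    if parsed is None:
        return None
    kind, platform, family, _suffix = parsed
    return _CANONICAL.get(f"{kind}:{platform}/{family}".lower())


def is_stealer_payload(canonical_name):
    """True for the LummaStealer family itself (both spellings on the list); False for the
    other listed names, which this example groups as loader/delivery/related detections."""
    family = parse_detection_name(canonical_name)[2].lower()
    return family in ("lummastealer", "luammastealer")


def triage(records):
    """Records are constructed tab-separated lines: timestamp, host, threat name, action.
    Returns per-host hits, a per-family count, hosts where the payload itself was seen,
    and counts of records that were not Lumma-related or not parseable."""
    hosts = defaultdict(list)
    families = Counter()
    unmatched = malformed = 0
    for line in records:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 4:
            malformed += 1
            continue
        timestamp, host, threat, action = parts
        canon = canonical_lumma_name(threat)
        if canon is None:
            unmatched += 1
            continue
        hosts[host].append((timestamp, canon, action))
        families[parse_detection_name(canon)[2]] += 1
    payload_hosts = sorted(
        host for host, hits in hosts.items() if any(is_stealer_payload(c) for _, c, _ in hits)
    )
    return {"hosts": dict(hosts), "families": families, "payload_hosts": payload_hosts,
            "unmatched": unmatched, "malformed": malformed}


# Constructed sample records: host names, times and the unrelated family are invented.
SAMPLE_RECORDS = [
    "2025-05-10T09:14:02Z\tWKS-017\tTrojan:HTML/FakeCaptcha\tQuarantined",
    "2025-05-10T09:14:40Z\tWKS-017\tBehavior:Win32/RegRunMRU\tBlocked",
    "2025-05-10T09:15:03Z\tWKS-017\tTrojan:PowerShell/Powdow\tBlocked",
    "2025-05-10T09:15:30Z\tWKS-017\tTrojan:Win64/LummaStealer!ml\tQuarantined",
    "2025-05-11T13:02:11Z\tWKS-042\tTrojan:Win32/UnrelatedFamily\tQuarantined",
    "2025-05-11T13:40:00Z\tWKS-042\tbehavior:win32/clickfix\tBlocked",
    "malformed line without tabs",
]

if __name__ == "__main__":
    result = triage(SAMPLE_RECORDS)
    for host, hits in result["hosts"].items():
        print(host, [canon for _, canon, _ in hits])
    print("hosts where the stealer payload itself fired:", result["payload_hosts"])
    print("unmatched:", result["unmatched"], "malformed:", result["malformed"])
```

In the sample, WKS-017 shows the full chain the article describes (fake CAPTCHA, Run-dialog MRU behavior, a PowerShell loader, then the stealer binary), while WKS-042 only has a ClickFix behavior hit, so it is worth a closer look but is not yet confirmed as a stealer infection; the unmatched counter keeps detections of other families out of the Lumma picture rather than silently dropping them.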

The same is true for Defender for Office 365 and Defender for Endpoint. You can find technical details regarding Lumma in the official blog post here and the announcement here.