Almost 400,000 PCs infected: Microsoft and Europol smash Lumma malware
Thousands of domains, Steam profiles and Telegram channels were exploited by the malware's operators; that is over for now. Europol praises the cooperation with Microsoft.
A coalition of cloud and security companies, led by Europol and Microsoft, has succeeded in striking a blow against the widespread malware Lumma. The malware nests itself on Windows PCs using various tricks and steals credentials, cryptocurrency and documents. Microsoft detected almost 400,000 infected Windows PCs between mid-March and mid-May alone and has now taken action. Europol is delighted with the successful cooperation.
Lumma, which is now the world's most widespread infostealer, is marketed by its developer as “Malware-as-a-Service” (MaaS). The malware's logo – a blue and white hummingbird silhouette – could be mistaken for that of a tech start-up by an uninitiated observer, but behind it lies sophisticated machinery.
Flexible and robust malware
Lumma uses various distribution channels: via malvertising, i.e., advertisements for Trojanized software, via "drive-by downloads", bundled with other malware, through phishing campaigns or via the currently popular "ClickFix" method, Lumma reaches its victims' PCs. And it does so very successfully: between March 16 and May 16, 2025, Microsoft identified 394,000 Windows PCs infected with the infostealer. On these PCs, Lumma searches for browser data, crypto wallets, VPN configurations and documents in PDF or Word format, for example. The infostealer also collects the PC's hardware specification and transmits it to its operators.
This is done via a multi-level system of so-called "C2" (command and control) addresses, some of which are hosted by CDNs such as Cloudflare, while others are hidden in Steam player profiles or Telegram groups. At the same time, the domains serve as an administration interface for the criminals: they log in to the C2 domain and can then control their malware remotely, for example to launch further exploits. Microsoft and its partners have now attacked these C2 domains: they disabled over 1,300 of these control addresses and redirected them to harmless "sinkholes" operated by Microsoft.
CleanDNS, the carrier Lumen (formerly Level3 / CenturyLink), the US Department of Justice and CDN provider Cloudflare were also involved in the operation. Many of the C2 domains were hidden behind Cloudflare's content delivery network. Europol expressly praised the cooperation with the companies in a statement: "Partnerships between the public sector and companies are a cornerstone of Europol's work in the digital age", the authority said. It handled the coordination between the parties involved and law enforcement agencies worldwide.
The Lumma stealer had been considered the top dog among infostealers since investigators took down a platform used by its competitors RedLine and Meta in October 2024.
(cku)