top of page

Lumma-nating malware ain’t pretty

Lumma malware, first seen in 2022, has seen a surge in activity through this year, evolving techniques and becoming increasingly popular on underground forums and markets. New studies on this malware have uncovered detection evasion tools using mathematics to discern user activity.

Lumma malware (also LummaC2) is typically an info-stealer malware which collects information including passwords, usernames, financial information, credit card details, crypto-wallet data, and browser cookies, harvesting and sending them back to their command-and-control servers for threat actors to use as they want.

This information is commonly sold in dark markets, with prices depending on the quality of the data. Another way in which info-stealers are used are as part of “as-a-service models”. Lumma is no different. The LummaC2 malware can target 70 browsers, cryptocurrency wallets and multi-factor authentication extensions.

For up to $1000 per month, subscribers can use LummaC2 malware to bypass proactive protection, view and upload logs, and utilise log and traffic analysis tools. Affiliates of the malware can also benefit from a cut of new subscriptions which they bring to the platform.

Recent analysis of Lumma shows that the malware has evolved its tactics and is now able to evade detection of security packages by measuring mouse movements of users to determine whether it is being run in a sandbox.

The malware uses trigonometry methods, tracking the movements and records where the mouse is positioned in intervals, calculate angles and vectors from these results and compares them to predetermined (albeit arbitrary) thresholds; in this case, they’re compared to a 45-degree angle. This discerns human-like and automatic behaviour and prevents the malware continuing until this rule is satisfied.

Other characteristics of the malware include the use of a crypter to protect the executables from being shared with other threat actors without purchase and from threat hunters and researchers. By encrypting strings in XOR, dynamic configuration files received from the C2 can be supported, and control flow flattening obfuscation used to break the original flow of the program and thus making detection harder.

Distribution of Lumma malware has evolved over its lifetime. It has been seen being distributed in YouTube videos promoting cracked software (unlicenced or copied software), on dark web forums, on Telegram Channels and also via Lumma’s official retail page. Another access vector includes downloads of trojanised software or malicious emails containing URLs.

This analysis of Lumma malware highlights how readily available malware is to threat actors, including those without high levels of expertise and technical skill.

Also of note is the emphasis of threat actors to evade detection and bypass security measures and adding multiple layers of protection within their code to obfuscate and complicate analysis and threat hunting investigations.



Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).



The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page