What is Lumma Stealer, the malware Microsoft says infected more than 394,000 Windows PCs worldwide?

In one of the most widespread malware outbreaks of recent years, Microsoft has confirmed that a powerful information-stealing malware known as Lumma Stealer has compromised over 394,000 Windows PCs across the globe. Between March 16 and May 16, 2025, this malware silently infiltrated systems, stealing sensitive data and wreaking havoc across individuals, businesses, and organizations.

The global operation to take down Lumma involved Microsoft, the FBI, Europol, and other cybercrime units. But what exactly is Lumma Stealer, how does it operate, and what can you do to protect yourself?


What Is Lumma Stealer?

Lumma Stealer is a type of malware called an infostealer, which is designed to extract sensitive data from infected systems. This includes:

  • Usernames and passwords
  • Banking and credit card details
  • Cryptocurrency wallet credentials
  • Browser cookies and session tokens
  • VPN and FTP client data
  • Email and messaging app credentials

Once collected, this data is transmitted back to the attacker’s servers and often sold on dark web markets or used in larger-scale cyberattacks.

Lumma is not just a random virus created by a lone hacker. It operates under a Malware-as-a-Service (MaaS) model. In other words, cybercriminals can buy or rent this malware, often paying subscription fees ranging from $250 to $1,000 per month, depending on the level of customization and support they require.


How Does Lumma Stealer Spread?

Lumma uses a variety of clever distribution tactics, making it extremely difficult to track and stop. Some of the most common delivery methods include:

  • Phishing emails with malicious attachments or links
  • Fake software installers or cracked software
  • Malvertising – online ads that lead users to infected downloads
  • Drive-by downloads through compromised websites

Once a user clicks a malicious link or installs a trojanized file, Lumma embeds itself into the system and begins silently harvesting data.


Targeted Applications and Browsers

One of Lumma’s most dangerous traits is its ability to extract data from multiple commonly used applications. It can target:

  • Web browsers like Chrome, Firefox, Edge, and Opera
  • VPN tools used by businesses and remote workers
  • Email clients like Outlook and Thunderbird
  • Messaging apps including Telegram and Discord
  • Cryptocurrency wallets, both desktop and browser-based

In some cases, Lumma can even capture screenshots and log keystrokes, giving attackers an even deeper view into the victim’s activity.


Microsoft’s Global Takedown Operation

In response to the rising threat, Microsoft launched a massive disruption campaign in May 2025 in collaboration with:

  • The U.S. Department of Justice
  • The FBI
  • Europol
  • Japan’s Cybercrime Control Center

Together, these organizations seized over 2,300 malicious domains used by Lumma’s infrastructure. They also sinkholed more than 1,300 of these domains—redirecting traffic from infected PCs to safe servers operated by Microsoft. This move not only disrupted Lumma’s operations but also allowed researchers to study the malware further and help victims regain control of their devices.
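Because infected machines keep trying to reach their command-and-control domains after those domains are sinkholed, a defender can spot likely-infected hosts by watching internal DNS logs for lookups of the seized names. The script below is an added example, not from the original article or from Microsoft; the domain names and BIND-style query log lines are constructed placeholders standing in for a real sinkholed-domain list and a real resolver log.

```python
import re
from collections import defaultdict

# Constructed placeholders standing in for the sinkholed Lumma C2 domains
# (not real indicators; replace with a published takedown list).
SINKHOLED_DOMAINS = {
    "example-c2-one.invalid",
    "example-c2-two.invalid",
}

# Constructed BIND-style resolver query log, not real traffic.
DNS_LOG = """\
17-May-2025 09:12:01.334 client 10.0.0.21#51234: query: www.microsoft.com IN A + (10.0.0.1)
17-May-2025 09:12:04.101 client 10.0.0.35#49002: query: example-c2-one.invalid IN A + (10.0.0.1)
17-May-2025 09:13:10.552 client 10.0.0.35#49010: query: example-c2-one.invalid IN A + (10.0.0.1)
17-May-2025 09:15:44.009 client 10.0.0.77#55120: query: example-c2-two.invalid IN A + (10.0.0.1)
17-May-2025 09:16:02.222 client 10.0.0.21#51240: query: updates.example.org IN A + (10.0.0.1)
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN "
)

def parse_query(line):
    """Return (timestamp, client IP, queried name) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ts"), m.group("src"), m.group("qname").lower().rstrip(".")

def matches_sinkhole(qname, sinkholed=SINKHOLED_DOMAINS):
    """True if qname is a sinkholed domain or any subdomain of one."""
    parts = qname.split(".")
    return any(".".join(parts[i:]) in sinkholed for i in range(len(parts)))

def suspected_infected_hosts(log_text, sinkholed=SINKHOLED_DOMAINS):
    """Map each client IP that looked up a sinkholed domain to its lookup count."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_query(line)
        if parsed and matches_sinkhole(parsed[2], sinkholed):
            hits[parsed[1]] += 1
    return dict(hits)

if __name__ == "__main__":
    for host, count in suspected_infected_hosts(DNS_LOG).items():
        print(f"{host}: {count} lookup(s) of sinkholed domains; isolate and investigate")
```

A host that repeatedly queries seized domains is a candidate for isolation and credential reset, since Lumma's stolen data may already have left the machine before the takedown.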


The Rise of Malware-as-a-Service (MaaS)

Lumma is part of a broader trend in the cybercrime world: the rise of MaaS platforms. These services allow less-skilled hackers to rent or buy powerful malware and use it with minimal technical knowledge.

This means that even small-time cybercriminals can launch sophisticated attacks, contributing to the skyrocketing number of malware infections worldwide.

Lumma’s developers, believed to be based in Russia, continually update the malware to avoid detection by antivirus software. They also use bulletproof hosting, rotating domains, and legitimate cloud services to hide their activities.


Why Is Lumma So Dangerous?

Unlike ransomware, which announces its presence by locking your files and demanding payment, Lumma operates silently. Most victims don’t realize they’ve been infected until their passwords are leaked, their bank accounts are emptied, or their crypto assets vanish.

Its stealthy nature makes it a favorite among cybercriminals looking to perform identity theft, financial fraud, or larger-scale network intrusions using stolen credentials.


How to Protect Yourself from Lumma Stealer

To reduce the risk of infection and data loss, follow these cybersecurity best practices:

  1. Update software regularly – Keep your operating system, browser, and antivirus software up to date.
  2. Use strong, unique passwords – Consider a password manager to store and generate secure credentials.
  3. Enable two-factor authentication (2FA) – Adds an extra layer of security even if your password is stolen.
  4. Avoid downloading cracked software or files from unknown sources.
  5. Be cautious with email attachments and links, especially from unknown senders.
  6. Install a reputable antivirus or endpoint detection system.

If you suspect your device has been infected, disconnect from the internet immediately, perform a full scan using updated security software, and change all your passwords from a clean device.


Final Thoughts

The Lumma Stealer campaign shows just how widespread and dangerous modern malware can be. With nearly 400,000 infections in just two months, it’s clear that cybercriminals are constantly evolving, using advanced tools and services to scale their attacks.

Microsoft’s takedown of Lumma’s infrastructure is a major step forward, but the fight against cybercrime is far from over. Staying informed, practicing good digital hygiene, and adopting a proactive security mindset are the best defenses we have.