Since its emergence in August 2022, Lumma Infostealer has rapidly become a significant tool in the malware-as-a-service (MaaS) landscape, enabling even unskilled cybercriminals to harvest high-value credentials. This malware is primarily delivered through phishing sites that masquerade as cracked software installers. The malicious payload is encapsulated within a Nullsoft Scriptable Install System (NSIS) package, specifically designed to evade signature-based detection mechanisms.
Upon execution, the NSIS installer drops a ZIP archive into the system’s temporary directory. A command-line script, often named Contribute.docx, then invokes `extrac32.exe` to unpack a disguised Cabinet file. The extracted components—fragments of an AutoIt script and the AutoIt interpreter—are programmatically merged into a single executable stub. This process involves reassembling fragmented AutoIt modules in memory and loading obfuscated shellcode through a technique known as process hollowing. This method replaces a legitimate process with the stealer, effectively camouflaging its activity under the guise of a benign executable.
The infection mechanism is further sophisticated by the malware’s ability to verify the absence of specific security processes, such as `SophosHealth`, `ekrn`, and `AvastUI`, using commands like `tasklist` and `findstr`. By doing so, the installer adjusts execution timing and payload placement to slip past heuristic defenses. Once the malicious process is injected, it decrypts its command-and-control (C2) domains—rhussois.su, diadtuky.su, and todoexy.su—and establishes encrypted channels for data exfiltration.
The stolen data includes web browser cookies, Telegram session data, cryptocurrency wallet files, and configuration files for VPN and RDP services. These credentials enable lateral movement and persistent access within victim networks, often without raising immediate alarms. The multifaceted nature of these thefts amplifies the potential for identity fraud, financial loss, and deeper network intrusions.
Genians analysts identified Lumma Infostealer following a surge in reports of credential theft in September 2025. Victims across both consumer and enterprise environments reported unauthorized access to web sessions, remote desktop services, and digital asset wallets. The stolen browser cookies and account tokens facilitate seamless session hijacking, bypassing multi-factor authentication measures in many cases. Cryptocurrency wallets saved in local databases, as well as VPN and RDP credentials stored in configuration files, are exfiltrated via encrypted channels to C2 domains hosted on compromised cloud infrastructure.
Although Lumma Infostealer often serves as an initial foothold for ransomware and other follow-on attacks, its standalone impact is far-reaching. Victims may remain unaware of the breach until secondary actions—such as unauthorized wire transfers or illicit account listings on underground forums—bring the compromise to light. The modular design of the malware facilitates continuous updates, with developers pushing regular patches to evade new detection signatures.
Strengthening endpoint detection and response (EDR) systems with behavior-based analytics and threat intelligence integration is critical to intercept the attack chain before data reaches the attacker’s C2 infrastructure. Implementing network-level blocks for known C2 domains and employing sandbox detonation for suspicious NSIS packages can further mitigate the threat posed by this stealthy and adaptable infostealer.
