The cybersecurity landscape continues to face significant threats from sophisticated information stealers, with Lumma emerging as one of the most prevalent and dangerous malware families targeting both consumer and enterprise environments. Developed by the threat actor known as Shamel, who also operates under the aliases lumma and HellsCoder, this Russian-based malware first surfaced on cybercriminal forums in 2022 and rapidly gained market dominance due to its effectiveness and stealth capabilities.

Intel 471 analysts identified widespread distribution campaigns in which victims are lured through searches for pirated software, with attackers leveraging search engine optimization techniques and malicious advertising. The infection chain typically begins when users search for cracked applications using queries such as "download free cracked software site:google.com", leading them to compromised Google-hosted sites that ultimately deliver the malware payload.

The malware employs a multi-stage deployment process that begins with users downloading ZIP archives containing password-protected secondary archives. Upon extraction, victims encounter a Nullsoft Scriptable Install System (NSIS) installer, typically named setup.exe or set-up.exe, which executes the Lumma payload packed with the CypherIT crypter, a tool designed to obfuscate malware signatures and evade security detection. The payload also searches for active security processes, including Bitdefender, ESET, Quick Heal, and Sophos, and immediately terminates execution if any is detected. Once running, it systematically harvests enormous volumes of sensitive data from infected machines, including login credentials, cryptocurrency wallet information, personally identifiable information, session tokens, and multifactor authentication tokens; essentially any data stored within web browsers becomes vulnerable to extraction.

Despite law enforcement disruption efforts in May 2025 that seized over 2,300 domains and affected 394,000 infected machines globally, Lumma operators quickly restored infrastructure, demonstrating the persistent nature of this threat. The malware's reach is staggering: Lumma's dedicated marketplace hosted over 21,000 listings between April and June 2024, where stolen data packages called "logs" are sold to the highest bidder.
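The delivery chain above (archive, nested password-protected archive, then an NSIS installer named setup.exe or set-up.exe) leaves a recognisable footprint in endpoint process-creation telemetry. The following triage script is an added example written for this page, not code from the article, Intel 471 or any vendor: it scores constructed, Sysmon-style events on three weak indicators (installer file name, execution from a user-writable staging directory, and an archive utility as parent) and only alerts when they combine. The event fields, the list of archiver process names and the threshold are assumptions to be tuned to your own estate.

```python
"""Heuristic triage of Windows process-creation events for the delivery chain
described in the article (archive -> nested archive -> NSIS installer named
setup.exe / set-up.exe).  Example code written for this page, not from the
article, Intel 471 or any vendor.  Event shape and sample data are constructed
assumptions, loosely modelled on Sysmon Event ID 1 fields."""
from dataclasses import dataclass
import os

# Installer names the article reports for the Lumma NSIS stage.
INSTALLER_NAMES = {"setup.exe", "set-up.exe"}
# Assumed process names of common archive utilities (hypothetical list,
# tune to your estate); WinRAR and 7-Zip often stage extractions under Temp.
ARCHIVE_TOOLS = {"winrar.exe", "7zfm.exe", "7zg.exe"}
# Path fragments for user-writable staging locations (lower-cased, backslash form).
USER_STAGING_DIRS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\")
ALERT_THRESHOLD = 4


@dataclass(frozen=True)
class ProcEvent:
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    command_line: str


def _basename(path: str) -> str:
    """Lower-cased file name regardless of slash direction."""
    return os.path.basename(path.replace("\\", "/")).lower()


def score_event(ev: ProcEvent) -> tuple[int, list[str]]:
    """Return (score, reasons). Each indicator alone is weak; the combination
    of an installer name, a user-writable staging path and an archiver parent
    matches the chain the article describes."""
    score, reasons = 0, []
    if _basename(ev.image) in INSTALLER_NAMES:
        score += 2
        reasons.append("installer name matches setup.exe / set-up.exe")
    if any(frag in ev.image.lower() for frag in USER_STAGING_DIRS):
        score += 1
        reasons.append("executed from a user-writable staging directory")
    if _basename(ev.parent_image) in ARCHIVE_TOOLS:
        score += 2
        reasons.append("parent process is an archive utility")
    return score, reasons


def triage(events, threshold: int = ALERT_THRESHOLD):
    """Return the events that meet the alert threshold, with their reasons."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev, score, reasons))
    return hits


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # Matches the described chain: installer run straight out of a WinRAR temp extraction.
    ProcEvent(r"C:\Users\alice\AppData\Local\Temp\Rar$EXa1234.5678\setup.exe",
              r"C:\Program Files\WinRAR\WinRAR.exe", "setup.exe"),
    # Legitimate vendor installer launched from Program Files by Explorer.
    ProcEvent(r"C:\Program Files\ExampleVendor\setup.exe",
              r"C:\Windows\explorer.exe", "setup.exe /repair"),
    # Viewer extracted by 7-Zip: staging dir + archiver parent, but no installer name.
    ProcEvent(r"C:\Users\alice\AppData\Local\Temp\7zO5678\viewer.exe",
              r"C:\Program Files\7-Zip\7zFM.exe", "viewer.exe"),
]

if __name__ == "__main__":
    for ev, score, reasons in triage(SAMPLE_EVENTS):
        print(f"[{score}] {ev.image}")
        for r in reasons:
            print("   -", r)
```

Only the first constructed event crosses the threshold; the vendor installer scores on name alone and the extracted viewer scores on location and parent but not name, which is the point of combining indicators rather than alerting on any single one. In production this logic would sit over real EDR or Sysmon events and the hit list would be enriched with file hashes and the archive's origin URL before escalation.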
This Cyber News was published on cybersecuritynews.com. Publication date: Sat, 19 Jul 2025 05:45:11 +0000