WithSecure analysts identified Lumma during their analysis of open source samples between February and March 2025, revealing the malware’s sophisticated three-stage infection process. This massive infection rate prompted coordinated international law enforcement action, with the US Department of Justice, Europol, and Japan’s Cybercrime Center successfully seizing Lumma’s control panel and infrastructure worldwide, though threat actors have shown signs of continued activity despite this disruption. The cybersecurity landscape has witnessed a significant surge in information-stealing malware, with Lumma emerging as one of the most prevalent and sophisticated threats targeting Windows systems globally. The malware resolves critical Windows APIs dynamically by parsing the Process Environment Block (PEB) and Export Address Tables, avoiding static import dependencies that could trigger security solutions. The scale of Lumma’s impact became evident when Microsoft’s Threat Intelligence team reported that between March and May 2025, they identified over 394,000 Windows computers globally infected by this stealer. The loader then extracts and decrypts the second stage payload from a specific section (.CODE) using a custom decryption routine, before utilizing the Windows API function CallWindowProcA as an execution vector to transfer control to the decrypted shellcode. Their comprehensive analysis uncovered the malware’s complex infection chain, beginning with a .NET/C# loader that serves as the initial entry point for the attack sequence. The malware incorporates multiple anti-analysis features, including a self-integrity check that compares 20 bytes of its running process memory against the original file to detect unpacking attempts. Additionally, it performs a language check specifically targeting non-Russian systems by calling GetUserDefaultUILanguage and comparing the result against the Russian language identifier (0x419), demonstrating its targeted nature and potential attribution to Russian-speaking threat actors. The malware’s sophisticated multi-stage infection chain and advanced evasion techniques have made it a persistent challenge for security researchers and organizations alike. The malware employs a three-stage infection process that begins with a packed .NET executable serving as the initial loader. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. The second stage demonstrates advanced process hollowing techniques, creating a suspended process of itself and systematically replacing its memory contents. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. The malware systematically targets browser databases, cryptocurrency wallets, user credentials, and sensitive documents, making it particularly dangerous for both individual users and corporate environments. Its operators have leveraged various attack vectors, including phishing campaigns, malicious attachments, and compromised websites, to achieve widespread distribution across different geographical regions. This sophisticated approach involves far jumps to different code segments and direct syscall invocation, particularly using NtRaiseHardError to display deceptive warning dialogs. Perhaps most notably, Lumma implements the “Heaven’s Gate” technique in its third stage, transitioning between 32-bit and 64-bit execution modes to execute system calls directly.
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 30 Jul 2025 11:45:16 +0000