Unveiling the Lumma Password Stealer Attack: Infection Chain and Escalation Tactics Exposed
Lumma, a sophisticated C++-based information stealer, has surged in prevalence in recent years, posing significant risks to individuals and organizations alike by exfiltrating sensitive data such as browser credentials, cryptocurrency wallets, and personal files.
Developed since December 2022 and distributed as Malware-as-a-Service (MaaS) via Telegram channels with tiered subscriptions, Lumma relies on initial access brokers (IABs) who exploit leaked credentials or phishing campaigns to facilitate breaches.
According to ENISA, IABs form a critical link in modern attack chains, often chaining with ransomware operations.

Threat Landscape
In 2025 the US Department of Justice, Europol, and Japan's Cybercrime Center carried out a major disruption that seized Lumma's infrastructure; Microsoft Threat Intelligence identified over 394,000 infected Windows devices between March and May 2025. Despite this, the malware persists, adapting its tactics to evade detection.
Its fully undetectable (FUD) status is maintained through mandatory packing, ensuring the ...
Copyright of this story solely belongs to gbhackers.