Microsoft Leads Global Effort to Dismantle LummaC2 Malware

Microsoft has spearheaded a major operation to dismantle the Lumma Stealer malware ecosystem in collaboration with global law enforcement and cybersecurity partners. Originally surfacing in 2022, LummaC2 operates as a Malware-as-a-Service (MaaS) tool, popular for its stealthy data theft capabilities. Developed by a Russian figure known as “Shamel,” LummaC2 gained traction because of its sophisticated techniques and affordable pricing for less experienced cybercriminals, supported by comprehensive guidance on platforms like Gitbook. The joint effort led to the seizure of over 2,300 domains, cutting off Lumma’s command-and-control functionality and marking a triumph for public-private cooperation against cyber threats.

LummaC2’s emergence on Russian-speaking forums attracted attention quickly, with 400 active customers reported by 2024. By mid-2025, over 21,000 LummaC2 log listings had appeared in dark web marketplaces. In early 2025, a significant campaign was detected in which LummaC2 was delivered through sophisticated phishing emails impersonating Booking.com, illustrating the malware’s adaptability. Microsoft’s legal action on May 13, supported by international enforcement bodies such as Europol and the U.S. Department of Justice, played a crucial role in disrupting LummaC2 operations. The FBI and CISA later released an advisory detailing LummaC2’s technical operations and highlighting its severe data exfiltration capabilities, signaling the malware’s reach and impact within the cybercriminal environment.
