More than 394,000 Windows computers infected with data-stealing Lumma malware
In a new blog post, Microsoft has released some troubling malware numbers. The company warns that Lumma — a piece of information-stealing malware — has infected more than 394,000 Windows systems globally in just two months, from March 16, 2025 to May 16, 2025.
According to Microsoft, Lumma Stealer (also known as LummaC2) is a malware-as-a-service (MaaS) developed by the Storm-2477 hacker group. Hackers have used Lumma to steal sensitive data from applications such as browsers, cryptocurrency wallets, and many other sources.
The tech giant also explained how Lumma is distributed through malicious campaigns including:
- Phishing email
- Malvertising
- Drive-by downloads from compromised websites
- Fake apps containing malware
- Fake CAPTCHAs that fool users
For example, in the case of malvertising, Microsoft points out that fake ads such as 'Download Notepad++' or 'Update Chrome' are used to lure victims. To avoid this trap, users should download applications only from the developer's official website. However, the risk does not stop there. Even when downloading the browser from a safe source, Lumma can still infiltrate the system through other methods. After a successful infection, Lumma can steal data from both Chromium-based browsers (Chrome, Edge) as well as Gecko-based browsers (Firefox).
Microsoft details Lumma's malicious capabilities as follows:
- Browser and cookie information: extract saved passwords, session cookies, and autofill data from Chromium, Edge, and Firefox.
- Cryptocurrency wallets and extensions: search for wallet files, browser extensions, and local keys related to MetaMask, Electrum, and Exodus.
- Diverse applications: steal data from VPN clients (.ovpn), email applications, FTP clients, and Telegram.
- User documents: collect PDF, DOCX, and RTF files from personal folders.
- System information: collect data such as CPU, OS version, and installed applications to customize later attacks.
In the heat map below, Microsoft shows Lumma's wide reach, concentrated in Europe, the eastern United States, and parts of India:

There is some good news, though. Microsoft claims that Defender — its antivirus engine — was able to detect LummaC2 under the following detection names, which flag it either as a Trojan or by its suspicious behavior:
- Behavior:Win32/LuammaStealer
- Trojan:JS/LummaStealer
- Trojan:MSIL/LummaStealer
- Trojan:Win32/LummaStealer
- Trojan:Win64/LummaStealer
- TrojanDropper:Win32/LummaStealer
- Trojan:PowerShell/Powdow
- Trojan:Win64/Shaolaod
- Behavior:Win64/Shaolaod
- Behavior:Win32/MaleficAms
- Behavior:Win32/ClickFix
- Behavior:Win32/SuspClickFix
- Trojan:Win32/ClickFix
- Trojan:Script/ClickFix
- Behavior:Win32/RegRunMRU
- Trojan:HTML/FakeCaptcha
- Trojan:Script/SuspDown
Defender for Office 365 and Defender for Endpoint are also getting similar detection updates. You can see technical details about Lumma in the official posts from Microsoft.
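The detection names above are what an endpoint's Defender history will show if Lumma has been caught locally. The following PowerShell is an added example, not code from Microsoft's post: it checks that signatures are recent enough to carry the new detections, then searches the local Defender detection history for any of the names listed in the article (the list of names is the only input taken from the page; the rest is constructed here).

```powershell
# Added example: hunt the local Defender detection history for the Lumma-related
# detection names Microsoft lists. Run in an elevated PowerShell on the endpoint.
$lummaNames = @(
    'Behavior:Win32/LuammaStealer', 'Trojan:JS/LummaStealer',
    'Trojan:MSIL/LummaStealer', 'Trojan:Win32/LummaStealer',
    'Trojan:Win64/LummaStealer', 'TrojanDropper:Win32/LummaStealer',
    'Trojan:PowerShell/Powdow', 'Trojan:Win64/Shaolaod',
    'Behavior:Win64/Shaolaod', 'Behavior:Win32/MaleficAms',
    'Behavior:Win32/ClickFix', 'Behavior:Win32/SuspClickFix',
    'Trojan:Win32/ClickFix', 'Trojan:Script/ClickFix',
    'Behavior:Win32/RegRunMRU', 'Trojan:HTML/FakeCaptcha',
    'Trojan:Script/SuspDown'
)

# Stale signatures cannot carry these detections, so report signature age first.
$status = Get-MpComputerStatus
"Signature version {0}, last updated {1}" -f $status.AntivirusSignatureVersion,
                                             $status.AntivirusSignatureLastUpdated

# Get-MpThreatDetection records carry only a ThreatID; the human-readable name
# lives on Get-MpThreat, so build a lookup table and join on ThreatID.
$nameById = @{}
foreach ($t in Get-MpThreat) { $nameById[$t.ThreatID] = $t.ThreatName }

$hits = Get-MpThreatDetection | ForEach-Object {
    $name = $nameById[$_.ThreatID]
    if ($lummaNames -contains $name) {
        [pscustomobject]@{
            ThreatName = $name
            FirstSeen  = $_.InitialDetectionTime
            Process    = $_.ProcessName           # process that touched the artifact
            Resources  = ($_.Resources -join '; ') # files, registry keys, URLs involved
            Remediated = $_.ActionSuccess
        }
    }
}

if ($hits) { $hits | Sort-Object FirstSeen | Format-Table -AutoSize }
else       { "No Lumma-related detections found in local Defender history." }
```

Any hit, even a remediated one, means a user on that machine reached a Lumma delivery stage (fake CAPTCHA, malvertised installer, or similar), so treat saved browser credentials and session cookies on that host as exposed.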