Microsoft and Partners Strike Blow Against Lumma Stealer Malware

James Ding
May 22, 2025 09:04

Microsoft leads a global coalition to disrupt Lumma Stealer, a prominent malware tool used for cybercrime. Legal action and domain seizures mark a significant step in cybersecurity efforts.

In a concerted effort to combat cybercrime, Microsoft, in collaboration with international partners, has taken decisive action against Lumma Stealer, a notorious malware tool used by cybercriminals globally. According to Microsoft, the Digital Crimes Unit (DCU) filed legal action on May 13, 2025, to disrupt Lumma Stealer, which has been instrumental in data theft and cybercrime.

Seizing Malicious Domains

With a court order from the United States District Court of the Northern District of Georgia, Microsoft’s DCU successfully seized and blocked approximately 2,300 domains linked to Lumma’s operations. The Department of Justice (DOJ) further supported these efforts by dismantling the central command structure of Lumma, while Europol and Japan’s Cybercrime Control Center (JC3) played crucial roles in suspending local infrastructures.

Impact of the Operation

Between March and May 2025, over 394,000 Windows computers were identified as infected by Lumma malware. Microsoft’s coordinated action with law enforcement and industry partners has severed communication between the malware and its victims, redirecting seized domains to Microsoft sinkholes to gather intelligence and enhance security measures.

Understanding Lumma Stealer

Lumma Stealer, a Malware-as-a-Service (MaaS), has been marketed in underground forums since 2022. It is known for stealing sensitive information including passwords and cryptocurrency wallets. The malware is distributed through spear-phishing emails and malvertising, often impersonating trusted brands like Microsoft.

Global Cybersecurity Collaboration

This operation underscores the importance of global collaboration in cybersecurity. Microsoft worked alongside companies such as ESET, Bitsight, Lumen, Cloudflare, CleanDNS, and GMO Registry, which contributed to the swift takedown of Lumma’s infrastructure.

The operation against Lumma Stealer highlights the ongoing need for vigilance and innovation in cybersecurity practices. Microsoft and its partners continue to explore new methods to counteract cyber threats, ensuring the protection of critical infrastructure and online users worldwide.

Image source: Shutterstock