#Lumma
LummaC2 infostealer-as-a-service - browser credentials, crypto wallets, autofill data, MFA seeds
IOCs by window
- 0 IOCs tagged #Lumma (each of the three shorter windows)
- 1,170 IOCs tagged #Lumma (year aggregate)
Counts as of 2026-04-29. Regenerated daily.
About #Lumma
- Type: infostealer-as-a-service marketed since 2022 on Russian-language criminal forums. Targets browser-stored credentials, cookies, crypto-wallet files (Metamask, Trust Wallet, Ledger Live), browser extensions, autofill data, FTP / SSH keys, and MFA-seed extensions.
- Abuse pattern: monthly subscription pricing has made Lumma one of the highest-volume stealer families since 2024. Distributed via SEO-poisoned cracked software downloads, ClickFix-style fake-CAPTCHA loaders, and YouTube-comment-driven loaders.
- Detection signals: browser DPAPI and SQLite read patterns from non-browser processes, panel URLs on rotating short-lived domains, and AES-encrypted exfiltration over HTTPS POST. Coordinated takedowns by Microsoft with EU and US law enforcement repeatedly disrupt the panel infrastructure.
- References: MITRE ATT&CK S1138 · Malpedia.
Recent IOCs tagged #Lumma
No IOCs tagged #Lumma in the past 30 days. Year aggregate: 1,170. For longer-window data, query api.tweetfeed.live/v1/year/lumma.
Frequently asked questions
What is Lumma stealer?
Lumma (LummaC2) is an infostealer-as-a-service marketed since 2022 on Russian-language criminal forums. It targets browser credentials, cookies, crypto-wallet files, browser extensions, autofill data, FTP / SSH keys and MFA-seed extensions, and exfiltrates them to operator panels. Monthly subscription pricing made it one of the highest-volume stealer families from 2024 onward. MITRE ATT&CK tracks it as S1138.
How is Lumma typically delivered?
SEO-poisoned cracked-software downloads and ClickFix-style fake-CAPTCHA pages are the most common delivery vectors. Operators buy ad placements that rank for popular pirated-software queries, then serve a loader that drops Lumma. YouTube-comment-driven loaders pointing at Pastebin scripts are also frequent.
How is this list updated?
Every 15 minutes. The TweetFeed pipeline scrapes RSS feeds from public Twitter/X security researcher accounts and lists, extracts IOCs, tags them with the relevant malware family or threat actor, and republishes the result in CSV, JSON and RSS. Lumma-tagged IOCs are surfaced on this page within the next 15-minute tick. The page itself is regenerated daily by a GitHub Action.
What is the license? Can I use this commercially?
All TweetFeed IOC data, including this Lumma subset, is released under CC0 1.0 Universal (Public Domain Dedication). No attribution required, no warranty. Commercial use is allowed. The TweetFeed website code and branding are not covered by CC0.
License
Lumma IOC data: CC0 1.0 Public Domain. No attribution required, no warranty. Source code for the pipeline: github.com/0xDanielLopez/TweetFeed (MIT).