#Lumma

LummaC2 infostealer-as-a-service - browser credentials, crypto wallets, autofill data, MFA seeds

Subscribe (RSS)



IOCs by window

Window   IOCs tagged #Lumma
Today    0
Week     0
Month    26
Year     1,007

Counts as of 2026-05-20. Regenerated daily.

About #Lumma

  • Type: infostealer sold as a service (malware-as-a-service), marketed since 2022 on Russian-language criminal forums. Targets browser-stored credentials, cookies, crypto-wallet files and wallet extensions (MetaMask, Trust Wallet, Ledger Live), other browser extensions, autofill data, FTP / SSH client credentials, and 2FA / MFA-seed browser extensions.
  • Abuse pattern: cheap monthly subscription pricing has made Lumma one of the highest-volume stealer families since 2024. Distributed via SEO-poisoned and ad-placed "cracked software" downloads, ClickFix-style fake-CAPTCHA pages that talk the victim into pasting a command, and loaders advertised in YouTube comments.
  • Detection signals: non-browser processes reading browser credential stores (the DPAPI-protected master key in Local State together with the Login Data / Cookies / Web Data SQLite files), panel C2 on rotating short-lived domains, and encrypted exfil over HTTP(S) POST to the panel. Microsoft, together with US and European law enforcement, ran a coordinated takedown of the panel infrastructure in May 2025; such actions disrupt the service but have not ended it.
  • References: MITRE ATT&CK (Lumma Stealer software entry) · Malpedia.
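The first detection signal above, turned into a scoring rule. This is an added example, not TweetFeed's code and not derived from any Lumma sample: it runs over constructed file-access events in a simplified EDR-style schema (assumed keys ts, pid, image, path, op) and flags processes outside a browser allowlist that read Chromium or Firefox credential stores, weighting the case where the same process reads both the master-key file and a password or cookie store.

```python
"""Added example (not TweetFeed's or Lumma's code): score file-access telemetry
for the "non-browser process reads browser credential stores" signal.

Assumptions: events are dicts with keys ts, pid, image, path, op (a simplified
EDR file-event schema chosen for this example); paths are Windows paths.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe",
                  "vivaldi.exe", "firefox.exe"}

# Stores a Chromium/Firefox stealer has to read: the SQLite credential, cookie
# and autofill databases plus the DPAPI-wrapped AES master key in "Local State"
# (Firefox keeps its key material in key4.db next to logins.json).
CRED_STORE_NAMES = {"login data", "cookies", "web data", "local state",
                    "logins.json", "key4.db", "cookies.sqlite"}
MASTER_KEY_NAMES = {"local state", "key4.db"}

# Profile-directory markers so an unrelated file named "Cookies" is ignored.
PROFILE_MARKERS = ("\\user data\\", "\\mozilla\\firefox\\profiles\\")

STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\programdata\\")
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "powershell.exe",
           "wscript.exe", "cscript.exe", "msbuild.exe", "installutil.exe"}


def is_cred_store(path: str) -> bool:
    """True if path points at a browser credential store inside a profile dir."""
    p = path.lower()
    return (PureWindowsPath(p).name in CRED_STORE_NAMES
            and any(m in p for m in PROFILE_MARKERS))


def detect(events):
    """Group suspicious reads per (pid, image) and return scored alerts.

    Score: 50 for any non-browser read of a credential store, +20 if the image
    runs from a staging directory, +20 if it is a LOLBin, +30 if the same
    process also read the master-key file (decrypt intent, not just a copy).
    """
    hits = defaultdict(list)
    for ev in events:
        if ev["op"] not in ("read", "open", "copy"):
            continue
        if not is_cred_store(ev["path"]):
            continue
        image = ev["image"].lower()
        if PureWindowsPath(image).name in BROWSER_IMAGES:
            continue
        hits[(ev["pid"], image)].append(PureWindowsPath(ev["path"].lower()).name)

    alerts = []
    for (pid, image), names in hits.items():
        score = 50
        reasons = [f"{len(names)} credential-store read(s): {sorted(set(names))}"]
        if any(d in image for d in STAGING_DIRS):
            score += 20
            reasons.append("image runs from a staging directory")
        if PureWindowsPath(image).name in LOLBINS:
            score += 20
            reasons.append("LOLBin host process")
        if MASTER_KEY_NAMES & set(names) and (set(names) - MASTER_KEY_NAMES):
            score += 30
            reasons.append("master key and password/cookie store read together")
        alerts.append({"pid": pid, "image": image, "score": score, "reasons": reasons})
    return sorted(alerts, key=lambda a: -a["score"])


# Constructed sample telemetry for this example, not real logs.
APPDATA = "C:\\Users\\alice\\AppData"
SAMPLE_EVENTS = [
    {"ts": "2026-05-06T11:20:01", "pid": 4120, "op": "read",          # benign: browser reads its own store
     "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "path": APPDATA + "\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    {"ts": "2026-05-06T11:26:03", "pid": 7788, "op": "read",          # suspicious: dropper in Temp
     "image": APPDATA + "\\Local\\Temp\\setup_x64.exe",
     "path": APPDATA + "\\Local\\Google\\Chrome\\User Data\\Local State"},
    {"ts": "2026-05-06T11:26:03", "pid": 7788, "op": "read",
     "image": APPDATA + "\\Local\\Temp\\setup_x64.exe",
     "path": APPDATA + "\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    {"ts": "2026-05-06T11:26:04", "pid": 7788, "op": "read",
     "image": APPDATA + "\\Local\\Temp\\setup_x64.exe",
     "path": APPDATA + "\\Local\\Microsoft\\Edge\\User Data\\Default\\Network\\Cookies"},
    {"ts": "2026-05-06T11:26:04", "pid": 7788, "op": "read",
     "image": APPDATA + "\\Local\\Temp\\setup_x64.exe",
     "path": APPDATA + "\\Roaming\\Mozilla\\Firefox\\Profiles\\x1.default-release\\logins.json"},
    {"ts": "2026-05-06T11:30:00", "pid": 912, "op": "read",           # ignored: "Cookies" outside a profile
     "image": "C:\\Windows\\explorer.exe",
     "path": "C:\\Users\\alice\\Documents\\recipes\\Cookies"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["score"], a["image"], "|", "; ".join(a["reasons"]))
```

Caveat for current Chrome builds: since App-Bound Encryption (Chrome 127) the cookie key is no longer recoverable from Local State alone, so stealers increasingly inject into or spawn the browser itself; the allowlist above should therefore be paired with process-injection and browser-child-process telemetry rather than used on its own.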

Recent IOCs tagged #Lumma

Latest 10 IOCs from the past 30 days. Live JSON: api.tweetfeed.live/v1/month/lumma.

Date Type Value Source
May 06, 11:26 domain boletukk.cyou @FABO97662188
May 06, 11:26 url http://boletukk.cyou @FABO97662188
May 06, 11:26 domain trotskxt.cyou @FABO97662188
May 06, 11:26 url http://trotskxt.cyou @FABO97662188
May 06, 11:26 domain brechfo.cyou @FABO97662188
May 06, 11:26 url http://brechfo.cyou @FABO97662188
May 06, 11:26 domain cucumb.cyou @FABO97662188
May 06, 11:26 url http://cucumb.cyou @FABO97662188
May 06, 11:26 domain crapuhn.cyou @FABO97662188
May 06, 11:26 url http://crapuhn.cyou @FABO97662188
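A consumer for the month feed referenced above, as an added example that is not part of TweetFeed. It builds a deduplicated blocklist: URLs are collapsed to their host, IPs and hashes are validated, and because Lumma panel domains are short-lived, entries older than max_age_days are dropped rather than accumulated. The record shape (a list of objects with date, user, type, value, tags) is an assumption about the v1 JSON endpoint; the sample below embeds the ten page entries plus a few constructed extras so it runs offline, and fetch() is the live equivalent.

```python
"""Added example, not part of TweetFeed: build a deduplicated blocklist from the
Lumma month feed. Record shape {date, user, type, value, tags} is assumed.
"""
import ipaddress
import json
from datetime import datetime, timedelta
from urllib.parse import urlsplit
from urllib.request import urlopen

FEED_URL = "https://api.tweetfeed.live/v1/month/lumma"
HASH_TYPES = {"md5": 32, "sha1": 40, "sha256": 64}
HEX = set("0123456789abcdef")


def fetch(url=FEED_URL):
    """Live fetch; not exercised by the offline sample below."""
    with urlopen(url, timeout=20) as resp:
        return json.load(resp)


def _is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def build_blocklist(records, now, max_age_days=14):
    """Return {"domain", "ip", "hash"} sets plus a "skipped" audit list."""
    bl = {"domain": set(), "ip": set(), "hash": set(), "skipped": []}
    for rec in records:
        try:
            seen_at = datetime.strptime(rec["date"], "%Y-%m-%d %H:%M:%S")
            kind, value = rec["type"].lower(), rec["value"].strip()
        except (KeyError, ValueError, AttributeError):
            bl["skipped"].append(("malformed", rec))
            continue
        if now - seen_at > timedelta(days=max_age_days):
            bl["skipped"].append(("stale", value))
            continue
        if kind == "url":
            # Panel URLs rotate paths; the host is the durable blocking unit.
            host = urlsplit(value if "://" in value else "http://" + value).hostname
            if not host:
                bl["skipped"].append(("unparsable", value))
                continue
            kind, value = ("ip" if _is_ip(host) else "domain"), host
        if kind == "domain":
            bl["domain"].add(value.lower().rstrip("."))
        elif kind == "ip" and _is_ip(value):
            bl["ip"].add(value)
        elif kind in HASH_TYPES and len(value) == HASH_TYPES[kind] and set(value.lower()) <= HEX:
            bl["hash"].add(value.lower())
        else:
            bl["skipped"].append(("invalid", value))
    return bl


def render_hosts(bl):
    """Sinkhole (hosts-file) format, one line per domain, sorted."""
    return "\n".join(f"0.0.0.0 {d}" for d in sorted(bl["domain"]))


# The ten IOCs listed on this page, plus constructed extras (not from the feed).
PAGE_DOMAINS = ["boletukk.cyou", "trotskxt.cyou", "brechfo.cyou", "cucumb.cyou", "crapuhn.cyou"]
SAMPLE = []
for d in PAGE_DOMAINS:
    for kind, v in (("domain", d), ("url", "http://" + d)):
        SAMPLE.append({"date": "2026-05-06 11:26:00", "user": "@FABO97662188",
                       "type": kind, "value": v, "tags": ["#Lumma"]})
SAMPLE += [  # constructed: duplicate host with a path, an IP, a hash, a stale and a broken record
    {"date": "2026-05-06 11:26:00", "user": "@example", "type": "url",
     "value": "http://crapuhn.cyou/api", "tags": ["#Lumma"]},
    {"date": "2026-05-07 08:00:00", "user": "@example", "type": "ip",
     "value": "203.0.113.10", "tags": ["#Lumma"]},
    {"date": "2026-05-07 08:00:00", "user": "@example", "type": "sha256",
     "value": "ab" * 32, "tags": ["#Lumma"]},
    {"date": "2026-04-02 09:15:00", "user": "@example", "type": "domain",
     "value": "stale-example.cyou", "tags": ["#Lumma"]},
    {"date": "not a date", "user": "@example", "type": "domain",
     "value": "bad.cyou", "tags": []},
]

if __name__ == "__main__":
    bl = build_blocklist(SAMPLE, now=datetime(2026, 5, 20))
    print(render_hosts(bl))
    print("ips:", sorted(bl["ip"]), "hashes:", sorted(bl["hash"]))
    print("skipped:", bl["skipped"])
```

Swap `SAMPLE` for `fetch()` and `datetime.now()` to run against the live endpoint; keep the skipped list in your pipeline logs, since a sudden rise in malformed or stale records is the first sign that the upstream format changed.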

Related tags

Tags that frequently co-occur with #Lumma.

See all tags on the Dashboard or browse the full IOC feed.

Frequently asked questions

What is Lumma stealer?

Lumma (LummaC2) is an infostealer sold as a service since 2022 on Russian-language criminal forums. It targets browser credentials, cookies, crypto-wallet files, browser extensions, autofill data, FTP / SSH client credentials and 2FA / MFA-seed extensions, and exfiltrates them to operator-run panels. Cheap monthly subscription pricing made it one of the highest-volume stealer families from 2024 onward. MITRE ATT&CK tracks it under its Lumma Stealer software entry.

How is Lumma typically delivered?

SEO-poisoned cracked-software downloads and ClickFix-style fake-CAPTCHA pages are the most common delivery vectors. Operators buy ad placements or poison search results for popular pirated-software queries, then serve a loader that drops Lumma. Loaders advertised in YouTube comments, often pointing at Pastebin-hosted scripts, are also frequent.

How is this list updated?

Every 15 minutes. The TweetFeed pipeline scrapes RSS feeds from public Twitter/X security-researcher accounts and lists, extracts IOCs, tags them with the relevant malware family or threat actor, and republishes the result as CSV, JSON and RSS. Lumma-tagged IOCs appear in those feeds within the next 15-minute tick; this page and its counts are regenerated once a day by a GitHub Action.
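The extract-and-tag step described above, as an added example that is not the TweetFeed pipeline's own code. It refangs the usual defanging conventions (hxxp, [.], [:], (.)), pulls hashes, URLs, IPs and bare domains out of a tweet, emits both a url and a domain record for each URL as the feed does, drops file names that look like domains, and tags every IOC with the family named by the tweet's hashtags. The alias table and the tweet text are constructed for this example.

```python
"""Added example (not the TweetFeed pipeline's code): extract, refang and tag
IOCs from tweet text. FAMILY_ALIASES and SAMPLE_TWEET are assumptions."""
import ipaddress
import re
from urllib.parse import urlsplit

# Hashtag spellings that map onto one feed tag (assumed alias table).
FAMILY_ALIASES = {"lumma": "#Lumma", "lummac2": "#Lumma", "lummastealer": "#Lumma"}
FILE_EXT = {"exe", "dll", "zip", "rar", "js", "py", "txt", "doc", "pdf", "ps1"}

URL_RE = re.compile(r"https?://[^\s<>\"'()]+", re.I)
HASH_RE = re.compile(r"\b[0-9a-f]{64}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{32}\b", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}\b", re.I)
TRAIL = ".,;:!?"


def refang(text):
    """Undo common defanging: hxxp(s)://, hxxp[:]//, [.], [:], (.), {.}."""
    text = re.sub(r"\bhxxp(s?)(?:\[:\]|:)//", r"http\1://", text, flags=re.I)
    text = re.sub(r"\[(\.|:)\]", r"\1", text)
    text = re.sub(r"[({](\.)[)}]", ".", text)
    return text


def tags_for(text):
    tags = set()
    for h in re.findall(r"#(\w+)", text):
        fam = FAMILY_ALIASES.get(h.lower())
        if fam:
            tags.add(fam)
    return sorted(tags)


def extract(text):
    """Return IOC records {type, value, tags} in order: hashes, urls, ips, domains."""
    t = refang(text)
    tags = tags_for(t)
    found, seen = [], set()

    def add(kind, value):
        if (kind, value) not in seen:
            seen.add((kind, value))
            found.append({"type": kind, "value": value, "tags": tags})

    for h in HASH_RE.findall(t):
        add({32: "md5", 40: "sha1", 64: "sha256"}[len(h)], h.lower())

    covered = []  # spans already consumed by a URL, so bare-domain/IP passes skip them
    for m in URL_RE.finditer(t):
        url = m.group().rstrip(TRAIL)
        covered.append((m.start(), m.start() + len(url)))
        host = urlsplit(url).hostname
        if not host:
            continue
        add("url", url)
        try:
            ipaddress.ip_address(host)
            add("ip", host)
        except ValueError:
            add("domain", host.lower())

    def inside(m):
        return any(a <= m.start() and m.end() <= b for a, b in covered)

    for m in IP_RE.finditer(t):
        if inside(m):
            continue
        try:
            ipaddress.ip_address(m.group())
            add("ip", m.group())
        except ValueError:
            pass  # e.g. 999.1.1.1, a version string, not an address

    for m in DOMAIN_RE.finditer(t):
        if inside(m):
            continue
        d = m.group().lower()
        if d.rsplit(".", 1)[-1] in FILE_EXT:
            continue  # "update-tool.exe" is a file name, not a domain
        add("domain", d)
    return found


# Constructed tweet for this example; the domains are the ones listed on this page.
SAMPLE_TWEET = (
    "#Lumma C2 spotted today: hxxp://boletukk[.]cyou/api/, hxxps://trotskxt[.]cyou "
    "and brechfo[.]cyou. Loader hosted on 203[.]0[.]113[.]10, payload update-tool.exe "
    "sha256 " + "ab" * 32 + " #LummaC2 #infostealer"
)

if __name__ == "__main__":
    for ioc in extract(SAMPLE_TWEET):
        print(ioc["type"], ioc["value"], " ".join(ioc["tags"]))
```

Tagging from hashtags alone is only as good as the researcher's labelling; the live pipeline additionally needs an allowlist of the poster's own links (profile, report, sandbox URLs) or those will be emitted as IOCs too.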

What is the license? Can I use this commercially?

All TweetFeed IOC data, including this Lumma subset, is released under CC0 1.0 Universal (Public Domain Dedication). No attribution required, no warranty. Commercial use is allowed. The TweetFeed website code and branding are not covered by CC0.

License

Lumma IOC data: CC0 1.0 Public Domain. No attribution required, no warranty. Source code for the pipeline: github.com/0xDanielLopez/TweetFeed (MIT).