The activity of the Lumma Stealer information stealer has decreased over the past couple of months after the identities of five alleged core group members were exposed.
Offered on underground forums as malware-as-a-service (MaaS) since at least August 2022, Lumma Stealer (also known as LummaC2 Stealer or LummaC2) has been one of the most prominent information stealers this year.
The malware was targeted by a law enforcement operation in May this year, but resumed activity two months later, on rebuilt infrastructure.
From June to September, the threat actors behind Lumma Stealer were highly active, but that changed last month, when Trend Micro noticed a sharp decline in command-and-control (C&C) infrastructure activity associated with the MaaS.
The drop, the cybersecurity firm notes, coincides with an underground doxxing campaign targeting the Lumma Stealer group, which is also tracked as Water Kurita and Storm-2477.
“Allegedly driven by competitors, this campaign has unveiled personal and operational details of several supposed core members, leading to significant changes in Lummastealer’s infrastructure and communications,” Trend Micro notes.
As part of the doxxing campaign, the alleged group members’ personal information, social media profiles, financial information, and passwords were published on a website named ‘Lumma Rats’.
Two of the five individuals appear to be the malware’s administrator and developer, while the remaining three have undisclosed roles in the operation.
“The disclosures included highly sensitive details such as passport numbers, bank account information, email addresses, and links to various online profiles,” Trend Micro says.
According to the cybersecurity firm, someone with insider knowledge of the operation or access to compromised accounts or databases appears to be behind the doxxing campaign.
Following the disclosure, the group’s Telegram account was reportedly compromised, preventing the threat actors from communicating with their customers and leading to the sharp decline in the infostealer’s activity.
“It is important to note that the accuracy of the doxed information and the actual involvement of the named individuals have not been independently verified. The campaign may also be motivated by personal or competitive grudges, and attribution should be treated with caution,” Trend Micro notes.
Lumma Stealer’s sharp decline, however, resulted in cybercriminals seeking alternative solutions, with the Vidar and StealC information stealers emerging as the top replacement options. The transition also affected the pay-per-install (PPI) service Amadey, which was used for Lumma Stealer distribution.
The shift also encouraged other MaaS operators to aggressively market their services and might lead to “new, stealthier infostealer variants entering the market,” Trend Micro warns.