A coordinated international effort involving Microsoft, the U.S. Justice Department, Europol, and Japan’s Cybercrime Control Center has led to the dismantling of a significant malware known as Lumma Stealer.
This malware has been linked to a recent surge in sophisticated phishing scams that have targeted various industries, most notably the hospitality sector.
In one instance, criminals posed as prospective guests by emailing a hotel to ask about comments allegedly made on Booking.com, while others impersonated the booking site itself and asked the hotel to review negative guest feedback.
These seemingly benign messages were actually phishing attempts designed to trick recipients into downloading malicious software that could compromise their financial information and credentials.
According to statements released by Microsoft and federal court documents unsealed in Atlanta, Lumma Stealer has been attributed to numerous cybercriminal activities since its inception in 2022.
Steven Masada, the assistant general counsel and director of Microsoft’s Digital Crimes Unit, described Lumma as one of the most notorious info-stealers available.
The malware is sold on the dark web and is primarily used to steal sensitive information such as passwords, credit card numbers, bank account details, and cryptocurrency wallets, enabling cybercriminal groups to execute attacks across various sectors like transportation, finance, and healthcare.
Lumma is indicative of the growing cybercrime-as-a-service industry, which allows different criminal entities to access sophisticated tools for malicious purposes based on subscription models.
In 2024 alone, Lumma is reported to have infected approximately 1.8 million devices globally; in Georgia, at least 532 computers were identified as victims.
Booking.com, which has a notable presence in Atlanta, was among the high-profile targets of Lumma, prompting Microsoft to file a civil suit in federal court on May 13 due to the malware’s extensive impact.
By mid-2024, Microsoft and its partners identified over 394,000 infected computers worldwide, intensifying efforts to understand and counteract Lumma’s operations.
In a definitive move, the U.S. Justice Department implemented measures to disrupt Lumma’s marketplace, while Europol and Japan’s Cybercrime Control Center took steps to suspend the malware’s infrastructure within their territories.
Last week, a federal court permitted Microsoft to take control of around 2,300 domains associated with Lumma as part of a sweeping attempt to dismantle its network.
This action involves redirecting the captured domains to a cloud environment monitored by Microsoft, which aims to develop intelligence on the malware and identify additional infected devices.
Despite the progress made in combating Lumma, the identities of its operators remain elusive. Current intelligence points to a principal developer from Russia who operates under the alias “Shamel,” though details about other collaborators are scarce.
A temporary restraining order has been obtained against ten unidentified entities linked to Lumma, including the primary developer and various other clients of the malware, as efforts continue to trace those responsible.
Masada warns that while significant strides have been made to disrupt Lumma’s operations, the developers behind the malware are likely to adapt and rebuild their infrastructure.
To counter this, Microsoft is aiming to gain a court-appointed monitor that would expedite the process of seizing any newly created domains linked to malicious activities in the future, reflecting an ongoing commitment to stymieing cyber threats.
As the landscape of cybercrime evolves, the collaborative efforts of tech companies and law enforcement agencies signify a necessary defense against increasingly sophisticated online threats.
Image source: https://www.ajc.com/news/2025/05/how-a-global-malware-operation-was-taken-down-from-a-federal-court-in-georgia/