On May 21, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released a joint advisory warning organizations about the active use of LummaC2 malware in targeted attacks. This malware is being used to compromise organizations in critical infrastructure sectors, including manufacturing, energy, water, infrastructure and technology.
What is LummaC2 Malware?
LummaC2 is a Malware-as-a-Service (MaaS) platform first observed in late 2022. It was initially advertised on underground forums by a threat actor known as “Shamel.” Since then, it has become a popular infostealer among cybercriminals due to its ease of use, evasion techniques, and wide range of data theft capabilities.
LummaC2 is designed to collect:
- Saved browser credentials and cookies
- System and network information
- Cryptocurrency wallet data
- Authentication tokens (including 2FA)
- Sensitive documents and files
This data is then exfiltrated to remote command-and-control (C2) infrastructure, often without detection; the malware also removes its remnants so as not to leave a trace.
How LummaC2 Gains Access to Victim Environments
According to the CISA advisory, threat actors are distributing LummaC2 using several techniques:
- Phishing emails with malicious links or attachments (MITRE T1566.001 and T1566.002)
- Trojanized software installers hosted on compromised or spoofed websites
- Drive-by downloads through malvertising campaigns
- Fake CAPTCHA attacks known as ClickFix, which prompt users to paste an encoded PowerShell command into the Windows Run dialog box (MITRE T1059.001)
These tactics allow the malware to bypass traditional security filters and gain a foothold on user endpoints.
Advanced Capabilities of LummaC2 Malware
LummaC2 uses advanced techniques to avoid detection and maintain persistence:
- Fileless execution, allowing it to run in memory without writing files to disk
- Dynamic API resolution and direct system calls, bypassing endpoint monitoring
- String and configuration obfuscation, making analysis more difficult
- Anti-sandbox and anti-VM techniques, including human interaction detection and delayed execution
- Modular architecture, enabling plug-and-play features such as clipper malware or keylogging
These evasion techniques make LummaC2 difficult to detect with traditional antivirus or endpoint detection and response (EDR) tools.
How LummaC2 Exfiltrates Stolen Data
Once the malware collects data from the infected system, it exfiltrates it using HTTP POST requests to attacker-controlled C2 servers. If these servers are unreachable, LummaC2 can fall back to using public services such as:
- Telegram
- Dropbox
- Steam
This redundancy makes it more resilient and harder to contain.
Law Enforcement Disruption of LummaC2 Infrastructure
In May 2025, the U.S. Department of Justice, in coordination with Microsoft and international partners, seized five core LummaC2 domains and more than 2,300 related websites. While this action disrupted parts of the malware’s infrastructure, LummaC2 continues to evolve and remains active in the wild.
LummaC2 Techniques Mapped to MITRE ATT&CK
The following MITRE ATT&CK techniques have been observed in LummaC2 activity:
- Initial Access:
  - T1566.001 – Phishing: Malicious Attachment
  - T1566.002 – Phishing: Malicious Link
- Execution:
  - T1059.001 – PowerShell
  - T1218.011 – Rundll32
  - T1218.005 – Mshta
- Defense Evasion:
  - T1027 – Obfuscated Files or Information
  - T1112 – Modify Registry
  - T1055 – Process Injection
- Credential Access:
  - T1555 – Credentials from Password Stores
  - T1552.001 – Browser Credentials
- Collection and Exfiltration:
  - T1005 – Data from Local System
  - T1071.001 – Exfiltration via Web Protocols
How to Detect and Mitigate LummaC2 Infections
Detection Recommendations
Security teams should:
- Monitor for suspicious PowerShell activity, especially encoded commands run by users
- Detect unexpected use of mshta.exe or rundll32.exe
- Watch for outbound HTTP POST traffic to unknown or known-malicious IPs and domains
- Flag abnormal use of Telegram, Dropbox, or other unexpected data transfer services
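An added detection example, not from the CISA advisory or ArmorPoint, that applies the encoded-PowerShell and mshta/rundll32 checks above to constructed Sysmon-style process-creation events; the event field names, the parent-process list and the sample command lines are assumptions.

```python
import base64
import re
from pathlib import PureWindowsPath

# Parents from which mshta/rundll32 rarely launch legitimately (Office, browsers, script hosts).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "chrome.exe",
                      "msedge.exe", "firefox.exe", "wscript.exe", "cscript.exe"}
LOLBINS = {"mshta.exe", "rundll32.exe"}
# Matches -e, -ec, -en, -enc ... -EncodedCommand (but not -ExecutionPolicy) followed by base64.
ENC_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{8,})")

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (UTF-16LE), or None if absent or invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(event):
    """Return alert strings for one process-creation event (Sysmon Event ID 1 style)."""
    image = PureWindowsPath(event["Image"]).name.lower()
    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    alerts = []
    decoded = decode_encoded_command(event["CommandLine"])
    if image == "powershell.exe" and decoded is not None:
        # ClickFix: the user pastes the command into Win+R, so explorer.exe is the parent.
        tag = "clickfix-pattern" if parent == "explorer.exe" else "encoded-powershell"
        alerts.append(f"{tag}: {decoded}")
    if image in LOLBINS and parent in SUSPICIOUS_PARENTS:
        alerts.append(f"lolbin-from-{parent}: {image}")
    return alerts

# Constructed sample telemetry (not real logs); the encoded payload is a harmless placeholder.
PLACEHOLDER_CMD = "Write-Host 'constructed ClickFix placeholder'"
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -w hidden -enc "
                    + base64.b64encode(PLACEHOLDER_CMD.encode("utf-16le")).decode()},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "mshta.exe https://example.invalid/lure.hta"},
    {"Image": r"C:\Windows\System32\svchost.exe",   # benign control event
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": "svchost.exe -k netsvcs"},
]
```

Running `classify` over each event yields one alert for the explorer-spawned encoded PowerShell, one for mshta launched from Word, and none for the benign svchost event; the decoded payload is attached so an analyst can triage it without re-running it.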
Mitigation Strategies
To defend against LummaC2:
- Enable phishing-resistant multi-factor authentication (MFA)
- Limit or restrict PowerShell access to trusted users and signed scripts
- Remove local administrator privileges from end users
- Implement application allowlisting and restrict script execution policies
- Integrate LummaC2 indicators of compromise (IOCs) into your SIEM, firewall, and endpoint tools
- Conduct red team simulations and threat emulation exercises based on LummaC2 techniques
Key Takeaways for Security Professionals
LummaC2 is a rapidly evolving infostealer that poses a serious risk to enterprise and critical infrastructure organizations. It is stealthy, modular, and capable of bypassing common detection tools. Security teams should act now to incorporate LummaC2 detection logic into their threat hunting and incident response workflows.
Focus on the following priorities:
- Improve visibility into PowerShell and process behavior
- Educate end users about phishing and social engineering tactics
- Harden endpoints and enforce least privilege policies
- Regularly test defenses against known LummaC2 TTPs
How ArmorPoint Managed SOC Can Help Defend Against LummaC2
ArmorPoint’s Managed SOC services deliver 24/7 monitoring, detection, and response to help identify and stop threats like LummaC2 before damage is done. Our platform uses behavior-based analytics, real-time threat intelligence, and MITRE ATT&CK-aligned detections to flag activity such as encoded PowerShell commands, DLL sideloading, suspicious memory access, and more.
To stay ahead of LummaC2’s tactics, ArmorPoint also provides:
- Comprehensive endpoint visibility through the ArmorPoint agent, which includes critical features like Windows Process Monitor and behavioral runtime analysis. This ensures even legacy and development systems are monitored.
- Enhanced MFA enforcement to prevent account takeovers, especially in high-risk areas like VPNs, cloud portals, and email platforms.
- Stronger patch and vulnerability management, helping close security gaps that LummaC2 and similar threats often exploit.
Our SOC analysts investigate suspicious behavior in real time and provide fast, hands-on response to confirmed threats. With ArmorPoint, you can improve detection, reduce dwell time, and strengthen your defenses across the entire attack surface.
Ready to see how ArmorPoint can strengthen your defenses against LummaC2 and other advanced threats? Request a demo today.