Lumma Stealer, also known as LummaC2 Stealer, is an information stealer written in C that is sold under a Malware-as-a-Service (MaaS) model on Russian-speaking dark forums.
It was developed by threat actor ‘Shamel’, who uses the alias ‘Lumma’.
The stealer focuses on cryptocurrency wallets and two-factor authentication (2FA) browser extensions, and then steals information from the victim’s machine.
The stolen data is sent to a command and control (C2) server via HTTP POST requests, with the user agent labelled as “TeslaBrowser/5.5”.
Lumma Stealer also possesses a non-resident loader, allowing it to drop EXE, DLL and PowerShell payloads onto a victim’s device.
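
The HTTP POST traffic with the “TeslaBrowser/5.5” user agent described above can be hunted for in web proxy logs. The following is an added example, not part of the original write-up; the combined-log-format layout, the sample log lines and the function name `find_lumma_posts` are assumptions.

```python
import re
from collections import defaultdict

# User-Agent string the write-up attributes to Lumma Stealer's C2 POST traffic.
LUMMA_UA = "TeslaBrowser/5.5"

# Assumed log layout (combined log format, as written by many web proxies):
# client - user [time] "METHOD url PROTO" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)

def find_lumma_posts(lines):
    """Return {client: [(time, url), ...]} for POSTs carrying the Lumma UA."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess at fields
        # Exact match on the whole header value keeps false positives low;
        # the POST filter follows the write-up's description of the exfil channel.
        if m["method"] == "POST" and m["ua"].strip() == LUMMA_UA:
            hits[m["client"]].append((m["time"], m["url"]))
    return dict(hits)

# Constructed sample log lines (documentation-range IPs, placeholder hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "POST http://placeholder-c2.example/upload HTTP/1.1" 200 15 "-" "TeslaBrowser/5.5"',
    '192.0.2.10 - - [01/Jan/2024:10:00:02 +0000] "GET http://placeholder-c2.example/ HTTP/1.1" 200 90 "-" "TeslaBrowser/5.5"',
    '192.0.2.11 - - [01/Jan/2024:10:00:03 +0000] "POST http://intranet.example/form HTTP/1.1" 200 42 "-" "Mozilla/5.0"',
    '192.0.2.12 - - [01/Jan/2024:10:00:04 +0000] "POST http://placeholder-c2.example/upload HTTP/1.1" 200 15 "-" "TeslaBrowser/5.5"',
    '192.0.2.10 - - [01/Jan/2024:10:05:00 +0000] "POST http://placeholder-c2.example/upload HTTP/1.1" 200 15 "-" "TeslaBrowser/5.5"',
    'truncated or malformed line',
]

if __name__ == "__main__":
    for client, events in find_lumma_posts(SAMPLE_LOG).items():
        print(f"{client}: {len(events)} suspicious POST(s) -> {events}")
```

Each client returned is a host to triage for infection; because a user agent string is trivially changed by the malware operator, a clean result does not rule out compromise.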