Lumma C2 Stealer

Lumma C2 Stealer (also known as Lumma, LummaC2, LummaC Stealer) is a information stealer active since 2022. Rising MaaS stealer replacing RedLine. Key characteristics include: browser credentials, crypto wallets, 2FA tokens, Telegram C2, $250-1000/month, post-RedLine leader.

Overview & Background

Rising MaaS stealer replacing RedLine. First identified in 2022, this threat is attributed to eCrime (MaaS).

Threat Assessment

Lumma C2 Stealer remains an active threat. Organizations should implement detection rules and monitor for indicators associated with this information stealer.

Category: Information Stealer
Active since: 2022
Attribution: eCrime (MaaS)
Also known as: Lumma, LummaC2, LummaC Stealer

Technical Analysis

Lumma C2 Stealer employs the following capabilities and techniques:

Browser Credentials: Core functionality
Crypto Wallets: Core functionality
2Fa Tokens: Core functionality
Telegram C2: Core functionality
$250-1000/Month: Core functionality
Post-Redline Leader: Core functionality

MITRE ATT&CK Mapping

Tactic	Technique	Usage
Initial Access	T1566.001 Phishing Attachment	Common delivery vector
Execution	T1204.002 Malicious File	User-triggered execution
Persistence	T1547.001 Registry Run Keys	Autostart persistence
Defense Evasion	T1027 Obfuscated Files	Payload obfuscation
C2	T1071.001 Web Protocols	HTTP/HTTPS C2

Detection & Defense

Endpoint detection: Deploy behavioral detection rules for Lumma C2 Stealer indicators
Network monitoring: Monitor for C2 traffic patterns and anomalous connections
Threat intelligence: Track Lumma C2 Stealer IOCs and campaign updates
Security awareness: Train users to recognize phishing and social engineering
Patch management: Keep systems updated to prevent exploitation

Defend Against Lumma C2 Stealer

Mjolnir Security provides detection and response capabilities against Lumma C2 Stealer and similar threats.

Threat DetectionIncident ResponseThreat HuntingMDR ServicesThreat Intelligence

Proactive Threat Hunting Hunt for Lumma C2 Stealer indicators and TTPs within your environment.
Threat Intelligence Monitor Lumma C2 Stealer campaigns and infrastructure changes.
24/7 Incident Response Rapid containment and forensic investigation. Call +1 833 403 5875.

Written by: Mjolnir Security  |  Published: November 10, 2025

Overview & Background

Technical Analysis

MITRE ATT&CK Mapping

Detection & Defense

Defend Against Lumma C2 Stealer

RedLine Stealer: The Infostealer That Fueled a Cybercrime Empire

Cobalt Strike: Adversary's Arsenal