S1213: Lumma Stealer
Lumma Stealer is an information stealer malware family in use since at least 2022. Lumma Stealer is a Malware as a Service (MaaS) where captured data has been sold in criminal markets to Initial Access Brokers.[1][2][3][4][5]
Analyst context for executives and security teams
Lumma Stealer matters because ATT&CK identifies it as a Windows information-stealer malware family, in use since at least 2022, delivered as Malware-as-a-Service, with captured data sold in criminal markets to Initial Access Brokers. For leaders, the practical risk is not only the initial infected workstation; it is the downstream exposure of browser data, web session cookies, screenshots, staged files, and exfiltrated information that may enable later unauthorized access.
Executive priority
Prioritize Lumma Stealer as an identity and incident-response readiness issue, not just an endpoint malware issue. The ATT&CK relationships emphasize user-driven execution, browser/session theft, local collection, C2 over web protocols, and exfiltration. Executives should ask whether the organization can rapidly identify affected Windows hosts, determine what browser/session data may have been exposed, invalidate relevant sessions, preserve evidence, and show auditors that endpoint, network, and identity response controls are operating.
Technical view
ATT&CK does not provide official detection text for S1213, so validation should be relationship-driven. On Windows, test whether SOC coverage can connect suspicious user execution or malicious files with PowerShell, Python, AutoHotKey/AutoIT, mshta, Electron abuse, process hollowing, obfuscated or encoded payloads, deobfuscation activity, browser information discovery, browser extension abuse, local data staging, screen capture, web-protocol C2, and exfiltration over that channel. IR playbooks should include host triage, browser artifact review, session-cookie risk assessment, network destination review, and identity containment decisions.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- PowerShell and script interpreter activity, including Python, AutoHotKey, and AutoIT where present
- File creation, file type mismatch, encoded/encrypted content, and local staging directories
- EDR memory/process behavior relevant to process hollowing
- mshta.exe and Electron application execution context
Detection direction
- Do not rely on a single malware signature; the supplied ATT&CK coverage points to behavior spanning execution, stealth, discovery, collection, credential access, C2, and exfiltration.
- Tune detections for suspicious combinations: user-opened files followed by script execution, obfuscated payload handling, browser data access, local staging, and outbound web traffic to unusual destinations.
- Review false positives carefully for administrative scripting, legitimate automation tools, Electron-based business applications, and normal browser extension activity.
- Validate visibility gaps around encrypted web traffic, unmanaged Windows endpoints, personal browser profiles, and endpoints where PowerShell or script logging is incomplete.
- Correlate endpoint alerts with identity actions because stolen session cookies may bypass normal password-focused response assumptions.
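The combination logic in the bullets above, as an added example that is not code from the ATT&CK page or from Glexia: it scores constructed Windows process-creation events (user shell spawning a script host, encoded PowerShell, mshta/IEX-style tokens) and raises a finding only when two or more categories line up on one host inside a short window, so a lone admin `-EncodedCommand` or a developer launching Python from Explorer is tuned out. The event schema, host names and sample events are constructed; the decoded command text is a harmless placeholder.

```python
"""Correlate Windows process-creation events into the user-execution chains
named in the detection direction above.  Added example; the event schema,
host names and sample events are constructed for illustration."""
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

USER_SHELLS = {"explorer.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "python.exe",
                "autoit3.exe", "autohotkey.exe"}
# -e / -enc / -EncodedCommand followed by a base64 blob
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{20,})")
SUSPICIOUS_TOKENS = ("mshta", "iex", "invoke-expression", "downloadstring",
                     "frombase64string")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE) or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(ev):
    """Return the reasons one event looks like part of the chain (empty list
    means nothing notable).  Each reason starts with its category name."""
    image, parent = ev["image"].lower(), ev["parent_image"].lower()
    reasons = []
    if image in SCRIPT_HOSTS and parent in USER_SHELLS:
        reasons.append("user-shell spawn: %s -> %s" % (parent, image))
    decoded = None
    if image in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_command(ev["cmdline"])
    if decoded is not None:
        reasons.append("encoded command: decoded %d chars" % len(decoded))
    # Inspect the visible command line (base64 blob removed so random letters
    # inside it cannot match) plus the decoded text, if any.
    visible = ENCODED_FLAG.sub(" ", ev["cmdline"]).lower()
    haystack = visible + " " + (decoded or "").lower()
    hits = [t for t in SUSPICIOUS_TOKENS if t in haystack]
    if hits:
        reasons.append("suspicious tokens: " + ", ".join(hits))
    return reasons


def correlate(events, window=timedelta(minutes=5)):
    """Return {host: finding}.  A finding needs at least two distinct reason
    categories on one host within `window`; a single category is noise."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        reasons = score_event(ev)
        if reasons:
            by_host[ev["host"]].append((ev["time"], ev["id"], reasons))
    findings = {}
    for host, scored in by_host.items():
        for i, (t0, _, _) in enumerate(scored):
            cluster = [s for s in scored[i:] if s[0] - t0 <= window]
            categories = {r.split(":")[0] for _, _, rs in cluster for r in rs}
            if len(categories) >= 2:
                findings[host] = {"events": [s[1] for s in cluster],
                                  "categories": sorted(categories)}
                break
    return findings


# Constructed sample telemetry (not real events).
T0 = datetime(2025, 3, 22, 10, 0, 0)
SAMPLE_PLAIN = "Invoke-Expression 'constructed sample'"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_PLAIN.encode("utf-16-le")).decode()
BENIGN_ENCODED = base64.b64encode("Get-Service".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"id": "e1", "host": "WS01", "time": T0, "parent_image": "explorer.exe",
     "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -EncodedCommand " + SAMPLE_ENCODED},
    {"id": "e2", "host": "WS02", "time": T0, "parent_image": "cmd.exe",
     "image": "powershell.exe", "cmdline": "powershell.exe -enc " + BENIGN_ENCODED},
    {"id": "e3", "host": "WS03", "time": T0 + timedelta(minutes=1),
     "parent_image": "explorer.exe", "image": "autoit3.exe",
     "cmdline": r"C:\Users\u\Downloads\AutoIt3.exe setup.a3x"},
    {"id": "e4", "host": "WS03", "time": T0 + timedelta(minutes=3),
     "parent_image": "autoit3.exe", "image": "powershell.exe",
     "cmdline": 'powershell.exe -c "iex $env:CONSTRUCTED_SAMPLE"'},
    {"id": "e5", "host": "WS04", "time": T0, "parent_image": "explorer.exe",
     "image": "python.exe", "cmdline": r"python.exe C:\dev\build.py"},
]

if __name__ == "__main__":
    for host, finding in correlate(SAMPLE_EVENTS).items():
        print(host, finding)
```

WS01 is flagged by a single event (Explorer parent plus encoded command plus a suspicious token in the decoded text), WS03 by two events joined across the window, while WS02 and WS04 each show only one category and stay quiet. Feed the same schema from your EDR export and widen `window` or the token list to match local baselines.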
Mitigation priorities
- Harden initial execution paths: restrict or monitor risky file execution, script interpreters, mshta, and unauthorized automation tools on Windows.
- Reduce browser-derived exposure by governing extensions, limiting unmanaged browser use for business access, and ensuring session revocation procedures are available during IR.
- Improve endpoint and network telemetry retention so responders can reconstruct local collection, staging, and outbound web communications.
- Prepare identity containment steps for suspected cookie or browser data theft, including session invalidation and review of authenticated web activity.
- Use user-awareness and software-source controls to reduce execution of deceptive or untrusted files, consistent with the ATT&CK relationships for user execution and supply-chain style delivery mechanisms.
Analyst notes and limits
The strongest decision value is in treating S1213 as a credential/session and data-exfiltration scenario. ATT&CK lists Windows as the platform for the malware object and provides many behavior relationships, but no object-level tactics or official detection guidance. Defensive validation should therefore be based on the related techniques and local evidence.
This take is limited to the supplied ATT&CK STIX fields, external references, and relationships. It does not assert current targeting, attribution, customer exposure, or guaranteed detection. Local environment baselines, tool capabilities, legal constraints around browser artifact collection, and available log retention will determine practical coverage.
Lumma Stealer
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1622 | Debugger Evasion | Lumma Stealer has checked for debugger strings by invoking `GetForegroundWindow` and looks for strings containing “x32dbg”, “x64dbg”, “windbg”, “ollydbg”, “dnspy”, “immunity debugger”, “hyperdbg”, “debug”, “debugger”, “cheat engine”, “cheatengine” and “ida”. (Citation: Fortinet LummaStealer 2024) |
| Enterprise | T1059.010 | AutoHotKey & AutoIT | Lumma Stealer has utilized AutoIt malware scripts and AutoIt executables. (Citation: Qualys LummaStealer 2024) (Citation: Cybereason LumaStealer Undated) |
| Enterprise | T1195 | Supply Chain Compromise | Lumma Stealer has been delivered through cracked software downloads. (Citation: Cybereason LumaStealer Undated) (Citation: Fortinet LummaStealer 2024) (Citation: TrendMicro LummaStealer 2025) |
| Enterprise | T1113 | Screen Capture | Lumma Stealer has taken screenshots of victim machines. (Citation: Cybereason LumaStealer Undated) |
| Enterprise | T1555.003 | Credentials from Web Browsers | Lumma Stealer has gathered credential and other information from multiple browsers. (Citation: Cybereason LumaStealer Undated) (Citation: Fortinet LummaStealer 2024) (Citation: TrendMicro LummaStealer 2025) |
| Enterprise | T1518.001 | Security Software Discovery | Lumma Stealer has detected antivirus processes using commands such as “tasklist” and “findstr”. (Citation: Qualys LummaStealer 2024) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Lumma Stealer has used Base64-encoded content during execution, decoded via PowerShell. (Citation: Netskope LummaStealer 2025) |
| Enterprise | T1055.012 | Process Hollowing | Lumma Stealer has used process hollowing leveraging a legitimate program such as “BitLockerToGo.exe” to inject a malicious payload. (Citation: Qualys LummaStealer 2024) |
| Enterprise | T1218.015 | Electron Applications | Lumma Stealer has leveraged Electron Applications to disable GPU sandboxing to avoid detection by security software. (Citation: TrendMicro LummaStealer 2025) |
| Enterprise | T1497.001 | System Checks | Lumma Stealer has queried system resources on the victim device to identify if it is executing in a sandbox or virtualized environment, checking usernames, conducting WMI queries for system details, checking for files commonly found in virtualized environments, searching system services, and inspecting process names. (Citation: Fortinet LummaStealer 2024) Lumma Stealer has checked system GPU configurations for sandbox detection. (Citation: TrendMicro LummaStealer 2025) |
| Enterprise | T1218.005 | Mshta | Lumma Stealer has used mshta.exe to execute additional content. (Citation: Qualys LummaStealer 2024) (Citation: Netskope LummaStealer 2025) |
| Enterprise | T1574.001 | DLL | Lumma Stealer has leveraged legitimate applications to then side-load malicious DLLs during execution. (Citation: Cybereason LumaStealer Undated) |
| Enterprise | T1685 | Disable or Modify Tools | Lumma Stealer has attempted to bypass Windows Antimalware Scan Interface (AMSI) by removing the string “AmsiScanBuffer” from the “clr.dll” module in memory to prevent it from being called. (Citation: Netskope LummaStealer 2025) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | Lumma Stealer has created registry keys to maintain persistence using `HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`. (Citation: Cybereason LumaStealer Undated) (Citation: Netskope LummaStealer 2025) |
| Enterprise | T1176.001 | Browser Extensions | Lumma Stealer has installed a malicious browser extension to target Google Chrome, Microsoft Edge, Opera and Brave browsers for the purpose of stealing data. (Citation: Cybereason LumaStealer Undated) |
| Enterprise | T1074.001 | Local Data Staging | Lumma Stealer has configured a custom user data directory such as a folder within `%USERPROFILE%\AppData\Roaming` for staging data. (Citation: TrendMicro LummaStealer 2025) |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Lumma Stealer has exfiltrated collected data over existing HTTP and HTTPS C2 channels. (Citation: Qualys LummaStealer 2024) (Citation: Fortinet LummaStealer 2024) |
| Enterprise | T1204 | User Execution | Lumma Stealer has been distributed through a fake CAPTCHA that presents instructions to the victim to open the Windows Run window (“Windows Button + R”), paste clipboard contents (“CTRL + V”) and press “Enter” to execute a Base64-encoded PowerShell command. (Citation: Qualys LummaStealer 2024) (Citation: Cybereason LumaStealer Undated) (Citation: Netskope LummaStealer 2025) |
| Enterprise | T1036.008 | Masquerade File Type | Lumma Stealer has used payloads that resemble benign file extensions such as .mp3, .accdb, and .pub, though the files contained malicious JavaScript content. (Citation: Netskope LummaStealer 2025) |
| Enterprise | T1027 | Obfuscated Files or Information | Lumma Stealer has used SmartAssembly to obfuscate .NET payloads. (Citation: Fortinet LummaStealer 2024) |
| Enterprise | T1059.001 | PowerShell | Lumma Stealer has used PowerShell for initial user execution and other functions. (Citation: Qualys LummaStealer 2024) (Citation: Cybereason LumaStealer Undated) (Citation: Netskope LummaStealer 2025) (Citation: Fortinet LummaStealer 2024) |
| Enterprise | T1119 | Automated Collection | Lumma Stealer has automated collection of various information including cryptocurrency wallet details. (Citation: Cybereason LumaStealer Undated) |
| Enterprise | T1620 | Reflective Code Loading | Lumma Stealer has used reflective loading techniques to load content into memory during execution. (Citation: Netskope LummaStealer 2025) (Citation: Fortinet LummaStealer 2024) |
| Enterprise | T1204.002 | Malicious File | Lumma Stealer has gained initial execution through victims opening malicious executable files embedded in zip archives, and MSI files within RAR files. (Citation: Cybereason LumaStealer Undated) |
| Enterprise | T1027.013 | Encrypted/Encoded File | Lumma Stealer has used AES-encrypted payloads contained within PowerShell scripts. (Citation: Qualys LummaStealer 2024) |
| Enterprise | T1553.002 | Code Signing | Lumma Stealer has used valid code signing digital certificates from ConsolHQ LTD and Verandah Green Limited to appear legitimate. (Citation: TrendMicro LummaStealer 2025) |
| Enterprise | T1217 | Browser Information Discovery | Lumma Stealer has identified and gathered information from two-factor authentication extensions for multiple browsers. (Citation: Cybereason LumaStealer Undated) |
| Enterprise | T1539 | Steal Web Session Cookie | Lumma Stealer has harvested cookies from various browsers. (Citation: Cybereason LumaStealer Undated) (Citation: Fortinet LummaStealer 2024) (Citation: TrendMicro LummaStealer 2025) |
| Enterprise | T1573.002 | Asymmetric Cryptography | Lumma Stealer has used HTTPS for command and control purposes. (Citation: Fortinet LummaStealer 2024) |
| Enterprise | T1071.001 | Web Protocols | Lumma Stealer has used HTTP and HTTPS for command and control communication. (Citation: Qualys LummaStealer 2024) (Citation: Fortinet LummaStealer 2024) |
| Enterprise | T1566.001 | Spearphishing Attachment | Lumma Stealer has been delivered through phishing emails with malicious attachments. (Citation: Cybereason LumaStealer Undated) |
| Enterprise | T1059.006 | Python | Lumma Stealer has used malicious Python scripts to execute payloads. (Citation: Cybereason LumaStealer Undated) |
| Enterprise | T1564.003 | Hidden Window | Lumma Stealer has utilized the .NET `ProcessStartInfo` class to prevent the process from creating a visible window by setting the `CreateNoWindow` property to “True”, which allows the executed command or script to run without displaying a command prompt window. (Citation: Fortinet LummaStealer 2024) |
| Enterprise | T1566.002 | Spearphishing Link | Lumma Stealer has been delivered through phishing emails containing malicious links. (Citation: Cybereason LumaStealer Undated) |
| Enterprise | T1082 | System Information Discovery | Lumma Stealer has gathered various system information from victim machines. (Citation: Cybereason LumaStealer Undated) (Citation: Fortinet LummaStealer 2024) (Citation: TrendMicro LummaStealer 2025) |
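The T1036.008 row above describes payloads carrying .mp3, .accdb and .pub extensions while holding script text. A triage check for that mismatch, as an added example that is not code from the ATT&CK page or from Glexia: it compares a file's leading bytes with what the extension should start with and separately flags text that looks like JavaScript. The signature table covers only a handful of extensions and the sample files are constructed in memory.

```python
"""Flag files whose extension does not agree with their leading bytes
(ATT&CK T1036.008).  Added example; the signature table is partial and the
sample files are constructed for illustration."""
import os

# Accepted leading bytes per extension (any entry matches).
SIGNATURES = {
    ".mp3":   [b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"],  # ID3v2 tag or MPEG frame sync
    ".accdb": [b"\x00\x01\x00\x00Standard ACE DB"],             # Access 2007+ database
    ".pub":   [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],            # OLE2 compound document
    ".zip":   [b"PK\x03\x04"],
    ".pdf":   [b"%PDF-"],
    ".exe":   [b"MZ"],
}
SCRIPT_MARKERS = ("<script", "function ", "eval(", "var ", "activexobject", "wscript")


def looks_like_script(data):
    """True when the first bytes are mostly printable text with
    JavaScript-style markers; binary content returns False."""
    head = data[:4096]
    try:
        text = head.decode("utf-8")
    except UnicodeDecodeError:
        return False
    printable = sum(1 for ch in text if ch.isprintable() or ch in "\r\n\t")
    if printable < 0.95 * len(text):
        return False
    low = text.lower()
    return any(m in low for m in SCRIPT_MARKERS)


def classify(name, data):
    """Return one of: match, mismatch-script, mismatch, empty, unknown-extension."""
    ext = os.path.splitext(name)[1].lower()
    expected = SIGNATURES.get(ext)
    if expected is None:
        return "unknown-extension"
    if not data:
        return "empty"
    if any(data.startswith(sig) for sig in expected):
        return "match"
    return "mismatch-script" if looks_like_script(data) else "mismatch"


def triage(files):
    """files: iterable of (name, bytes).  Returns {name: verdict} for every
    file that is not a clean match, i.e. the ones worth a closer look."""
    result = {}
    for name, data in files:
        verdict = classify(name, data)
        if verdict != "match":
            result[name] = verdict
    return result


# Constructed sample files (in memory, not real artifacts).
SAMPLE_FILES = [
    ("track01.mp3", b"ID3\x03\x00\x00\x00\x00\x00\x00" + b"\x00" * 32),
    ("invoice.mp3", b"var a = 1;\nfunction run() { eval('constructed sample'); }\n"),
    ("report.accdb", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24),
    ("flyer.pub", b""),
    ("notes.txt", b"plain text"),
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_FILES).items():
        print(name, verdict)
```

Only `track01.mp3` passes; `invoice.mp3` is the pattern from the table (audio extension, script body), `report.accdb` is a binary mismatch that still deserves a look, and the empty and unknown-extension cases are reported rather than silently treated as clean. To run it over a staging directory, read each file's first 4 KB and pass `(name, head)` pairs to `triage`.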
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | c98be942b2f1… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Cybereason LumaStealer Undated: Cybereason Security Services Team. (n.d.). Your Data Is Under New Lummanagement: The Rise of LummaStealer. Retrieved March 22, 2025.
- [2] Netskope LummaStealer 2025: Leandro Fróes, Netskope. (2025, January 23). Lumma Stealer: Fake CAPTCHAs & New Techniques to Evade Detection. Retrieved March 22, 2025.
- [3] Qualys LummaStealer 2024: Vishwajeet Kumar, Qualys. (2024, October 20). Unmasking Lumma Stealer: Analyzing Deceptive Tactics with Fake CAPTCHA. Retrieved March 22, 2025.
- [4] Fortinet LummaStealer 2024: Cara Lin, Fortinet. (2024, January 8). Deceptive Cracked Software Spreads Lumma Variant on YouTube. Retrieved March 22, 2025.
- [5] TrendMicro LummaStealer 2025: Buddy Tancio, Fe Cureg, and Jovit Samaniego, Trend Micro. (2025, January 30). Lumma Stealer’s GitHub-Based Delivery Explored via Managed Detection and Response. Retrieved March 22, 2025.
- [6] LummaStealer (Citation: Cybereason LumaStealer Undated)
- [7] mitre-attack S1213
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.