Information stealers, or infostealers, are malware applications that hoover enormous amounts of information from machines including login credentials, cryptocurrency wallet data, personally identifiable information (PII), session tokens, multifactor authentication (MFA) tokens, etc. — any data stored in a browser can be collected. This malware is spread through phishing campaigns, social engineering, malicious advertising (malvertising) and search engine optimization (SEO) campaigns. The stolen data often ends up in underground markets as “logs,” which are packages of credentials and data from compromised machines that are priced in accordance with their perceived value. This mass collection of data has posed a problem for consumer and enterprise security. A home-based employee might use a personal computer that has been compromised by an infostealer to log in to some of their work accounts, which are then stolen. Although enterprise security products may be able to spot signs and block the reuse of stolen credentials, it’s still a common attack vector.
Lumma has been one of the most popular infostealers. It was developed by the threat actor known as Shamel (also known as lumma and HellsCoder), who is believed to be based in Russia. It first appeared on Russian-language cybercriminal forums in 2022 and gained market share because it is effective, easy to use and difficult for security applications to detect. Lumma also offered its own marketplace where the stolen data could be sold. To give a perspective on the reach of this malware, from April 2024 to June 2024, Lumma’s market had more than 21,000 listings that sold “logs” or batches of data that Lumma captured.
One way users are infected with Lumma is after conducting searches for pirated or “cracked” software whose digital protections have been removed or circumvented. Malware distributors have found offering mislabeled software pretending to be other applications or embedding malware within those applications to be an effective way to capture unsuspecting victims.
Our analysts recently observed these types of campaigns. At the end of March 2025, we initially identified a campaign through proactive searches for cracked software, employing broad criteria and targeting Google-hosted sites. For instance, we used search queries such as “download free cracked software site:google.com” and “download free cracked software 2025 site:google.com.” In nearly every case, examining the top results led to the Lumma infostealer.

Victims are also sometimes tricked into clicking malicious links on X aka Twitter or Google’s Colab service. Clicking either the search result or other links will typically lead a victim to another domain with a “Download Now” button. If clicked, the button leads to a compressed (.ZIP) archive on a file-sharing site. The downloaded ZIP file contains a second, password-protected ZIP archive. After extracting this archive, users encounter a Nullsoft Scriptable Install System (NSIS) installer (i.e., setup.exe or set-up.exe), which executes the Lumma information stealer packed with the CypherIT crypter. Malware crypters are used to change a piece of malware in ways to try to hide it from security tools (see our blog “A Briefing on Malware Crypting Services”).

In May 2025, law enforcement along with private partners significantly disrupted Lumma infrastructure by targeting the command-and-control (C2) servers that communicate with Lumma-infected machines. Microsoft was granted a court order that allowed it to seize or block 2,300 domains related to Lumma’s infrastructure. The U.S. Department of Justice (DOJ) seized Lumma’s control panel, which was a component of Lumma’s marketplace, while the European Union Agency for Law Enforcement Cooperation’s (Europol’s) European Cybercrime Center (EC3) and Japan’s Cybercrime Control Center (J3C) also suspended other Lumma infrastructure. Microsoft identified more than 394,000 Windows computers that had been infected globally and efforts were taken to remediate those machines.
After the disruption, Lumma operators issued an update indicating their belief that law enforcement exploited a vulnerability and then erased some of their disks and a backup server. Lumma’s operators also wrote that one of its domains was taken over then used to phish Lumma clients, collecting IP addresses. The FBI dropped a message on a Telegram channel associated with Lumma and warned its customers that “all your logs and account information are safe with us.” However, not long after the law enforcement action, new C2 servers were stood up, which indicated the developers had successfully restored portions of the Lumma ecosystem. It appears this main player in the infostealer scene will continue to cause trouble.
What follows is a demonstration of a threat hunt for a technique that has been used by adversaries after compromising a machine with Lumma. It involves using the Findstr (find string) command on Windows, which is similar to Unix’s grep, to look for running processes that might be linked to security functions or monitoring. Attackers use Findstr together with Tasklist.exe to identify the processes that could interfere with their malware and potentially shut those processes down.
Hunting for Lumma activity
One way to figure out if a machine has been infected with Lumma or other malware is to hunt for indicators of compromise (IoCs), such as file hashes, malicious domains or URLs. Intel 471 regularly collects these indicators in real time for more than 350 Windows and Android malware families and those are available as part of Malware Intelligence. Finding an instance of Lumma by searching for a SHA-256 of it that has been seen in another campaign is a quick win. But usually it’s not this easy.
As mentioned before, malware distributors use crypters to change the characteristics of malware every time it is deployed, which means its hash will change. Thus, searching for a previous hash detected at one time and not finding it is not a reliable indicator that the machine is not infected. C2 servers, which are used to control the malware and exfiltrate data, likewise are frequently changed along with domains or file-sharing links used to host the malware. This doesn’t mean that threat hunters should skip hash and URL scans since it is part of being diligent, but those scans shouldn’t be solely relied upon to guarantee a system hasn’t been compromised.
Hunting for behaviors associated with malware deployment can provide more reliable results. In the case of Lumma, operators may seek to maintain persistence to keep continued access or undertake other steps to avoid having their access revoked, such as looking for what security applications are running. By identifying these processes, attackers can attempt to manipulate or disable security mechanisms, gather sensitive information or facilitate more effective ways to execute based on what processes are discovered. This behavior has been seen in Lumma samples that have been packed with the CypherIT crypter.
Intel 471 analysts documented this type of action in a recent Malware Campaign Report published in our platform. Once Lumma’s NSIS installer has been launched, a malicious routine begins with the creation of a command.exe instance. This routine renames and then executes a heavily obfuscated batch script. The script then conducts an environment check using the Tasklist and Findstr utilities to search for active processes associated with common antivirus software including Bitdefender, ESET, Quick Heal and Sophos. If any of these processes are found, the malware immediately terminates. Utilizing the Findstr command in conjunction with Tasklist allows attackers to filter the list of running processes to locate specific targets. This technique is often used by infostealers and other types of malware to also monitor system activity or find processes of interest for further exploitation.
Tasklist and Findstr are known as living-off-the-land binaries (LOLBins). LOLBins are native Windows tools that are often abused by attackers because they can provide critical information about a system that has been compromised and can be used to manipulate the system. Since the tools are often preinstalled on the compromised system, they’re not going to be flagged as malware, but we can hunt for behaviors that may indicate the malicious use of the tools.
Our threat hunting analysts have written a package called “Potential use of Findstr with Tasklist” that’s designed to detect this behavior in various endpoint detection and response (EDR), security information and event management (SIEM) and log aggregation tools. The hunt package is compatible with CrowdStrike LogScale, Google SecOps, Microsoft Defender and Sentinel, Palo Alto Cortex XDR, QRadar Query, SentinelOne Singularity and Splunk. The broad query logic can be seen below.

Let’s run this hunt in Splunk using Windows Sysmon logs.

There are interesting results. We can see that in a short amount of time, someone ran Findstr to look for files, documents or other material containing the word “password” and then ran Tasklist. We see the process command-line arguments, the processes being executed and the parent process. In this example, the attacker doesn’t appear to be looking for security products but rather may be trying to collect information, such as finding an Excel spreadsheet with passwords in it. Another possibility is that an attacker is looking for their own password file that they’ve concatenated but not yet exfiltrated.
It also could be a false positive, and this could be completely legitimate behavior. Perhaps an administrator is trying to see if other people in the organization have created files with lists of passwords, which attackers sometimes hunt for as well. The best way to determine if these are false positives is to look at how often this has happened in an environment previously and then try to get an understanding of how often it should happen. Another example of using patterns to detect abnormal activity is the deletion of shadow copies. Ransomware actors often delete shadow copies to make it harder for organizations to recover. If only one person in an organization is allowed to delete volume shadow copies and the event is not tied to that person’s account, the deviation from the historical pattern highlights likely abnormal behavior; the baseline is what makes the outlier visible.
In the above example, this kind of discovery behavior would normally be considered suspicious. Administrators may use other types of tools to elicit the same information about their environment, but there is always an organization or two for which this is common practice. To determine if it is normal, investigators can start looking at users, their responsibilities and roles, and the machines these commands were executed on for further clarification.
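As an added example, not the HUNTER package’s query logic and not code from this post, the script below runs the Tasklist-plus-Findstr hunt described earlier over constructed Sysmon-style process-creation events and then applies the baselining idea from this section. It checks two patterns: a single command line that pipes Tasklist output into Findstr, and tasklist.exe and findstr.exe launched by the same user on the same host within a short window in either order (which also catches the Findstr-then-Tasklist sequence from the Splunk result above). It then counts hits per host and user so rare actors stand out, and flags shadow-copy deletions by accounts outside an allowed set. Field names follow Sysmon Event ID 1; the hostnames, user accounts, paths, the “avservice” token and the allowed-account list are assumptions.

```python
import json
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry shaped like Sysmon Event ID 1 (process creation),
# one JSON object per line. Hostnames, users, paths and "avservice" are hypothetical.
SAMPLE_LOG = r"""
{"UtcTime": "2025-03-28 10:02:11", "Computer": "WS-042", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Users\\jdoe\\Downloads\\set-up.exe", "CommandLine": "cmd.exe /c tasklist | findstr /I avservice"}
{"UtcTime": "2025-03-28 10:02:11", "Computer": "WS-042", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\tasklist.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "tasklist"}
{"UtcTime": "2025-03-28 10:02:12", "Computer": "WS-042", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\findstr.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "findstr /I avservice"}
{"UtcTime": "2025-03-28 10:05:00", "Computer": "WS-042", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\vssadmin.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "vssadmin delete shadows /all /quiet"}
{"UtcTime": "2025-03-28 11:15:03", "Computer": "WS-017", "User": "CORP\\asmith", "Image": "C:\\Windows\\System32\\findstr.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "findstr /S /I password C:\\Users\\*.xlsx"}
{"UtcTime": "2025-03-28 11:15:40", "Computer": "WS-017", "User": "CORP\\asmith", "Image": "C:\\Windows\\System32\\tasklist.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "tasklist"}
{"UtcTime": "2025-03-28 11:20:00", "Computer": "WS-017", "User": "CORP\\asmith", "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe notes.txt"}
{"UtcTime": "2025-03-28 09:00:00", "Computer": "WS-099", "User": "CORP\\helpdesk", "Image": "C:\\Windows\\System32\\tasklist.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "tasklist /v"}
{"UtcTime": "2025-03-28 09:30:00", "Computer": "WS-099", "User": "CORP\\helpdesk", "Image": "C:\\Windows\\System32\\findstr.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "findstr /I error C:\\logs\\app.log"}
{"UtcTime": "2025-03-28 02:00:00", "Computer": "SRV-01", "User": "CORP\\svc-backup", "Image": "C:\\Windows\\System32\\vssadmin.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "vssadmin delete shadows /all /quiet"}
"""

DISCOVERY_TOOLS = {"tasklist.exe", "findstr.exe"}


def load_events(text):
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def image_name(event):
    """Lower-cased file name of the launched image, e.g. 'findstr.exe'."""
    return event["Image"].rsplit("\\", 1)[-1].lower()


def event_time(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S")


def piped_hits(events):
    """Pattern 1: a single command line that pipes Tasklist output into Findstr."""
    pattern = re.compile(r"\btasklist\b.*\|.*\bfindstr\b", re.IGNORECASE)
    return [e for e in events if pattern.search(e["CommandLine"])]


def correlated_hits(events, window_seconds=60):
    """Pattern 2: tasklist.exe and findstr.exe run by the same user on the same
    host within `window_seconds` of each other, in either order."""
    by_actor = defaultdict(list)
    for e in events:
        if image_name(e) in DISCOVERY_TOOLS:
            by_actor[(e["Computer"], e["User"])].append(e)
    window = timedelta(seconds=window_seconds)
    hits = []
    for actor, evs in by_actor.items():
        evs.sort(key=event_time)
        for i, first in enumerate(evs):
            for second in evs[i + 1:]:
                if event_time(second) - event_time(first) > window:
                    break  # sorted by time, so nothing later can be in the window
                if image_name(first) != image_name(second):
                    hits.append((actor, first, second))
    return hits


def hits_per_actor(hits):
    """Baseline: how often each (host, user) pair has triggered the hunt."""
    return Counter(actor for actor, _, _ in hits)


def rare_actors(hits, threshold=1):
    """Actors with `threshold` or fewer hits deviate from any established baseline."""
    return {actor for actor, n in hits_per_actor(hits).items() if n <= threshold}


def unexpected_shadow_deletions(events, allowed_users):
    """Same baseline idea for shadow-copy deletion: flag vssadmin 'delete shadows'
    runs by any account outside the set that is expected to do this."""
    return [e for e in events
            if image_name(e) == "vssadmin.exe"
            and "delete shadows" in e["CommandLine"].lower()
            and e["User"] not in allowed_users]


if __name__ == "__main__":
    events = load_events(SAMPLE_LOG)
    for e in piped_hits(events):
        print("piped:", e["Computer"], e["User"], e["CommandLine"])
    hits = correlated_hits(events)
    for actor, a, b in hits:
        print("correlated:", actor, a["CommandLine"], "->", b["CommandLine"])
    print("hits per host/user:", dict(hits_per_actor(hits)))
    for e in unexpected_shadow_deletions(events, {"CORP\\svc-backup"}):
        print("shadow deletion by unexpected account:", e["Computer"], e["User"])
```

The 60-second window is a starting point, not a rule: widening it to an hour would also pull in the helpdesk host in the sample, where Tasklist and Findstr ran 30 minutes apart against an application log, which is the kind of hit a per-actor count over a longer history would quickly show to be routine for that account.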
A video version of this case study is available here. The Community Edition of HUNTER contains this free threat hunt, which is available upon registration. The Community Edition also contains other free hunt packages and visibility into HUNTER’s subscription-only library of advanced threat hunting packages, detailed analyst notes and proactive recommendations. Also, this case study draws on an extensive Malware Campaign Report from our Malware Intelligence team. The report is called “Actors leverage cracked software to distribute CypherIT-encrypted Lumma malware, other stealer payloads” and it is available to subscribers. For more information, please contact us. Happy hunting!