Lumma Stealer targets sensitive information, including user credentials, system details, browser data, and extensions. It has been advertised on the dark web and a Telegram channel since 2022, with over a dozen observed command-and-control (C2) servers in the wild and multiple updates. Figure 1 shows Lumma Stealer’s C2 server telemetry, illustrating a global presence with a peak observed in December.
