Microsoft Says Lumma Malware Infected Over 394,000 Windows Computers Globally


Topline

Hundreds of thousands of Windows computers were recently infected by a malware-as-a-service offering known as Lumma Stealer, Microsoft announced Wednesday, saying it has severed communications between the malware and victims throughout the world.

Key Facts

Over 394,000 Windows computers globally were infected by Lumma between March 16 and May 16, according to Microsoft.

Microsoft severed communications between the malware and its victims in addition to seizing over 1,300 domains used by the malware.

Three hundred domains will be redirected to Microsoft sinkholes—controlled domains used to capture and evaluate malicious traffic.

Microsoft said it has “seized and facilitated the takedown, suspension, and blocking” of malicious domains that served as the core of Lumma’s operation, noting the Justice Department has also seized the “central command structure” for Lumma and disrupted the marketplaces in which it is sold.


What Is Lumma?

Lumma is a Russian malware-as-a-service offering sold in underground forums to hackers who typically use the malware, which impersonates trusted brands, to monetize stolen information or exploit victims. Lumma has been used to target passwords, banking information and cryptocurrency wallets, allowing hackers to hold information for ransom or disrupt. The malware was recently identified in a hacking campaign that used phishing attacks impersonating online travel agency Booking.com. More broadly, Lumma has been used to target gaming communities and sectors such as healthcare, telecommunications, finance, manufacturing and logistics.

What We Don’t Know

Where in the world the Lumma attacks between March 16 and May 16 were specifically based. Microsoft also did not specify if the computers belonged to consumers or businesses and what, if any, sectors were affected by the hacks.

Big Number

About 400. That is how many active clients the developer of Lumma, known as “Shamel,” said he had in 2023.

Key Background

Cyber attacks have increased significantly in 2025, according to research from IT software firm Check Point, which reported that the global education sector saw the highest number of attacks in the first quarter of this year (4,484 weekly attacks). New technologies such as generative artificial intelligence are helping cybercriminals stage increasingly sophisticated attacks, the World Economic Forum said in a 2025 global cybersecurity outlook, noting a sharp increase in phishing and social engineering attacks last year. The forum identified supply chain vulnerabilities as the top cyber risk, saying the increased complexity of modern supply chains and a lack of oversight into suppliers’ cybersecurity capabilities have created more risk for businesses.

Further Reading

Global Cybersecurity Outlook 2025 (World Economic Forum)

Lumma Stealer: Breaking down the delivery techniques and capabilities of a prolific infostealer (Microsoft)


