#NSBCS.075 - Down Goes Lumma: Striking at Cybercrime
Source: NSB Cyber
Down Goes Lumma: Striking at Cybercrime
Infostealers are malicious programs that steal sensitive data such as passwords, credit card details, and cryptocurrency wallets, often spreading through phishing emails or fake websites. Lumma Stealer, a favored tool among cybercriminals, including ransomware groups like Octo Tempest, infected more than 394,000 Windows computers worldwide between March 16 and May 16, 2025, according to Microsoft Threat Intelligence (https://blogs.microsoft.com/on-the-issues/2025/05/21/microsoft-leads-global-action-against-favored-cybercrime-tool/). On May 13, 2025, Microsoft’s Digital Crimes Unit (DCU) and international partners executed a major operation to dismantle Lumma’s infrastructure, seizing domains and disrupting its marketplaces.
Key Aspects of the Takedown:
Date and Lead: May 13, 2025, led by Microsoft’s DCU under a U.S. District Court order from the Northern District of Georgia.
Actions Taken: Seized ~2,300 malicious domains; U.S. Department of Justice targeted Lumma’s command structure and sales platforms.
Global Collaboration: Involved Europol, Japan’s Cybercrime Control Center, and firms like ESET, Bitsight, and Cloudflare.
Outcome: Disrupted Lumma’s network, with FBI banners on seized sites.
The operation significantly impacts cybercriminals by halting active attacks and forcing costly rebuilding efforts. It signals stronger law enforcement and private sector collaboration, potentially deterring smaller operators. However, resilient threat actors may shift to other tools, underscoring the need for continuous defense.
Implications for Cybercrime:
Disruption: Raises costs and complexity for rebuilding Lumma’s infrastructure.
Deterrence: Collaborative efforts show cybercrime tools are vulnerable, discouraging some actors.
Resilience: Larger groups may adapt, requiring sustained countermeasures.
This takedown highlights the power of public-private collaboration in combating cybercrime. Microsoft, cybersecurity firms, and global law enforcement united to dismantle Lumma’s backbone, weakening a key enabler of digital crime. Such partnerships combine private sector innovation with public sector authority, enabling swift, large-scale action against elusive threats. Sustaining and expanding these collaborations is critical, as cybercriminals’ adaptability demands shared expertise, resources, and global coordination to stay ahead and protect the digital ecosystem.
For information on NSB Cyber’s Cyber Threat Intelligence capabilities or to book a meeting with our team, click here.
What we read this week
Mandatory Tracking App for Foreigners in Moscow Raises Surveillance Concerns - Russia has introduced a law requiring all foreign nationals residing in the Moscow region to install a mobile tracking app that collects fingerprints, facial images, residential information, and real-time geolocation. Exemptions apply only to diplomats and Belarusian citizens. The data will be transmitted to the Ministry of Internal Affairs, with non-compliance resulting in deportation and registration on a state watchlist. Critics, including legal experts and migrant community leaders, warn the initiative violates privacy rights under Russia’s constitution and risks deterring essential labour migration. The surveillance pilot runs until September 2029, with nationwide expansion likely if deemed effective.
SEO Poisoning Targets Payroll via Mobile Credential Harvesting - A targeted SEO poisoning campaign is tricking employees into entering credentials into fake payroll portals, with attackers rerouting salaries to their own accounts. Discovered by ReliaQuest in May 2025, the campaign exploits mobile searches by ranking malicious WordPress sites high in search results. These pages redirect mobile users to credential harvesters mimicking Microsoft login portals. Stolen credentials are transmitted via WebSockets using Pusher, enabling near-instant exploitation. Attackers route traffic through compromised home routers to bypass IP restrictions. Victims span the manufacturing sector. Organisations should enforce MFA, monitor payroll changes, and direct users to corporate SSO access only.
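The "monitor payroll changes" recommendation above can be turned into a concrete detection. The following is an added example, not code from ReliaQuest or from this newsletter: it correlates constructed identity and payroll audit events and flags a direct-deposit change that lands within a short window of a login from an IP address and device the user has never used before. The event shapes, field names, the 24-hour window and the sample events are all assumptions made for the example.

```javascript
// Added example (not from the original newsletter or any vendor's code).
// Flags the pattern described above: a payroll bank-account change shortly
// after a login from an ip/user-agent combination not previously seen for
// that user. Event fields, types and thresholds are assumptions.
const WINDOW_MS = 24 * 60 * 60 * 1000; // assumed lookback after a first-seen login

// Constructed sample audit events (not real logs), already sorted by time.
const EVENTS = [
  { ts: "2025-05-12T08:00:00Z", type: "login", user: "alice", ip: "203.0.113.10", ua: "Windows/Chrome" },
  { ts: "2025-05-12T08:05:00Z", type: "login", user: "bob", ip: "203.0.113.11", ua: "Windows/Chrome" },
  { ts: "2025-05-14T21:40:00Z", type: "login", user: "alice", ip: "198.51.100.77", ua: "Android/Chrome" },
  { ts: "2025-05-14T21:52:00Z", type: "payroll.bank_account.changed", user: "alice", account: "****4411" },
  { ts: "2025-05-15T09:00:00Z", type: "login", user: "bob", ip: "203.0.113.11", ua: "Windows/Chrome" },
  { ts: "2025-05-15T09:30:00Z", type: "payroll.bank_account.changed", user: "bob", account: "****9020" },
];

// history: optional array of { user, ip, ua } seeded from prior months so that
// a user's long-standing devices are not treated as "first seen" on day one.
function detectSuspiciousPayrollChanges(events, windowMs = WINDOW_MS, history = []) {
  const known = new Map();     // user -> Set("ip|ua") seen so far
  const recentNew = new Map(); // user -> most recent login from an unseen ip/ua
  const alerts = [];

  for (const h of history) {
    const seen = known.get(h.user) ?? new Set();
    seen.add(`${h.ip}|${h.ua}`);
    known.set(h.user, seen);
  }

  for (const e of events) {
    const t = Date.parse(e.ts);
    if (e.type === "login") {
      const key = `${e.ip}|${e.ua}`;
      const seen = known.get(e.user) ?? new Set();
      if (!seen.has(key)) {
        // First login from this ip/device for this user: remember it.
        recentNew.set(e.user, { t, ip: e.ip, ua: e.ua });
        seen.add(key);
        known.set(e.user, seen);
      }
    } else if (e.type === "payroll.bank_account.changed") {
      const n = recentNew.get(e.user);
      if (n && t - n.t <= windowMs) {
        alerts.push({ user: e.user, changedAt: e.ts, loginIp: n.ip, loginUa: n.ua, account: e.account });
      }
    }
  }
  return alerts;
}

// Running over the constructed events flags alice's change (12 minutes after a
// first-seen mobile login) and leaves bob's alone (same device, days later).
console.log(detectSuspiciousPayrollChanges(EVENTS));
```

In a real deployment the `history` seed would come from the identity provider's sign-in log, and the alert would feed a hold-and-verify step on the payroll change rather than a silent log line; the window and the "first seen" definition are the two knobs to tune against false positives.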
Scattered Spider Targets Retail with Social Engineering and Ransomware - Scattered Spider (UNC3944) has resumed targeting major retailers, compromising Dior in May following attacks on M&S, Harrods, and Co-op. The group, known for social engineering help desks to obtain credentials, is leveraging the DragonForce ransomware-as-a-service model. Customer data from Dior’s China and South Korea markets was reportedly stolen. Analysts warn the group has pivoted towards US retail and continues to exploit longstanding weaknesses in supply chains and credential workflows. Organisations should implement MFA-backed self-service password resets, verify IT support interactions, and monitor for lateral movement from compromised user accounts to prevent unauthorised access and ransomware deployment.
Undocumented Cellular “Kill Switches” Found in Chinese Solar Inverters - US investigators have discovered hidden cellular radios—labelled as potential "kill switches"—in Chinese-made solar power inverters connected to critical infrastructure. These rogue components, found in equipment used across the US and UK, could enable remote shutdowns by Beijing during a geopolitical conflict. Unlike documented remote access for maintenance, these embedded radios bypass firewall protections and are not disclosed in product specifications. The US Department of Energy acknowledges the risks but faces difficulty in addressing them because of opaque supply chains. The finding adds to existing concerns about Chinese state cyber operations amid rising global tensions.
Chrome Now Auto-Changes Compromised Passwords via Google Password Manager - Google Chrome’s Password Manager can now automatically update compromised passwords when detected during sign-in. The new feature prompts users to auto-generate and replace breached credentials on supported websites, streamlining the remediation process. For compatibility, sites must set the "autocomplete" attributes for current and new password fields and configure "/.well-known/change-password" to redirect to their password-change page. This initiative aims to reduce user friction and enhance account security. The update reflects broader industry shifts towards stronger authentication, including passkeys, which Microsoft recently adopted as the default for new accounts.
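The two site-side requirements in the item above are small enough to show end to end. The following is an added example written for this newsletter, not Google's code or any site's production code: a dependency-free Node.js request handler that serves a change-password form carrying the autocomplete tokens password managers look for, redirects the well-known URL to it, and answers 404 on the probe URL that user agents use to rule out catch-all servers. The route `/account/change-password` and the form field names are assumptions for the example.

```javascript
// Added example (not the original page's or Google's code). Shows what a site
// needs for password managers to find and drive its change-password flow:
//   1. a form whose fields carry autocomplete="current-password" / "new-password"
//   2. /.well-known/change-password redirecting to that form
// CHANGE_PASSWORD_PATH is an assumed route for this example.
const CHANGE_PASSWORD_PATH = "/account/change-password";

// Both the new and confirm fields are tagged "new-password" so a password
// manager generates one value and fills both; "username" lets it tie the
// new credential to the right account even when the field is hidden.
const CHANGE_PASSWORD_FORM = `<!doctype html>
<form method="post" action="${CHANGE_PASSWORD_PATH}">
  <input type="text" name="username" autocomplete="username" hidden>
  <label>Current password
    <input type="password" name="current" autocomplete="current-password" required>
  </label>
  <label>New password
    <input type="password" name="next" autocomplete="new-password" required>
  </label>
  <label>Confirm new password
    <input type="password" name="confirm" autocomplete="new-password" required>
  </label>
  <button type="submit">Change password</button>
</form>`;

// Pure routing function (method, path) -> { status, headers, body }, kept
// free of socket handling so it can be checked without starting a server.
function handleRequest(method, path) {
  if (path === "/.well-known/change-password") {
    // Well-known URL: any 3xx redirect to the real change-password page.
    return { status: 302, headers: { Location: CHANGE_PASSWORD_PATH }, body: "" };
  }
  if (path === "/.well-known/resource-that-should-not-exist-whose-status-code-should-not-be-200") {
    // User agents fetch this to detect servers that answer 200 to everything;
    // a catch-all 200 here makes them distrust the change-password redirect.
    return { status: 404, headers: { "Content-Type": "text/plain" }, body: "not found" };
  }
  if (method === "GET" && path === CHANGE_PASSWORD_PATH) {
    return { status: 200, headers: { "Content-Type": "text/html; charset=utf-8" }, body: CHANGE_PASSWORD_FORM };
  }
  return { status: 404, headers: { "Content-Type": "text/plain" }, body: "not found" };
}

// Lists the autocomplete tokens in a form, in document order, so a deploy
// check can confirm the current/new password hints are actually present.
function autocompleteTokens(html) {
  return [...html.matchAll(/autocomplete="([^"]+)"/g)].map((m) => m[1]);
}

console.log(handleRequest("GET", "/.well-known/change-password"));
console.log(autocompleteTokens(CHANGE_PASSWORD_FORM));
```

To serve it, wrap `handleRequest` in `http.createServer((req, res) => { const r = handleRequest(req.method, new URL(req.url, "http://localhost").pathname); res.writeHead(r.status, r.headers); res.end(r.body); })` and listen on the site's port; the only behaviour that matters to the browser is the redirect, the 404 on the probe path, and the autocomplete tokens on the form.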
References
https://www.bleepingcomputer.com/news/government/russia-to-enforce-location-tracking-app-on-all-foreigners-in-moscow/
https://cybersecuritynews.com/hackers-attacking-employees-to-steal-payroll-logins/
https://www.darkreading.com/threat-intelligence/large-retailers-scattered-spider-ransomware-web
https://securityaffairs.com/178005/hacking/rogue-devices-in-chinese-made-power-inverters-used-worldwide.html
https://thehackernews.com/2025/05/google-chrome-can-now-auto-change.html