Behind the Curtain: How Lumma Affiliates Operate
Aug. 20, 2025, 9:21 p.m.
Description
This analysis reveals the complex operations of Lumma affiliates within a vast information-stealing ecosystem. Affiliates utilize various tools and services, including proxy networks, VPNs, anti-detect browsers, and crypting services. The investigation uncovered previously undocumented tools and showed that affiliates often run multiple schemes simultaneously, such as rental scams, while also using other infostealers like Vidar, Stealc, and Meduza Stealer. Lumma affiliates are deeply integrated into the cybercriminal ecosystem, leveraging underground forums for resources, marketplaces, and operational support. The analysis highlights the resilience of Lumma's infrastructure and the challenges in disrupting such decentralized cybercriminal networks.
Date
- Created: Aug. 20, 2025, 6:39 p.m.
- Published: Aug. 20, 2025, 6:39 p.m.
- Modified: Aug. 20, 2025, 9:21 p.m.
Attack Patterns
- CraxsRAT
- Meduza Stealer
- LUMMA
- Stealc
- Vidar
- Lumma