Georgia Court Takes Down International Malware Network

The messages appeared harmless, even routine. One, from someone claiming to be a potential guest, asked a hotel about an alleged comment on Booking.com. Another, seemingly from the booking site itself, requested a review of negative guest feedback.
The emails were fraudulent—phishing scams designed to trick recipients into downloading malware that would steal financial data and login credentials.
Now, a major tech company and global law enforcement agencies are targeting a malware network known as Lumma Stealer, which authorities link to the cyberattack. Microsoft, the U.S. Justice Department, Europol, and Japan’s Cybercrime Control Center have launched a joint operation to dismantle Lumma’s digital infrastructure, according to Microsoft and court documents unsealed Wednesday in federal court in Atlanta.
A Dangerous Malware Threat Targeting Sensitive Information and Critical Sectors
Steven Masada, assistant general counsel and director of Microsoft’s Digital Crimes Unit, called Lumma “one of the most renowned info-stealer malwares in existence” in an interview with The Atlanta Journal-Constitution. In 2024 alone, Lumma infected 1.8 million devices, according to cybersecurity firm Flashpoint.
Lumma is a form of malware that individuals sell on the dark web to steal passwords, credit card details, bank information, and cryptocurrency wallets. According to Microsoft, it has allowed cybercriminals to breach sectors such as transportation, finance, and healthcare, extort schools through ransomware attacks, and drain victims’ bank accounts.
Lumma has been active since 2022 and exemplifies the growing trend of cybercrime-as-a-service, according to Masada.
Much like legitimate software companies, Lumma offers tiered monthly or annual subscriptions, with pricing based on the level of customization and control users want. Masada noted that hundreds of cybercriminal and state-affiliated groups around the world have utilized it.
Unlike traditional software that provides tools like word processing or PDF editing, Lumma is designed for malicious use—demonstrated by the cyberattack that impersonated Booking.com, which showcased the malware’s reach and impact.
A Key Player in the Cybercrime Supply Chain, Spreading Across Global Devices
“Cybercriminals are essentially marketing and selling their services to other bad actors to expand their operations,” Masada said, describing Lumma as a key component in the cybercrime supply chain.
Between March and May, Microsoft detected Lumma infections on over 394,000 Windows devices globally. Court records reveal that hackers compromised at least 532 computers in Georgia alone, with Atlanta ranking among the most heavily impacted U.S. cities.
Microsoft filed a federal civil lawsuit against Lumma on May 13 in Atlanta, citing the large number of victims in the area, including Booking.com, which has a significant presence there. Booking.com did not immediately comment on the situation.
In collaboration with other cybersecurity firms and law enforcement agencies, Microsoft gathered intelligence and coordinated efforts to dismantle various components of Lumma’s extensive infrastructure.
Global Action Against Lumma
Last week, Microsoft obtained a sealed court order authorizing it to begin disabling, suspending, and blocking roughly 2,300 domains linked to Lumma’s operations.
The Justice Department also disrupted Lumma’s online marketplace and seized its core command systems, while Europol’s European Cybercrime Center and Japan’s Cybercrime Control Center took down Lumma infrastructure within their respective regions.
According to Masada, Microsoft will reroute the seized domains to a cloud environment it monitors, using the data to gather intelligence and potentially identify more infected devices.
Despite this global crackdown, those behind Lumma remain unidentified. Microsoft traces the main developer, known by the alias “Shamel,” to Russia and believes that other individuals are also involved in maintaining the malware.
Microsoft obtained a temporary restraining order against 10 unidentified individuals, including “Shamel,” others believed to be maintaining Lumma’s infrastructure, and users of the malware.
Masada noted that whoever is behind Lumma will likely attempt to adapt and reconstruct their network. Microsoft aims to have a court-appointed monitor in place to grant swift authorization to seize any new domains that cybercriminals may create in the future.
Read the original article on: Tech Xplore