{"description": "Enterprise techniques used by Lumma Stealer, ATT&CK software S1213 (v1.0)", "name": "Lumma Stealer (S1213)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[Lumma Stealer](https://attack.mitre.org/software/S1213) has used HTTP and HTTPS for command and control communication.(Citation: Qualys LummaStealer 2024)(Citation: Fortinet LummaStealer 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1119", "comment": "[Lumma Stealer](https://attack.mitre.org/software/S1213) has automated collection of various information including cryptocurrency wallet details.(Citation: Cybereason LumaStealer Undated)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[Lumma Stealer](https://attack.mitre.org/software/S1213) has created registry keys to maintain persistence using `HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run`.(Citation: Cybereason LumaStealer Undated)(Citation: Netskope LummaStealer 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1217", "comment": "[Lumma Stealer](https://attack.mitre.org/software/S1213) has identified and gathered information from two-factor authentication extensions for multiple browsers.(Citation: Cybereason LumaStealer Undated)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[Lumma Stealer](https://attack.mitre.org/software/S1213) has used PowerShell for initial user execution and other functions.(Citation: Qualys LummaStealer 2024)(Citation: Cybereason LumaStealer Undated)(Citation: Netskope LummaStealer 2025)(Citation: Fortinet LummaStealer 2024)", "score": 1, "color": "#66b1ff", 
"showSubtechniques": true}, {"techniqueID": "T1059.006", "comment": "[Lumma Stealer](https://attack.mitre.org/software/S1213) has used malicious Python scripts to execute payloads.(Citation: Cybereason LumaStealer Undated)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.010", "comment": "[Lumma Stealer](https://attack.mitre.org/software/S1213) has utilized AutoIt malware scripts and AutoIt executables.(Citation: Qualys LummaStealer 2024)(Citation: Cybereason LumaStealer Undated)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1555", "showSubtechniques": true}, {"techniqueID": "T1555.003", "comment": "[Lumma Stealer](https://attack.mitre.org/software/S1213) has gathered credential and other information from multiple browsers.(Citation: Cybereason LumaStealer Undated)(Citation: Fortinet LummaStealer 2024)(Citation: TrendMicro LummaStealer 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1074", "showSubtechniques": true}, {"techniqueID": "T1074.001", "comment": "[Lumma Stealer](https://attack.mitre.org/software/S1213) has configured a custom user data directory such as a folder within `%USERPROFILE%\\AppData\\Roaming` for staging data.(Citation: TrendMicro LummaStealer 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1622", "comment": "[Lumma Stealer](https://attack.mitre.org/software/S1213) has checked for debugger strings by invoking `GetForegroundWindow` and looks for strings containing \u201cx32dbg\u201d, \u201cx64dbg\u201d, \u201cwindbg\u201d, \u201collydbg\u201d, \u201cdnspy\u201d, \u201cimmunity debugger\u201d, \u201chyperdbg\u201d, \u201cdebug\u201d, \u201cdebugger\u201d, \u201ccheat engine\u201d, \u201ccheatengine\u201d and \u201cida\u201d.(Citation: Fortinet LummaStealer 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1140", "comment": "[Lumma Stealer](https://attack.mitre.org/software/S1213) has used Base64-encoded content during execution, decoded via PowerShell.(Citation: Netskope LummaStealer 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.002", "comment": "[Lumma Stealer](https://attack.mitre.org/software/S1213) has used HTTPS for command and control purposes.(Citation: Fortinet LummaStealer 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1041", "comment": "[Lumma Stealer](https://attack.mitre.org/software/S1213) has exfiltrated collected data over existing HTTP and HTTPS C2 channels.(Citation: Qualys LummaStealer 2024)(Citation: Fortinet LummaStealer 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1564", "showSubtechniques": true}, {"techniqueID": "T1564.003", "comment": "[Lumma Stealer](https://attack.mitre.org/software/S1213) has utilized the .NET `ProcessStartInfo` class features to prevent the process from creating a visible window through setting the `CreateNoWindow` setting to \u201cTrue,\u201d which allows the executed command or script to run without displaying a command prompt window.(Citation: Fortinet LummaStealer 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1574", "showSubtechniques": true}, {"techniqueID": "T1574.001", "comment": "[Lumma Stealer](https://attack.mitre.org/software/S1213) has leveraged legitimate applications to then side-load malicious DLLs during execution.(Citation: Cybereason LumaStealer Undated)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1562", "showSubtechniques": true}, {"techniqueID": "T1562.001", "comment": "[Lumma Stealer](https://attack.mitre.org/software/S1213) has attempted to bypass Windows Antimalware Scan Interface (AMSI) by removing the string \u201cAmsiScanBuffer\u201d from the \u201cclr.dll\u201d module in memory to prevent it from being called.(Citation: Netskope LummaStealer 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.008", "comment": "[Lumma Stealer](https://attack.mitre.org/software/S1213) has used payloads that resemble benign file extensions such as .mp3, .accdb, and .pub, though the files contained malicious JavaScript content.(Citation: Netskope LummaStealer 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027", "comment": "[Lumma Stealer](https://attack.mitre.org/software/S1213) has used SmartAssembly to obfuscate .NET payloads.(Citation: Fortinet LummaStealer 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[Lumma Stealer](https://attack.mitre.org/software/S1213) has used AES-encrypted payloads contained within PowerShell scripts.(Citation: Qualys LummaStealer 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566", "showSubtechniques": true}, {"techniqueID": "T1566.001", "comment": "[Lumma Stealer](https://attack.mitre.org/software/S1213) has been delivered through phishing emails with malicious attachments.(Citation: Cybereason LumaStealer Undated)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566.002", "comment": "[Lumma Stealer](https://attack.mitre.org/software/S1213) has been delivered through phishing emails containing malicious links.(Citation: Cybereason LumaStealer Undated)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1055", "showSubtechniques": true}, {"techniqueID": "T1055.012", "comment": "[Lumma Stealer](https://attack.mitre.org/software/S1213) has used process hollowing leveraging a legitimate program such as \u201cBitLockerToGo.exe\u201d to inject a malicious payload.(Citation: Qualys LummaStealer 2024)", "score": 1, "color": "#66b1ff", 
"showSubtechniques": true}, {"techniqueID": "T1620", "comment": "[Lumma Stealer](https://attack.mitre.org/software/S1213) has used reflective loading techniques to load content into memory during execution.(Citation: Netskope LummaStealer 2025)(Citation: Fortinet LummaStealer 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1113", "comment": "[Lumma Stealer](https://attack.mitre.org/software/S1213) has taken screenshots of victim machines.(Citation: Cybereason LumaStealer Undated)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1518", "showSubtechniques": true}, {"techniqueID": "T1518.001", "comment": "[Lumma Stealer](https://attack.mitre.org/software/S1213) has detected antivirus processes using commands such as \u201ctasklist\u201d and \u201cfindstr.\u201d(Citation: Qualys LummaStealer 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1176", "showSubtechniques": true}, {"techniqueID": "T1176.001", "comment": "[Lumma Stealer](https://attack.mitre.org/software/S1213) has installed a malicious browser extension to target Google Chrome, Microsoft Edge, Opera and Brave browsers for the purpose of stealing data.(Citation: Cybereason LumaStealer Undated)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1539", "comment": "[Lumma Stealer](https://attack.mitre.org/software/S1213) has harvested cookies from various browsers.(Citation: Cybereason LumaStealer Undated)(Citation: Fortinet LummaStealer 2024)(Citation: TrendMicro LummaStealer 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1553", "showSubtechniques": true}, {"techniqueID": "T1553.002", "comment": "[Lumma Stealer](https://attack.mitre.org/software/S1213) has used valid code signing digital certificates from ConsolHQ LTD and Verandah Green Limited to appear legitimate.(Citation: TrendMicro LummaStealer 2025)", "score": 1, "color": "#66b1ff", 
"showSubtechniques": true}, {"techniqueID": "T1195", "comment": "[Lumma Stealer](https://attack.mitre.org/software/S1213) has been delivered through cracked software downloads.(Citation: Cybereason LumaStealer Undated)(Citation: Fortinet LummaStealer 2024)(Citation: TrendMicro LummaStealer 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.005", "comment": "[Lumma Stealer](https://attack.mitre.org/software/S1213) has used mshta.exe to execute additional content.(Citation: Qualys LummaStealer 2024)(Citation: Netskope LummaStealer 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218.015", "comment": "[Lumma Stealer](https://attack.mitre.org/software/S1213) has leveraged Electron Applications to disable GPU sandboxing to avoid detection by security software.(Citation: TrendMicro LummaStealer 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[Lumma Stealer](https://attack.mitre.org/software/S1213) has gathered various system information from victim machines.(Citation: Cybereason LumaStealer Undated)(Citation: Fortinet LummaStealer 2024)(Citation: TrendMicro LummaStealer 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1204", "comment": "[Lumma Stealer](https://attack.mitre.org/software/S1213) has been distributed through a fake CAPTCHA that presents instructions to the victim to open the Windows Run window (\u201cWindows Button + R\u201d), paste clipboard contents (\u201cCTRL + V\u201d) and press \u201cEnter\u201d to execute a Base64-encoded PowerShell.(Citation: Qualys LummaStealer 2024)(Citation: Cybereason LumaStealer Undated)(Citation: Netskope LummaStealer 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "[Lumma Stealer](https://attack.mitre.org/software/S1213) has gained initial execution through victims opening malicious executable files embedded in zip archives, and MSI files within RAR files.(Citation: Cybereason LumaStealer Undated)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1497", "showSubtechniques": true}, {"techniqueID": "T1497.001", "comment": "[Lumma Stealer](https://attack.mitre.org/software/S1213) has queried system resources on the victim device to identify if it is executing in a sandbox or virtualized environments, checking usernames, conducting WMI queries for system details, checking for files commonly found in virtualized environments, searching system services, and inspecting process names.(Citation: Fortinet LummaStealer 2024) [Lumma Stealer](https://attack.mitre.org/software/S1213) has checked system GPU configurations for sandbox detection.(Citation: TrendMicro LummaStealer 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Lumma Stealer", "color": "#66b1ff"}]}