Analyzing the Latest Version of Lumma Stealer

Posted on April 24, 2025

Overview of Lumma Infostealer

Lumma Stealer, first identified in August 2022, has evolved from its initial C programming language foundation into a sophisticated modular architecture for information theft.

This malware spreads primarily through phishing emails, fake software updates, and compromised websites, and its developers regularly enhance its evasion capabilities. The malware’s surge in activity this year demonstrates the effectiveness of its continued distribution through a subscription-based Malware-as-a-Service (MaaS) model on the dark web.

As Lumma continues to adapt and evade detection, it highlights a broader reality: infostealer malware remains one of the most persistent threats to organizations, making proactive defenses and real-time monitoring essential to safeguarding sensitive data.

Throughout 2023, 2024, and now 2025, we observed a sharp increase in Lumma Stealer attacks targeting organizations globally. The malware now features advanced evasion techniques, including AMSI bypasses and memory manipulation.

How Lumma Stealer Works

The infection typically begins with a PowerShell script that hides two Base64-encoded files: a loader (GOO.dll) and the main payload.

When run, the loader injects the malware into RegSvcs.exe, a legitimate Windows process. This disguise helps Lumma operate without raising suspicion.

Once active, Lumma decrypts key parts of its code only during execution to avoid detection by antivirus tools. It then contacts its command-and-control server to download configuration data and begin stealing information—all while maintaining a low profile.

Obfuscation and anti-analysis

Lumma Stealer uses advanced evasion techniques to hide from antivirus programs and make it hard for researchers to study. It scrambles its code and only unlocks important parts, like file names and commands, when it runs. This makes it difficult for tools that scan files (called static analysis tools) to detect anything suspicious before the malware actually starts working.

One way it hides is by decrypting the names of key system libraries – like “ntdll.dll” and “kernel32.dll” – only while it’s running, so they never appear in plain text in the file. It also checks if it’s being run in a virtual machine or sandbox (tools used by researchers to safely test malware). If it finds one, it can shut itself down or act differently to avoid getting caught.

Some of the methods Lumma uses include:

  • Encrypting code with special keys to hide what it does

  • Using huge PowerShell scripts (about 68,000 lines) scrambled with a simple coding trick (XOR)

  • Protecting its files with a tool called .NET Reactor, which requires extra tools just to decode

It even uses tricks like “Heaven’s Gate” (a way to switch between 32-bit and 64-bit code) and disables certain Windows tracking features to stay hidden.

What Lumma Stealer Steals

The main goal of Lumma Stealer is to steal personal data. It’s especially interested in:

  • Browser information like saved passwords, cookies, autofill data, and browsing history from Chrome, Firefox, and others

  • Cryptocurrency wallets such as MetaMask, Exodus, and Electrum

  • Emails and system info, including sensitive files like financial documents and personal records

It quietly looks through the computer for certain file types – like .txt, .pdf, and settings files – especially under 20MB in size so it can exfiltrate them quickly without being noticed.

How It Finds Data

Lumma uses a smart search system that goes through folders looking for valuable files. It focuses on important areas of the computer where people often save passwords or wallet data. It skips large files to stay fast and undetected, and uses rules to pick out things like:

  • Configuration files

  • Documents with private info

  • Cryptocurrency wallets

This makes it one of the more dangerous types of malware, especially for people who don’t know they’ve been infected.

Command and Control (C2): How Lumma Stealer Stays in Touch with its operator

Lumma Stealer uses a clever technique to hide the servers it talks to (called Command and Control servers, or C2). Instead of listing server addresses directly in the malware, it hides them inside Steam profile names. This lets hackers change the server locations anytime – without having to change the malware itself.

This helps it bypass security tools that look for known bad websites or domains.

How It Communicates

Lumma Stealer uses several smart techniques to keep its messages with the C2 server hidden:

  • Sends HTTP POST requests to specific links to signal that it’s active

  • Hides its messages using Base64 encoding and XOR encryption

  • Dynamically pulls C2 addresses from Steam profiles, making it hard to block

These methods let Lumma stay connected and update instructions while avoiding detection.

Why This Is Dangerous

Even if security teams block known C2 servers, the hackers can quickly switch to new ones just by updating a Steam profile. The infected computers will automatically find the new address, so there’s no need to re-infect the system.

This setup makes Lumma’s communication network very flexible and hard to shut down, which is a big reason why it’s such a serious threat.
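As an added detection example (not part of the original post or of any Twilight Cyber tooling), the following Python correlates constructed proxy log lines to spot the dead-drop pattern described above: a process that is neither a browser nor the Steam client fetches a Steam profile page and shortly afterwards POSTs to a different domain from the same host. The hostnames, process names, profile IDs and the `.invalid` domain are constructed placeholders.

```python
import re
from datetime import datetime, timedelta

# Constructed proxy log lines (not from a real incident), in the shape
# "<utc time> <host> <process> <method> <url>". The .invalid domain is a placeholder.
SAMPLE_LOGS = [
    "2025-04-24T10:00:01Z host1 RegSvcs.exe GET https://steamcommunity.com/profiles/76561199000000001",
    "2025-04-24T10:00:04Z host1 RegSvcs.exe POST https://example-c2.invalid/api",
    "2025-04-24T10:00:09Z host1 RegSvcs.exe POST https://example-c2.invalid/api",
    "2025-04-24T10:05:00Z host2 steam.exe GET https://steamcommunity.com/profiles/76561199000000002",
    "2025-04-24T10:30:00Z host3 chrome.exe GET https://steamcommunity.com/profiles/76561199000000003",
    "2025-04-24T10:30:02Z host3 chrome.exe POST https://www.example.org/login",
]

LINE = re.compile(r"^(\S+) (\S+) (\S+) (GET|POST) (https?://([^/\s]+)\S*)$")
# Processes that legitimately browse Steam profiles; anything else fetching one is odd.
EXPECTED_STEAM_CLIENTS = {"steam.exe", "chrome.exe", "firefox.exe", "msedge.exe"}

def parse(line: str) -> dict:
    ts, host, proc, method, url, domain = LINE.match(line).groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host": host,
            "process": proc, "method": method, "url": url, "domain": domain.lower()}

def is_profile_fetch(e: dict) -> bool:
    return e["domain"] == "steamcommunity.com" and "/profiles/" in e["url"]

def detect_dead_drop_c2(lines, window=timedelta(seconds=60)):
    """Alert when an unexpected process reads a Steam profile and then POSTs
    elsewhere from the same host within the window: the dead-drop C2 pattern."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    alerts = []
    for i, e in enumerate(events):
        if not is_profile_fetch(e) or e["process"].lower() in EXPECTED_STEAM_CLIENTS:
            continue
        for f in events[i + 1:]:
            if f["ts"] - e["ts"] > window:
                break
            same_actor = (f["host"], f["process"]) == (e["host"], e["process"])
            if same_actor and f["method"] == "POST" and f["domain"] != e["domain"]:
                alerts.append({"host": e["host"], "process": e["process"],
                               "c2_candidate": f["domain"], "seen": f["ts"].isoformat()})
                break  # one alert per profile fetch
    return alerts
```

Because the rule keys on the sequence rather than on a specific domain, it still fires after the operator rotates the C2 address in the profile.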

How Lumma Stealer is Distributed

Lumma Stealer isn’t just a tool for expert hackers – it’s part of a subscription-based service called Malware-as-a-Service (MaaS). This means cybercriminals can rent the malware on dark web forums instead of building it themselves.

Pricing starts around $250 for a one-month subscription and goes up to $1,000 for a lifetime license, which includes updates and support.

Why This Is a Big Deal

Because of this model, even people with little technical skill can launch advanced cyberattacks. They don’t need to know how to write malware – they just pay for it and use the ready-made tools and support that come with it.

This setup has made credential theft easier and more widespread. Attackers see it as a cheap and effective way to steal valuable data, like login details and crypto wallets.

What’s Included in the Subscription

The Lumma MaaS offering typically includes:

  • Different subscription plans (weekly, monthly, or lifetime)

  • Regular updates to improve its ability to avoid detection

  • Support services to help buyers deploy and use the malware

Affiliate Program

The people who buy and use Lumma aren’t always developers – they’re often affiliates who rent the malware and use it to steal data. The more they pay, the more powerful features they get, including:

  • Better anti-detection tools

  • More data-stealing options, like passwords and crypto wallets

The developers behind Lumma actively recruit affiliates on underground forums. They also offer technical support and regular updates, helping attackers stay ahead of new security defenses.

How to Detect and Stop Lumma Stealer

Detecting Lumma Stealer means keeping a close eye on unusual activity – especially PowerShell commands that decode large Base64 blobs or apply XOR and other encryption in strange or suspicious ways.
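One way to put this into practice, as an added example that is not from the original post or from any Twilight Cyber tooling: a small Python triage helper that flags a PowerShell script block (for instance the text of a ScriptBlock log entry) carrying a large Base64 blob together with an XOR loop, which is the loader-and-payload chain and XOR-scrambled script pattern described earlier, and then recovers the embedded file to confirm it is a PE. The sample script, its key and the payload are constructed here for illustration, not taken from a real sample.

```python
import base64
import re
from typing import Optional

# Constructed stand-in for an embedded loader: real samples carry a PE, and only
# the "MZ" header matters for the check below.
FAKE_PE = b"MZ" + bytes(range(120))
XOR_KEY = b"k3y"  # constructed key, not one seen in the wild

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; one routine both scrambles and unscrambles."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

# Constructed script block in the shape the post describes (Base64 blob, -bxor
# loop, in-memory load). It is not a real Lumma script.
SAMPLE_SCRIPT = (
    "$k=[Text.Encoding]::ASCII.GetBytes('k3y');"
    "$b=[Convert]::FromBase64String('"
    + base64.b64encode(xor_bytes(FAKE_PE, XOR_KEY)).decode()
    + "');for($i=0;$i -lt $b.Length;$i++){$b[$i]=$b[$i] -bxor $k[$i%$k.Length]};"
    "[Reflection.Assembly]::Load($b)"
)

B64_BLOB = re.compile(r"[A-Za-z0-9+/]{100,}={0,2}")   # long Base64 run
XOR_HINT = re.compile(r"-bxor", re.IGNORECASE)          # PowerShell XOR operator
KEY_HINT = re.compile(r"GetBytes\('([^']+)'\)")         # key literal, if inline

def triage_script_block(text: str) -> dict:
    """Score one script block: a large blob plus an XOR loop is the pattern to alert on."""
    blobs = B64_BLOB.findall(text)
    return {
        "blob_count": len(blobs),
        "largest_blob": max((len(b) for b in blobs), default=0),
        "xor_loop": bool(XOR_HINT.search(text)),
        "suspicious": bool(blobs) and bool(XOR_HINT.search(text)),
    }

def extract_key(text: str) -> Optional[bytes]:
    """Pull the XOR key when the script embeds it as an ASCII literal."""
    m = KEY_HINT.search(text)
    return m.group(1).encode() if m else None

def recover_embedded_file(text: str, key: bytes) -> Optional[bytes]:
    """Base64-decode the largest blob, XOR-unwrap it and keep it only if it is a PE."""
    blobs = B64_BLOB.findall(text)
    if not blobs:
        return None
    data = xor_bytes(base64.b64decode(max(blobs, key=len)), key)
    return data if data.startswith(b"MZ") else None
```

Running the recovered bytes through your normal PE analysis (hashing, signature checks, sandbox detonation) turns the alert into something an incident responder can act on.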

How to Protect Against It

To reduce the risk of a Lumma Stealer infection and protect your organization’s identity data, consider the following steps – especially when paired with Twilight Cyber’s Identity Threat Protection:

  • Use strong email filters to block phishing emails containing hidden or scrambled scripts
  • Monitor for identity threats in real time using Twilight Cyber’s platform, which detects infected machines within hours of infection, allowing you to quickly identify and clean compromised machines, and mitigate leaked credentials.
  • Disable PowerShell if it’s not needed, or restrict who can use it
  • Allow only trusted apps to run, using application whitelisting

Twilight Cyber helps you detect infected machines and stolen credentials within hours, giving you the visibility and speed needed to mitigate any Lumma stealer infection before it can be exploited.
