Threat Actors Deploy LummaC2 Malware to Exfiltrate Sensitive Data from Organizations
The FBI and CISA have released a joint advisory on the LummaC2 malware, which can infiltrate computer networks and exfiltrate sensitive information of individuals and organizations across multiple US critical infrastructure sectors. The malware has been observed as recently as May 2025, with indicators of compromise dating back to November 2023. LummaC2 is typically deployed through spearphishing hyperlinks and attachments, and can bypass standard cybersecurity measures. Once infected, the malware can exfiltrate sensitive user information, including personally identifiable information, financial credentials, and multifactor authentication details. The malware uses a command and control server to receive instructions, and can steal data, take screenshots, and delete itself. The advisory includes indicators of compromise, and recommends that organizations investigate and vet these indicators prior to taking action. The FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of the advisory to reduce the likelihood and impact of LummaC2 malware. The advisory uses the MITRE ATT&CK Matrix for Enterprise framework to map threat actor activity to tactics and techniques. The LummaC2 malware has been observed for sale on Russian-language speaking cybercriminal forums since 2022, and has been used to steal sensitive information from over 21,000 victims.