Malware, Endpoint/Device Security

LummaC2 infostealer uses obfuscated scripts via PowerShell to target endpoints


A new sample of the LummaC2 infostealer was observed using a series of PowerShell commands that downloaded and executed a payload on a targeted endpoint.

In a recent blog post, researchers at Ontinue described LummaC2 as an information-stealing malware written in the C programming language that’s designed to steal sensitive information.

The researchers said the malware was observed being used as malware-as-a-service (MaaS), and was seen on Russian-speaking forums starting in 2022. The malware infects the target host and aims to steal information from the endpoint and then exfiltrate it to the C2 server.

“The key takeaway from our analysis is a reinforcement of the importance of monitoring and mitigating obfuscated scripts, particularly those delivered via PowerShell,” said Rhys Downing, cyber defender at Ontinue. “While the use of obfuscated PowerShell commands is not new, it remains a highly effective technique for attackers. Security teams should prioritize enhancing their detection and response capabilities around such tactics, ensuring that even well-known methods are continuously scrutinized and blocked.”

Why security pros should pay attention to LummaC2's resurgence

LummaC2’s resurgence highlights significant risks because of its sophisticated use of PowerShell and “living-off-the-land” binaries already available within an environment, making it harder to detect and mitigate, said Jason Soroko, senior fellow at Sectigo.

Unlike typical PowerShell-based malware, Soroko said LummaC2 combines obfuscation, trusted Windows binaries (Mshta.exe and Dllhost.exe), and persistence techniques via registry modifications to evade defenses and maintain long-term control.

“The critical takeaway is the malware’s advanced multi-stage infection process and ability to exploit legitimate system tools, which requires heightened vigilance and proactive defense strategies from security teams,” said Soroko. “While PowerShell commands are commonly exploited, LummaC2’s combination of tactics presents a unique and more challenging threat.”
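As an added illustration of the detection emphasis above (example code written for this article, not Ontinue's or Sectigo's tooling), the Python below triages constructed process-creation events for the three signals described: a base64 -EncodedCommand argument (decoded from UTF-16LE, which is the encoding PowerShell expects), a script host spawned by mshta.exe or dllhost.exe, and a command line that writes a Run/RunOnce registry key. The event tuples, field layout and sample command lines are constructed for the example.

```python
import base64
import re
from typing import List, Optional, Tuple

# Constructed sample: a benign script carried as an EncodedCommand argument.
# PowerShell expects base64 over the UTF-16LE bytes of the script text.
SAMPLE_SCRIPT = "Write-Output 'hello from the lab'"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16le")).decode("ascii")

# Constructed process-creation events (not from the article):
# (parent image, image, command line).
SAMPLE_EVENTS = [
    ("explorer.exe", "powershell.exe", f"powershell.exe -nop -w hidden -enc {SAMPLE_ENCODED}"),
    ("mshta.exe", "powershell.exe", "powershell.exe -c Get-Date"),
    ("dllhost.exe", "reg.exe",
     r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /d C:\Users\Public\u.exe"),
    ("explorer.exe", "notepad.exe", "notepad.exe notes.txt"),
]

# Trusted Windows binaries the article names as abused links in the chain.
SUSPICIOUS_PARENTS = {"mshta.exe", "dllhost.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Matches -e, -ec, -enc or -encodedcommand followed by a base64 blob (approximate).
ENCODED_RE = re.compile(r"-e(?:nc(?:odedcommand)?|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\b", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of an -EncodedCommand argument, or None if absent or undecodable."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_event(parent: str, image: str, cmdline: str) -> List[Tuple[str, str]]:
    """Apply the three detections to one event and return (rule, detail) findings."""
    findings = []
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append(("encoded_powershell", decoded))
    if parent.lower() in SUSPICIOUS_PARENTS and image.lower() in SCRIPT_HOSTS:
        findings.append(("lolbin_parent", f"{parent} -> {image}"))
    if RUN_KEY_RE.search(cmdline):
        findings.append(("run_key_persistence", cmdline))
    return findings


def triage_all(events=SAMPLE_EVENTS) -> dict:
    """Map each flagged command line to its findings; clean events are omitted."""
    results = {}
    for parent, image, cmdline in events:
        findings = triage_event(parent, image, cmdline)
        if findings:
            results[cmdline] = findings
    return results
```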

Itzik Alvas, co-founder and CEO at Entro Security, added that the LummaC2 infostealer lets attackers compromise credentials of human and non-human identities (NHIs) on infected systems. Alvas said while the initial scope of attack is often relatively benign and most industries have standardized IAM and governance controls in place to limit risks associated with compromised human credentials, NHIs are often created and used with excessive permissions.

“As a result, compromised NHIs allow attackers on an infected system to covertly attack the entire organization from within,” said Alvas.
