In a blog post, Microsoft said it had disrupted the Lumma Stealer malware operation with assistance from law enforcement officials around the world. Lumma is heavily used by malign actors, the company said, to steal bank account information, credit card data, passwords, and cryptocurrency wallet data.
Between March 16 and May 16, 2025, around 394,000 Windows computers worldwide were found to be infected with the malware, the company said.
“Working with law enforcement and industry partners, we have severed communications between the malicious tool and victims,” Microsoft said in its post Wednesday. “Moreover, more than 1,300 domains seized by or transferred to Microsoft, including 300 domains actioned by law enforcement with the support of Europol, will be redirected to Microsoft sinkholes.”
A court order granted in the U.S. District Court for the Northern District of Georgia allowed Microsoft to seize and take down “approximately 2,300 malicious domains that formed the backbone of Lumma’s infrastructure,” while the Department of Justice also “seized the central command structure for Lumma and disrupted the marketplaces where the tool was sold to other cybercriminals.”
Cloudflare, Lumen, Bitsight, and other companies also assisted in taking down the malware operation.
Lumma is malware-as-a-service that has been marketed and sold on “underground forums” for the past three years, according to Microsoft. Several versions were released in that time as it became a “go-to tool for cybercriminals and online threat actors.”
“The malware impersonates trusted brands, including Microsoft, and is deployed via spear-phishing emails and malvertising, among other vectors,” Microsoft said.
As an example, Microsoft cited a phishing campaign in March 2025 in which attackers impersonated the online travel service Booking.com to lure victims, then used the malware to commit financial crimes.
“Lumma has also been used to target gaming communities and education systems and poses an ongoing risk to global security, with reports from multiple cybersecurity companies outlining its use in attacks against critical infrastructure, such as the manufacturing, telecommunications, logistics, finance, and healthcare sectors,” Microsoft said.
The DOJ also confirmed on Wednesday that it has seized five internet domains used by malicious cyber actors to operate the LummaC2 information-stealing malware service. The FBI’s Dallas Field Office is investigating the case.
“The growth and resilience of Lumma Stealer highlight the broader evolution of cybercrime and underscore the need for layered defenses and industry collaboration to counter threats,” Microsoft said in a separate blog post on the malware.
Microsoft’s statement comes as Britain and allies, including the United States, separately issued an advisory on Wednesday, warning of a Russian state-sponsored cyber campaign targeting the delivery of support to Ukraine and Western logistics entities and technology companies.