The malware is used by malign actors to steal bank account information, credit card data, passwords, and cryptocurrency wallets, the company says.
Tech giant Microsoft warned that nearly 400,000 computers with its Windows operating system were infected with a type of malware and that it is taking legal action against the perpetrator.
In a blog post, the company said it broke down the Lumma Stealer malware project with assistance from law enforcement officials around the world. The Lumma malware is heavily used by malign actors, the company said, adding that it is used to steal bank account information, credit card data, passwords, and cryptocurrency wallets.
Between March 16 and May 16, around 394,000 computers with Windows were found to have the malware around the world, the company said.
“Working with law enforcement and industry partners, we have severed communications between the malicious tool and victims,” Microsoft said in its post Wednesday. “Moreover, more than 1,300 domains seized by or transferred to Microsoft, including 300 domains actioned by law enforcement with the support of Europol, will be redirected to Microsoft sinkholes.”
A court order granted in the U.S. District Court of the Northern District of Georgia allowed Microsoft to seize and take down “approximately 2,300 malicious domains that formed the backbone of Lumma’s infrastructure,” while the Department of Justice also “seized the central command structure for Lumma and disrupted the marketplaces where the tool was sold to other cybercriminals.”
Other companies like Cloudflare, Lumen, and Bitsight also assisted in taking down the malware operation.
Lumma is a type of malware-as-a-service that has been marketed and sold via “underground forums” over the past three years, according to Microsoft. Several versions were released over the past several years, becoming a “go-to tool for cybercriminals and online threat actors.”
“The malware impersonates trusted brands, including Microsoft, and is deployed via spear-phishing emails and malvertising, among other vectors,” Microsoft said.
In an example, Microsoft said a phishing campaign in March 2025 enabled bad actors to dupe people into believing they were part of the online travel service Booking.com before using the malware to commit financial crimes.
