Microsoft takes down malware found on 394,000 Windows PCs

Info-stealer malware has been on the rise recently, and that’s evident from the billions of user records leaked online in the past year alone. This type of malware targets everything from your name, phone number, and address to financial details and cryptocurrency. Leading the charge is the Lumma info-stealer.

I have been reporting on this malware since last year, and security researchers have called it one of the most dangerous info-stealers, infecting millions. There have been countless incidents of Lumma targeting people’s personal data (more on this later), but the good news is that Microsoft has taken it down.

The Redmond-based company announced that it has dismantled the Lumma Stealer malware operation with the help of law enforcement agencies around the world.

A person is using a laptop in a dark room

What you need to know

Microsoft confirmed that it has successfully taken down the Lumma Stealer malware network in collaboration with law enforcement agencies around the world. In a blog post, the company revealed that its Digital Crimes Unit had tracked infections on more than 394,000 Windows devices globally between March 16 and May 16.

Lumma was a go-to tool for cybercriminals, often used to siphon off sensitive information like login credentials, credit card numbers, bank account details, and cryptocurrency wallet data. The malware’s reach and impact made it a favored choice among threat actors for financial theft and data breaches.

To disrupt the malware’s operation, Microsoft obtained a court order from the U.S. District Court for the Northern District of Georgia, which allowed the company to take down key domains that supported Lumma’s infrastructure. This was followed by the U.S. Department of Justice stepping in to seize control of Lumma’s core command system and shut down marketplaces where the malware was being sold.

International cooperation played a major role as well. Japan’s cybercrime unit helped dismantle Lumma’s locally hosted infrastructure, while Europol assisted in actions against hundreds of domains used in the operation. In total, over 1,300 domains were seized or redirected to Microsoft-managed sinkholes to prevent further damage.

Microsoft says this takedown effort also included support from industry partners such as Cloudflare, Bitsight, and Lumen, who helped dismantle the broader ecosystem that enabled Lumma to thrive.

A Windows laptop on a wooden table

NEW MALWARE EXPLOITS FAKE UPDATES TO STEAL DATA

More about the Lumma info-stealer

Lumma is a Malware-as-a-Service (MaaS) that has been marketed and sold through underground forums since at least 2022. Over the years, its developers have released multiple versions to continually improve its capabilities. I first reported on Lumma back in February last year, when it was used by hackers to access Google accounts using expired cookies that contained login information.

Lumma continued targeting users, with reports in October 2024 revealing it was impersonating fake human verification pages to trick Windows users into sharing sensitive information. The malware wasn’t limited to Windows. In January 2024, security researchers found that the info-stealer malware was targeting 100 million Mac users, stealing browser credentials, cryptocurrency wallets, and other personal data.

A Windows laptop on a wooden table

HOW TO REMOVE MALWARE ON A PC (2025)

6 ways you can protect yourself from info-stealer malware

To protect yourself from the evolving threat of info-stealer malware, which continues to target users through sophisticated social engineering tactics, consider implementing these six essential security measures:

1) Be skeptical of CAPTCHA prompts: Legitimate CAPTCHA tests never require you to press Windows + R, copy commands, or paste anything into PowerShell. If a website instructs you to do this, it’s likely a scam. Close the page immediately and avoid interacting with it.

2) Don’t click links from unverified emails and use strong antivirus software: Many info-stealer attacks start with phishing emails that impersonate trusted services. Always verify the sender before clicking on links. If an email seems urgent or unexpected, go directly to the company’s official website instead of clicking any links inside the email.

The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have strong antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.

My top pick is TotalAV.

TotalAV is easy to set up and offers real-time protection for paid users, keeping your devices safe around the clock. It includes tools to block phishing scams, remove ransomware and spyware, and clean up adware and junk files. The software also features a browser manager, system tune-up tools, and protects across Windows, Mac, Android, and iOS devices.

GET MY EXCLUSIVE CYBERGUY TOTALAV DEAL:

$19 your first year (protects 5 devices)

Please note:
1) If you're having difficulty seeing either of the above deals, do this:

- If you're on a mobile device, hold down the link above, "Copy Link", and then paste it into a private or incognito browser.

- If you're on a laptop or desktop, right click the link, "Copy Link", and then paste it into a private or incognito browser.

2) During registration you may see optional upsells you can decline. Our top pick is the core antivirus product.

3) If you need help after your purchase, you can reach TotalAV directly through their official support page here.

3) Enable two-factor authentication: Enable two-factor authentication (2FA) whenever possible. This adds an extra layer of security by requiring a second form of verification, such as a code sent to your phone, in addition to your password.

4) Keep devices updated: Regularly updating your operating system, browser, and security software ensures you have the latest patches against known vulnerabilities. Cybercriminals exploit outdated systems, so enabling automatic updates is a simple but effective way to stay protected.

5) Monitor your accounts for suspicious activity and change your passwords: If you’ve interacted with a suspicious website, phishing email, or fake login page, check your online accounts for any unusual activity. Look for unexpected login attempts, unauthorized password resets, or financial transactions that you don’t recognize. If anything seems off, change your passwords immediately and report the activity to the relevant service provider. Also, consider using a password manager to generate and store complex passwords.

One of the best password managers out there is NordPass. It is secure, user-friendly, and uses zero-knowledge architecture with military-grade XChaCha20 encryption to protect your data. NordPass works across Windows, macOS, Linux, Android, iOS, and major browsers and includes features like:

Unlimited password storage
Secure sharing
Password health reports
Auto-fill and emergency access
Data breach monitoring to alert you if your credentials have been exposed
A Security Dashboard with tools like the Data Breach Scanner and Password Health Checker to identify weak, reused, or compromised passwords

Use NordPass to check if your email or passwords have shown up in known data breaches, and take immediate action if they have.

CyberGuy Exclusive Deal: Save 52% now with CyberGuy’s exclusive NordPass offer – Get 1 extra month FREE with a 2-year plan. Try 30 days risk-free for only $1.43 per month!

6) Invest in a personal data removal service: Consider using a service that monitors your personal information and alerts you to potential breaches or unauthorized use of your data. These services can provide early warning signs of identity theft or other malicious activities resulting from info-stealer malware

or similar attacks. While no service promises to remove all your data from the internet, having a removal service is great if you want to constantly monitor and automate the process of removing your information from hundreds of sites continuously over a longer period of time.

Incogni, a service I trust 100% and use myself, helps automate the process by submitting removal requests to hundreds of data brokers and people-search sites on your behalf.

Incogni automatically contacts data brokers on your behalf and requests the removal of your personal information. It also continues monitoring those sites and submits new removal requests if your data reappears.

Incogni currently removes personal data from 420+ data broker and people-search websites, and its Unlimited plan allows you to request removals from as many additional sites as you need.
Incogni has also received third-party assurance from Deloitte, validating its marketing claims.
The goal is simple: make it much harder for strangers, scammers, and cybercriminals to find your personal information online.

CyberGuy Exclusive: 60% off

CyberGuy readers get 60% off Incogni’s annual plans using the links in this article.

The service also includes a 30-day money-back guarantee, so you can try it risk-free and see how much of your information is exposed online.

```

Kurt’s key takeaway

Microsoft’s takedown of the Lumma Stealer malware network is a major win in the fight against info-stealers, which have fueled a surge in data breaches over the past year. Lumma had become a go-to tool for cybercriminals, targeting everything from browser credentials to crypto wallets across Windows and Mac systems. I’ve been tracking this malware since early 2024, and its ability to impersonate human verification pages and abuse expired cookies made it especially dangerous.

Do you feel tech companies are doing enough to protect users from malware like this? Let us know in the comments below.

FOR MORE OF MY TECH TIPS & SECURITY ALERTS, SUBSCRIBE TO MY FREE CYBERGUY REPORT NEWSLETTER HERE

Print this article