Executive Summary
In January 2026, an ongoing wave of Lumma Stealer infections demonstrated a distinctive post-infection pattern on Windows hosts. After initial data exfiltration, compromised machines retrieved a malicious PowerShell payload from Pastebin, which led to repeated execution of mshta commands against a .cc command and control (C2) domain—fileless-market[.]cc. The malware automatically created dozens of scheduled tasks, each triggering outbound HTTPS connections to the C2 infrastructure over many hours, elevating the risk of persistent infiltration and extended data leakage. This approach resulted in a marked increase in C2 traffic and operational risk for affected organizations.
This case is relevant now as it highlights a trend of increasingly persistent infostealer operations leveraging fileless persistence, public paste sites, and escalated task creation for resilience. Security teams must be alert to novel automation and scripting techniques that facilitate stealthy C2 traffic and recurring infections, especially as infostealers like Lumma gain popularity in the cybercriminal ecosystem.
Why This Matters Now
The Lumma Stealer attack showcases the evolution of persistent, automated infostealer threats that exploit scheduled tasks and public scripting sites to evade detection. This method amplifies data exfiltration and increases dwell time, posing urgent risks to enterprise visibility, compliance, and response capabilities.
Attack Path Analysis
The Lumma Stealer infection began with the execution of a malicious PowerShell command, gaining an initial foothold on the Windows host. Privilege escalation is not explicitly detailed; local persistence was plausibly achieved through the scheduled tasks the malware created. Lateral movement was not directly observed but could be attempted via east-west traffic if the adversary sought to expand access. The malware maintained robust command and control (C2) by repeatedly contacting a remote domain from those scheduled tasks. Data exfiltration likely occurred early via outbound HTTPS sessions to threat actor infrastructure, with continued egress for possible secondary payload retrieval or beaconing. The impact was persistent unauthorized access and data theft, resulting in sustained communications with external malicious infrastructure.
Kill Chain Progression
Initial Compromise
Description
The attacker compromised the endpoint by delivering and executing a malicious PowerShell script fetched from a Pastebin URL, which launched a follow-up infection.
Related CVEs
CVE-2024-21412
CVSS 8.1. A security feature bypass vulnerability in Microsoft Defender SmartScreen allows attackers to deliver information stealers such as Lumma Stealer.
Affected Products:
Microsoft Windows – 10, 11, Server 2019, Server 2022
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
PowerShell
Scheduled Task/Job: Scheduled Task
Ingress Tool Transfer
Application Layer Protocol: Web Protocols
Phishing: Spearphishing Link
Signed Binary Proxy Execution: MSHTA
Automated Exfiltration
Exfiltration Over Web Service
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Automated Log Review
Control ID: 10.2.5
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
NIS2 Directive – Incident Detection & Monitoring
Control ID: Art. 21(2)d
DORA – ICT Risk Management Framework
Control ID: Article 9.2(a)
CISA ZTMM 2.0 – Continuous Monitoring and Analytics
Control ID: NIST.SP.800-207.SR.2
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Lumma Stealer's data exfiltration capabilities pose severe risks to financial institutions, requiring enhanced egress security and threat detection to prevent credential theft and regulatory violations.
Health Care / Life Sciences
Infostealer malware threatens patient data confidentiality through scheduled task persistence, necessitating zero trust segmentation and encrypted traffic monitoring for HIPAA compliance protection.
Computer Software/Engineering
Software companies face intellectual property theft and supply chain compromise risks from persistent C2 communications, requiring multicloud visibility and anomaly detection capabilities.
Government Administration
Government entities are vulnerable to credential harvesting and lateral movement attacks, demanding comprehensive east-west traffic security and intrusion prevention systems for sensitive operations.
Sources
- Infection repeatedly adds scheduled tasks and increases traffic to the same C2 domain (SANS ISC diary, Wed, Jan 14th): https://isc.sans.edu/diary/Infection%2Brepeatedly%2Badds%2Bscheduled%2Btasks%2Band%2Bincreases%2Btraffic%2Bto%2Bthe%2Bsame%2BC2%2Bdomain/32628
- Hackers exploit Microsoft Defender SmartScreen bug CVE-2024-21412 to deliver ACR, Lumma, and Meduza Stealers: https://securityaffairs.com/166152/security/cve-2024-21412-flaw-info-stealers.html
- Microsoft Defender Flaw Exploited to Deliver ACR, Lumma, and Meduza Stealers: https://thehackernews.com/2024/07/microsoft-defender-flaw-exploited-to.html
Cloud Native Security Fabric (CNSF) Mitigations and Controls
The layered application of Zero Trust segmentation, egress enforcement, and anomaly detection controls would have substantially contained this kill chain by preventing unauthorized outbound connections, isolating workloads, and enabling early detection of persistent malicious behavior.
Control: Cloud Firewall (ACF)
Mitigation: Blocked malicious script retrieval from known or suspicious external sources.
Control: Zero Trust Segmentation
Mitigation: Limited persistence attempts to only sanctioned applications and processes.
Control: East-West Traffic Security
Mitigation: Blocked unauthorized east-west traffic between workloads.
Control: Egress Security & Policy Enforcement
Mitigation: Detected and blocked repeated C2 communications to unapproved external destinations.
Control: Encrypted Traffic (HPE)
Mitigation: Enforced secure, monitored data-in-transit policies and detected anomalous outbound data flows.
Rapid detection of abnormal persistence or C2 patterns enabled prompt incident response.
Impact at a Glance
Affected Business Functions
- Data Security
- IT Operations
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive information including credentials, financial data, and personal identifiable information due to Lumma Stealer infection.
Recommended Actions
Key Takeaways & Next Steps
- Enforce strong outbound internet and FQDN filtering to prevent retrieval and execution of malicious scripts from known threat sources.
- Apply zero trust microsegmentation to restrict internal movement and isolate infected workloads, reducing lateral attack potential.
- Continuously monitor for anomalous scheduled task creation and repetitive outbound connections using real-time threat detection tools.
- Enable robust egress security controls to detect and block unapproved encrypted data flows, even over HTTPS.
- Centrally manage and enforce least-privilege identity and access policies to limit persistence mechanisms and scheduled task abuse.
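As an added example (not code from the SANS diary or from this page's authors), the following PowerShell hunt implements the monitoring recommendation above against the pattern described in the attack path: registered tasks whose action launches mshta.exe or another script host, and a burst of Security 4698 task-creation events in a short window. The lookback window, the threshold, the script-host list and the `https?://` heuristic are assumptions; the defanged C2 indicator is the page's own.

```powershell
# Added hunt for the Lumma scheduled-task persistence pattern: tasks that launch a script
# host or reference the C2 domain, plus a burst of 4698 events (needs "Audit Other Object Access Events").
param(
    [int]$WindowMinutes = 60,          # assumed lookback for the creation burst
    [int]$TaskThreshold = 10,          # assumed alert threshold; the diary reports "dozens" of tasks
    [string[]]$ScriptHosts = @('mshta.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe'),
    [string]$C2Indicator = 'fileless-market[.]cc'   # defanged indicator from the page
)
$needle = $C2Indicator -replace '\[\.\]', '.'   # un-defang so it matches real task arguments
# 1. Inspect every action of every registered task.
$flagged = @(foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }       # skip COM-handler / e-mail actions
        $exe    = [System.IO.Path]::GetFileName($action.Execute).ToLower()
        $argStr = [string]$action.Arguments
        if ($ScriptHosts -contains $exe -or
            $argStr -match [regex]::Escape($needle) -or
            $argStr -match 'https?://') {            # heuristic: task arguments carrying a URL
            [pscustomobject]@{
                Task      = $task.TaskPath + $task.TaskName
                Author    = $task.Author
                Execute   = $action.Execute
                Arguments = $argStr
            }
        }
    }
})
# 2. Parse 4698 events in the window; TaskContent carries the task XML, action included.
$since   = (Get-Date).AddMinutes(-$WindowMinutes)
$created = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml(); $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            TaskName = $d['TaskName']
            Creator  = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Content  = $d['TaskContent']
        }
    })
$burst = @($created | Where-Object { $_.Content -match 'mshta|powershell|pwsh|wscript|cscript' })
# 3. Report. Either signal alone merits triage; both together match this infection closely.
$flagged | Format-Table -AutoSize
if ($burst.Count -ge $TaskThreshold) {
    Write-Warning "$($burst.Count) script-host tasks created since $since (threshold $TaskThreshold)"
    $burst | Select-Object Time, TaskName, Creator | Format-Table -AutoSize
}
```

Run it elevated on a suspect host; the 4698 section returns nothing until scheduled-task auditing is enabled, so the registered-task sweep is the part that works everywhere.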