Severity: high | 🔑 Stealer
Investigated: March 5, 2026 | Published: March 5, 2026

LummaC2 v4.0 Dissected: CFF Obfuscation, Heaven's Gate Syscalls, and Trigonometric Anti-Sandbox in a MaaS Infostealer

#stealer #lumma #phishing #social-engineering #c2 #ransomware #apt

TL;DR: A LummaC2 v4.0 information stealer sample from September 2023 employs Control Flow Flattening with 32-bit state constants, Heaven's Gate to reach 64-bit ntdll syscalls from a WoW64 process, MurmurHash2 API hashing (seed 0x20), and a novel trigonometry-based anti-sandbox check that computes atan2 on consecutive mouse-cursor deltas to reject non-human movement. The file carries 10 new_imp PE sections that record successive passes of Import Address Table reconstruction. Both C2 domains -- bearboll[.]fun and slimtvsocico[.]fun -- were part of a 150+ domain campaign documented by Silent Push and were later swept up in the May 2025 Microsoft/DOJ/Europol takedown of 2,300 Lumma domains. Despite that operation, LummaC2 rebuilt within weeks and remains one of the most active stealers globally in 2026.


Sample Overview

Property        Value
SHA-256         02045e58aba74d3619e3bb428f033ca51fb21735d36cf8f62cb7e08a21c7e4bc
SHA-1           594b4ace64f5470d9aea8ddbc2d92c0abbf7f707
MD5             2cf964844a29df5ac9e708858f534e4c
Size            550,672 bytes (537.8 KB)
Format          PE32 executable (GUI), Intel 80386, 14 sections
Compile Time    2023-09-13 21:51:27 UTC (0x65022EDF)
Build ID        kJQULo
Campaign        default
C2 Primary      bearboll[.]fun (dead)
C2 Fallback     slimtvsocico[.]fun (dead)
Version         LummaC2 v4.0
MaaS Operator   Shamel ($250-$1,000/mo subscription)

The binary has ASLR enabled but DEP disabled (the NX_COMPAT characteristic is clear). There is no Rich Header, no debug directory, no digital signature and no resource section: a stripped build consisting of .text, .rdata, .data and .reloc plus the 10 new_imp sections left behind by import-table reconstruction.


PE Structure: 10-Stage IAT Reconstruction

The most immediately notable structural artifact is the presence of 10 identically named new_imp sections appended to the PE. They record successive passes of import-table reconstruction: each pass appended a fresh section holding the rebuilt names rather than overwriting the previous one. Because the sections are present in the file as distributed, the rebuilding happened in the build or packing pipeline, not while the sample runs:

Section     VA          VSize     RawSize   Entropy   Characteristics
.text       0x1000      0x6291C   0x62A00   6.84      CODE, EXEC, READ
.rdata      0x64000     0xBCB4    0xBE00    5.80      INIT_DATA, READ
.data       0x70000     0x2056    0x2200    3.05      INIT_DATA, READ, WRITE
.reloc      0x73000     0x1FE8    0x2000    6.56      INIT_DATA, DISCARDABLE, READ
new_imp #1  0x75000     0x1000    0x1000    4.73      INIT_DATA, READ, WRITE
new_imp #2  0x76000     0x1200    0x1200    4.70      INIT_DATA, READ, WRITE
new_imp #3  0x78000     0x1400    0x1400    4.63      INIT_DATA, READ, WRITE
new_imp #4  0x7A000     0x1A00    0x1A00    4.68      INIT_DATA, READ, WRITE
new_imp #5  0x7C000     0x1C00    0x1C00    4.46      INIT_DATA, READ, WRITE
new_imp #6  0x7E000     0x1E00    0x1E00    4.38      INIT_DATA, READ, WRITE
new_imp #7  0x80000     0x2000    0x2000    4.44      INIT_DATA, READ, WRITE
new_imp #8  0x82000     0x2400    0x2400    4.49      INIT_DATA, READ, WRITE
new_imp #9  0x85000     0x3600    0x3600    4.65      INIT_DATA, READ, WRITE
new_imp #10 0x89000     0x3600    0x3510    4.42      INIT_DATA, READ, WRITE

Each new_imp section contains the same DLL and function names in increasing quantities, from 66 strings (5 DLLs) in section 1 to 530 strings (the full set) in section 10. All carry characteristics 0xC0000040 (IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE) and hold no executable code. The final reconstruction yields 449 unique imported functions across 15 DLLs.

The .text entropy of 6.84 is higher than typical unobfuscated x86 code but below the 7.5+ range that compressed or encrypted payloads exhibit, which is consistent with code that is heavily obfuscated (dense CFF constants, XOR-encrypted string data) but not packed. Entropy is a heuristic, so treat this as corroborating the unpacked reading rather than proving it.
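The section table and timestamp above are the kind of output a few lines of dependency-free parsing produce. The following is an added example, not tooling from the original write-up: it walks the PE section headers by hand, decodes the TimeDateStamp, computes per-section Shannon entropy and flags repeated section names. The PE image it runs on is constructed in the block (stamped with this sample's 0x65022EDF), not the real binary.

```python
"""Walk PE section headers by hand (no pefile dependency): decode the
TimeDateStamp, compute per-section Shannon entropy and flag repeated
section names such as the new_imp pattern above."""
import math
import struct
from collections import Counter
from datetime import datetime, timezone

# IMAGE_SCN_* bits needed to render the Characteristics column.
FLAG_NAMES = {
    0x00000020: "CODE", 0x00000040: "INIT_DATA", 0x02000000: "DISCARDABLE",
    0x20000000: "EXEC", 0x40000000: "READ", 0x80000000: "WRITE",
}

def shannon_entropy(data):
    """Bits per byte over the raw section bytes (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def describe_flags(flags):
    return ", ".join(name for bit, name in FLAG_NAMES.items() if flags & bit)

def compile_time(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

def parse_sections(pe):
    """Return (TimeDateStamp, [section dicts]) from a PE image held in memory."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    _machine, nsects, ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", pe, coff)
    hdr = coff + 20 + opt_size            # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(nsects):
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", pe, hdr + 40 * i)
        raw = pe[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "rawsize": rawsize,
            "entropy": round(shannon_entropy(raw), 2),
            "flags": describe_flags(flags),
        })
    return ts, sections

def repeated_names(sections):
    """Section names that occur more than once, with their counts."""
    return {n: c for n, c in Counter(s["name"] for s in sections).items() if c > 1}

def build_test_pe(ts, specs):
    """Construct a minimal PE32 (test input only, not a real sample) from
    (name, raw_bytes, flags) tuples; 0x200 file / 0x1000 section alignment."""
    opt_size, e_lfanew = 0xE0, 0x40
    raw_start = (e_lfanew + 4 + 20 + opt_size + 40 * len(specs) + 0x1FF) & ~0x1FF
    out = bytearray(b"MZ" + b"\0" * 0x3A) + struct.pack("<I", e_lfanew) + b"PE\0\0"
    out += struct.pack("<HHIIIHH", 0x14C, len(specs), ts, 0, 0, opt_size, 0x102)
    out += b"\0" * opt_size
    body, va, rawptr = bytearray(), 0x1000, raw_start
    for name, data, flags in specs:
        rawsize = (len(data) + 0x1FF) & ~0x1FF
        out += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                           len(data), va, rawsize, rawptr, 0, 0, 0, 0, flags)
        body += data.ljust(rawsize, b"\0")
        va += (len(data) + 0xFFF) & ~0xFFF
        rawptr += rawsize
    return bytes(out.ljust(raw_start, b"\0") + body)

# Constructed image: uniform bytes (entropy 8.0), zeros (0.0) and two new_imp
# sections, stamped with the sample's TimeDateStamp 0x65022EDF.
SAMPLE_PE = build_test_pe(0x65022EDF, [
    (".text", bytes(range(256)) * 4, 0x60000020),
    (".data", b"\0" * 512, 0xC0000040),
    ("new_imp", b"KERNEL32.dll\0LoadLibraryA\0", 0xC0000040),
    ("new_imp", b"KERNEL32.dll\0LoadLibraryA\0GetProcAddress\0", 0xC0000040),
])

if __name__ == "__main__":
    ts, secs = parse_sections(SAMPLE_PE)
    print("compiled:", compile_time(ts))
    for s in secs:
        print(f"{s['name']:<8} VA={s['va']:#08x} raw={s['rawsize']:#06x} H={s['entropy']:.2f} {s['flags']}")
    print("repeated section names:", repeated_names(secs))
```

Point it at a real file with `parse_sections(open(path, "rb").read())`. Entropy is computed over the raw bytes including alignment padding, which is what most triage tools do, so the numbers are comparable with the table above; a TimeDateStamp of zero or in the future is a tampering signal, whereas this sample's stamp lines up with the certificate timeline discussed later.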


Control Flow Flattening: The State Machine

LummaC2 v4.0's signature obfuscation is Control Flow Flattening (CFF): each function is rewritten as a dispatcher loop that selects the next basic block by comparing a state variable against large 32-bit constants. The cmp/jg cascade below is a binary-search tree over the sorted state constants, the code a compiler emits for a sparse switch, so the original block order is no longer visible in the layout.

From the C2 check function at 0x41EBBC:

mov  dword ptr [ebp-0x10], 0x26CFC4F5   ; initial state
; ... dispatcher loop:
cmp  eax, 0xF0FD0D8D                    ; state comparison
jg   0x41EC43
cmp  eax, 0xC5B885AC
jg   0x41ECEF
; ... cascading cmp/je/jg/jle for each state block

Opaque predicates and arithmetic obfuscation further confuse static analysis: sequences such as the following evaluate to a result that is fixed for every value that actually reaches them, but a decompiler cannot prove that and reproduces the arithmetic verbatim:

shr  esi, 0xF
lea  esi, [esi+esi*4]
shl  esi, 4
add  esi, 0x49
shr  esi, 2
and  esi, 0x7FFFF8

Jump targets are also obfuscated through multiplication chains. Note that the first imul below is dead: the second imul overwrites ecx from the same operand, so only the second multiply, the shift and the final imul contribute to the target. Junk instructions of this kind accompany the real computation:

imul ecx, dword ptr [esp+4], 0xF800
imul ecx, dword ptr [esp+4], 0xC9
shr  ecx, 0x17
imul eax, ecx, 0x33

All stealer-relevant strings -- browser paths, wallet names, API endpoints, HTTP headers -- are XOR-encrypted and only decrypted at runtime through the CFF state machine. Zero browser, wallet, or credential-related strings appear in plaintext anywhere in the binary.
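To make the flattening concrete, here is an added example (not code from the sample or from the original write-up) of a small routine in flattened form, using the state constants from the dispatcher listing above, together with the first step of de-flattening it: recording each block's possible successor states and recovering the control-flow graph, including the loop the dispatcher hides. The block bodies (a runtime XOR string decoder, the kind of routine the encrypted strings above are fed through) and the exit state 0x7A1E3C90 are illustrative assumptions.

```python
"""A control-flow-flattened routine in the shape described above, and the
first step an analyst takes to undo it: recovering block order from the
state transitions.  The state constants are the ones in the dispatcher
listing; the blocks attached to them (an XOR string decoder) and the exit
state 0x7A1E3C90 are illustrative, not the sample's actual code."""

S_INIT, S_COND, S_BODY, S_EXIT = 0x26CFC4F5, 0xF0FD0D8D, 0xC5B885AC, 0x7A1E3C90

def flattened_xor_decode(blob, key):
    """Every basic block lives under one state value; the while loop is the
    dispatcher, and each block's last action is to pick the next state."""
    state, i, out = S_INIT, 0, bytearray()
    while True:
        if state == S_INIT:                     # block A: initialise
            i, out = 0, bytearray()
            state = S_COND
        elif state == S_COND:                   # block B: loop test
            state = S_BODY if i < len(blob) else S_EXIT
        elif state == S_BODY:                   # block C: decrypt one byte
            out.append(blob[i] ^ key)
            i += 1
            state = S_COND                      # back edge
        elif state == S_EXIT:                   # block D: return
            return bytes(out)
        else:
            raise RuntimeError(f"unknown state {state:#010x}")

# Static record of the same routine, as built up while reading the
# dispatcher: for each state, the successor states its block can assign.
TRANSITIONS = {
    S_INIT: [S_COND],
    S_COND: [S_BODY, S_EXIT],      # conditional assignment -> two edges
    S_BODY: [S_COND],              # back edge -> the loop
    S_EXIT: [],
}

def recover_cfg(transitions, entry):
    """DFS from the initial state: returns blocks in discovery order, all
    edges, and the back edges (loops) the flattening hid."""
    order, edges, back_edges, on_stack = [], set(), set(), set()
    def visit(s):
        order.append(s)
        on_stack.add(s)
        for t in transitions[s]:
            edges.add((s, t))
            if t in on_stack:
                back_edges.add((s, t))
            elif t not in order:
                visit(t)
        on_stack.discard(s)
    visit(entry)
    return order, edges, back_edges

def render_cfg(transitions, entry):
    """Human-readable edge list, e.g. '26CFC4F5 -> F0FD0D8D'."""
    order, edges, back_edges = recover_cfg(transitions, entry)
    lines = []
    for s, t in sorted(edges, key=lambda e: (order.index(e[0]), order.index(e[1]))):
        tag = "  (back edge)" if (s, t) in back_edges else ""
        lines.append(f"{s:08X} -> {t:08X}{tag}")
    return lines

if __name__ == "__main__":
    # Constructed ciphertext: "win" XORed with 0x6B.
    print(flattened_xor_decode(bytes([0x1C, 0x02, 0x05]), 0x6B))
    print("\n".join(render_cfg(TRANSITIONS, S_INIT)))
```

In a real sample the TRANSITIONS table is what you build block by block: for each state constant the dispatcher compares against, record the constants its block writes back into the state variable (unconditionally, or conditionally via a cmov/branch). Once every block has its successors, the recovered graph can be re-emitted as ordinary branches, and the XOR decoders become readable loops whose key and ciphertext can be lifted directly.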


MurmurHash2 API Hashing

The binary resolves API function addresses dynamically using MurmurHash2 with seed 0x20. The telltale multiplicative constant 0x5BD1E995 appears at 5 locations in .text:

0x3D332, 0x3D8CB, 0x3DA27, 0x3DA9A, 0x3DC2C

This eliminates all plaintext API name references from the binary. Functions are resolved by computing MurmurHash2(api_name, len, 0x20) and walking the export table of loaded DLLs until a hash match is found.
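The following is an added example, not code from the sample or the original write-up: the reference 32-bit MurmurHash2 with the seed observed here, the resolve-by-hash loop the binary performs over export names, and the inverse table an analyst builds to annotate the hash constants pulled from the dispatcher blocks. The export list is a constructed set of standard Win32 export names rather than a parsed export directory.

```python
"""MurmurHash2 (32-bit, Austin Appleby's reference algorithm) with the
seed this sample uses, plus the resolve-by-hash loop the binary performs
over a module's export names.  The export table here is a constructed
list of standard Win32 export names, not parsed from a real DLL."""
import struct

M = 0x5BD1E995          # the multiplicative constant that betrays the algorithm in a binary
R = 24
MASK = 0xFFFFFFFF
SEED = 0x20             # seed observed in this sample

def murmurhash2(data, seed):
    """Reference MurmurHash2 over `data` (bytes); all arithmetic is mod 2**32."""
    n = len(data)
    h = (seed ^ n) & MASK
    i = 0
    while n - i >= 4:
        k = struct.unpack_from("<I", data, i)[0]
        k = (k * M) & MASK
        k ^= k >> R
        k = (k * M) & MASK
        h = (h * M) & MASK
        h ^= k
        i += 4
    rem = n - i                             # tail of 1-3 bytes, same fall-through as the C switch
    if rem == 3:
        h ^= data[i + 2] << 16
    if rem >= 2:
        h ^= data[i + 1] << 8
    if rem >= 1:
        h ^= data[i]
        h = (h * M) & MASK
    h ^= h >> 13
    h = (h * M) & MASK
    h ^= h >> 15
    return h

# Constructed export table (module -> exported names).  The malware walks
# the real export directory of each loaded module instead.
EXPORTS = {
    "KERNEL32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualAllocEx",
                     "WriteProcessMemory", "CreateRemoteThread", "IsDebuggerPresent"],
    "USER32.dll": ["GetCursorPos", "GetDesktopWindow", "EnumDisplayDevicesA"],
    "WINHTTP.dll": ["WinHttpOpen", "WinHttpConnect", "WinHttpSendRequest"],
}

def resolve(target_hash, exports=EXPORTS, seed=SEED):
    """What the binary does at runtime: hash every export name until one
    matches the constant it carries.  Returns (module, name) or None."""
    for module, names in exports.items():
        for name in names:
            if murmurhash2(name.encode("ascii"), seed) == target_hash:
                return module, name
    return None

def hash_table(exports=EXPORTS, seed=SEED):
    """What the analyst builds instead: hash -> names, so the 32-bit constants
    pulled from the sample can be annotated in bulk.  Lists handle collisions."""
    table = {}
    for module, names in exports.items():
        for name in names:
            table.setdefault(murmurhash2(name.encode("ascii"), seed), []).append((module, name))
    return table

if __name__ == "__main__":
    for h, names in sorted(hash_table().items()):
        print(f"{h:08X}  {', '.join(f'{m}!{n}' for m, n in names)}")
```

Feed `hash_table()` the export names of every DLL in the reconstructed import list and the 32-bit immediates compared in the resolver become labels. If a constant fails to match, try the usual variants before suspecting a different algorithm: the name including its trailing NUL, a lowercased name, or the module name hashed separately, and then other seeds; the 0x5BD1E995 multiply at five sites pins the algorithm, but not the exact input convention.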


Anti-Analysis Arsenal

Heaven's Gate (WoW64 Transition)

Two instances of the Heaven's Gate technique are present; the one at file offset 0x433 (VA 0x401033) reads:

lcall 0x33, 0x40103E   ; far call to CS:0x33 (64-bit code segment)

This far call transfers execution from 32-bit WoW64 code into a 64-bit code segment (selector 0x33), from which the 64-bit ntdll syscall stubs can be reached directly instead of through the 32-bit ntdll that EDR/AV user-mode hooks normally instrument. The routine reads fs:[0xC0], which in the 32-bit TEB is WOW32Reserved, the pointer to the WoW64 syscall transition stub, and uses it as its trampoline into 64-bit mode. The limit of the technique is worth stating: it sidesteps hooks in the 32-bit ntdll, but hooks a product places in the process's 64-bit ntdll, and kernel-side telemetry (ETW-TI, kernel callbacks), still observe the resulting syscalls.

PEB-Based Anti-Debug

Three PEB access patterns for debugger detection:

Offset    Instruction           Purpose
0x3E027   mov eax, fs:[0x30]    PEB access
0x48DE4   mov reg, fs:[0x30]    PEB access
0x5496B   Direct PEB read       PEB access

Checks PEB+0x02 (BeingDebugged flag) and PEB+0x68 (NtGlobalFlag). IsDebuggerPresent is also imported with 11 references across IAT sections.

CPUID Environment Detection

Eight CPUID instructions for hypervisor and VM detection:

0x230BB, 0x231DE, 0x351A7, 0x374F1, 0x38160, 0x3F36B, 0x3F3A7, 0x3F41F

Checks include CPUID leaf 1, ECX bit 31 (the hypervisor-present bit) and vendor-string comparisons. One nuance for anyone replicating the check: the vendor string from leaf 0 reads GenuineIntel or AuthenticAMD inside most hypervisors too, because it describes the CPU rather than the hypervisor; the hypervisor vendor string (VMwareVMware, KVMKVMKVM, Microsoft Hv, VBoxVBoxVBox and so on) comes from leaf 0x40000000. A leaf-0 comparison therefore only catches environments that deliberately rewrite the CPU vendor.

RDTSC Timing Checks

Two RDTSC instructions at 0x16710 and 0x16F6B measure execution time between code points. Deltas exceeding a threshold (indicating single-stepping or breakpoint-heavy debugging) trigger altered behavior.
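The Heaven's Gate, PEB, CPUID and RDTSC artifacts above are all recognisable from their byte encodings, which is how they were located in the first place. The following is an added example (not tooling from the original write-up) that scans raw .text bytes for those encodings and decodes the far-call target; it runs on a constructed code fragment in which only the lcall encoding mirrors the listing above.

```python
"""Byte-pattern scanner for the anti-analysis primitives above (Heaven's Gate
far call/jmp, the fs:[0xC0] WOW32Reserved read, fs:[0x30] PEB reads, CPUID,
RDTSC and FPATAN).  It works on raw .text bytes without disassembling, so
treat hits as leads to confirm in a disassembler: two-byte opcodes like
0F A2 also occur inside immediates and data.  The sample buffer is
constructed; only the lcall encoding mirrors the listing above."""
import re
import struct

PATTERNS = {
    # 9A <off32> 33 00 : CALL ptr16:32 into selector 0x33 (64-bit code segment under WoW64)
    "heavens_gate_far_call": re.compile(rb"\x9A(.{4})\x33\x00", re.S),
    # EA <off32> 33 00 : the JMP ptr16:32 variant
    "heavens_gate_far_jmp": re.compile(rb"\xEA(.{4})\x33\x00", re.S),
    # 64 A1 C0 00 00 00 : mov eax, fs:[0xC0]  (TEB32.WOW32Reserved, the WoW64 syscall stub)
    "wow32reserved_read": re.compile(rb"\x64\xA1\xC0\x00\x00\x00"),
    # 64 A1 30 00 00 00 or 64 8B /r disp32 : mov r32, fs:[0x30]  (PEB)
    "peb_read": re.compile(rb"\x64(?:\xA1|\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D])\x30\x00\x00\x00", re.S),
    "cpuid": re.compile(rb"\x0F\xA2"),
    "rdtsc": re.compile(rb"\x0F\x31"),
    "fpatan": re.compile(rb"\xD9\xF3"),
}

def scan_text(code, text_va):
    """Return hits sorted by offset; Heaven's Gate hits include the decoded target."""
    hits = []
    for name, rx in PATTERNS.items():
        for m in rx.finditer(code):
            hit = {"name": name, "offset": m.start(), "va": text_va + m.start()}
            if name.startswith("heavens_gate"):
                hit["target"] = struct.unpack("<I", m.group(1))[0]
            hits.append(hit)
    hits.sort(key=lambda h: h["offset"])
    return hits

# Constructed .text fragment: NOP sled, then one instance of each primitive.
SAMPLE_TEXT = (
    b"\x90" * 0x33
    + b"\x9A\x3E\x10\x40\x00\x33\x00"   # lcall 0x33:0x0040103E (as in the listing)
    + b"\x64\xA1\xC0\x00\x00\x00"       # mov eax, fs:[0xC0]
    + b"\xC3"                           # ret
    + b"\x64\xA1\x30\x00\x00\x00"       # mov eax, fs:[0x30]
    + b"\x8A\x40\x02"                   # mov al, [eax+2]   (PEB.BeingDebugged)
    + b"\x0F\xA2"                       # cpuid
    + b"\x0F\x31"                       # rdtsc
    + b"\xD9\xF3"                       # fpatan
)

if __name__ == "__main__":
    for h in scan_text(SAMPLE_TEXT, 0x401000):
        extra = f"  target={h['target']:#010x}" if "target" in h else ""
        print(f"{h['va']:#010x}  {h['name']}{extra}")
```

Run it over the .text section only (raw bytes from the section header, VA from the same header) to keep the two-byte patterns from firing on string and table data. The selector-0x33 patterns and the fs:[0xC0] read are specific enough to act on directly; CPUID, RDTSC and FPATAN counts are triage hints that need a disassembler to confirm.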

Trigonometry-Based Anti-Sandbox

This is LummaC2 v4.0's most distinctive evasion technique. The binary imports GetCursorPos from USER32.dll and contains an FPATAN instruction at file offset 0x5B0F1 (VA 0x45BCF1) used in atan2 computation.

The technique:

  1. Sample mouse cursor positions at intervals via GetCursorPos
  2. Compute the angle between consecutive positions using atan2(dy, dx)
  3. Check if the resulting angle distribution forms a realistic human movement pattern
  4. If movement appears scripted (straight lines, no movement, or mathematically uniform), terminate execution

Sandbox environments typically fail this check because they either do not simulate mouse movement or generate trivially detectable patterns (linear sweeps, fixed coordinates).
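To show what such a check rejects and what it lets through, here is an added example, not code recovered from the sample: headings are computed with atan2 on consecutive cursor deltas, and static, straight-line and mechanically uniform paths are refused while an irregular path passes. The thresholds, sample count and decision rules are assumptions for illustration, and GetCursorPos sampling is replaced by constructed coordinate lists.

```python
"""A cursor-trajectory check of the kind described above.  Headings come from
atan2 on consecutive cursor deltas; static, straight-line and mechanically
uniform paths are rejected.  The thresholds, sample count and the decision
rules are assumptions for illustration, not the values recovered from the
sample; GetCursorPos sampling is replaced by constructed coordinate lists."""
import math

def headings(points):
    """atan2(dy, dx) per consecutive pair; None where the cursor did not move."""
    out = []
    for (x0, y0), (x1, y1) in zip(points, points[1:]):
        dx, dy = x1 - x0, y1 - y0
        out.append(None if dx == 0 and dy == 0 else math.atan2(dy, dx))
    return out

def wrap(a):
    """Fold an angle difference into [-pi, pi) so 350 deg and -10 deg compare equal."""
    return (a + math.pi) % (2 * math.pi) - math.pi

def looks_human(points, straight_tol=0.05, uniform_tol=1e-6, min_samples=5):
    """Return (verdict, reason).  An environment that fails any rule is one
    the malware would refuse to run in."""
    if len(points) < min_samples:
        return False, "too few samples"
    hs = headings(points)
    if any(h is None for h in hs):
        return False, "no movement between samples"
    if max(abs(wrap(h - hs[0])) for h in hs) < straight_tol:
        return False, "straight line"
    turns = [wrap(b - a) for a, b in zip(hs, hs[1:])]      # change of heading per step
    if max(turns) - min(turns) < uniform_tol:
        return False, "mechanically uniform turning"
    return True, "irregular trajectory"

def circle_points(n, step_deg, r=100.0):
    """Evenly spaced points on a circle: constant heading change, a classic scripted sweep."""
    return [(r * math.cos(math.radians(i * step_deg)), r * math.sin(math.radians(i * step_deg)))
            for i in range(n)]

# Constructed trajectories standing in for five or six GetCursorPos samples.
STATIC = [(640, 360)] * 5
LINEAR_SWEEP = [(0, 0), (10, 5), (20, 10), (30, 15), (40, 20)]
UNIFORM_ARC = circle_points(6, 30)
HUMAN_LIKE = [(100, 100), (112, 103), (119, 115), (131, 112), (140, 125), (138, 139)]

if __name__ == "__main__":
    for label, path in [("static", STATIC), ("linear", LINEAR_SWEEP),
                        ("arc", UNIFORM_ARC), ("human", HUMAN_LIKE)]:
        print(f"{label:<7}", looks_human(path))
```

The defensive reading follows directly: a sandbox that leaves the cursor still, sweeps it linearly, or moves it along a perfectly regular curve fails every variant of this check, while one that replays recorded human traces with jitter passes. Detonation environments should also be tested against the no-movement case specifically, since a sample that exits quietly there produces no behavioural telemetry at all.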


C2 Configuration and Communication

Config Layout in .data

The Lumma configuration structure sits in the .data section at file offset 0x6EC00:

Offset 0x6EC00-0x6EE5F : Encrypted configuration blobs (20+ fields, 3-122 bytes each)
Offset 0x6EE60         : Build ID "kJQULo" + 25 bytes 'x' padding
Offset 0x6EE81         : C2 domain "bearboll.fun" + 19 bytes 'x' padding
Offset 0x6EEA2         : C2 domain "slimtvsocico.fun" + 15 bytes 'x' padding
Offset 0x6F290         : Campaign ID "default" + 24 bytes 'x' padding

Each string field occupies 0x21 bytes: up to 31 bytes of content padded with 'x' to the field width, followed by two bytes the listing does not describe (presumably a terminator). A domain can therefore be at most 31 characters long. The default campaign ID means the operator did not customize the build tag, consistent with a lower-tier MaaS subscription.
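An added example (not the author's extraction script) that locates and decodes fields in this layout from a .data-like blob. The 0x21-byte stride is inferred from the offsets in the listing (0x6EE60, 0x6EE81, 0x6EEA2); the two trailing bytes are assumed to be a terminator and are not interpreted. The blob it parses is constructed in the block from the three string values above.

```python
"""Locate and decode the fixed-width, 'x'-padded string fields laid out
above.  The 0x21-byte stride is inferred from the offsets in the listing
(0x6EE60 -> 0x6EE81 -> 0x6EEA2); the two bytes after the 31 content bytes
are assumed to be a terminator and are not interpreted."""
import string

CONTENT_LEN = 31                 # visible bytes: value followed by 'x' padding
STRIDE = 0x21                    # 31 content bytes + 2 trailer bytes
PAD = ord("x")
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")

def make_field(value):
    """Construct one field as the config appears to store it (test helper)."""
    raw = value.encode("ascii")
    if len(raw) > CONTENT_LEN:
        raise ValueError("value longer than a config field")
    return raw + bytes([PAD]) * (CONTENT_LEN - len(raw)) + b"\0\0"

def is_record(chunk):
    return (len(chunk) == STRIDE
            and all(b in PRINTABLE for b in chunk[:CONTENT_LEN])
            and chunk[CONTENT_LEN:] == b"\0\0")

def find_records(blob):
    """Offsets of consecutive field records anywhere in a .data-like blob."""
    offsets, i = [], 0
    while i + STRIDE <= len(blob):
        if is_record(blob[i:i + STRIDE]):
            offsets.append(i)
            i += STRIDE           # records are contiguous; skip to the next one
        else:
            i += 1
    return offsets

def decode_field(record):
    """Strip the 'x' padding.  Caveat: a value that legitimately ends in 'x'
    loses that character here; without a length byte the format gives no
    way to tell padding from content."""
    return record[:CONTENT_LEN].rstrip(bytes([PAD])).decode("ascii")

def parse_config_strings(blob):
    return [decode_field(blob[o:o + STRIDE]) for o in find_records(blob)]

def defang(domain):
    """Render a domain safely for reports: bearboll.fun -> bearboll[.]fun."""
    return domain.replace(".", "[.]")

# Constructed blob: a few bytes of non-field data, then the three string
# fields from the listing (build ID, primary C2, fallback C2).
SAMPLE_DATA = (b"\x00\x11\x22" + make_field("kJQULo")
               + make_field("bearboll.fun") + make_field("slimtvsocico.fun"))

if __name__ == "__main__":
    for off, value in zip(find_records(SAMPLE_DATA), parse_config_strings(SAMPLE_DATA)):
        print(f"{off:#06x}  {defang(value)}")
```

The trailing-'x' ambiguity is the practical caveat: a build ID or domain whose last character is 'x' decodes one character short, so a value extracted this way that fails to resolve or looks truncated should be re-checked against the bytes by hand.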

C2 Domain Selection Logic

At VA 0x41F418 the malware probes slimtvsocico.fun first, even though the config lists it second. Only if that connectivity check fails does it settle on bearboll.fun, so the domain labelled "fallback" in the config is in practice the first choice and the config's first domain is the fallback:

mov  eax, 0x4702A2          ; VA of "slimtvsocico.fun"
push eax
call 0x41EBBC               ; connectivity check function
add  esp, 4
mov  ecx, 0x470281          ; VA of "bearboll.fun" (primary)
test eax, eax
je   0x41F434               ; if check failed -> use bearboll.fun
mov  ecx, 0x4702A2          ; if check succeeded -> use slimtvsocico.fun
mov  [0x4702C4], ecx        ; store selected C2 domain

The selected domain address is stored at VA 0x4702C4 for use throughout the stealer's operation.

C2 Endpoints and Protocol

The C2 communication function spans approximately VA 0x41CA00-0x41F400 and contains 22 WinHTTP API call sites. Known LummaC2 v4.0 endpoints (encrypted in the binary):

Endpoint   Purpose                              Method
/api       Initial check-in (build ID + HWID)   GET
/c2conf    Configuration retrieval              GET (JSON response)
/c2sock    Data exfiltration                    POST (multipart/form-data, ZIP)

Check-in format: lid=kJQULo&j=<md5_of_hwid>&ver=4.0

Stolen data is compressed using a built-in minizip library (evidenced by 40+ ZIP-related error strings in .rdata including "CRC-32 check failed", "compression failed", "decompression failed or archive is corrupted") and exfiltrated as a ZIP archive via the /c2sock endpoint.
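The endpoint table and check-in format above translate into detection logic for proxy or TLS-inspection logs. The following is an added example, not a rule from the original write-up: it classifies constructed log lines (the line format, client addresses and timestamps are invented for the example; the check-in grammar follows the description above) and requires the lid/j/ver query on /api rather than the path alone, since /api by itself is far too common to alert on.

```python
"""Flag Lumma-style C2 traffic in proxy logs using the endpoint table and
check-in format above.  The log format and the lines are constructed for
this example; the check-in grammar follows the page (lid=<build id>&j=<md5>&ver=N.N)."""
import re
from urllib.parse import urlsplit

# "<iso-ts> <client-ip> <METHOD> <url> <status> <content-type>" (constructed format)
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<ctype>\S+)$")
CHECKIN_RE = re.compile(r"^lid=[A-Za-z0-9]{4,12}&j=[0-9a-f]{32}&ver=\d+\.\d+$")
CHECKIN_PATH, CONFIG_PATH, EXFIL_PATH = "/api", "/c2conf", "/c2sock"

def classify(line):
    """Return a finding dict for a suspicious line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["url"])
    path = url.path.rstrip("/") or "/"
    reasons = []
    # /api alone is far too common to alert on; the query grammar is the discriminator.
    if path == CHECKIN_PATH and CHECKIN_RE.match(url.query):
        reasons.append("check-in query matches lid/j/ver grammar")
    if path == CONFIG_PATH and m["method"] == "GET":
        reasons.append("GET /c2conf (config retrieval path)")
    if path == EXFIL_PATH and m["method"] == "POST" and m["ctype"].startswith("multipart/form-data"):
        reasons.append("multipart POST to /c2sock (exfiltration pattern)")
    if not reasons:
        return None
    return {"ts": m["ts"], "src": m["src"], "host": url.hostname, "path": path, "reasons": reasons}

def scan_log(lines):
    return [f for f in map(classify, lines) if f]

# Constructed log lines: one full check-in/config/exfil sequence from an
# infected host, then a benign /api request with a similar-looking parameter.
SAMPLE_LOG = [
    "2023-09-14T08:12:01Z 10.0.0.23 GET https://bearboll.fun/api?lid=kJQULo&j=0123456789abcdef0123456789abcdef&ver=4.0 200 text/plain",
    "2023-09-14T08:12:03Z 10.0.0.23 GET https://bearboll.fun/c2conf 200 application/json",
    "2023-09-14T08:12:09Z 10.0.0.23 POST https://bearboll.fun/c2sock 200 multipart/form-data;boundary=----example",
    "2023-09-14T08:13:00Z 10.0.0.42 GET https://example.com/api?lid=foo 200 text/html",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["src"], f["host"], f["path"], "; ".join(f["reasons"]))
```

The sequence matters more than any single line: one client hitting /api with the check-in grammar, then /c2conf, then a multipart POST to /c2sock within seconds is the pattern to correlate on. Because the traffic is HTTPS behind Cloudflare, URL-level visibility requires a forward proxy with TLS inspection or endpoint-side telemetry; where only DNS or SNI is available, the domain IOCs at the end of this page are the practical control.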


Import Table: Stealer Capabilities Mapped

The fully reconstructed IAT reveals the stealer's complete operational scope:

DLL            Count  Key Functions                                                        Purpose
KERNEL32.dll   196    CreateRemoteThread, VirtualAllocEx, WriteProcessMemory, QueueUserAPC  Process injection
KERNEL32.dll   --     CreateProcessA/W, WinExec                                            Process execution
KERNEL32.dll   --     IsDebuggerPresent, OutputDebugStringW                                Anti-debug
ADVAPI32.dll   57     CryptAcquireContextA, CryptCreateHash, CryptHashData                 CryptoAPI hashing (consistent with the MD5 HWID in the check-in)
ADVAPI32.dll   --     RegOpenKeyExA/W, RegQueryValueExA/W, RegEnumKeyExW                   Registry access
ADVAPI32.dll   --     OpenProcessToken, AdjustTokenPrivileges                              Token privilege adjustment
GDI32.dll      48+    BitBlt, CreateCompatibleBitmap, GetDIBits                            Screenshot capture
USER32.dll     8      GetCursorPos, EnumDisplayDevicesA, GetDesktopWindow                  Fingerprinting + anti-sandbox
WINHTTP.dll    9      WinHttpOpen, WinHttpConnect, WinHttpSendRequest                      C2 communication
shell32.dll    25     SHGetFolderPathA/W, SHGetSpecialFolderPathA/W                        Browser/wallet path discovery
IPHLPAPI.DLL   1      GetAdaptersInfo                                                      Network adapter enumeration
CRYPT32.dll    1      CryptStringToBinaryA                                                 Base64 decoding

C2 Infrastructure Intelligence

Domain Registration and TLS Timeline

Both domains follow identical infrastructure patterns: PDR registrar, Cloudflare proxy (dual TLS certificates from Let's Encrypt E1 and Google Trust Services GTS CA 1P5), wildcard coverage, and .fun TLD.

2023-09-12 12:27:29 UTC  slimtvsocico.fun GTS CA 1P5 cert issued
2023-09-12 12:28:56 UTC  slimtvsocico.fun LE E1 cert issued        (+87 sec)
2023-09-13 17:21:26 UTC  bearboll.fun GTS CA 1P5 cert issued       (+29 hrs)
2023-09-13 17:22:12 UTC  bearboll.fun LE E1 cert issued             (+46 sec)
2023-09-13 21:51:27 UTC  Binary compiled                            (+4.5 hrs)
2023-09-24              First tagged as phishing (OTX)
2023-09-30              SANS ISC + InQuest detection
2023-10-02              Silent Push report (150+ Lumma IOCs)
2023-12-11              slimtvsocico.fun certs expire
2023-12-12              bearboll.fun certs expire
2025-05-21              Microsoft/DOJ/Europol takedown (2,300 domains)
2026-01-21              Still appearing on active blocklists

Paired certificates issued within seconds of each other are the fingerprint Silent Push used for this Lumma cluster. Be precise about what the signal means: Cloudflare issues a Let's Encrypt and a Google Trust Services certificate to every proxied zone by default, so the pair identifies a Cloudflare-fronted domain, not Lumma specifically, and becomes useful only together with the other indicators (PDR registrar, cheap TLD, nginx default page, registration timing relative to the build). The Silent Push report placed this sample's domains in an 86-domain .fun batch that also included chocomeat[.]fun, veinsmoter[.]fun, treepledeeple[.]fun and orkograkula[.]fun.

OTX Intelligence

  • bearboll[.]fun: 15 OTX pulses. First identified 2023-09-24. Tagged: lummac2, lumma, infostealer. Featured in ThreatFox and multi-family IOC sets. Still appearing on active blocklists as of January 2026.
  • slimtvsocico[.]fun: 5 OTX pulses. First identified 2023-09-29 via SANS ISC honeypot. Confirmed Lumma C2 by Silent Push fingerprinting (nginx welcome page on root). Tagged: infostealers, lumma, ecrime.

Known Lumma Hosting Infrastructure

IP                    ASN                    Notes
157.90.248.179        Hetzner                Documented Lumma C2
213.252.244.62        --                     IOC database
195.123.219.211-212   --                     IOC database
89.185.84.37          --                     IOC database
--                    AS207713 (GIR-AS, RU)  Known Lumma hosting AS

The MaaS Ecosystem

LummaC2 is operated by Shamel (also "Lumma"), a Russia-based developer active since August 2022, who sells access via Telegram (1,000+ subscribers) and the Russian-language forums RAMP and XSS.

Tier           Price       Notes
Experienced    $250/mo     Basic builds
Professional   $500/mo     Additional features
Corporate      $1,000/mo   Full feature set
Source Code    $20,000     One-time purchase

This sample's default campaign tag and standard build configuration suggest a lower-tier customer (likely $250-500/mo) who did not customize the build beyond selecting two C2 domains.

v4.0 Feature Set

  • Control Flow Flattening obfuscation (no external packer needed)
  • MurmurHash2 API hashing (seed 0x20)
  • Heaven's Gate (WoW64 syscall bypass)
  • XOR-encrypted strings (runtime decryption)
  • Trigonometry-based anti-sandbox (GetCursorPos + atan2)
  • Dynamic configuration via /c2conf
  • ZIP-compressed exfiltration via /c2sock
  • Steganographic PNG delivery capability

May 2025 Takedown and 2026 Resurgence

On May 21, 2025, Microsoft's Digital Crimes Unit -- partnering with DOJ, FBI, Europol, ESET, BitSight, Lumen, Cloudflare, CleanDNS, and GMO Registry -- seized approximately 2,300 Lumma C2 domains. The takedown revealed 394,000 Windows infections between March and May 2025 alone, with FBI estimates placing total infections at 10 million globally. Lumma had become associated with ransomware operators including Octo Tempest.

The disruption was short-lived. The cat-and-mouse played out in real time:

  • May 19: Government seized 2 domains
  • May 20: Lumma admins registered 3 replacement panel domains
  • May 21: Government seized those 3 domains within 24 hours

By July 2025, the MaaS operation was back online. As of March 2026, LummaC2 is active and expanding again, with rebuilt infrastructure, improved OPSEC and a new delivery chain: CastleLoader, a heavily obfuscated script-based loader that runs LummaC2 entirely in memory, paired with ClickFix social engineering (fake CAPTCHA and "fix your browser" pages) and a move to bulletproof hosting.


MITRE ATT&CK Mapping

Technique                                                    ID          Evidence
Process Injection                                            T1055       VirtualAllocEx + WriteProcessMemory + CreateRemoteThread / QueueUserAPC imports (capability only; the sub-technique is not established from imports alone)
Query Registry                                               T1012       RegOpenKeyExA/W, RegQueryValueExA/W
System Information Discovery                                 T1082       GetVersionExA/W, hardware profiling
System Network Configuration Discovery                       T1016       GetAdaptersInfo
Process Discovery                                            T1057       K32EnumProcesses
Screen Capture                                               T1113       BitBlt + GetDIBits chain
Steal Web Session Cookie                                     T1539       Browser cookie theft
Credentials from Web Browsers                                T1555.003   Chromium + Firefox credential extraction
Deobfuscate/Decode Files or Information                      T1140       CryptStringToBinaryA (base64 decoding), runtime XOR string decryption
Obfuscated Files or Information                              T1027       CFF dispatcher, XOR-encrypted strings (the sample is not packed, so T1027.002 does not apply)
Dynamic API Resolution                                       T1027.007   MurmurHash2 API hashing, seed 0x20
Virtualization/Sandbox Evasion: System Checks                T1497.001   CPUID hypervisor bit and vendor-string checks
Virtualization/Sandbox Evasion: User Activity Based Checks   T1497.002   GetCursorPos + atan2 trajectory check
Debugger Evasion                                             T1622       PEB BeingDebugged/NtGlobalFlag, IsDebuggerPresent, RDTSC timing deltas
Native API                                                   T1106       Heaven's Gate direct syscalls
Application Layer Protocol: Web Protocols                    T1071.001   WinHTTP C2 communication
Archive Collected Data: Archive via Library                  T1560.002   Built-in minizip for exfiltration

Indicators of Compromise

File Hashes

SHA-256: 02045e58aba74d3619e3bb428f033ca51fb21735d36cf8f62cb7e08a21c7e4bc
SHA-1:   594b4ace64f5470d9aea8ddbc2d92c0abbf7f707
MD5:     2cf964844a29df5ac9e708858f534e4c

Network Indicators

bearboll[.]fun           (C2, primary)
slimtvsocico[.]fun       (C2, fallback)

TLS Certificate Serials

041a1520771083285b6b0a830bb5c0e76b78       bearboll.fun (Let's Encrypt E1)
008e1c6f8c536f31820ebacb3af6facebc         bearboll.fun (GTS CA 1P5)
04246cc9ba7447fd11d4e1f5397b138787a6       slimtvsocico.fun (Let's Encrypt E1)
57892ec2a2c795390e6595227ef2019a           slimtvsocico.fun (GTS CA 1P5)

PE Artifacts

Compile timestamp:  0x65022EDF (2023-09-13 21:51:27 UTC)
Entry point:        0x43F90C
Security cookie:    0x4707D0
Build ID:           kJQULo
Campaign ID:        default
MurmurHash2 const:  0x5BD1E995 at 5 locations
Heaven's Gate:      lcall 0x33, 0x40103E at VA 0x401033

Infrastructure Patterns (Campaign-Wide)

Registrar:     PDR
TLDs:          .fun, .xyz, .shop, .pw, .cyou, .click, .site
TLS:           Dual certs (Let's Encrypt E1 + Google Trust Services GTS CA 1P5)
Fingerprint:   "Welcome to nginx!" on root page
Hosting AS:    AS207713 (GIR-AS, RU)

Related Lumma C2 IPs

157.90.248.179
213.252.244.62
195.123.219.211
195.123.219.212
89.185.84.37