Reversing LummaC2: Inside the Stealer That Survived a Global Takedown
ID: 4c5333d8-e088-50a0-9cd9-8aabca259a8f
STIX ID: report--4c5333d8-e088-50a0-9cd9-8aabca259a8f
Feed Name: NoHackie
This report analyzes LummaC2 (Lumma Stealer), the world's most prolific infostealer. It details the stealer's modular malware-as-a-service (MaaS) model and its extensive data-stealing targets; its anti-analysis and EDR-evasion techniques (control flow flattening, Heaven's Gate, ntdll remapping, ETW-Ti disabling, and trigonometry-based mouse checks); its resilient delivery and C2 mechanisms (ClickFix, EtherHiding on BSC, and a Steam profile fallback); and the May 2025 global takedown followed by the operation's rapid recovery. It closes with practical detection and mitigation recommendations, including behavioral detection for Heaven's Gate, ntdll remapping and PEB access, LOLBin restrictions, credential hygiene, and YARA rules for key indicators.
