Microsoft Says 394,000 Windows Computers Infected by Lumma Malware Globally

Microsoft has confirmed that a significant number of Windows computers worldwide have been infected with the Lumma Stealer malware. In a recent blog post, the tech giant revealed that its Digital Crimes Unit found that more than 394,000 Windows computers had fallen victim to this malicious software between March 16 and May 16.

The Lumma malware was a popular hacking tool among cybercriminals, who used it to steal sensitive information such as passwords, credit cards, bank accounts, and cryptocurrency wallets. Microsoft stated that its Digital Crimes Unit collaborated with law enforcement officials across the globe to dismantle the infrastructure supporting this malicious software.

Dismantling Lumma's Infrastructure

Microsoft's Digital Crimes Unit obtained a court order from the U.S. District Court for the Northern District of Georgia, which allowed it to seize control of several key web domains underpinning Lumma's infrastructure. The U.S. Department of Justice then took over Lumma's "central command structure," effectively squashing the online marketplaces where bad actors purchased and distributed this malware.

Japan's Cybercrime Control Center played a crucial role in facilitating the suspension of locally based Lumma infrastructure, while Microsoft collaborated with industry partners such as Cloudflare, Bitsight, and Lumen to disrupt the malicious tool's communications with victims. As a result, more than 1,300 domains seized by or transferred to Microsoft will be redirected to Microsoft sinkholes.

The Impact of Lumma

Microsoft warned that hackers have been using Lumma malware via underground online forums since at least 2022, and that its capabilities have been continuously improved over that time. This has made it a go-to tool for cybercriminals and online threat actors, because it spreads easily and, with the right programming, can bypass some security defenses.

The company highlighted an example of how criminals used Lumma in a March 2025 phishing campaign, in which the attackers tricked people into believing the messages came from the Booking.com online travel service. In reality, cybercriminals used the Lumma malware to carry out financial crimes in this scheme.

Cyberattacks on Critical Infrastructure

Microsoft noted that hackers have also used Lumma malware in attacks targeting various critical infrastructure sectors, including:

  • Online gaming communities
  • Education systems
  • Manufacturing
  • Logistics
  • Health care

The use of Lumma malware highlights the ongoing threat posed by sophisticated cyberattacks and emphasizes the importance of robust cybersecurity measures to protect individuals and organizations from such malicious activities.