Back to Intelligence

3AM and Lumma Stealer Botnet Takedown: Detection and Remediation Guide

SA
Security Arsenal Team
May 30, 2026
6 min read

In a massive coordinated operation, Dutch law enforcement recently dismantled a botnet infrastructure that had compromised approximately 17 million devices worldwide. The operation targeted a "Cybercrime-as-a-Service" network spreading the 3AM (Metamorfo) banking trojan and the Lumma Stealer information harvester.

While the seizure of the Command and Control (C2) servers is a significant victory, it does not automatically clean the infected endpoints. Millions of devices remain infected with dormant or active payloads. For defenders, this is a critical window of opportunity: the C2 disruption prevents data exfiltration, but the malware persistence mechanisms remain. Immediate action is required to identify compromised hosts, eradicate the stealers, and reset credentials before the actors re-establish infrastructure.

Technical Analysis

Affected Platforms

The botnet was platform-agnostic, impacting:

  • Windows: Primary target for Lumma Stealer and 3AM trojan.
  • Android: Secondary infection vector via SMSishing (smishing) campaigns.
  • iOS: Impacted via malicious profile installations or phishing scams.

Malware Breakdown

  1. 3AM (Metamorfo): A sophisticated banking trojan designed to harvest financial credentials. It often spreads via malicious attachments (e.g., ISO files) and uses process injection to evade detection. It establishes persistence via Registry run keys or scheduled tasks.
  2. Lumma Stealer (LummaC2): An information stealer available as a Malware-as-a-Service (MaaS). It targets browser cookies, passwords, cryptocurrency wallets, and 2FA session tokens. It typically propagates through fake software cracks or fraudulent browser updates.

Exploitation Status

  • Active: The infrastructure was live and actively handling data from 17 million devices prior to the takedown.
  • CISA KEV Status: While not explicitly listed as a single CVE, the delivery methods (phishing, social engineering) are constant threats. The specific malware signatures are now widely distributed in vendor feeds.

Attack Chain

  1. Initial Access: Phishing emails or smishing messages containing malicious links or attachments.
  2. Execution: User opens attachment (e.g., .ISO, .PDF with embedded script) or runs fake installer.
  3. Persistence: Malware copies itself to AppData or Temp folders and creates Registry Run keys.
  4. C2 Communication: Infected beaconing to the now-dismantled Dutch server.
  5. Objective: Data theft (credentials, cookies, wallet data).

Detection & Response

This threat requires a focus on behavioral indicators associated with info-stealers and banking trojans. Defenders should hunt for unauthorized browser database access and suspicious process lineage.

SIGMA Rules

YAML
---
title: Potential Lumma Stealer Browser Cookie Access
id: a4b3c2d1-5566-7788-99aa-bbccddeeff00
status: experimental
description: Detects non-browser processes accessing browser cookie databases, a common TTP of Lumma Stealer.
references:
 - https://securityaffairs.com/192890/malware/botnet-of-17-million-devices-dismantled-in-the-netherlands.html
author: Security Arsenal
date: 2024/11/20
tags:
 - attack.credential_access
 - attack.t1555.003
logsource:
 category: file_access
 product: windows
detection:
 selection:
   TargetFilename|contains:
     - '\Google\Chrome\User Data\Default\Network'
     - '\Google\Chrome\User Data\Default\Cookies'
     - '\Mozilla\Firefox\Profiles'
     - '\Microsoft\Edge\User Data\Default\Cookies'
 filter:
   Image|contains:
     - '\chrome.exe'
     - '\msedge.exe'
     - '\firefox.exe'
 condition: selection and not filter
falsepositives:
  - Legitimate backup software
  - Third-party security scanners
level: high
---
title: Metamorfo/3AM Trojan Persistence via Run Keys
id: b5c4d3e2-6677-8899-00bb-ccddeeff0111
status: experimental
description: Detects suspicious executables in AppData or Temp folders establishing persistence via Registry Run keys.
references:
 - https://securityaffairs.com/192890/malware/botnet-of-17-million-devices-dismantled-in-the-netherlands.html
author: Security Arsenal
date: 2024/11/20
tags:
 - attack.persistence
 - attack.t1547.001
logsource:
 category: registry_set
 product: windows
detection:
 selection:
   TargetObject|contains:
     - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
     - 'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
   Details|contains:
     - '\AppData\Roaming\'
     - '\AppData\Local\Temp\'
     - '.exe'
 condition: selection
falsepositives:
  - Legitimate software installers
  - IT management tools
level: medium
---
title: Suspicious PowerShell Execution from Office Product
id: c6d5e4f3-7788-9900-11cc-ddeeff012222
status: experimental
description: Detects common delivery mechanism for 3AM trojan involving Office apps spawning PowerShell.
references:
 - https://securityaffairs.com/192890/malware/botnet-of-17-million-devices-dismantled-in-the-netherlands.html
author: Security Arsenal
date: 2024/11/20
tags:
 - attack.initial_access
 - attack.t1566.001
logsource:
 category: process_creation
 product: windows
detection:
 selection:
   ParentImage|endswith:
     - '\WINWORD.EXE'
     - '\EXCEL.EXE'
     - '\POWERPNT.EXE'
   Image|endswith:
     - '\powershell.exe'
     - '\pwsh.exe'
   CommandLine|contains:
     - 'DownloadString'
     - 'IEX'
     - 'Invoke-Expression'
 condition: selection
falsepositives:
  - Legitimate macro automation
level: high

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for processes accessing sensitive browser data files
DeviceFileEvents
| where ActionType == "FileAccessed"
| where TargetFileName has_any ("Default\\Cookies", "Default\\History", "places.sqlite")
| where InitiatingProcessFileName !in ("chrome.exe", "msedge.exe", "firefox.exe", "brave.exe")
| where Timestamp > ago(7d)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, TargetFileName
| order by Timestamp desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for suspicious executables in user profile AppData launching from unusual parents
SELECT Pid, Name, Exe, Username, Cmdline, Parent.Pid AS ParentPid, Parent.Name AS ParentName
FROM pslist()
WHERE Exe =~ '^C:\\Users\\.*\\AppData\\(Roaming|Local)\\.*\.exe$'
  AND NOT Parent.Name IN ('explorer.exe', 'svchost.exe', 'services.exe', 'cmd.exe', 'powershell.exe')
  AND NOT Name =~ 'GoogleUpdate.exe'

Remediation Script (PowerShell)

PowerShell
# Script to identify and quarantine potential 3AM/Lumma artifacts
# Requires Administrator privileges

Write-Host "Starting scan for Info-Stealer and Banking Trojan persistence mechanisms..." -ForegroundColor Cyan

# 1. Check for suspicious Run Keys
$suspiciousPaths = @("$env:APPDATA", "$env:LOCALAPPDATA\Temp")
$runKeys = Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run", "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue

Foreach ($key in $runKeys.PSObject.Properties) {
    if ($key.Value -match "^C:\") {
        if ($suspiciousPaths | Where-Object { $key.Value -like "$_*" }) {
            Write-Host "[ALERT] Suspicious persistence found: $($key.Name) pointing to $($key.Value)" -ForegroundColor Red
            # Optional: Remove-ItemProperty -Path "HKCU:\..." -Name $key.Name -Force
        }
    }
}

# 2. Scan for recent executables in Temp (common for droppers)
$recentExes = Get-ChildItem -Path $env:TEMP -Filter "*.exe" -Recurse -ErrorAction SilentlyContinue | Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) }
if ($recentExes) {
    Write-Host "[WARN] Found recent executables in Temp directory:" -ForegroundColor Yellow
    $recentExes | Format-Table FullName, LastWriteTime
}

Write-Host "Scan complete. If alerts were found, verify file hashes and reset credentials." -ForegroundColor Green

Remediation

Given the nature of this botnet (Info-stealers and Banking Trojans), simple "patching" is insufficient. The focus must be on credential hygiene.

  1. Credential Reset: Assume all credentials saved in browsers on infected machines are compromised. Force a password reset for all corporate accounts accessed from affected devices.
  2. MFA Enforcement: Ensure Multi-Factor Authentication is enforced. If session tokens were stolen (Lumma capability), invalidating active sessions via the IdP (Identity Provider) is necessary.
  3. Isolation and Reimaging: If a device is confirmed positive for 3AM or Lumma, do not attempt to clean it. Isolate the device from the network and reimage it. These malware families often have rootkit capabilities or leave secondary backdoors.
  4. Browser Cleanup: Instruct users to clear cookies, cache, and saved passwords from their browsers on all devices, not just the infected one, if they synchronized passwords (e.g., via Google Chrome sync).
  5. IOC Sweep: Update your EDR/AV signatures to include the specific IOCs released by the Dutch police (often hosted on platforms like Abuse.ch or NCSC Netherlands) and perform a full scan.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub

mdrthreat-huntingendpoint-detectionsecurity-monitoringbotnetlumma-stealermetamorfoinfo-stealer

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action