LummaC2 [1] [2] [3] [4] [5] [6] [7] [8], also known as Lumma Stealer, is an advanced malware whose developers recently released a new version, LummaC2 v4.0 [1] [4] [6] [7] [8]. This version introduces a novel anti-sandbox technique that uses trigonometry to analyze the position of the cursor [2]. By capturing successive cursor positions and performing trigonometric calculations on them [8], LummaC2 v4.0 attempts to distinguish human users from automated analysis tools, allowing it to evade detection in the sandbox environments commonly used for malware analysis. This technique poses a significant challenge for security analysis tools [8] and highlights the need for robust sandboxing solutions and advanced analysis techniques [8].

Description

In addition to its anti-sandbox capabilities, LummaC2 v4.0 is designed for information theft, with a particular focus on sensitive data such as login credentials and credit card details. Its seller requires customers to use a crypter to conceal the raw sample and prevent leaks [7], which further helps it evade detection. The ongoing presence of LummaC2 v4.0 in underground forums since December 2022, together with its continuous updates, indicates a persistent threat that could result in significant financial losses [4].

LummaC2 v4.0 has undergone significant updates [8], including obfuscation [8], encryption [8], and the use of dynamic configuration files [8]. The threat actor selling LummaC2 v4.0 discourages the distribution of unaltered samples in order to maintain control and avoid detection [8]. The malware is under active development: its code base is continually enhanced, and more advanced features and security measures are expected in the future [4]. Its introduction of trigonometry as an anti-sandbox measure demonstrates a high level of sophistication [4] and demands sustained scrutiny and proactive defense strategies [4].

LummaC2's new anti-sandbox technique delays detonation of the malware until human mouse activity is detected. It relies on trigonometry to analyze cursor positions and decide whether they indicate human behavior. The malware captures several cursor positions in sequence and first checks that each position differs from the previous one, i.e. that the mouse is actually moving [3]. It then computes the angles between consecutive movement vectors: if every angle is lower than 45°, the malware concludes that it has observed human mouse behavior and continues its execution [3]. If any angle is greater than 45° [3], the process restarts, waiting for mouse movement and capturing a fresh set of cursor positions [3]. This check allows LummaC2 to evade detection in sandboxes and then extract valuable information from infected hosts [3] [6] [7].
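To let a sandbox team check whether its own mouse simulation would satisfy the heuristic described above, here is an added Python implementation of the check as the reporting describes it. It is not LummaC2's code or any project's code; the 45° threshold comes from the text, while the number of samples and the sample traces are constructed assumptions.

```python
"""Cursor-angle heuristic as described in the reporting on LummaC2 v4.0,
re-implemented for sandbox testing. The traces below are constructed."""
import math
from typing import Dict, List, Tuple

Point = Tuple[int, int]
Vector = Tuple[int, int]
ANGLE_THRESHOLD_DEG = 45.0  # threshold quoted in the reporting


def consecutive_vectors(points: List[Point]) -> List[Vector]:
    """Movement vectors between each pair of successive cursor samples."""
    return [(b[0] - a[0], b[1] - a[1]) for a, b in zip(points, points[1:])]


def angle_between_deg(v1: Vector, v2: Vector) -> float:
    """Unsigned angle between two vectors, in degrees (0..180)."""
    n1, n2 = math.hypot(*v1), math.hypot(*v2)
    if n1 == 0 or n2 == 0:
        raise ValueError("zero-length vector")
    cos = (v1[0] * v2[0] + v1[1] * v2[1]) / (n1 * n2)
    cos = max(-1.0, min(1.0, cos))  # guard against float drift
    return math.degrees(math.acos(cos))


def looks_human(points: List[Point], threshold: float = ANGLE_THRESHOLD_DEG) -> bool:
    """True when every sample differs from the previous one (the mouse moved)
    and every angle between consecutive movement vectors is below threshold.
    Returning False corresponds to the malware restarting its sampling."""
    if len(points) < 3:
        return False  # need at least two vectors to form an angle
    if any(a == b for a, b in zip(points, points[1:])):
        return False  # cursor did not move between two samples
    vecs = consecutive_vectors(points)
    return all(angle_between_deg(u, v) < threshold for u, v in zip(vecs, vecs[1:]))


# Constructed traces (assumed 5 samples each; not captured from the malware).
TRACES: Dict[str, List[Point]] = {
    "static_cursor": [(100, 100)] * 5,                           # idle sandbox
    "smooth_drift": [(0, 0), (10, 2), (20, 5), (30, 9), (40, 14)],  # gentle curve
    "square_jumps": [(0, 0), (50, 0), (50, 50), (0, 50), (0, 0)],  # 90° turns
}


def classify_traces(traces: Dict[str, List[Point]] = TRACES) -> Dict[str, bool]:
    """Apply the heuristic to each trace; True means it would pass the check."""
    return {name: looks_human(pts) for name, pts in traces.items()}


if __name__ == "__main__":
    for name, verdict in classify_traces().items():
        print(f"{name:14s} -> {'passes check' if verdict else 'rejected'}")
```

A simulated cursor that only teleports or sits still fails the check, while one that drifts along a smooth path passes, which is the behaviour a sandbox's input emulation needs to reproduce.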

Conclusion

Overall, LummaC2 v4.0 is a highly sophisticated and constantly evolving malware that poses a significant threat to security analysis tools. Its use of trigonometry as an anti-sandbox measure demonstrates the need for robust sandboxing solutions and advanced analysis techniques to effectively detect and mitigate its impact. It is predicted that future malware may incorporate AI to learn about user behavior before launching [5], requiring sandboxes to also use AI to simulate human behavior [5].

References

[1] https://www.itsecurityguru.org/2023/11/20/lummac2-stealers-new-anti-sandbox-technique-trigonometry/
[2] https://www.scmagazine.com/news/lummac2-4-0-infostealer-uses-trigonometry-to-avoid-sandboxes-and-execute-privacy-breaches-and-data-leaks
[3] https://www.redpacketsecurity.com/lummac-malware-deploys-new-trigonometry-based-anti-sandbox-technique/
[4] https://www.infosecurity-magazine.com/news/lumma-new-anti-sandbox-method/
[5] https://www.thesecurityblogger.com/lummac2-malware-deploys-new-trigonometry-based-anti-sandbox-technique/
[6] https://vulners.com/thn/THN:AA80E81D7E932F03D4B74AD4F436935E
[7] https://thehackernews.com/2023/11/lummac2-malware-deploys-new.html
[8] https://www.hackread.com/lummac2-v4-0-malware-trigonometry-detect-humans/