
Lumma Persists and Acreed Rises Following Law Enforcement Actions

Mike Kosak. Published August 05, 2025

The May 21 announcement of a law enforcement operation in conjunction with Microsoft targeting LummaC2 that resulted in the seizure of over 2,300 malicious domains was rightly celebrated as a major victory against the ongoing scourge of infostealers, a family of malware that has risen to prominence over the last few years for both its ubiquity and its central role in numerous major breaches. This disruption of the infostealer ecosystem led to the rise of a new infostealer, Acreed.1 While the rumors of LummaC2’s demise turned out to be a bit exaggerated (as highlighted in this recent excellent report from Trend Micro), Acreed has maintained a foothold within the infostealer market while remaining relatively elusive for defenders. Let’s take a closer look at what we know about Acreed.

Acreed began offering credentials for sale in the dark web marketplace, Russian Market, in mid-February of this year. Since its introduction, only one account on Russian Market has offered stolen credentials associated with Acreed for sale. The account, which is anonymized to some degree as all accounts are on Russian Market, leverages the username “Nu####ez.” This threat actor has been posting logs on Russian Market since at least early 2024 and had previously been associated largely with the sale of logs associated with LummaC2. However, earlier this year, Nu####ez began offering logs stolen via the new Acreed stealer. While postings were initially erratic, Nu####ez began posting more Acreed logs regularly beginning in early May. A few weeks later, law enforcement conducted the LummaC2 takedown operation, leading to a sharp increase in Acreed’s percentage share in logs posted on Russian Market. Some of this reflected the quick drop in available logs due to the LummaC2 disruption, but there was a commensurate increase in available Acreed logs as well.

Interestingly, Acreed does not seem to be available for sale like LummaC2 or other infostealers-as-a-service, nor were we, in conjunction with our friends at Flashpoint, able to find any samples in the wild. As such, it appears the malware is used in a limited fashion, though indications from the log files provide enough data to support the hypothesis that Acreed is indeed its own infostealer and not a simple renaming of logs stolen with another malware. As Flashpoint found, Acreed uses a unique directory and file naming convention that could be used to potentially identify samples in the wild or during runtime (see below). 

Acreed stealer log files (Source: Flashpoint)

Its relatively limited usage is further evidenced by the total available logs on Russian Market, which total over 19,000 infections in 2025 as of late July, compared to over 175,000 infections for LummaC2, according to Flashpoint analysis. 

While samples are not available to analyze, Flashpoint was able to develop a YARA rule that could help detect if the malware is compiling logs on victim systems based on the available data. LastPass will continue to monitor activity associated with both Acreed and LummaC2 and post updates as new information becomes available and take all practicable actions to help protect our customers and disrupt these infostealer operations. 

 
