Lumma Developers Claim Ability to Restore Expired Google Cookies

The creators of the Lumma stealer (also known as LummaC2) are promoting a new feature that allegedly lets its customers restore expired Google session cookies, which can then be used to take over victims' accounts. A session cookie is a bearer credential: whoever presents it to Google is treated as the already logged-in user, without being asked for a password or second factor. For that reason session cookies are normally given a limited lifespan, so that a stolen copy stops working after a bounded time.

Restoring such cookies would let Lumma operators regain access to a victim's Google account even after the legitimate user has logged out and the stolen session has expired, which is exactly the window the limited lifespan is meant to close.
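To make concrete what the lifespan limit does and does not protect against, here is an added example of a minimal server-side session store (not Google's implementation and not code from the article): cookies are HMAC-signed, carry an expiry, and can be revoked on logout. The server secret, the one-hour lifetime, the timestamps and the victim identity are all constructed for the demo. It shows that a stolen cookie is accepted from anyone until it expires or is revoked, which is why a way to "restore" an expired cookie would undo the control.

```python
import hashlib
import hmac
import secrets

# Assumptions for the demo: a server-held HMAC key and a one-hour session lifetime.
SECRET = b"demo-server-secret"
SESSION_TTL = 3600

# Server-side session table: session_id -> {"user", "expires", "revoked"}
_sessions = {}


def issue_cookie(user, now):
    """Create a session for `user` at time `now` and return the cookie value.

    The cookie is "<session_id>.<hmac-sha256 tag>" so a forged id is rejected
    before the session table is consulted.
    """
    sid = secrets.token_hex(16)
    _sessions[sid] = {"user": user, "expires": now + SESSION_TTL, "revoked": False}
    tag = hmac.new(SECRET, sid.encode(), hashlib.sha256).hexdigest()
    return f"{sid}.{tag}"


def validate_cookie(cookie, now):
    """Return the user the cookie authenticates at time `now`, or None.

    The check is identical whoever presents the cookie: it is a bearer
    credential, and only the signature, expiry and revocation state matter.
    """
    try:
        sid, tag = cookie.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET, sid.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    rec = _sessions.get(sid)
    if rec is None or rec["revoked"] or now >= rec["expires"]:
        return None
    return rec["user"]


def logout(cookie):
    """Revoke the session server-side; the cookie bytes stay in the browser
    (and in any stolen copy) but no longer authenticate."""
    sid = cookie.split(".", 1)[0]
    if sid in _sessions:
        _sessions[sid]["revoked"] = True


def demo():
    t0 = 1_700_000_000  # constructed fixed timestamp
    user = "victim@example.com"  # constructed identity
    cookie = issue_cookie(user, now=t0)

    # An infostealer copies the cookie out of the browser profile. Inside the
    # lifetime the server cannot distinguish the attacker from the user.
    stolen_works = validate_cookie(cookie, now=t0 + 600) == user

    # Once the lifetime has elapsed the same bytes are rejected. This is the
    # control a "restore expired cookies" feature would have to defeat.
    expired_rejected = validate_cookie(cookie, now=t0 + SESSION_TTL + 1) is None

    # Logging out revokes the session even before expiry.
    cookie2 = issue_cookie(user, now=t0)
    logout(cookie2)
    revoked_rejected = validate_cookie(cookie2, now=t0 + 1) is None

    # Flipping one hex digit of the tag fails the signature check, so the
    # attacker cannot simply mint or extend a session client-side.
    last = "0" if cookie[-1] != "0" else "1"
    tampered_rejected = validate_cookie(cookie[:-1] + last, now=t0 + 1) is None

    return {
        "stolen_works": stolen_works,
        "expired_rejected": expired_rejected,
        "revoked_rejected": revoked_rejected,
        "tampered_rejected": tampered_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that expiry and revocation are enforced from server-side state, not from anything inside the cookie, so a "restored" cookie can only work if the server, not the client, is persuaded to treat the old session as live or to mint a fresh one from the stolen material.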

This feature was first noticed by cybersecurity researcher Alon Gal from Hudson Rock, who spotted the advertisement on a hacker forum. On November 14, Lumma’s developers announced an update that allows users to “restore ‘dead’ cookies using keys from Restore files (applicable only to Google cookies).”

The announcement clarifies that each key can only be used twice, so cookie restoration can only be performed once per key. This new feature is available exclusively to subscribers of the “Corporate” plan, which costs $1,000 per month.

According to Bleeping Computer, Lumma's claim has not been confirmed or refuted by security researchers or by Google, so it remains unclear whether the feature works as advertised. However, the journalists note that the creators of a rival stealer, Rhadamanthys, recently claimed to have added similar functionality in an update of their own. Two stealer vendors advertising the same capability makes it more likely that malware developers have indeed found, and are exploiting, a weakness related to Google session cookies.

Bleeping Computer reporters have repeatedly tried to contact Google specialists for comments on the hackers’ claims and the potential vulnerability related to session cookies, but have not received a response.

Interestingly, a few days after Bleeping Computer reached out to Google, Lumma’s developers released another update, claiming it bypasses some recently introduced Google restrictions that were meant to prevent cookie restoration.

Journalists also attempted to ask the hackers how exactly the feature works and what vulnerabilities it exploits. The group declined to answer these questions but stated that their competitors, the creators of Rhadamanthys, simply copied the feature from Lumma.

In summary, if stealers really can restore expired Google cookies as advertised, then session expiry and logging out no longer protect a compromised account, and the only defence left to users is to keep their systems from being infected by the stealers that harvest these cookies in the first place.
