Alert

Lumma Stealer malware affecting thousands

Dec 10, 2025

The National Cyber Security Centre (NCSC) has alerted thousands of New Zealanders to let them know their device has been infected with malware known as Lumma Stealer. We’re encouraging all those affected to take action to secure their device and keep their online accounts secure.

What happened

The NCSC is aware that malware, known as Lumma Stealer, successfully stole the password and login details for thousands of New Zealanders’ online accounts.

Lumma Stealer is known to affect Windows devices.

Malware is malicious software that affects devices. Information stealer malware often targets information such as passwords, login details and other sensitive data.

What this means

If you have received an email from the NCSC (from the address no-reply@comms.ncsc.govt.nz) telling you that your device is affected, you will need to take the steps below to remove the malware and secure your device. You will also need to secure the accounts you accessed from the affected device.

What to look for

This type of malware can be difficult to detect. You might have noticed signs such as:

  • unusual account activity (logins, changes to settings, getting locked out of accounts), or
  • unknown or unauthorised transactions.

Your antivirus software may have already alerted you that there was malware on your device and taken steps to remove it. If this is the case, you will still need to take steps to change the passwords on the accounts accessed on the device.

Removing malware

There are different options you can take to remove the malware, depending on your level of knowledge and confidence.

  • Contact an IT provider for support

    If you do not feel comfortable scanning and removing the malware from your device, you can hire an IT provider to assist. 

    Choosing an IT provider

  • Run a scan on your device and remove the malware

    If you are comfortable doing so, run a scan on your Windows computer or other device.

    Windows Defender is the pre-installed antivirus software for Windows, and it is completely free. To run a scan:

    1. Perform any outstanding operating system and Windows Defender updates.
    2. Run Windows Defender in offline mode – go to Settings, Windows Security. Click on Virus & threat protection. Click on the blue link ‘Scan Options’ and choose ‘Microsoft Defender Antivirus (offline scan)’. Your device will reboot and perform the scan. Follow any prompts if required.
    3. Check results – if malware is detected, Windows Defender may give you steps to resolve the malware, such as deleting the software.  
    4. Reboot your device – Once the scan is complete and any malware found has been removed, your device should reboot.

    For extra reassurance, consider using a second reputable antivirus/anti-malware product to scan your device to ensure the malware is removed. 

  • Factory reset your device

    Another option is to perform a factory reset which will clear the device of all data including malware.

    While this is the most effective method to remove malware, it will permanently delete any data that you have not backed up.

    Please ensure you back up any data you want to preserve such as photos. It is recommended that you do not back up apps and programs. There is a chance that if you back these up you will reinstall the malware.

    Before restoring your files and documents to your computer, check/scan them for malware using an up-to-date product so that you don’t restore any malware.

    Ensure you disable the AutoPlay setting before connecting a USB with your backup files. This can usually be found in your Windows settings under ‘devices’ and helps ensure that any malicious files you may have backed up are not automatically run.

    Once connected, run a scan with your antivirus/anti-malware product.
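
The scan steps and the backup-drive check above can also be run from an elevated PowerShell prompt using the built-in Microsoft Defender cmdlets. This is an added example, not NCSC code; the `-Step` and `-BackupDrive` parameters and the default drive letter `E:\` are assumptions made for illustration.

```powershell
# Added example, not NCSC code. Run in an elevated PowerShell session on the Windows device.
param(
    [ValidateSet('OfflineScan', 'Results', 'ScanBackup')]
    [string]$Step = 'Results',
    [string]$BackupDrive = 'E:\'   # assumption: drive letter of the backup USB
)

switch ($Step) {
    'OfflineScan' {
        # Step 1: refresh Defender definitions (operating system updates still come from Windows Update).
        Update-MpSignature
        Get-MpComputerStatus |
            Select-Object AntivirusSignatureLastUpdated, AntivirusSignatureVersion
        # Step 2: offline scan. This reboots the device immediately, so save your work first.
        Start-MpWDOScan
    }
    'Results' {
        # Step 3: after the reboot, list what Defender detected and whether the action succeeded.
        Get-MpThreatDetection |
            Sort-Object InitialDetectionTime -Descending |
            Select-Object InitialDetectionTime, ThreatID, ActionSuccess, Resources
        Get-MpThreat | Select-Object ThreatID, ThreatName, SeverityID, IsActive
    }
    'ScanBackup' {
        # Turn AutoPlay off for the current user BEFORE the backup USB is connected.
        $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name DisableAutoplay -Value 1 -Type DWord
        Read-Host 'AutoPlay is disabled. Connect the backup drive, then press Enter' | Out-Null
        if (-not (Test-Path $BackupDrive)) { throw "Drive $BackupDrive was not found." }
        # Scan only the backup drive, then show the most recent detections.
        Start-MpScan -ScanType CustomScan -ScanPath $BackupDrive
        Get-MpThreatDetection |
            Sort-Object InitialDetectionTime -Descending |
            Select-Object -First 10 InitialDetectionTime, ThreatID, ActionSuccess, Resources
    }
}
```

Run the `OfflineScan` step first, the `Results` step after the device has rebooted, and the `ScanBackup` step only when you are ready to restore files.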

Next steps

Once you are sure the device is free from malware, perform the following actions:

  • Reconnect the device to the internet.
  • Immediately update the device.
  • Secure any accounts you used the device to access, by changing passwords and resetting your two-factor authentication method. This may require disabling then re-enabling two-factor authentication if you have had this enabled previously.
  • In particular, the NCSC recommends securing key accounts such as:
    • Bank or financial service accounts
    • Government service accounts (RealMe, myIR, MyMSD etc.)
    • Email (Gmail, Outlook etc.)
    • Social media (Facebook, Instagram, X, etc.)
  • Log out of all devices to ensure that if anyone has already signed into your account using stolen credentials, they will not be able to access the account once the passwords have been reset. If you are unsure how to do this, please refer to the relevant service provider’s guidance.
  • Examine account activity, especially for the above listed accounts to see if there have been any suspicious transactions, sign-ins, etc. If you notice anything out of the ordinary, reach out to the service provider and they will be able to assist you.
  • It’s important to check your email’s settings for unknown or suspicious changes. See the links in the More information section for how to do this with various email providers.

Prevention

While Lumma Stealer malware is known to impact Windows devices, we recommend you review the security of all your devices, particularly ones you use to access valuable accounts like your online banking.

There are some basic security steps you can take to avoid malware.

Protect yourself against malware

More information

Remove malware from your device

Malware

Advice from email providers on how to secure your accounts:

Google account security check up

Keep your Apple account secure

How to keep your Microsoft account secure