Beyond Signatures: Detecting Lumma Stealer with an ML-Powered Sandbox

Sept. 26, 2025, 11:41 a.m.

Description

This analysis focuses on a new variant of Lumma Stealer, an information-stealing malware that reemerged after a brief hiatus following a law enforcement operation. The article details the malware's code obfuscation, evasion techniques, and persistence mechanisms. It describes Netskope's machine learning-based detection approach, which uses a Cloud Sandbox enhanced with ML models to analyze runtime behavior, process trees, and other features. The specific sample analyzed is an NSIS installer file that abuses AutoIt to run its malicious payload. The malware employs various anti-analysis techniques and establishes persistence through the Windows Startup folder. Netskope's multi-layered threat protection system successfully detected this Lumma Stealer variant.

Date

  • Created: Sept. 25, 2025, 11:21 p.m.
  • Published: Sept. 25, 2025, 11:21 p.m.
  • Modified: Sept. 26, 2025, 11:41 a.m.

Indicators

  • ff7a1388fa59a9e1b43c5c88a1ee30e4abcec21a39882812a045aa9d9b865170

Attack Patterns

Additional Information

  • Healthcare
  • Finance
  • Telecommunications