Tag: lumma stealer

40 Attack Reports | 0 Vulnerabilities

Attack reports

Amatera Stealer: Rebranded ACR Stealer With Improved Evasion, Sophistication

Proofpoint has identified Amatera Stealer, a rebranded version of ACR Stealer with enhanced capabilities and evasion techniques. Distributed via ClearFake website injects, it utilizes sophisticated attack chains and web injects. Amatera Stealer employs NTSockets for stealthy C2 communication, WoW64…
rhadamanthys
lumma stealer
malware-as-a-service
clickfix
acr stealer
information stealer
clearfake
2025-06-18
web injects
amatera stealer
ntsockets
wow64 syscalls
Published: June 18, 2025
Downloadable IOCs: 12

GitHub's Dark Side: Unveiling Malware Disguised as Cracks, Hacks, and Crypto Tools

Cybercriminals are exploiting GitHub's reputation to distribute malware, particularly targeting gamers and children. They create repositories offering game hacks, cracked software, and crypto tools, which actually contain Lumma Stealer variants. The attack chain begins with users searching for thes…
social engineering
malware distribution
lumma stealer
cybersecurity
github
2025-06-18
cracked software
game hacks
crypto tools
Published: June 18, 2025
Downloadable IOCs: 4

The strange tale of ischhfd83: When cybercriminals eat their own

This investigation uncovered a large-scale campaign involving backdoored GitHub repositories targeting game cheaters and inexperienced cybercriminals. The threat actor, possibly linked to a Distribution-as-a-Service operation, uses multiple types of backdoors and a convoluted infection chain leadin…
backdoor
obfuscation
rat
infostealer
remcos
lumma stealer
asyncrat
github
telegram
2025-06-04
Published: June 4, 2025
Downloadable IOCs: 52

Global operation disrupts Lumma Stealer

ESET collaborated with Microsoft and other partners in a global operation to disrupt Lumma Stealer, a prominent malware-as-a-service infostealer. ESET's contribution involved analyzing tens of thousands of malware samples to extract key data like C&C servers and affiliate identifiers. The operation…
infostealer
lumma stealer
credential theft
malware-as-a-service
disruption
2025-05-26
c&c infrastructure
Published: May 26, 2025
Downloadable IOCs: 113

Danabot: Analyzing a fallen empire

ESET Research shares insights into Danabot, an infostealer recently disrupted by law enforcement. The malware, tracked since 2018, evolved from a banking trojan to a versatile tool for data theft and malware distribution. Operated as a malware-as-a-service, Danabot offered features like data steali…
infostealer
lockbit
data theft
darkgate
zloader
botnet
lumma stealer
matanbuchus
cybercrime
danabot
latrodectus
malware-as-a-service
smokeloader
banking trojan
systembc
buran
rescoms
recordbreaker
ursnif
2025-05-23
2025-05-25
nonransomware
proxy servers
crisis
c&c infrastructure
malware-as-service
Published: May 25, 2025
Downloadable IOCs: 1

How Lumma Stealer sneaks into organizations

Lumma Stealer, a sophisticated information-stealing malware, has gained prominence in cybercriminal circles since 2022. It employs various distribution methods, with fake CAPTCHA pages being a notable vector. These pages mimic legitimate services and trick users into executing malicious commands. T…
obfuscation
powershell
anti-analysis
lumma stealer
autoit
information stealer
cryptocurrency theft
fake captcha
2025-04-21
Published: April 21, 2025
Downloadable IOCs: 15

Phishing campaign impersonates Booking.com, delivers a suite of credential-stealing malware

A phishing campaign targeting organizations in the hospitality industry has been identified, impersonating Booking.com and using the ClickFix social engineering technique to deliver multiple credential-stealing malware. The campaign, tracked as Storm-1865, targets individuals likely to work with Bo…
xworm
phishing
social engineering
lumma stealer
asyncrat
danabot
venomrat
clickfix
netsupport rat
booking.com
2025-03-13
credential-stealing
2025-04-13
Published: April 13, 2025
Downloadable IOCs: 0

Where to Find Aspiring Hackers

This analysis focuses on Proton66, a bulletproof hosting network enabling cybercrime operations and serving as a hub for aspiring cybercriminals. It examines the activities of a threat actor known as 'Coquettte,' who is linked to the Horrid hacking group. The investigation reveals a fake cybersecur…
amadey
lumma stealer
cybercrime
vidar
infostealers
penguish
rugmi
2025-04-04
rescoms
proton66
bulletproof hosting
recordbreaker
horrid hacking group
amateur hackers
fake cybersecurity
rugmi malware
Published: April 4, 2025
Downloadable IOCs: 0

Proactive ClickFix Threat Hunting with Hunt.io

ClickFix is a browser-based delivery technique that uses deceptive prompts and clipboard hijacking to trick users into executing malicious commands. Cybercriminals and advanced actors employ this method to deploy malware, primarily information stealers. The technique involves luring users with fake…
powershell
cryptbot
lumma stealer
credential theft
clickfix
captcha
information stealers
malware delivery
threat hunting
browser-based attacks
2025-04-04
clipboard hijacking
Published: April 4, 2025
Downloadable IOCs: 0

Amateur Hacker Leverages Bulletproof Hosting Server to Spread Malware

A novice cybercriminal, known as 'Coquettte', has been discovered using a Russian bulletproof hosting provider, Proton66, to distribute malware. The hacker's activities include deploying the Rugmi malware loader through a fake cybersecurity product website and selling guides for illegal substances …
amadey
lumma stealer
vidar
rugmi
2025-04-03
rescoms
amateur hacker
proton66
cybercrime incubator
bulletproof hosting
fake antivirus
raccoon stealer v2
illegal guides
horrid collective
Published: April 3, 2025
Downloadable IOCs: 6

YouTube Creators Under Siege Again: Clickflix Technique Fuels Malware Attacks

Cybercriminals are targeting YouTube creators with a sophisticated malware campaign using the Clickflix technique. Attackers impersonate popular brands and offer fake collaboration opportunities to lure victims. The campaign employs spearphishing emails with malicious attachments and links to fake …
social engineering
spearphishing
powershell
cryptocurrency
lumma stealer
credential theft
youtube
2025-03-25
clickflix
Published: March 25, 2025
Downloadable IOCs: 5

Remote Monitoring and Management (RMM) Tooling Increasingly an Attacker's First Choice

Threat actors are increasingly using legitimate remote monitoring and management (RMM) tools as initial payloads in email campaigns. This trend aligns with a decrease in the use of traditional loaders and botnets by initial access brokers. RMMs can be exploited for data collection, financial theft,…
screenconnect
rmm
remcos
lumma stealer
asyncrat
remote access
cybercrime
grandoreiro
email campaigns
netsupport
astaroth
initial access
2025-03-12
guildma
atera
mispadu
bluetrait
fleetdeck
Published: March 12, 2025
Downloadable IOCs: 15

AI-Assisted Fake GitHub Repositories Fuel SmartLoader and LummaStealer Distribution

A campaign using fake GitHub repositories to distribute SmartLoader and Lumma Stealer malware has been uncovered. The attackers create convincing repositories using AI-generated content to deceive users into downloading malicious files disguised as gaming cheats, cracked software, and system tools.…
social engineering
lumma stealer
information theft
github
ai-generated content
2025-03-11
obfuscated scripts
smartloader
Published: March 11, 2025
Downloadable IOCs: 14

Malvertising campaign leads to info stealers hosted on GitHub

A large-scale malvertising campaign impacting nearly one million devices globally was detected in December 2024. The attack originated from illegal streaming websites with embedded malvertising redirectors, leading users through multiple redirections to malware hosted on GitHub and other platforms.…
malvertising
lumma stealer
github
lumma
netsupport rat
information stealer
multi-stage attack
doenerium
2025-03-06
living-off-the-land
Published: March 6, 2025
Downloadable IOCs: 3

Fake CAPTCHA Lures Victims: Lumma Stealer Abuses Clipboard and PowerShell

A new malware campaign using fake CAPTCHA pages to deliver Lumma Stealer has been identified. The attack leverages ClickFix, a deceptive tactic involving phishing and fake reCAPTCHA pages impersonating Cloudflare verification. The infection chain begins with a fake CAPTCHA page tricking victims int…
lumma stealer
clickfix
fake captcha
2025-02-25
Published: February 25, 2025
Downloadable IOCs: 11

Lumma Stealer Malware Thrives as Unique Patterns Uncovered in the Infostealer's Domain Clusters

Recent research reveals Lumma Stealer command and control domain clusters share specific technical characteristics, enabling mapping of entire infrastructure clusters. The infostealer's logs are being shared for free on Leaky[.]pro, a new hacking forum, offering billions of stolen credential record…
malvertising
infostealer
lumma stealer
credential theft
youtube
malspam
sectoprat
c2 infrastructure
2025-02-22
domain clusters
Published: February 22, 2025
Downloadable IOCs: 0

An Update on Fake Updates: Two New Actors, and New Mac Malware

Proofpoint has identified two new cybercriminal threat actors, TA2726 and TA2727, operating web inject campaigns. TA2726 acts as a traffic distribution service for TA569 and TA2727, while TA2727 delivers various malware payloads including a new MacOS information stealer called FrigidStealer. The la…
lumma stealer
socgholish
deerstealer
2025-02-18
fake updates
macos malware
frigidstealer
traffic distribution
gholoader
doiloader
marcher
web inject
Published: February 18, 2025
Downloadable IOCs: 10

Lumma Stealer Chronicles: PDF-themed Campaign Using Compromised Educational Institutions' Infrastructure

An ongoing malware campaign is distributing Lumma Stealer, an information-stealing malware, through malicious LNK files disguised as PDF documents. The campaign exploits compromised educational institutions' infrastructure to host these files. When executed, the LNK files initiate a multi-stage inf…
phishing
lumma stealer
information stealing
maas
lnk files
multi-stage infection
2025-02-17
steam profiles
educational institutions
pdf-themed
Published: February 17, 2025
Downloadable IOCs: 24

ClickFix Scam Exposed! Protect Your Data Before It's Too Late

Cybercriminals are exploiting DeepSeek's popularity to launch ClickFix phishing campaigns, tricking users into clicking fake CAPTCHA links that steal credentials and install malware like Vidar and Lumma Stealer. These attacks impersonate DeepSeek's branding to appear legitimate and bypass security …
phishing
social engineering
lumma stealer
credential theft
vidar stealer
clickfix
captcha
deepseek
2025-02-11
Published: February 11, 2025
Downloadable IOCs: 7

Lumma Stealer's GitHub-Based Delivery Explored via Managed Detection and Response

Trend Micro's Managed XDR team investigated a sophisticated campaign distributing Lumma Stealer through GitHub. The attackers exploited GitHub's release infrastructure to deliver various malware, including SectopRAT, Vidar, and Cobeacon. The campaign used compromised websites for redirection to Git…
lumma stealer
information stealing
2025-01-31
Published: January 31, 2025
Downloadable IOCs: 0

Hundreds of fake Reddit sites push Lumma Stealer malware

A widespread campaign involving nearly 1,000 fake web pages mimicking Reddit and WeTransfer has been discovered, aiming to distribute the Lumma Stealer malware. The attackers create convincing fake Reddit discussions and WeTransfer download pages to trick users into downloading the malicious payloa…
lumma stealer
2025-01-24
reddit impersonation
wetransfer impersonation
Published: January 24, 2025
Downloadable IOCs: 936

Banshee: The Stealer That "Stole Code" From MacOS XProtect

A new version of the Banshee macOS stealer, linked to Russian-speaking cybercriminals, has been monitored since September. This version went undetected for over two months, using a string encryption algorithm identical to Apple's XProtect antivirus engine. The malware targets browser credentials, c…
phishing
cryptocurrency
macos
lumma stealer
github
string encryption
banshee
2025-01-09
xprotect
Published: January 9, 2025
Downloadable IOCs: 25

Fake Captcha Driving Infostealer Infections and a Glimpse to the Dark Side of Internet Advertising

A large-scale fake captcha campaign has been distributing Lumma info-stealer malware through malvertising techniques. The campaign, relying on a single ad network, delivers over 1 million daily ad impressions, causing thousands of daily victims to lose their accounts and money. The malicious activi…
malvertising
powershell
lumma stealer
fake captcha
2024-12-18
Published: December 18, 2024
Downloadable IOCs: 50

Technical Analysis of RiseLoader

RiseLoader, a new malware loader family observed in October 2024, implements a custom TCP-based binary network protocol similar to RisePro. It uses VMProtect for obfuscation and has been observed dropping malware families like Vidar, Lumma Stealer, XMRig, and Socks5Systemz. The malware collects inf…
xmrig
cryptocurrency
lumma stealer
malware loader
vidar
risepro
socks5systemz
2024-12-16
riseloader
Published: December 16, 2024
Downloadable IOCs: 0

NodeLoader Exposed: The Node.js Malware Evading Detection

Zscaler ThreatLabz discovered a malware campaign using Node.js applications for Windows to distribute cryptocurrency miners and information stealers. Named NodeLoader, this malware family employs Node.js compiled executables to deliver second-stage payloads like XMRig, Lumma, and Phemedrone Stealer…
social engineering
node.js
lumma stealer
evasion techniques
information stealers
2024-12-13
game streaming
cryptocurrency miners
nodeloader
Published: December 13, 2024
Downloadable IOCs: 0

Threat Actor Targets Manufacturing Industry With Malware

A sophisticated cyberattack campaign targeting the manufacturing industry has been identified, utilizing a deceptive LNK file disguised as a PDF document. The attack leverages multiple Living-off-the-Land Binaries and Google Accelerated Mobile Pages to evade detection. The threat actor employs vari…
powershell
lumma stealer
dll sideloading
lnk file
process injection
manufacturing
code injection
2024-12-05
amadey bot
amp url
Published: December 5, 2024
Downloadable IOCs: 0

Pronsis Loader: A JPHP-Driven Malware Diverging from D3F@ck Loader

A new malware called Pronsis Loader has been discovered, with similarities to D3F@ck Loader. Both use JPHP-compiled executables, but Pronsis uses NSIS for installation instead of Inno Setup. Pronsis Loader typically delivers Lumma Stealer and Latrodectus payloads. It employs defense evasion techniq…
lumma stealer
latrodectus
d3f@ck loader
pronsis loader
2024-12-04
jphp
Published: December 4, 2024
Downloadable IOCs: 0

Security Brief: ClickFix Social Engineering Technique Floods Threat Landscape

Proofpoint researchers have identified a surge in the ClickFix social engineering technique across the threat landscape. This technique uses dialogue boxes with fake error messages to trick users into copying, pasting, and running malicious content on their computers. Multiple threat actors are emp…
xworm
phishing
social engineering
powershell
darkgate
lumma stealer
asyncrat
danabot
latrodectus
netsupport
cybersecurity
clickfix
threat actors
brute ratel c4
2024-11-18
malware delivery
lucky volunteer
recaptcha phish
threat landscape
Published: November 18, 2024
Downloadable IOCs: 0

Fake AI video generators infect Windows, macOS with infostealers

Threat actors are using fake AI image and video generators to distribute Lumma Stealer and AMOS information-stealing malware on Windows and macOS. These malicious programs masquerade as an AI application called EditProAI, targeting users through search results and social media advertisements. The m…
social engineering
windows
infostealer
macos
lumma stealer
credential theft
ai
2024-11-16
deepfake
Published: November 16, 2024
Downloadable IOCs: 0

Unmasking Lumma Stealer: Analyzing Deceptive Tactics with Fake CAPTCHA

Lumma Stealer, a sophisticated information-stealing malware, has evolved its tactics to employ fake CAPTCHA verification for payload delivery. The malware exploits legitimate software and uses multi-stage fileless techniques to evade detection. Its infection chain involves PowerShell scripts, proce…
powershell
cryptocurrency
lumma stealer
information-stealing
data exfiltration
fileless
maas
process hollowing
fake captcha
2024-10-21
Published: October 21, 2024
Downloadable IOCs: 23

Tricks and Treats: New Pixel-Level Deception

GHOSTPULSE malware has evolved to embed malicious data within pixel structures of PNG files, replacing its previous IDAT chunk technique. Recent campaigns involve social engineering tactics, tricking victims with CAPTCHA validations that trigger malicious commands through keyboard shortcuts. The ma…
social engineering
lumma stealer
captcha
2024-10-18
ghostpulse
keyboard shortcuts
yara rules
configuration extractor
pixel-level deception
png files
crc32
gdi+
Published: October 18, 2024
Downloadable IOCs: 9

HijackLoader evolution: abusing genuine signing certificates

A report by HarfangLab EDR and MITRE ATT&CK on the threat posed by the Lumma Stealer malware, published on 11 October, 2024, outlines the tactics used to deploy the malware.
loader
powershell
lumma stealer
infection chain
dll sideloading
hijackloader
installer
path
samples
lumma
2024-10-15
zip archive
sha256
fake captcha
harfanglab edr
hider
gate
Published: October 15, 2024
Downloadable IOCs: 69

Security Brief: Actor Uses Compromised Accounts, Customized Social Engineering to Target Transport and Logistics Firms with Malware

A threat actor is targeting transportation and logistics companies in North America with malware campaigns. The actor uses compromised email accounts to inject malicious content into existing conversations, making messages appear legitimate. Campaigns primarily deliver Lumma Stealer, StealC, NetSup…
lumma stealer
danabot
2024-09-24
transportation
Published: September 24, 2024
Downloadable IOCs: 23

Malware Distributed Using Falcon Sensor Update Phishing Lure

CrowdStrike Intelligence uncovered a phishing campaign impersonating CrowdStrike and distributing malicious files containing a Microsoft Installer (MSI) loader. The loader executes the commodity stealer 'Lumma Stealer' packed with 'CypherIt'. This campaign is likely linked to a previous 'Lumma Stea…
phishing
stealer
lumma stealer
malspam
lumma
2024-07-29
Published: July 29, 2024
Downloadable IOCs: 32

Fake update puts visitors at risk

This intelligence report discusses SocGholish, a JavaScript downloader used by threat actors to deliver malware payloads disguised as fake browser updates. It analyzes the recent tactics, techniques, and procedures employed by threat groups like Evil Corp in compromising WordPress websites, fingerp…
malware
cobalt strike
zloader
lumma stealer
socgholish
wordpress
downloader
redline stealer
2024-07-24
netsupport rat
egregor
ryuk
fake update
badspace
Published: July 24, 2024
Downloadable IOCs: 10

A Social Engineering Tactic to Deploy Malware

McAfee Labs uncovered a sophisticated social engineering technique, dubbed 'ClickFix,' for deploying malware such as DarkGate and Lumma Stealer. Victims are lured to compromised websites displaying error messages with instructions to paste scripts in PowerShell, facilitating malware downloads and e…
darkgate
lumma stealer
2024-07-15
clickfix
Published: July 15, 2024
Downloadable IOCs: 7

From Clipboard to Compromise: A PowerShell Self-Pwn

This intelligence report details a unique social engineering technique observed by Proofpoint researchers, leveraging users to copy and paste malicious PowerShell scripts to infect their computers. The threat actors TA571 and ClearFake activity cluster employ this method to deliver malware like Dar…
malware
social engineering
powershell
xmrig
darkgate
lumma stealer
matanbuchus
2024-06-17
netsupport
malicious script
jaskago
compromise
amadey loader
vidar stealer
Published: June 17, 2024
Downloadable IOCs: 14

Fake Browser Updates delivering BitRAT and Lumma Stealer

This report details a malicious campaign where adversaries used fake browser update prompts to lure victims into downloading and executing malware. The infection chain begins with injected malicious JavaScript code on compromised websites that redirect users to pages mimicking legitimate browser up…
lumma stealer
2024-06-03
bitrat
Published: June 3, 2024
Downloadable IOCs: 13

Profiling Trafficers: Cerberus

This analysis delves into the activities of a group of malware operators known as Cerberus (formerly Amnesia) Team, who specialize in spreading infostealers, particularly in the Commonwealth of Independent States (CIS) region. It provides insights into their operations, tactics, and the evolution o…
malware
infostealer
russia
2024-05-05
2024-05-06
2024-05-07
lumma stealer
2024-05-08
aurora stealer
redline
hacking
cybercrime
rhadamanthys stealer
casbaneiro
metamorfo
dracula stealer (samurai)
2024-05-09
2024-05-10
Published: May 10, 2024
Downloadable IOCs: 24

HijackLoader Updates

HijackLoader, also known as IDAT Loader, is a modular malware loader capable of executing multiple payloads. It utilizes a variety of modules for code injection, execution, and evasion techniques. This report analyzes the updated version of HijackLoader, which includes new modules for bypassing Win…
rat
evasion
rhadamanthys
stealer
remcos
2024-05-03
2024-05-04
2024-05-05
2024-05-06
2024-05-07
amadey
lumma stealer
injection
modular
racoon stealer v2
malware loader
meta stealer
Published: May 7, 2024
Downloadable IOCs: 11
Click here to see more Attack Reports