{
	"id": "ec991849-7568-4be0-ad4f-082da7cafe61",
	"created_at": "2026-04-06T00:06:53.91406Z",
	"updated_at": "2026-04-10T03:20:50.343511Z",
	"deleted_at": null,
	"sha1_hash": "07425ca50812b32d3712db66487e6de89c63e0fb",
	"title": "Your Data Is Under New Lummanagement: The Rise of LummaStealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2183334,
	"plain_text": "Your Data Is Under New Lummanagement: The Rise of\r\nLummaStealer\r\nBy Cybereason Security Services Team\r\nArchived: 2026-04-05 15:04:54 UTC\r\nCybereason Security Services issues Threat Analysis reports to inform on impacting threats. The Threat Analysis\r\nreports investigate these threats and provide practical recommendations for protecting against them.\r\nIn this Threat Analysis report, Cybereason Security Services investigate the rising activity of the malware\r\nLummaStealer.\r\nKEY POINTS\r\nLumma-nary in the Field of Theft: LummaStealer has gained momentum recently, with infections\r\nrapidly rising across multiple regions and sectors, highlighting its adaptability and widespread impact on\r\ndata security.\r\nA Thousand Paths, the Same Destination: Infection vectors for LummaStealer are increasingly diverse,\r\nleveraging advanced social engineering tactics and impersonation techniques to deceive victims and\r\ninfiltrate systems, reinforcing the need for vigilance.\r\nRise of MaaS: LummaStealer underscores the persistent risk of Malware-as-a-Service (MaaS), which\r\noffers low entry barriers for cybercriminals. With user-friendly platforms, MaaS enables even minimally\r\nskilled attackers to execute high-volume campaigns, presenting a substantial threat landscape.\r\nINTRODUCTION\r\nBasic LummaStealer Infection Flow\r\nMalware-as-a-Service (MaaS)\r\nRecent years have seen organizations around the globe move from software solutions created, delivered, and\r\nmaintained in-house to cloud-based Software-as-a-Service (SaaS) offerings that, for a subscription fee, allow for\r\nthe scalable deployment of software resources that update automatically and can be accessed from anywhere.\r\nMalware developers have learned from this model and introduced Malware-as-a-Service (MaaS) offerings to\r\nhttps://www.cybereason.com/blog/threat-analysis-rise-of-lummastealer\r\nPage 1 of 25\n\nprospective attackers. 
Like SaaS, these typically operate on a subscription basis, giving attackers access to a full suite of malicious capabilities which, depending on the offering, can include complex, modular payloads, initial access vectors, and a command and control infrastructure from which to manage their attacks. This takes a lot of the technical overhead away from the attacker, lowering the bar for attack implementation and allowing them to focus on their operational goals. From a few hundred dollars a month, almost anyone can be given the tools to start a highly effective and efficient attack campaign.\r\nIn recent weeks the Cybereason Global SOC has seen a marked increase in attacks that utilize one such MaaS offering – LummaStealer. Historically priced between $250 per month for basic access and up to $20,000 for an all-inclusive license, LummaStealer has facilitated infections worldwide through both innovative and traditional social engineering tactics. These infections, if unaddressed, pose severe risks to individuals and organizations, potentially leading to significant data breaches and exploitation.\r\nWhat is LummaStealer?\r\nLummaStealer (also known as Lummac, LummaC2 Stealer, and Lumma Stealer) is a relatively new information-stealing malware that first surfaced in 2022. It targets Windows systems and has gained attention for its ability to collect a wide range of sensitive data, such as credentials, cookies, cryptocurrency wallets, and other personally identifiable information. The malware is typically distributed via phishing emails, cracked software, or malicious downloads. The stealer is marketed on underground forums and is used to target individuals, cryptocurrency users, as well as small and medium-sized businesses (SMBs).\r\nTactics, Techniques and Procedures (TTPs)\r\nDelivery:\r\nPhishing Emails – LummaStealer is commonly distributed through phishing emails containing malicious attachments or links. 
\r\nMalicious Downloads – It is often bundled with cracked software or fake updates available on shady websites.\r\nExecution:\r\nOnce executed, LummaStealer begins harvesting sensitive information from the victim's device. It silently operates in the background, bypassing traditional antivirus detection methods.\r\nInformation Theft:\r\nCredentials and Cookies – It targets browsers to steal saved credentials, cookies, and browser history.\r\nSystem Information – It gathers details about the victim’s machine, including hardware, OS version, and IP address.\r\nExfiltration:\r\nCommand-and-Control (C2) – Stolen data is exfiltrated to remote servers controlled by the threat actor through encrypted channels.\r\nPersistence:\r\nLummaStealer has not historically been known to create persistence, meaning that it did not attempt to maintain access after a system reboot. Recently, however, execution flows that include a registry-based persistence mechanism have been observed.\r\nAttribution\r\nAs previously described, LummaStealer operates within the cybercrime ecosystem primarily as a Malware-as-a-Service (MaaS) offering. This model allows various threat actors to subscribe to and utilize the malware for their own malicious activities, making it difficult to attribute the malware to a single group. However, some recent reports suggest that cybercriminal groups potentially backed by Russia or China have been using LummaStealer in targeted attacks, particularly against logistics and transportation companies in North America. 
These campaigns involve phishing attacks and the use of LummaStealer to conduct espionage, primarily gathering sensitive data like credentials, cryptocurrency wallets, and even targeting two-factor authentication (2FA) browser extensions.\r\nIn addition to espionage-related campaigns, LummaStealer has been linked to financially motivated attacks, often targeting cryptocurrency users by stealing wallet information and exfiltrating valuable data to remote command-and-control (C2) servers. The malware's use of advanced obfuscation techniques helps it evade detection, complicating efforts by security teams to mitigate its impact.\r\nAttribution is murky due to LummaStealer's presence in the underground market, but its use in sophisticated phishing campaigns and infrastructure overlap indicates possible coordination among state-affiliated cybercriminal groups. While there is no concrete evidence directly linking specific advanced persistent threats (APTs) to LummaStealer, it is clear that its accessibility via MaaS makes it a popular tool for a wide variety of threat actors.\r\nTECHNICAL ANALYSIS\r\nExample Of A LummaStealer Infection Flow Beginning From A Fake CAPTCHA Challenge\r\nInitial Infection\r\nWhile each individual attacker with a LummaStealer license can develop their own strategies, most instances observed both historically and in the newest wave primarily rely on either social engineering techniques or masquerading for initial infection. Commonly observed social engineering techniques revolve around deceiving the victim into infecting themselves. 
These techniques include (but are not limited to) posts to forums purporting to answer a question, GitHub comments, and YouTube videos that all contain a link to a LummaStealer payload.\r\nYouTube Video Claiming To Be For Cracked Paid Software That Leads To A LummaStealer Payload\r\nMasquerading techniques have some overlap with social engineering, but rely on pretending to be one type of resource when they are in fact a LummaStealer payload or related command. Instances of this include websites masquerading as CAPTCHA challenges, executables advertised as cracked versions of paid software, and executables the attacker says are one kind of file (e.g. a tool that other potential attackers can use) but turn out to be a LummaStealer payload.\r\nExecution\r\nOnce initial infection has occurred, some infections have been observed using mshta.exe and powershell.exe to download and open a ZIP archive containing software that will run the LummaStealer payload.\r\nSecondary PowerShell Script Example\r\nAdditionally, as in the example above, sometimes this activity attempts to create persistence for the malicious binary via a registry entry at the location HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run.\r\nNo matter how the infection begins, once executed LummaStealer attempts to gather sensitive information on the machine including browser and cryptocurrency wallet data. It then encrypts this data and exfiltrates it to a C2 domain.\r\nObserved Payloads\r\nCybereason has observed six different initial payloads eventually establishing connections to C2 domains and executing LummaStealer. 
These payloads include:\r\nDLL side-loading using vulnerable/cracked software\r\nMSI file with AutoIT script\r\nPython based DLL (Pythonw setup.exe and DLL)\r\nVulnerable/cracked software with LummaStealer payload\r\nMSI file with Executable and RAR\r\nZIP file with PDF file decoy\r\nThese payloads are discussed in further depth in the “Payload Comparison” section below.\r\nCommand and Control (C2)\r\nDifferent command and control servers appear to be utilized by LummaStealer samples.\r\nDomains Hosted Behind CDNs\r\nMultiple domains observed in cases of LummaStealer infection were hosted with Bunny.net and DigitalOcean, Content Delivery Network (CDN) providers. Using a CDN for malware command and control (C2) is advantageous as it helps disguise malicious traffic as legitimate. CDNs host a wide range of legitimate content, so malware traffic blends with normal web activity, making detection harder. Moreover, by using CDNs attackers inherit trusted SSL/TLS certificates from reputable providers, further making it appear as if the traffic is secure and legitimate.\r\nIn the case of C2s hosted with Bunny.net, the domains matched the following heuristics:\r\nSSL/TLS certificate name b-cdn.net\r\nDomain name of type: ^[a-z]+[1-9]b-cdn.net$ or ^[a-z]+0[1-9]b-cdn.net$\r\nDomains With The .shop TLD\r\nSome of the observed domains had a Top-Level Domain named .shop and were following the below heuristic pattern:\r\nDomain name 13 characters long (including at least one q, w, x, y or z)\r\nA record: 104.21.0.0/16\r\nTLD: .shop\r\nExploitation Of The Video Game Platform Steam\r\nThe video game platform Steam has often been documented to be abused by attackers to spread malware and in turn to be exploited to exfiltrate data or send additional malicious commands.\r\nIn the case of LummaStealer, the malware will be redirected to a Steam account profile page. 
As documented by AhnLab, the “actual_persona_name” tag will then be used to decrypt the C2 domains.\r\nThis gives threat actors more stealth in their victims’ networks as the steam.com domain will very likely not be blacklisted.\r\nUse Of The Legitimate File Sharing Platform DropBox\r\nDropBox is a legitimate file sharing platform which has also been abused by attackers to lure their victims to download additional malware. In the case of LummaStealer, the dl.dropboxusercontent[.]com service – which allows for the easy download of files through DropBox – was exploited to download additional pieces of malware.\r\nSimilarly to the use of other legitimate platforms such as Steam, abusing DropBox gives more discretion to attackers as there are many legitimate use cases.\r\nINFECTION VECTOR CASE STUDY\r\nGiven that LummaStealer is a MaaS offering, infection vectors vary widely depending on the tactics of individual threat actors. Here we will highlight some infection vectors observed around the globe in recent weeks.\r\nCase 1: Masquerading\r\nCrowdStrike Sensor Masquerading\r\nIn order to take advantage of the confusion brought about during the CrowdStrike outage in July 2024, threat actors created the phishing domain crowdstrike-office365[.]com and used it to spread malicious MSI files masquerading as CrowdStrike Falcon sensor updates that would remediate sensor issues. The MSI file had many layers of obfuscation and the final payload was an AutoIT script. The AutoIT script created an encrypted version of the LummaStealer payload. 
\r\nFake CAPTCHA Challenges\r\nThe attackers created a fake human verification HTML page to lure the victim to download the payload from the malicious domain.\r\nPhishing URLs Redirection\r\nThe fake HTML page hosts the following script:\r\nMalicious Function From Fake Human Verification HTML Page\r\nThe function verify will execute the deprecated document.execCommand(\"copy\") command and automatically copy the PowerShell command in the screenshot provided to the clipboard when the victim clicks the \"I'm not a robot\" button. In this case, the PowerShell command execution will download the LummaStealer payload from the domain propller.b-cdn[.]net/propller.\r\nAs soon as we load the fake HTML page, it loads the following image with the “I’m not a robot” button.\r\nFake Human Verification HTML Page - \"I'm not a robot\" Button\r\nWhen the button is clicked, we get the below verification steps as a popup.\r\nFake Human Verification HTML Page - Verification Steps\r\nWe followed the instructions to initiate the PowerShell process and downloaded the payload.\r\nFake Human Verification HTML Page - Run Command\r\nMasquerading As Cracked Software\r\nAs previously outlined, LummaStealer binaries have been spread on social media sites via posts that claim to lead to cracked versions of legitimate paid software. In one case observed by the Cybereason Global SOC, a threat actor made use of a compromised account to create a post advertising a cracked version of the popular video editing software Adobe Premiere. 
Following a link in the comments of the video claiming to lead to the cracked software’s download link brings the victim to a YouTube post, which itself has a link to the file hosting service MediaFire and a password to open a zip file that can be downloaded there.\r\nLink To MediaFire\r\nThreat actors often make use of such services to host their binaries as they are low cost, easily changed, and can blend in with regular traffic more easily than obvious C2 domains.\r\nCase 2: Social Engineering\r\nGitHub Comments\r\nGitHub comments have been leveraged to spread LummaStealer. The attacker shared a link in the GitHub comments posing as fixes to various product bugs. For example, in the below screenshots, the attacker shared the malicious link as a comment in GitHub discussions.\r\nGitHub - Targeted Pages\r\nThe attacker added a comment with a link to download the zip file from the MediaFire domain.\r\nGitHub Message\r\nThe ZIP file contains a Windows executable and a malicious DLL (msvcp110.dll). The Windows executable loads the LummaStealer DLL via DLL side-loading. The Windows executable has the hardcoded C2 address 146.19.128[.]68 and established connections to many C2 domains (Ex: carrtychaintnyw[.]shop, quotamkdsdqo[.]shop).\r\nDiscord CDN Abuse\r\nThreat actors have also tried to spread LummaStealer using Discord, a popular chat platform. They have used random/compromised accounts to target the victims and sent direct messages asking for help investigating or completing personal projects. The project was hosted on the Discord CDN network. Discord’s content delivery network was used to host and spread LummaStealer. 
(Ex: cdn.discordapp[.]com/attachments/).\r\nWe found that Discord’s application programming interface (API) was used to spread the malicious file (Eng1aucnh33.zip) and establish connections to LummaStealer C2 domains (Ex: complainnykso[.]shop).\r\nDiscord API - Attachments\r\nCase 3: Hacker Tools Gone Wrong\r\nMultiple vendors have reported that LummaStealer has been propagated through hacktools. One particular example describes how the malware was spread through a fake OnlyFans ‘checker’. A checker allows the verification of stolen credentials, which then gives access to private information and might lead to money theft.\r\nPAYLOAD COMPARISON\r\nIn addition to differences in initial infection strategies, LummaStealer payloads vary in their execution. Here we will highlight several payloads observed by Cybereason and the execution flows they follow.\r\nDLL Side-Loading Using Vulnerable/Cracked Software\r\nThreat actors using LummaStealer target older versions of potentially unwanted applications that have a DLL side-loading vulnerability. The second stage ZIP file contains the vulnerable software and the LummaStealer DLL. The software will load the malicious DLL via DLL side-loading. In the below example, the executable (iscrpaint.exe) is part of the iTop Screen Recorder tool. The exploited version of the tool (iscrpaint.exe) then loads the malicious DLL (WebUI.dll).\r\nThe threat actors use DLL side-loading techniques to evade detection. 
This technique will execute the malicious LummaStealer DLL in the context of a legitimate application, making it more difficult to detect.\r\nLummaStealer - DLL side-loading\r\nMSI File With AutoIT Script\r\nAs we discussed earlier in the above case study section, threat actors created malicious CrowdStrike phishing domains and used them to spread a Microsoft Software Installer file (.msi). The MSI file was packed with an AutoIT executable (.pif) and an obfuscated AutoIT script. The script execution will load the shellcode to create the final LummaStealer payload.\r\nLummaStealer - AutoIT Variant\r\nWe also observed another instance in which an executable setup.exe (original name: Adobe PDF Broker) sideloaded a malicious DLL (sqlite.dll). The DLL will initiate the process (strcmp.exe). The original name of the process (strcmp.exe) is BtDaemon.exe. BtDaemon is a Bluetooth daemon and will drop the AutoIT script along with the AutoIT executable.\r\nLummaStealer - AutoIT Variant\r\nPython Based DLL (Pythonw setup.exe \u0026 DLL)\r\nIn this variation of the payload, the ZIP file was packed with the Pythonw compiler (setup.exe) and a LummaStealer DLL (python310.dll). The Pythonw compiler (setup.exe) was used to launch the DLL.\r\nLummaStealer - PythonW variant\r\nA similarity observed between these two variants (the use of Python and the use of AutoIT) is that the process (more.com) is used to then execute further malicious activity that will then lead to the connection to the command and control servers. This behavior has also been described by other researchers. 
\r\nVulnerable/Cracked Software Bundled With LummaStealer Payload\r\nDuring our investigations, we found that older versions of vulnerable/cracked software were trojanized and packed with an obfuscated payload (EXE file). For example, the cracked software (0DollarERP.exe) had a malicious executable obfuscated inside a JSON file format. The malicious executable would eventually connect to the LummaStealer C2 domain.\r\nExamples of the vulnerable software observed include:\r\nAutooff\r\nRemBlankPwd\r\nDBeaver Ultimate.exe\r\n0DollarERP.exe\r\n0SpotifyMusic.exe\r\n0ScreenHunter.exe\r\n0qnewb.exe\r\n0Origami3.exe\r\nLummaStealer - Vulnerable Software\r\nMSI File With Executable \u0026 RAR\r\nIn another variation, threat actors using LummaStealer made use of an MSI file as the initial payload. The MSI file contains a ZIP file. The ZIP file is bundled with an installer executable and a RAR file. The RAR file contains a second stage DLL to download the LummaStealer executable.\r\nLummaStealer - MSI/RAR Variant\r\nZIP File With PDF File Decoy\r\nThe Cybereason Global SOC also observed that the LummaStealer first stage was downloaded from the internet as a ZIP file. The ZIP file contains an executable and a DLL. The executable is a vulnerable version of Haihaisoft PDF Reader. The PDF Reader (hpreader.exe) created persistence by adding a registry key value pair to run (rundll32.exe) the DLL during machine startup. The ZIP file was downloaded from DropBox (dl.dropboxusercontent[.]com).\r\nLummaStealer - PDF File Decoy Variant\r\nSample Analysis\r\nIn one observed sample, 
the ZIP file (e74b1e485e42e8ba7a65ab6927e872a5) contains a setup file (setup.exe), the LummaStealer DLL (tak_deco_lib.dll) and other resource files.\r\nThe original name of the setup file is “Mp3tag - the universal Tag editor.” The original file (Mp3tag.exe) imports only 19 DLLs (as per the Import Address Table), but the trojanized version contains 20 DLLs. The setup file imports the following functions from the LummaStealer DLL.\r\nExploited Version Of Mp3tag Software Loading The LummaStealer DLL\r\nFinal Payload\r\nThe final LummaStealer payload implementation varies in the above cases but focuses primarily on targeting browsers and applications. In one variant observed, the final payload contained a PowerShell script and had many layers of obfuscation. Execution of the script installed a malicious browser extension.\r\nThe extension targets the Chrome, MS Edge, Opera, and Brave browser applications, collecting the following data for exfiltration:\r\nBrowser clipboard, cookies, passwords, history, tabs, and cryptocurrency wallets\r\nGmail, Outlook, and Yahoo email application data\r\nUser file system data\r\nAdditionally, the extension has the ability to take screenshots of currently opened web pages and establish connections to the C2 domain.\r\nMalicious Browser Extension JavaScript Files\r\nBrowser Extension - Initiating Chrome \u0026 MS Edge Browser\r\nIndicators of Compromise - IOCs\r\nCybereason shared a list of indicators of compromise related to this research; the full IOC table is available on the source page.\r\nCybereason Recommendations:\r\nCybereason recommends the following actions in the Cybereason Defense Platform:\r\nEnable Application Control to block the execution of malicious files.\r\nEnable Anti-Ransomware in your environment’s policies, set the Anti-Ransomware mode to Prevent, and enable Shadow Copy detection to ensure maximum protection against ransomware.\r\nEnable Variant Payload Prevention with prevent mode on Cybereason Behavioral execution prevention.\r\nCybereason is dedicated to teaming with Defenders to end cyber attacks from endpoints to the enterprise to everywhere. Learn more about Cybereason XDR powered by Google Chronicle, check out our Extended Detection and Response (XDR) Toolkit, or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.\r\nMITRE ATT\u0026CK MAPPING\r\nTactic | Techniques / Sub-Techniques | Summary\r\nTA0042: Resource Development | T1583.001 - Acquire Infrastructure: Domains | Threat actors create domains to host payloads and support C2 communications\r\nTA0042: Resource Development | T1588.001 - Obtain Capabilities: Malware | Threat actors buy LummaStealer licenses to infect victims\r\nTA0042: Resource Development | T1608.001 - Stage Capabilities: Upload Malware | Threat actors upload malware to malicious domains to be downloaded by victims\r\nTA0042: Resource Development | T1608.001 - Stage Capabilities: Link Target | Links leading to LummaStealer payloads are commonly used\r\nTA0001: Initial Access | T1189 - Drive-by Compromise | Victims accessing threat actor domains may download malicious payloads\r\nTA0001: Initial Access | T1566.002 - Phishing: Spearphishing Link | Threat actors send victims malicious links\r\nTA0001: Initial Access | T1566.003 - Phishing: Spearphishing via Service | Threat actors spread payloads via services such as GitHub, Steam, etc.\r\nTA0002: Execution | T1059.001 - Command and Scripting Interpreter: PowerShell | PowerShell is utilized to download and execute LummaStealer payloads\r\nTA0002: Execution | T1059.005 - Command and Scripting Interpreter: Visual Basic | HTA file execution has been observed being used to download and execute LummaStealer payloads\r\nTA0002: Execution | T1059.006 - Command and Scripting Interpreter: Python | Malicious Python DLLs have been used to execute LummaStealer payloads\r\nTA0002: Execution | T1059.010 - Command and Scripting Interpreter: AutoHotKey \u0026 AutoIT | AutoIT scripts have been used to execute LummaStealer payloads\r\nTA0002: Execution | T1204.001 - User Execution: Malicious Link | Threat actors rely largely on victims to access malicious links\r\nTA0002: Execution | T1204.002 - User Execution: Malicious File | Threat actors rely on users to execute malicious files and scripts to initiate the download and execution of LummaStealer payloads\r\nTA0003: Persistence | T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Registry-based persistence for LummaStealer payloads has been observed\r\nTA0005: Defense Evasion | T1027.010 - Obfuscated Files or Information: Command Obfuscation | Obfuscated commands have been observed to download and execute LummaStealer payloads\r\nTA0005: Defense Evasion | T1027.013 - Obfuscated Files or Information: Encrypted/Encoded File | Encrypted commands have been observed to download and execute LummaStealer payloads. Files are also encrypted prior to exfiltration.\r\nTA0005: Defense Evasion | T1574.002 - Hijack Execution Flow: DLL Side-Loading | LummaStealer payloads have been observed side-loaded into benign but vulnerable processes introduced by the threat actor\r\nTA0009: Collection | T1119 - Automated Collection | LummaStealer automatically searches through user files, browsers, and cryptocurrency wallet-related directories to collect sensitive information\r\nTA0011: Command and Control | T1132 - Data Encoding | C2 communications are undertaken with LummaStealer-specific obfuscation techniques\r\nTA0010: Exfiltration | T1041 - Exfiltration Over C2 Channel | Exfiltration occurs over a dedicated C2 channel\r\nABOUT THE RESEARCHERS\r\nRalph Villanueva, Principal Security Analyst, Cybereason Global SOC\r\nRalph Villanueva is a Principal Security Analyst with the Cybereason Global SOC team. He works hunting and combating emerging threats in the cybersecurity space. His interests include malware reverse engineering, threat intelligence, and APTs. He earned his Master's in Network Security from Florida International University.\r\nGal Romano, Senior CTI Analyst\r\nGal is a Senior CTI Analyst with the Cybereason Security Operations team. With a robust six-year tenure in cybersecurity and experience as a SOC Manager, Gal has honed his skills in threat hunting and malware analysis.\r\nElena Odier, Threat Hunter\r\nElena Odier is a Security Analyst with the Cybereason Global SOC team. She is involved in MalOp Investigation, escalations and Threat Hunting. Previously, Elena worked in incident response at ANSSI (French National Agency for the Security of Information Systems).\r\nHema Loganathan, GSOC Analyst\r\nHema Loganathan is a GSOC Analyst with the Cybereason Global SOC team. She is involved in MalOp Investigation, Malware Analysis, Reverse Engineering and Threat Hunting. Hema has a Master of Science degree in Information Systems.\r\nSource: https://www.cybereason.com/blog/threat-analysis-rise-of-lummastealer",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.cybereason.com/blog/threat-analysis-rise-of-lummastealer"
	],
	"report_names": [
		"threat-analysis-rise-of-lummastealer"
	],
	"threat_actors": [],
	"ts_created_at": 1775434013,
	"ts_updated_at": 1775791250,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/07425ca50812b32d3712db66487e6de89c63e0fb.pdf",
		"text": "https://archive.orkl.eu/07425ca50812b32d3712db66487e6de89c63e0fb.txt",
		"img": "https://archive.orkl.eu/07425ca50812b32d3712db66487e6de89c63e0fb.jpg"
	}
}