{
	"id": "fdf34e2a-7511-4ed6-a378-5bb2223961e3",
	"created_at": "2026-04-06T00:07:49.049995Z",
	"updated_at": "2026-04-10T03:23:52.133977Z",
	"deleted_at": null,
	"sha1_hash": "1825a1b9651f65220c4ebded8c6b0681e1f3a334",
	"title": "Hundreds of fake Reddit sites push Lumma Stealer malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2078719,
	"plain_text": "Hundreds of fake Reddit sites push Lumma Stealer malware\r\nBy Bill Toulas\r\nPublished: 2025-01-23 · Archived: 2026-04-05 17:13:57 UTC\r\nHackers are distributing close to 1,000 web pages mimicking Reddit and the WeTransfer file sharing service that lead to downloading the Lumma Stealer malware.\r\nOn the fake pages, the threat actor is abusing the Reddit brand by showing a fake discussion thread on a specific topic. The thread creator asks for help to download a specific tool, another user offers to help by uploading it to WeTransfer and sharing the link, and a third thanks him, to make everything appear legitimate.\r\nhttps://www.bleepingcomputer.com/news/security/hundreds-of-fake-reddit-sites-push-lumma-stealer-malware/\r\nPhony Reddit site\r\nSource: BleepingComputer\r\nUnsuspecting victims clicking on the link are taken to a fake WeTransfer site that mimics the interface of the popular file-sharing service. The ‘Download’ button leads to the Lumma Stealer payload hosted on “weighcobbweo[.]top.”\r\nAll sites used in this campaign contain a string of the brand they impersonate followed by random numbers and characters to appear legitimate at a quick glance. The top-level domains are either “.org” or “.net.”\r\nFake WeTransfer portal\r\nSource: BleepingComputer\r\nThese fake websites were found by Sekoia researcher crep1x, who shared a complete list of web pages participating in the scheme. In total, there are 529 pages impersonating Reddit and 407 posing as the official WeTransfer service serving a download.\r\nThe researcher told BleepingComputer that he was unable to retrieve any clues about the previous stages of the infection chain, but the specific topics used indicate some form of elaboration.\r\nThe attack might begin with malvertising, SEO poisoning, malicious websites, direct messages on social media, and other means.\r\nA year ago, the same researcher discovered a similar campaign where 1,300 sites abused the AnyDesk brand to push the Vidar Stealer malware.\r\nRisk of info-stealer malware\r\nLumma Stealer is a potent tool with advanced evasion and data theft mechanisms. The malware is sold to hackers who distribute it through various methods, including GitHub comments, deepfake nude generator sites, and malvertising.\r\nInfo-stealing malware can collect, among other things, passwords stored in web browsers and session tokens that can be used to hijack accounts without knowing the credentials.\r\nThis type of threat is commonly used to exfiltrate sensitive login data from companies, and the details are usually sold on hacker forums.\r\nMost recently, infostealers enabled high-impact attacks on PowerSchool, HotTopic, CircleCI, and Snowflake.\r\nSource: https://www.bleepingcomputer.com/news/security/hundreds-of-fake-reddit-sites-push-lumma-stealer-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/hundreds-of-fake-reddit-sites-push-lumma-stealer-malware/"
	],
	"report_names": [
		"hundreds-of-fake-reddit-sites-push-lumma-stealer-malware"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434069,
	"ts_updated_at": 1775791432,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1825a1b9651f65220c4ebded8c6b0681e1f3a334.pdf",
		"text": "https://archive.orkl.eu/1825a1b9651f65220c4ebded8c6b0681e1f3a334.txt",
		"img": "https://archive.orkl.eu/1825a1b9651f65220c4ebded8c6b0681e1f3a334.jpg"
	}
}