{
	"id": "10e763b4-3f63-4520-9712-c04fba7c881f",
	"created_at": "2026-04-06T00:19:26.861943Z",
	"updated_at": "2026-04-10T13:11:44.46984Z",
	"deleted_at": null,
	"sha1_hash": "2b5f7f5b1f393d1f705397e019fccb7ddccff957",
	"title": "Lampion Trojan Utilizes New Delivery through Cloud-Based Sharing",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 139203,
	"plain_text": "Lampion Trojan Utilizes New Delivery through Cloud-Based Sharing\r\nArchived: 2026-04-05 13:47:34 UTC\r\nBy Andy Mann and Dylan Main, Cofense Phishing Defense Center\r\nAnalysts at the Cofense Phishing Defense Center (PDC) have recently analyzed an email asking users to download a “Proof of Payment” as well as other documents. While it is important to never click on the link(s) or download the attachment(s) of any suspicious email, if the recipient interacts with this link, it downloads the Lampion malware.\r\nThe Lampion banking trojan has been around since 2019, but this is the first time it has been analyzed by the PDC. While it has not yet been determined who exactly is behind the malware, it is known for using a VBS loader. Fortunately, PDC analysts have spotted threat actors using a new form of delivery for that very VBS file. Using WeTransfer, a trusted cloud platform used for payments, threat actors are attempting to gain the trust of users while taking advantage of the service provided by the popular site. Given that they are leveraging a trusted payment site, it is not surprising to see threat actors align their email messages with this process. A well-conditioned user quickly reported this email, which mitigated the threat of malware infection.\r\nFigure 1: Email Body\r\nEnglish translation: Good afternoon, I send proof of payment and documents on the link: hXXps://we[.]tl/t-pNvQIG8UJS I subscribe with high esteem and best regards\r\nIn Figure 1, the threat actor used a very simple email message to engage the recipient. The strongest tactic taken is spoofing a legitimate company, which could potentially be the result of compromised credentials. 
The email tells the recipient that a proof of payment and other documents are accessible at the URL hXXps://we[.]tl/t-pNvQIG8UJS. When the recipient interacts with the URL, they are directed to a page where they can download a ZIP file containing the documents referenced in the email.\r\nhttps://cofense.com/blog/lampion-trojan-utilizes-new-delivery-through-cloud-based-sharing\r\nPage 1 of 3\n\nFigure 2: Contents of the ZIP File\r\nFigure 3: Strings from the First Wscript Process\r\nOnce the ZIP file is downloaded, its contents can be extracted to reveal a folder containing the two files seen in Figure 2. The VBS file, Comprovativo de pagamento de fatura_517-TEG_22-08-2022 20-09-24_28.vbs, is the file of concern, as it launches the malicious process. When run, it starts a wscript process. Analyzing the strings in the memory of this process reveals references to two different VBS files, seen in Figure 3. This initial process created these files in the AppData\\Local\\Temp and AppData\\Roaming directories. There are four VBS files created in total, each with random letters as a filename. The scripts in AppData\\Roaming are less relevant: one appears to be empty or was deleted during the process, while the other is small with minimal functionality. The script xjfgxhakusp.vbs in AppData\\Local\\Temp is far more important.\r\nFigure 4: URLs Leading to DLLs\r\nWhile there are two VBS files in AppData\\Local\\Temp, the smaller script is only meant to initiate the other, larger script, xjfgxhakusp.vbs. This is a strange extra step taken by the threat actor. Upon running the larger script, another wscript process is initiated. This second wscript process reaches out to the two payload URLs in Figure 4. Both download the final DLL files. The bottom URL downloads a password-protected ZIP that holds the DLL, but the password is hardcoded into the malicious process itself. 
The DLLs are then finally injected into memory. As a banking trojan, Lampion mainly looks to steal the targets' valuable information.\r\nWhile email security continues to evolve to protect the organization, threat actors are constantly looking for opportunities to land in the inbox. This is why it is critical to provide your users with simulations aligned with the latest threats. Customers of the Cofense PDC can ease or confirm their suspicions by reporting suspicious emails to the PDC, where an analyst will analyze the email for emerging threats. Contact us to learn more.\r\nIndicators of Compromise (URL, IP)\r\nhXXps://we[.]tl/t-pNvQIG8UJS - 13[.]249[.]39[.]48\r\nhXXps://wetransfer[.]com/downloads/d8c6430f0c15ee79cb72ea2083f4a07420220830135534/b872b1 - 108[.]128[.]47[.]24\r\nhXXps://aculpaedopt[.]s3[.]us-east-2[.]amazonaws[.]com/soprateste.zip?=ttvuawzgbpiqawlaarfnlxatyebabbwpriceiqupxmmzuix - 52[.]219[.]104[.]24\r\nhXXps://aculpaedopt[.]s3[.]us-east-2[.]amazonaws[.]com/oftvwaiyg?=wiyjxpnveuzmgakjpgcjitnjwxaizzzbzmibklzkokxitcgpmso - 52[.]219[.]177[.]178\r\nAll third-party trademarks referenced by Cofense, whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of endpoint protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results. 
\r\nThe Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc. \r\nSource: https://cofense.com/blog/lampion-trojan-utilizes-new-delivery-through-cloud-based-sharing",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cofense.com/blog/lampion-trojan-utilizes-new-delivery-through-cloud-based-sharing"
	],
	"report_names": [
		"lampion-trojan-utilizes-new-delivery-through-cloud-based-sharing"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434766,
	"ts_updated_at": 1775826704,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2b5f7f5b1f393d1f705397e019fccb7ddccff957.pdf",
		"text": "https://archive.orkl.eu/2b5f7f5b1f393d1f705397e019fccb7ddccff957.txt",
		"img": "https://archive.orkl.eu/2b5f7f5b1f393d1f705397e019fccb7ddccff957.jpg"
	}
}