{
	"id": "a86dcacf-cfc0-4973-b326-37f3637b9218",
	"created_at": "2026-04-06T00:19:28.62262Z",
	"updated_at": "2026-04-10T03:30:33.514731Z",
	"deleted_at": null,
	"sha1_hash": "55e4fc90ec2bc98c09c30e11b68e5edf2f18ccba",
	"title": "Lumma Stealer Campaign Targets League of Legends World Championship Fans Through Social Media Ads",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1645318,
	"plain_text": "Lumma Stealer Campaign Targets League of Legends World\r\nChampionship Fans Through Social Media Ads\r\nBy Alina BÎZGĂ\r\nArchived: 2026-04-05 20:40:13 UTC\r\nAs the League of Legends (LoL) World Championship kicks off, Bitdefender Labs is warning that cybercriminals\r\nare exploiting the event to launch sophisticated malware campaigns targeting unsuspecting gamers across Europe.\r\nThrough carefully crafted social media advertisements, hackers are enticing fans to download what appears to be\r\nthe popular multiplayer online battle arena (MOBA) game. However, what awaits victims is not a fun gaming\r\nexperience, but rather a dangerous piece of malware known as Lumma Stealer.\r\nThe Malicious Campaign\r\nThe malvertisement campaign, spotted by Bitdefender Labs researcher Ionut Baltariu, promotes a free download\r\nof League of Legends, which is ironic since the PC-only game is already free to play. However, with the LoL\r\nWorld Championship capturing the attention of millions of gamers, the timing is perfect for cybercriminals. Fans\r\neager to immerse themselves in the excitement may fall for this trap, assuming it is an official promotion tied to\r\nthe official e-sports event.\r\nhttps://www.bitdefender.com/blog/hotforsecurity/lumma-stealer-campaign-targets-league-of-legends-world-championship-fans-through-social-media-ads/\r\nPage 1 of 5\n\nhttps://www.bitdefender.com/blog/hotforsecurity/lumma-stealer-campaign-targets-league-of-legends-world-championship-fans-through-social-media-ads/\r\nPage 2 of 5\n\nUpon clicking the ad, victims are taken to a page that mimics an older version of the League of Legends download\r\npage.\r\nThis phishing page uses typosquatting, a technique where the domain is slightly altered to resemble the official\r\nsite, making it harder to detect. Once the user clicks the download link, they are directed to a Bitbucket repository\r\nthat contains a malicious archive.\r\nhttps://www.bitdefender.com/blog/hotforsecurity/lumma-stealer-campaign-targets-league-of-legends-world-championship-fans-through-social-media-ads/\r\nPage 3 of 5\n\nThe Malicious Payload: Lumma Stealer\r\nAccording to Bitdefender Lab researcher Andrei Mogage, the downloaded archive contains an executable along\r\nwith a legitimate Windows file, user32.dll. The executable acts as a dropper for the Lumma Stealer, a dangerous\r\npiece of malware known for its extensive ability to harvest data from infected devices.\r\nLumma Stealer is one of the many types of data-stealing malware that can be rented or bought on underground\r\nforums as part of the MaaS (Malware-as-a-Service) economy. It's designed to extract a wide range of sensitive\r\ninformation, including:\r\nPasswords\r\nCredit card details\r\nCryptocurrency wallets\r\nBrowser session cookies\r\nWhat makes Lumma particularly dangerous is its stealthy approach. Once deployed, it injects itself into a\r\nlegitimate Windows process, bitlockertogo.exe, to remain undetected by basic antivirus software.\r\nStolen Data and Its Impact\r\nThis malvertising campaign has already targeted over 4000 people, focusing primarily on male adults—the typical\r\ndemographic for League of Legends. Once cybercriminals access sensitive information, they can steal social\r\nmedia accounts, which allows them to perpetuate malware distribution and other scams through compromised\r\nprofiles. Stolen data can also be sold on underground markets which can facilitate identity theft and phishing\r\nattacks against victims.\r\nHow to Protect Yourself: Bitdefender as a Shield Against Malvertising\r\nAdopting strong cybersecurity practices is crucial to protecting yourself from falling victim to this or similar\r\nmalware campaigns.\r\nAlways verify URLs: Before clicking any links, especially from ads you see on Facebook, double-check\r\nthe URL for misspellings or inconsistencies.\r\nAvoid downloading software from unofficial sources: Always download games and software from\r\nofficial websites or platforms like Steam.\r\nBe cautious with online ads: Cybercriminals often use legitimate-looking ads to trick users into visiting\r\nharmful websites or handing over personal information\r\nUse security software: Reliable antivirus and security tools can help detect and block malicious files and\r\nphishing attempts.\r\nOne of the most effective ways to safeguard against Lumma malware and other online threats is to use a trusted\r\nsecurity solution like Bitdefender.\r\nBitdefender detects and blocks the malicious executable as Trojan.Agent.GMTH.\r\nhttps://www.bitdefender.com/blog/hotforsecurity/lumma-stealer-campaign-targets-league-of-legends-world-championship-fans-through-social-media-ads/\r\nPage 4 of 5\n\nBitdefender security solutions provide industry-leading protection against malicious ads, phishing websites, and\r\nmalware that often lurks behind seemingly legitimate online promotions through:\r\n1. Real-Time Threat Detection: Bitdefender’s advanced algorithms can detect malicious activity in real-time, blocking harmful websites and suspicious ads before they have a chance to infect your system.\r\n2. Web Protection: Bitdefender’s anti-phishing and anti-fraud features ensure that you never fall prey to\r\ntyposquatted domains or fake download pages. By analyzing website URLs, Bitdefender can flag and\r\nblock any malicious attempts to mimic legitimate sites like League of Legends.\r\n3. Multi-Layered Ransomware Protection: Should malware like Lumma Stealer try to deploy additional\r\npayloads such as ransomware, Bitdefender’s multi-layered defenses will stop the threat in its tracks,\r\nensuring that your login credentials, financial information, and social media accounts remain secure.\r\n4. Automatic Updates: Having up-to-date protection is essential in today’s threat landscape. Bitdefender\r\ncontinuously updates its virus databases to ensure your system stays protected from the latest threats,\r\nincluding malware distributed via malvertising campaigns.\r\nFor on-demand checks of scams or potentially malicious and fraudulent content, why not give Bitdefender Scamio\r\na try for free!\r\nOur next-gen AI scam detector is always ready to help you instantly check links, QR codes or even screenshots to\r\nget an instant analysis.\r\nScamio can be accessed on any device or operating system via web browser, Facebook Messenger, or\r\nWhatsApp. You can also help others stay safe by sharing Scamio with them in France, Germany, Spain, Italy,\r\nRomania, Australia, and the UK\r\nWith Bitdefender’s suite of security products, you can browse, play, and connect online without worrying about\r\nlurking threats in the background. You can enjoy the perks of customizable user profiles designed to reduce\r\nsystem workload and slowdowns for an uninterrupted gaming experience.\r\nWe’ll temporarily halt pop-ups and alerts and postpone any automatic updates or scheduled systems scans so you\r\ncan fully enjoy your game session while continuing to benefit from award-winning threat detection.\r\nSource: https://www.bitdefender.com/blog/hotforsecurity/lumma-stealer-campaign-targets-league-of-legends-world-championship-fans-throug\r\nh-social-media-ads/\r\nhttps://www.bitdefender.com/blog/hotforsecurity/lumma-stealer-campaign-targets-league-of-legends-world-championship-fans-through-social-media-ads/\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bitdefender.com/blog/hotforsecurity/lumma-stealer-campaign-targets-league-of-legends-world-championship-fans-through-social-media-ads/"
	],
	"report_names": [
		"lumma-stealer-campaign-targets-league-of-legends-world-championship-fans-through-social-media-ads"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434768,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/55e4fc90ec2bc98c09c30e11b68e5edf2f18ccba.pdf",
		"text": "https://archive.orkl.eu/55e4fc90ec2bc98c09c30e11b68e5edf2f18ccba.txt",
		"img": "https://archive.orkl.eu/55e4fc90ec2bc98c09c30e11b68e5edf2f18ccba.jpg"
	}
}