{
	"id": "bd861d37-abaf-4b01-a82f-670e21a826ad",
	"created_at": "2026-04-06T01:31:06.68459Z",
	"updated_at": "2026-04-10T03:21:44.780554Z",
	"deleted_at": null,
	"sha1_hash": "580bb8841f70d61292e42eee5a2550a255f511f2",
	"title": "LUMMASTEALER Delivered Via PowerShell Social Engineering",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 454023,
	"plain_text": "LUMMASTEALER Delivered Via PowerShell Social Engineering\r\nBy Ryan Hicks\r\nPublished: 2024-11-12 · Archived: 2026-04-06 01:02:13 UTC\r\nKey Takeaways\r\nKroll has observed LUMMASTEALER being deployed through social engineering via PowerShell, as\r\nsimilarly observed with recent CLEARFAKE campaigns.\r\nThe campaign uses a series of PowerShell scripts to connect to adversary domains and execute\r\nLUMMASTEALER, whilst creating persistence through the registry.\r\nStatic analysis has shown a current trend of LUMMASTEALER using \".shop\" domains as initial\r\nCommand and Control (C2) to send stolen data.\r\nThe Kroll Security Operations Center (SOC) has recently detected and remediated a trend of incidents that\r\ninvolved socially engineering a victim into pasting a PowerShell script into the “Run” command window to begin\r\na compromise. These incidents have typically begun with the victim user attempting to find “YouTube to mp3”\r\nconverters, or similar, then being redirected to malicious webpages.\r\nIn Kroll's observations, this has led to LUMMASTEALER being downloaded to the host, where further actions\r\nwere attempted but were unsuccessful due to security measures in place. This technique is very similar in nature to the\r\nKroll Cyber Threat Intelligence (CTI) team's previous reporting on CLEARFAKE. However, instead of browser\r\nupdates, the lure is a fake “human verification” button. Clicking \"I'm not a robot\" copies PowerShell code\r\nto the victim's clipboard, which they are asked to paste into the Run command window.\r\nhttps://www.kroll.com/en/insights/publications/cyber/lummastealer-delivered-via-powershell-social-engineering\r\nPage 1 of 4\n\nFigure 1: Social engineering lure for user PowerShell execution\r\nFigure 2: Contents of lure webpage, containing PowerShell code copied by victim\r\nWhen the PowerShell code is run, it invokes PowerShell to connect to a URL using a hidden window. 
The\r\ncontents of the text file at that URL are then pushed to the $text variable, which is then invoked. The contents of this text file\r\nare shown below. Across multiple observed cases, the structure of this script remains consistent, with just the\r\ndomain and filenames changing.\r\nFigure 3: Contents of text file from initially contacted domain\r\nThis script does the following:\r\nUsing BITS, it fetches an archive file from the same domain as originally contacted.\r\nThis file is downloaded to the APPDATA directory under a different name (“yANrdNKT.zip” in this\r\ninstance).\r\nThe executable inside the archive is extracted and executed using Start-Process.\r\nThe original archive file is deleted.\r\nThe executable is added under the \"CurrentVersion\\Run\" registry key under a random name (RATU0Beb)\r\nfor persistent execution.\r\nAnalysis\r\nStatic analysis of the LUMMASTEALER sample provided additional Indicators of Compromise (IOCs) in the\r\nform of hardcoded domains that would be used by LUMMASTEALER as C2. 
These follow the current\r\nLUMMASTEALER trend of using the \".shop\" top-level domain and are likely used for initially forwarding data\r\ncollected by LUMMASTEALER before it is sent to the second-level C2 IP address for central analysis by the\r\nthreat actor.\r\nIndicators of Compromise\r\nURLs hosting script file\r\nhxxps://pub-9c4ec7f3f95c448b85e464d2b533aac1.r2[.]dev/peltgon.zip\r\nhxxps://finalsteptogo[.]com/uploads/il222.zip\r\nCommand and Control Servers (Hardcoded in LUMMASTEALER sample)\r\nHashes\r\n3ecf03bfdfb8805eb1f861b1ae0dea8df86db75d348af95d37db29dde76090e3 - Text file containing PowerShell\r\nscript\r\n67bc834359f4bfb1cfb84fe849ec83efd637583ea3b5c52ff9d5fbe48065e1f3 - Alternate text file containing\r\nPowerShell script\r\na7df731caf52e32df239afd3b9d33fe4e0bfb092f44e4da73fa247b5edafc1e5 - LUMMASTEALER executable\r\ndb109403561d796d9c712bbdf636638b09419845e55444bd2ff31fe9935dacdd - Archive file containing\r\nLUMMASTEALER\r\nRecommendations\r\nIt is crucial that users are educated on the threat of browsing for and attempting to download unverified software.\r\nBusinesses should consider monitoring and/or alerting for suspicious PowerShell commands, including:\r\nUse of \"Start-BitsTransfer\" connecting to an external IP address/domain\r\nUse of Invoke-Expression\r\nNew entries added to the CurrentVersion\\Run registry key\r\nSource: https://www.kroll.com/en/insights/publications/cyber/lummastealer-delivered-via-powershell-social-engineering",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.kroll.com/en/insights/publications/cyber/lummastealer-delivered-via-powershell-social-engineering"
	],
	"report_names": [
		"lummastealer-delivered-via-powershell-social-engineering"
	],
	"threat_actors": [],
	"ts_created_at": 1775439066,
	"ts_updated_at": 1775791304,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/580bb8841f70d61292e42eee5a2550a255f511f2.pdf",
		"text": "https://archive.orkl.eu/580bb8841f70d61292e42eee5a2550a255f511f2.txt",
		"img": "https://archive.orkl.eu/580bb8841f70d61292e42eee5a2550a255f511f2.jpg"
	}
}