{
	"id": "cf1a9bad-365f-4f6b-b955-c60bb40bb4fd",
	"created_at": "2026-04-06T00:19:12.608407Z",
	"updated_at": "2026-04-10T03:23:51.445982Z",
	"deleted_at": null,
	"sha1_hash": "965d4dab1270ecee305b7a19512ef5005afc1274",
	"title": "Deceptive Cracked Software Spreads Lumma Variant on YouTube | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6624186,
	"plain_text": "Deceptive Cracked Software Spreads Lumma Variant on YouTube | FortiGuard Labs\r\nBy Cara Lin\r\nPublished: 2024-01-08 · Archived: 2026-04-05 22:07:53 UTC\r\nAffected Platforms: Microsoft Windows\r\nImpacted Users: Microsoft Windows\r\nImpact: The information collected can be used for future attacks\r\nSeverity Level: High\r\nFortiGuard Labs recently discovered a threat group using YouTube channels to distribute a Lumma Stealer variant. We found and reported on a similar attack method via YouTube in March 2023. These YouTube videos typically feature content related to cracked applications, presenting users with similar installation guides and incorporating malicious URLs, often shortened using services like TinyURL and Cuttly. To circumvent straightforward web filter blacklists, the attackers abuse open-source platforms like GitHub and MediaFire instead of deploying their own malicious servers. In this case, the shared links lead to the direct download of a new private .NET loader responsible for fetching the final malware, Lumma Stealer.\r\nLumma Stealer targets sensitive information, including user credentials, system details, browser data, and extensions. It has been advertised on the dark web and a Telegram channel since 2022, with over a dozen observed command-and-control (C2) servers in the wild and multiple updates. Figure 1 shows Lumma Stealer's C2 server telemetry, illustrating a global presence with a peak observed in December.\r\nIn this article, we will elaborate on the behaviors at each stage that facilitated the stealer's distribution.\r\nhttps://www.fortinet.com/blog/threat-research/lumma-variant-on-youtube\r\nPage 1 of 19\r\nFigure 1: Telemetry of Lumma Stealer’s C2\r\nFigure 2: Attack flow\r\nInitial Infection Vector\r\nThe attacker first compromises a YouTuber's account and uploads videos masquerading as sharing cracked software. Figure 3 shows the video descriptions in which a malicious URL is embedded, enticing users to download a ZIP file that harbors malicious content for the next stage of the attack. The videos were uploaded earlier this year, but the files on the file-sharing site receive regular updates (Figure 4), and the number of downloads keeps growing. This indicates that the ZIP file is always fresh and that this method effectively spreads malware.\r\nFigure 3: The hacked YouTube channel with a similar fake software installation guide\r\nFigure 4: The malicious files updated on MediaFire\r\nThe ZIP file, “installer_Full_Version_V.1f2.zip,” contains an LNK file that calls PowerShell to download a .NET executable from the GitHub repository “New” owned by John1323456 (Figure 6). The abbreviated URL, “hxxp://cutt[.]ly/lwD7B7lp,” redirects to “hxxps://github[.]com/John1323456/New/raw/main/Installer-Install-2023_v0y.6.6[.]exe.” The other two repositories, “LNK” and “LNK-Ex,” also host .NET loaders and spread an infostealer as the final payload.\r\nFigure 5: Malicious LNK file content\r\nFigure 6: .NET executable on GitHub\r\n.NET Executable – Installer-Install-2023_v0y.6.6.exe\r\nThe private .NET loader is obfuscated with SmartAssembly. It first retrieves the system’s environment variables, shown in Figure 7. If the number of entries returned matches the expected count, it proceeds to load the PowerShell script; otherwise, it exits the program.\r\nFigure 7: Getting the system’s information by GetEnvironmentVariables()\r\nFigure 8 shows the construction of a dictionary that defines the following properties of the ProcessStartInfo object that the malicious code uses to execute discreetly and avoid raising suspicion from its victims:\r\nRedirectStandardInput: Set to true, this property enables redirection of the process's standard input stream.\r\nCreateNoWindow: Set to true, this property indicates that the process should not create a visible window when it starts, allowing the executed command or script to run without displaying a command prompt window.\r\nUseShellExecute: Set to false, this property specifies that the process should not use the user's default shell for execution. Instead, the process is executed directly.\r\nFigure 8: The ProcessStartInfo dictionary\r\nNext, the ProcessStartInfo object is used to launch the PowerShell process, and the PowerShell script is written to the process's standard input. Figure 9 illustrates a portion of the code and the newly created process.\r\nFigure 9: Creates process and loads the PowerShell script\r\nFigure 10 shows part of the PowerShell code from the private .NET loader. The script stores the server IP addresses Base64-encoded and includes four servers. It evaluates the system date to choose which IP to use for retrieving the encrypted binary data. To hinder analysis, the script incorporates a substantial amount of extraneous code. Figure 11 shows captured traffic downloaded from the first server, 176[.]113[.]115[.]224:29983.\r\nFigure 10: Downloaded encrypted data from a server\r\nFigure 11: The encrypted data from a remote server\r\nAfter receiving the data, the script decrypts it using AES-CBC, followed by GZip decompression, to obtain the DLL file for the next stage. It then loads the DLL via “[System.Reflection.Assembly]::Load()” and invokes a specific type and method, as shown in Figure 12.\r\nFigure 12: Loads decrypted data for the next stage\r\nDLL File – Agacantwhitey.dll\r\nFigure 13 shows the targeted method “PerkyRiggal,” which is pivotal in inspecting the system and environment. It employs several PNG files in the Resources section to decode the ultimate payload of Lumma Stealer. To avoid detection, the file encodes all of its strings and decodes them with the \"BygoLarchen\" method. Figure 14 shows the function decoding the target text with a predefined key string.\r\nFigure 13: Targeted method and Resources in Agacantwhitey.dll\r\nFigure 14: The method for decoding strings\r\nIt performs the following checks for Anti-VM and Anti-Debug purposes:\r\nVerifies the user's active window by invoking “GetForegroundWindow” and checks whether its title contains any of the specified debugger strings: “x32dbg,” “x64dbg,” “windbg,” “ollydbg,” “dnspy,” “immunity debugger,” “hyperdbg,” “debug,” “debugger,” “cheat engine,” “cheatengine,” “ida.”\r\nChecks for the following modules associated with security products or sandboxes: “SbieDll.dll” (Sandboxie), “cmdvrt64.dll” (Comodo Antivirus), “cuckoomon.dll” (Cuckoo Sandbox), and “SxIn.dll” (360 Total Security). It then attempts to locate wine_get_unix_file_name to determine whether it is running under Wine in an analysis environment.\r\nChecks for the following sandbox usernames: “Johnson,” “Miller,” “malware,” “maltest,” “CurrentUser,” “Sandbox,” “virus,” “John Doe,” “test user,” “sand box,” and “WDAGUtilityAccount.”\r\nDetects popular virtualization platforms via the WMI query “Select * from Win32_ComputerSystem,” which returns information about the computer system, including the manufacturer and model. It then examines the manufacturer names, such as “innotek gmbh” (associated with VirtualBox) and “microsoft corporation” (often linked to Hyper-V), along with the model names “VirtualBox” and “vmware.” It also checks for the directories “C:\\Program Files\\VMware” and “C:\\Program Files\\oracle\\virtualbox guest additions.”\r\nChecks whether the following files exist in the folder “C:\\Windows\\system32\\,” which indicate a virtualized environment: “balloon.sys,” “netkvm.sys,” “vioinput,” “viofs.sys,” “vioser.sys,” “VBoxMouse.sys,” “VBoxGuest.sys,” “VBoxSF.sys,” “VBoxVideo.sys,” “vmmouse.sys,” and “vboxogl.dll.”\r\nChecks for the following system services: \"vmbus,\" \"VMBusHID,\" and \"hyperkbd.\"\r\nInspects the following process names: \"vboxservice,\" \"VGAuthService,\" \"vmusrvc,\" and \"qemu-ga.\"\r\nAfter completing all environment checks, the program decrypts the resource data and invokes the \"SuspendThread\" function. This function transitions the thread into a \"suspended\" state, a crucial step in the payload injection process (see Figure 15).\r\nFigure 15: Inject the final payload\r\nLumma Stealer Variant\r\nLumma Stealer is malware that steals sensitive information from a user’s computer. It can target system data, browsers, crypto wallets, and browser extensions. It is written in C and sold on underground forums. To elude detection and analysis, it employs diverse obfuscation techniques. The malware establishes communication with a command and control server to receive instructions and transmit stolen data.\r\nFigure 16 shows the method used to contact a command and control (C2) server. Once it finds the first server with which it can establish a connection, it sends a POST message with the hardcoded User-Agent “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36” and the parameter “act=life” to check in. The corresponding code is shown in Figure 17.\r\nFigure 16: Resolve the C2 server list\r\nFigure 17: Sending check-in message to C2 server\r\nNext, it sends a POST request with the Lumma ID and “act=receive-message,” shown in Figure 18. Then, the compressed stolen data is uploaded to the C2 server with the URI “/api.” Although the version is still “4.0,” Lumma Stealer has recently updated its exfiltration to use HTTPS to better evade detection.\r\nFigure 18: POST request to C2 server with Lumma ID “JVryU4--LNK”\r\nFigure 19: The zip file\r\nConclusion\r\nIn this attack, the malicious actor targets YouTube channels to disseminate Lumma Stealer. The crafted installation ZIP file serves as effective bait to deliver the payload, exploiting the user's intention to install the application and prompting them to click the installation file without hesitation. The use of URLs from open-source websites throughout the scheme aims to diminish user awareness. The attackers further deploy a private .NET loader with environment checks and various anti-virtual machine (Anti-VM) and anti-debugging functions. Users must exercise caution regarding unclear application sources and ensure that legitimate applications from reputable and secure origins are used.\r\nFortinet Protections\r\nThe malware described in this report is detected and blocked by FortiGuard Antivirus as:\r\nW32/Stealer.QLD!tr\r\nMSIL/Agent.WML!tr\r\nMSIL/Kryptik.BJF!tr\r\nLNK/Agent.WML!tr\r\nFortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard AntiVirus engine is a part of each of those solutions. As a result, customers who have these products with up-to-date protections are protected.\r\nThe URLs are rated as “Malicious Websites” by the FortiGuard Web Filtering service.\r\nWe also suggest that organizations go through the free Fortinet Certified Fundamentals (FCF) in Cybersecurity training. The training is designed to help end users learn about today's threat landscape and will introduce basic cybersecurity concepts and technology.\r\nFortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.\r\nIf you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.\r\nIOCs\r\nIP Addresses\r\nHostnames\r\nFiles\r\nSource: https://www.fortinet.com/blog/threat-research/lumma-variant-on-youtube",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/lumma-variant-on-youtube"
	],
	"report_names": [
		"lumma-variant-on-youtube"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434752,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/965d4dab1270ecee305b7a19512ef5005afc1274.pdf",
		"text": "https://archive.orkl.eu/965d4dab1270ecee305b7a19512ef5005afc1274.txt",
		"img": "https://archive.orkl.eu/965d4dab1270ecee305b7a19512ef5005afc1274.jpg"
	}
}