Lumma Stealer: Danger lurking in fake game updates from itch.io and Patreon

Researchers discovered a campaign that uses spam comments on Itch.io linking to Patreon-hosted downloads. The download contains a nexe-compiled Node.js executable that performs multi-stage obfuscation and anti-analysis checks and ultimately loads a LummaStealer payload. The malicious mains.js and modules.node components combine heavy sandbox/VM detection with a reflective loading technique to execute the LummaStealer variant on victim systems.

Key points

  • Attackers spam legitimate Itch.io game comment sections with templated messages claiming “game updates” that link to Patreon-hosted downloads named “Updated Version.zip”.
  • The downloaded archive commonly contains a nexe-compiled executable (game.exe) that unpacks to an obfuscated JavaScript file (mains.js) rather than a real game update.
  • mains.js is heavily obfuscated and implements six anti-analysis modules (VM checks, username checks, process checks, video controller checks, refresh-rate checks, and disk model checks) to evade sandbox/analysis environments.
  • The malware writes a DLL named modules.node to %temp%, which exposes Node.js native exports and is used to dynamically load a Base64-decoded LummaStealer payload.
  • Reflective-style loading via Node API functions (napi_create_function, napi_set_named_property, napi_register_module_v1) is used to execute the LummaStealer payload in-memory.
  • Samples show variations in obfuscation and anti-analysis commands (e.g., using wmic vs. PowerShell) but share unique identifiers and templated comment wording, indicating a single ongoing campaign that keeps creating new Itch.io accounts.

MITRE Techniques

  • [T1497] Virtualization/Sandbox Evasion – The malware performs multiple VM/sandbox checks (memory, CPU, usernames, processes, video controllers, refresh rate, disk model) and exits if indicators are present; it reads 'os.totalmem()' and 'os.cpus().length' and compares results against lists of sandbox usernames and VM-related disk names.
  • [T1082] System Information Discovery – The sample collects system resource information to decide whether to run, using 'os.totalmem()' and 'os.cpus().length' to check memory size and CPU core count.
  • [T1057] Process Discovery – The malware enumerates running processes with 'tasklist /fo csv' and compares the output against a long list of analysis and debugging tools.
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – The malware uses Windows command-line utilities to query system properties such as the video controller and disk models ('wmic path win32_VideoController get name /value', 'wmic diskdrive get model /value').
  • [T1059.001] Command and Scripting Interpreter: PowerShell – Some samples use PowerShell instead to obtain video controller information ('powershell -Command "Get-CimInstance Win32_VideoController | Select-Object -ExpandProperty Name"').
  • [T1105] Ingress Tool Transfer – Payloads reach victims as archives and executables downloaded from Patreon links posted in Itch.io comments (archive named 'Updated Version.zip').
  • [T1204.002] User Execution: Malicious File – The campaign relies on users trusting comment-supplied "game updates" and running the provided game.exe; the download is labeled as an update and contains the main executable 'game.exe'.
  • [T1036] Masquerading – Malicious downloads are named and presented as legitimate game updates (templated comments claiming "game updates" and a file named 'Updated Version.zip') to trick users.
  • [T1620] Reflective Code Loading – The malicious modules.node DLL exposes Node API functions ('napi_register_module_v1', 'napi_create_function', 'napi_set_named_property') and uses them to load and execute the Base64-decoded LummaStealer payload in memory.

Indicators of Compromise

  • [File Hashes] Known malicious sample hashes – 79250523a057a7dd9a6080099c8c2f83eb683ab9b37ecab149fc73524f7c4bd1 (Updated Version.zip), 102b99b00a60f33246bd89bd2b3cb9cfae2844d453484e932b3a5ca634fb308c (game.exe), and 3 more hashes.
  • [File Names] Malicious filenames observed in downloads – Updated Version.zip, game.exe, mains.js, modules.node, and an embedded LummaStealer payload file.
  • [File Hashes / Components] Additional component hashes and detections – mains.js SHA256: 80e538cabade94e1883f9e72bb608dc02f79808aec48136b5bbb00c2a1717f64; modules.node SHA256: 1d405b03bc5913b6b43c06550ef0b9b02196b270625e4dc5fa0c37e8a424be25 (Detection: Win64.Trojan.Agent.Y6OBDP); LummaStealer payload SHA256: a2bacb00dfdb338b496d3128705f76c8cc935e6bd33e06271fb3e34d769d0a2b (Detection: Win64.Trojan-Stealer.LummaStealer.V34XV4).
  • [Platforms / URLs] Distribution vectors and contexts – malicious Itch.io comment spam linking to Patreon-hosted download URLs (templated "game update" Patreon links in comments; specific Patreon URLs not listed in the article).
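A small triage helper, added here as an example and not part of the G DATA article or its samples, that turns the technique list and the IoC list above into something a responder can run: it scans a JavaScript sample for the command strings and Node API names the report attributes to mains.js and modules.node, flags long base64 literals as possible embedded payloads, and looks up SHA-256 digests against the hashes listed above. The sample JavaScript, the blob-length threshold and the three-technique verdict threshold are constructed assumptions for this example, not values from the report.

```python
import hashlib
import re

# SHA-256 values copied from the "Indicators of Compromise" list above; the three
# hashes the summary elides ("and 3 more hashes") are not included.
KNOWN_BAD_SHA256 = {
    "79250523a057a7dd9a6080099c8c2f83eb683ab9b37ecab149fc73524f7c4bd1": "Updated Version.zip",
    "102b99b00a60f33246bd89bd2b3cb9cfae2844d453484e932b3a5ca634fb308c": "game.exe",
    "80e538cabade94e1883f9e72bb608dc02f79808aec48136b5bbb00c2a1717f64": "mains.js",
    "1d405b03bc5913b6b43c06550ef0b9b02196b270625e4dc5fa0c37e8a424be25": "modules.node",
    "a2bacb00dfdb338b496d3128705f76c8cc935e6bd33e06271fb3e34d769d0a2b": "LummaStealer payload",
}

# Strings the report attributes to mains.js / modules.node, keyed by the MITRE technique
# the summary maps them to. Matching is case-insensitive and tolerant of extra whitespace,
# because obfuscated scripts often rebuild command strings from fragments.
INDICATORS = {
    "T1082": [r"os\.totalmem\s*\(", r"os\.cpus\s*\(\s*\)\.length"],
    "T1057": [r"tasklist\s+/fo\s+csv"],
    "T1059.003": [r"wmic\s+path\s+win32_videocontroller\s+get\s+name",
                  r"wmic\s+diskdrive\s+get\s+model"],
    "T1059.001": [r"powershell\s+-command.*get-ciminstance\s+win32_videocontroller"],
    "T1620": [r"napi_register_module_v1", r"napi_create_function",
              r"napi_set_named_property", r"modules\.node"],
}

# Assumed threshold (not from the report): a base64-looking literal at least this long
# is worth flagging as a possible embedded payload.
BASE64_BLOB_MIN_LEN = 256


def sha256_hex(data: bytes) -> str:
    """SHA-256 hex digest of a byte string."""
    return hashlib.sha256(data).hexdigest()


def lookup_hash(hexdigest: str):
    """Return the component label for a known-bad SHA-256, or None if unknown."""
    return KNOWN_BAD_SHA256.get(hexdigest.lower())


def scan_sample(text: str) -> dict:
    """Map each MITRE technique to the indicator patterns found in the sample text."""
    hits = {}
    for technique, patterns in INDICATORS.items():
        matched = [p for p in patterns if re.search(p, text, re.IGNORECASE)]
        if matched:
            hits[technique] = matched
    return hits


def find_base64_blobs(text: str, min_len: int = BASE64_BLOB_MIN_LEN) -> list:
    """Return base64-alphabet runs long enough to be an embedded payload."""
    return re.findall(r"[A-Za-z0-9+/]{%d,}={0,2}" % min_len, text)


def triage(text: str, min_techniques: int = 3) -> dict:
    """Summarise a sample: techniques hit, blob count, and a simple verdict.

    The verdict threshold is an assumption for this example, not a rule from the report.
    """
    hits = scan_sample(text)
    blobs = find_base64_blobs(text)
    return {
        "techniques": sorted(hits),
        "blob_count": len(blobs),
        "suspicious": len(hits) >= min_techniques,
    }


# Constructed fragment that imitates the behaviour the report describes for mains.js.
# It is not the real script and does nothing harmful; it only exists to exercise the scanner.
FAKE_BLOB = "QUJD" * 101  # 404 base64 characters, constructed
SAMPLE_JS = r"""
const os = require("os");
const cp = require("child_process");
if (os.totalmem() < 4 * 1024 ** 3 || os.cpus().length < 2) process.exit(0);
const procs = cp.execSync("tasklist /fo csv").toString();
const gpu = cp.execSync("wmic path win32_VideoController get name /value").toString();
const disk = cp.execSync("wmic diskdrive get model /value").toString();
const dll = require("path").join(os.tmpdir(), "modules.node");
const payload = Buffer.from("__BLOB__", "base64");
""".replace("__BLOB__", FAKE_BLOB)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            data = fh.read()
        label = lookup_hash(sha256_hex(data))
        print(f"{path}: hash match = {label or 'none'}")
        print(f"{path}: {triage(data.decode('utf-8', errors='ignore'))}")
    if len(sys.argv) == 1:
        print("constructed sample:", triage(SAMPLE_JS))
```

Two caveats when using this against real material: the report notes that mains.js is heavily obfuscated, so command strings assembled at runtime will not appear literally and the scanner is most useful on deobfuscated output or on strings recovered from a sandbox run; and the hash lookup only catches the exact samples listed, while the report says the campaign varies its obfuscation and commands between samples, so the string-based checks are the more durable of the two.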

Read more: https://www.gdatasoftware.com/blog/2025/12/38310-lumma-stealer-itchio-patreon