Beware Lumma Stealer Distributed via Discord CDN

Threat actors are distributing the information-stealer Lumma Stealer via Discord by hosting malicious installers on Discord’s CDN and luring victims with direct-message social engineering. Once run, the downloaded binary contacts the C2 domain gapi-node[.]io, harvests browser data and cryptocurrency wallets, and can load additional payloads and perform sandbox/bot detection. #LummaStealer #Discord

Keypoints

  • Actors abuse Discord’s CDN to host Lumma Stealer installers and use Discord API bots to communicate with and control infections.
  • Distribution uses unsolicited direct messages that lure victims with small payments or Discord Nitro, prompting them to download a file.
  • The observed malicious binary was named “4_iMagicInventory_1_2_s.exe” and was downloaded multiple times when the link was accessed.
  • When executed, the sample connects to the C2 domain gapi-node[.]io and attempts to steal browser data and cryptocurrency wallets.
  • Lumma Stealer operators can load additional files (secondary payloads) from the malware and advertise the capability in underground forums.
  • The operators claim the malware uses AI/deep learning to detect “bots” (presumed researchers or sandbox environments) and filter worthless infections.
  • The latest observed sample hash is SHA256: 674d96c42621a719007e64e40ad451550da30d42fd508f6104d7cb65f19cba51.

MITRE Techniques

  • [T1566.002] Spearphishing Link – Attackers “typically use random Discord accounts to send direct messages to victims” to trick them into clicking and downloading a payload. [‘…typically use random Discord accounts to send direct messages to victims…’]
  • [T1204.002] User Execution: Malicious File – Victims are “prompted to download a file” and execute it, enabling execution of the infostealer. [‘…victim would be prompted to download a file.’]
  • [T1105] Ingress Tool Transfer – The malicious installer “triggered multiple downloads of the malicious file ‘4_iMagicInventory_1_2_s.exe’” from a hosted URL. [‘…triggered multiple downloads of the malicious file “4_iMagicInventory_1_2_s.exe”…’]
  • [T1102] Web Service – Operators are “abusing Discord’s content delivery network (CDN) to host and spread Lumma Stealer, while also using the social platform’s application programming interface (API) to create bots” for distribution and control. [‘…abusing Discord’s content delivery network (CDN) to host and spread Lumma Stealer…’]
  • [T1071.001] Application Layer Protocol: Web Protocols – The sample connects to a remote command-and-control domain “gapi-node[.]io” to communicate and receive instructions. [‘…connects to a malicious domain, gapi-node[.]io…’]
  • [T1555.003] Credentials from Web Browsers – The malware “tries to steal cryptocurrency wallets and browser data from the user,” harvesting stored credentials and browser artifacts. [‘…tries to steal cryptocurrency wallets and browser data from the user.’]
  • [T1041] Exfiltration Over C2 Channel – Stolen data is sent back to attackers; “Some of these bots also send stolen data to private Discord servers or channels.” [‘…also send stolen data to private Discord servers or channels.’]
  • [T1497.001] Virtualization/Sandbox Evasion – Operators claim the malware can detect “bots” using AI/deep learning to filter out analysis environments and researchers. [‘…ability to detect “bots” using artificial intelligence and deep learning to filter out fruitless infections…’]

Indicators of Compromise

  • [Domain] C2 and communication – gapi-node[.]io
  • [File name] Malicious installer observed – 4_iMagicInventory_1_2_s.exe
  • [SHA256] Sample hash – 674d96c42621a719007e64e40ad451550da30d42fd508f6104d7cb65f19cba51

Attackers create and use Discord accounts (including compromised accounts) to send targeted direct messages that promise payment or Discord Nitro in exchange for a short task, leading victims to click links hosted on Discord’s CDN. When victims follow the link, the site serves one or more copies of a malicious installer (observed as “4_iMagicInventory_1_2_s.exe”), which the user is socially engineered to download and run.

Once executed on the host, the binary performs collection routines focused on browser-stored credentials and cryptocurrency wallet artifacts, then contacts the command-and-control domain gapi-node[.]io for instructions and data transfer. The malware framework also supports fetching and loading additional files — a mechanism operators use to deliver secondary payloads — and can exfiltrate harvested data back to attacker-controlled Discord servers or channels via API-driven bots.

Operators publicly advertise advanced features in underground forums, including the ability to deploy secondary payloads and an AI/deep-learning-based check to identify and bypass analysis sandboxes or researcher “bots.” Observable technical indicators from the investigation include the filename 4_iMagicInventory_1_2_s.exe, the C2 domain gapi-node[.]io, and the SHA256 sample hash 674d96c42621a719007e64e40ad451550da30d42fd508f6104d7cb65f19cba51.
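As an added defender-side example (not code from the Trend Micro report), the Python below matches proxy and DNS log lines against the three indicators listed above and additionally flags any executable fetched from a Discord attachment host. The log format, the Discord CDN host names and the sample log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the report above (domain kept defanged as published).
C2_DOMAIN_DEFANGED = "gapi-node[.]io"
MALICIOUS_FILENAME = "4_iMagicInventory_1_2_s.exe"
SAMPLE_SHA256 = "674d96c42621a719007e64e40ad451550da30d42fd508f6104d7cb65f19cba51"
# Discord attachment hosts (assumed); an executable fetched from them is suspect on its own.
DISCORD_CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".msi", ".bat")
# Assumed log format: "<timestamp> <src_ip> <GET|POST|DNS> <url-or-name> [<sha256>]"
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST|DNS) (\S+)(?: (\S+))?$")

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as gapi-node[.]io back into gapi-node.io."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

def classify(line: str) -> list:
    """Return the indicator labels one log line matches (empty list if clean)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    _ts, _src, kind, target, sha = m.groups()
    if kind == "DNS":
        host, path = target.lower(), ""
    else:
        parsed = urlparse(target)
        host, path = (parsed.hostname or "").lower(), parsed.path
    c2 = refang(C2_DOMAIN_DEFANGED)
    hits = []
    if host == c2 or host.endswith("." + c2):
        hits.append("c2_domain")
    if path.rsplit("/", 1)[-1] == MALICIOUS_FILENAME:
        hits.append("known_filename")
    if sha and sha.lower() == SAMPLE_SHA256:
        hits.append("known_hash")
    if host in DISCORD_CDN_HOSTS and path.lower().endswith(EXECUTABLE_SUFFIXES):
        hits.append("discord_cdn_executable")
    return hits

def scan(lines) -> list:
    """Return [(src_ip, hits)] for every line that matched at least one indicator."""
    return [(l.split()[1], h) for l in lines for h in [classify(l)] if h]

SAMPLE_LOG = [  # constructed sample lines, not from the report
    "2023-10-20T12:01:03Z 10.0.0.5 GET https://cdn.discordapp.com/attachments/1/2/4_iMagicInventory_1_2_s.exe " + SAMPLE_SHA256,
    "2023-10-20T12:02:10Z 10.0.0.5 DNS gapi-node.io",
    "2023-10-20T12:03:44Z 10.0.0.7 GET https://cdn.discordapp.com/attachments/3/4/holiday.png",
    "2023-10-20T12:04:00Z 10.0.0.9 GET https://cdn.discordapp.com/attachments/5/6/setup.exe",
]
```

Running `scan(SAMPLE_LOG)` reports the first host twice (installer download, then the C2 lookup) and the third host once for the generic Discord-hosted executable; the PNG fetch produces no finding.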

Read more: https://www.trendmicro.com/en_us/research/23/j/beware-lumma-stealer-distributed-via-discord-cdn-.html