Lumma Stealer Rising MaaS Threat with Sophisticated Delivery and Evasion Tactics

Pulse ID: 6818f46dd65fe9f5628b6deb
Pulse Link: https://otx.alienvault.com/pulse/6818f46dd65fe9f5628b6deb
Pulse Author: cryptocti
Created: 2025-05-05 17:25:01

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #ICS #InfoSec #LummaStealer #MaaS #OTX #OpenThreatExchange #bot #cryptocti

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

Lumma Stealer Rising MaaS Threat with Sophisticated Delivery and Evasion Tactics

Pulse ID: 6814bb1dc645da1b5d4e1228
Pulse Link: https://otx.alienvault.com/pulse/6814bb1dc645da1b5d4e1228
Pulse Author: cryptocti
Created: 2025-05-02 12:31:25

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #ICS #InfoSec #LummaStealer #MaaS #OTX #OpenThreatExchange #bot #cryptocti

Unmasking the Evolving Threat: A Deep Dive into the Latest Version of Lumma InfoStealer with Code Flow Obfuscation
#LummaStealer
https://www.trellix.com/blogs/research/a-deep-dive-into-the-latest-version-of-lumma-infostealer/

How Lumma Stealer sneaks into organizations

Lumma Stealer, a sophisticated information-stealing malware, has gained prominence in cybercriminal circles since 2022. It employs various distribution methods, with fake CAPTCHA pages being a notable vector. These pages mimic legitimate services and trick users into executing malicious commands. The malware uses complex infection chains involving PowerShell scripts, JavaScript, and AutoIt components to evade detection. Once installed, Lumma Stealer targets a wide range of sensitive data, including cryptocurrency wallets, browser credentials, and financial information. The malware's stealthy execution and anti-analysis techniques make it a significant threat to both individuals and organizations.

Pulse ID: 680680f666b6192de781c7f1
Pulse Link: https://otx.alienvault.com/pulse/680680f666b6192de781c7f1
Pulse Author: AlienVault
Created: 2025-04-21 17:31:34

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Autoit #Browser #CAPTCHA #CyberSecurity #InfoSec #Java #JavaScript #LummaStealer #Malware #Mimic #OTX #OpenThreatExchange #PowerShell #bot #cryptocurrency #AlienVault

Discover in #nieuwsbrief362 from #cybercrimeinfo how #lummastealer bypasses security using #base64 and #urlverkorting, why #cbs shows that #16procent of #nederlanders have fallen victim to #onlineoplichting, how #incransom exfiltrated 6 TB of data from #aholddelhaize, the latest #phishing targeting #crypto via the #darkweb, and a #babbeltruc in #rotterdam, with practical tips to protect yourself: https://www.ccinfo.nl/menu-nieuws-trends/nieuwsbrief-archief/nieuwsbrief-berichten/2463127_nieuwsbrief-362-cybercrimeinfo-ccinfo-nl

Newsletter 362: lummastealer bypasses security, 16% of NL scammed online, INC Ransom hacks Ahold Delhaize, crypto phishing, doorstep-scam tips | Cybercrimeinfo

Since the appearance of the #Interlock ransomware, the Sekoia #TDR team observed its operators evolving, improving their toolset (#LummaStealer and #BerserkStealer), and leveraging new techniques such as #ClickFix to deploy the ransomware payload.

https://blog.sekoia.io/interlock-ransomware-evolving-under-the-radar/

Interlock ransomware evolving under the radar

ClickFix ransomware attack uses deceptive prompts and PowerShell loaders to deploy threats like Interlock under the radar.

Sekoia.io Blog
New threats, cyberattacks in evolution | Cybercrimeinfo

New Lummastealer evades detection with base64 and iplogger.co. Learn how this evolving malware works and how to protect your organization against it.

Phishing campaign impersonates Booking.com, delivers a suite of credential-stealing malware

A phishing campaign targeting organizations in the hospitality industry has been identified, impersonating Booking.com and using the ClickFix social engineering technique to deliver multiple credential-stealing malware. The campaign, tracked as Storm-1865, targets individuals likely to work with Booking.com in North America, Oceania, Asia, and Europe. The attack uses fake emails and webpages to trick users into executing malicious commands, leading to the download of various malware families including XWorm, Lumma stealer, VenomRAT, AsyncRAT, Danabot, and NetSupport RAT. The campaign aims to steal financial data and credentials for fraudulent use, showing an evolution in the threat actor's tactics to bypass conventional security measures.

Pulse ID: 67fb93e8ebc93d6ded395f39
Pulse Link: https://otx.alienvault.com/pulse/67fb93e8ebc93d6ded395f39
Pulse Author: AlienVault
Created: 2025-04-13 10:37:28

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #AsyncRAT #CyberSecurity #DanaBot #Email #Europe #FinancialData #Hospital #ICS #InfoSec #LummaStealer #Malware #NetSupport #NetSupportRAT #NorthAmerica #OTX #OpenThreatExchange #Phishing #RAT #SocialEngineering #Venom #Worm #XWorm #bot #AlienVault

DE-TH-Aura/100DaysOfKQL/Day 92 - Low Prevalence Unsigned DLL Sideloaded in AppData Folder.md at main · SecurityAura/DE-TH-Aura

Repository where I hold random detection and threat hunting queries that I come up with based on different sources of information (or even inspiration). - SecurityAura/DE-TH-Aura

GitHub