Unmasking The 64-bit Variant of the Infamous Lumma Stealer

Pulse ID: 69d726a781917e6d96862311
Pulse Link: https://otx.alienvault.com/pulse/69d726a781917e6d96862311
Pulse Author: Tr1sa111
Created: 2026-04-09 04:10:15

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #LummaStealer #OTX #OpenThreatExchange #bot #Tr1sa111

Unmasking The 64-bit Variant of the Infamous Lumma Stealer

Gen Threat Labs has identified Remus, a new 64-bit infostealer attributed to the Lumma Stealer family, emerging after Lumma's takedown and the doxxing of its alleged core members. First campaigns date back to February 2026, with the malware switching from Steam/Telegram dead drop resolvers to EtherHiding and employing new anti-analysis checks. Remus shares multiple characteristics with Lumma including identical string obfuscation techniques, AntiVM checks, direct syscall/sysenter handling, indirect control flow obfuscation, and a unique Application-Bound Encryption bypass. The analysis details test builds labeled Tenzor from September 2025, representing a transitional step between Lumma and Remus. While maintaining Lumma's stealing arsenal for browser passwords, cookies, and cryptocurrency, Remus introduces blockchain-based C2 resolution via EtherHiding, additional anti-sandbox checks targeting analysis tool DLLs, and enhanced device fingerprinting capabilities.

Pulse ID: 69d61cf42af050999ace2be6
Pulse Link: https://otx.alienvault.com/pulse/69d61cf42af050999ace2be6
Pulse Author: AlienVault
Created: 2026-04-08 09:16:36

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BlockChain #Browser #Cookies #CyberSecurity #Encryption #EtherHiding #ICS #InfoSec #InfoStealer #LummaStealer #Malware #OTX #OpenThreatExchange #Password #Passwords #Steam #Telegram #Word #bot #cryptocurrency #doxxing #AlienVault

Phantom Footprints: Tracking GhostSocks Malware

GhostSocks is an emerging threat that turns compromised devices into residential proxy nodes, enabling attackers to evade detection. Originally marketed on Russian underground forums as Malware-as-a-Service, it has gained popularity due to its partnership with Lumma Stealer. Written in GoLang, GhostSocks uses SOCKS5 proxy protocol and TLS encryption to blend malicious traffic into normal network activity. It also incorporates backdoor functionality for running arbitrary commands and deploying additional payloads. Darktrace observed an increase in GhostSocks activity, detecting it alongside Lumma Stealer in customer networks. The malware's versatility in converting devices into proxy nodes while enabling covert network access illustrates how threat actors maximize the value of compromised infrastructure.

Pulse ID: 69cbf2e5f01a923f01d49ea8
Pulse Link: https://otx.alienvault.com/pulse/69cbf2e5f01a923f01d49ea8
Pulse Author: AlienVault
Created: 2026-03-31 16:14:29

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #Darktrace #Encryption #Golang #InfoSec #LummaStealer #Malware #MalwareAsAService #OTX #OpenThreatExchange #Proxy #RAT #Russia #TLS #bot #socks5 #AlienVault

Nowy wariant metody ClickFix – cyberprzestępcy rezygnują z Win+R na rzecz Win+X i Terminala Windows

Badacze bezpieczeństwa z Microsoft Defender ostrzegają przed nowym wariantem kampanii malware, w której cyberprzestępcy za pomocą phishingu nakłaniają użytkowników do instalacji złośliwego oprogramowania typu infostealer (Lumma Stealer). Atak opiera się na technice ClickFix, polegającej na przekonaniu użytkownika do uruchomienia złośliwych poleceń PowerShell.TLDR: Schemat ataku jest dosyć prosty. Korzystając z socjotechniki...

#Aktualności #Clickfix #LummaStealer #Microsoft #Windows #WindowsDefender

https://sekurak.pl/nowy-wariant-metody-clickfix-cyberprzestepcy-rezygnuja-z-winr-na-rzecz-winx-i-terminala-windows/

CTM360 identifies an active campaign leveraging Google Groups and Google-hosted redirect chains to deliver Lumma Stealer (Windows) and a trojanized Chromium fork branded “Ninja Browser” (Linux).
Technical highlights:
• 950MB padded executable (null-byte inflation)
• AutoIt loader reconstruction
• Memory-resident payload execution
• Multipart/form-data POST exfiltration
• Malicious extension “NinjaBrowserMonetisation”
• XOR + Base56-like JS obfuscation
• Scheduled task persistence
• Russian search engine default modification

This campaign reinforces a critical shift: SaaS platforms are now delivery infrastructure.
Defensive priorities:
– IoC blocking at firewall + EDR
– Redirect chain inspection
– Extension audit controls
– Endpoint scheduled task monitoring

How are you adjusting detection engineering for SaaS-based malware distribution?
Engage below.

Source: https://www.ctm360.com/reports/ninja-browser-lumma-infostealer

Follow @technadu for ongoing threat intelligence coverage.

#ThreatIntel #MalwareResearch #DetectionEngineering #SOCOperations #EDR #CloudSecurity #SaaSAbuse #LummaStealer #LinuxThreats #CTM360 #IncidentResponse

DNS-based staging via ClickFix represents tactical evolution.

Per Microsoft:
• Cmd.exe → nslookup execution
• Hardcoded external DNS resolver
• Payload embedded in DNS Name: response
• ZIP retrieval from azwsappdev[.]com
• Python-based reconnaissance
• VBScript persistence via Startup LNK
• ModeloRAT deployment
• Lumma Stealer distribution via CastleLoader (GrayBravo)

Campaign telemetry also discussed by Bitdefender and Kaspersky.

DNS offers:
• Reduced dependency on HTTP
• Traffic blending with legitimate queries
• Lightweight validation signaling

Detection priorities:
• Anomalous nslookup patterns
• External DNS resolver usage
• Suspicious Startup LNK creation
• DNS response content inspection

Is your EDR correlating DNS queries with process lineage?
Engage below.
Follow @technadu for advanced threat analysis.

#ThreatIntel #ClickFix #DNSStaging #ModeloRAT #LummaStealer #CastleLoader #DetectionEngineering #BlueTeam #SOC #Infosec #CyberOperations #MalwareAnalysis

It's been a busy 24 hours in the cyber world with significant updates on the evolving "ClickFix" social engineering tactic, showing how attackers are getting creative with initial access and payload delivery. Let's take a look:

Evolving ClickFix Attacks: DNS Staging and Crypto Hijacks ⚠️

- Microsoft has detailed a new DNS-based ClickFix variant where victims are tricked into running `nslookup` commands, using DNS as a stealthy staging channel for payloads like ModeloRAT. This method blends malicious activity into normal network traffic, making detection harder.
- A separate, novel ClickFix campaign is leveraging Pastebin comments and Google Docs to socially engineer cryptocurrency users into executing malicious JavaScript directly in their browser. This allows attackers to hijack Bitcoin swap transactions and redirect funds to their wallets.
- These incidents highlight the evolving nature of ClickFix, moving beyond traditional OS-level command execution to sophisticated DNS staging and direct browser manipulation for financial theft, underscoring the critical need for user awareness and robust detection of procedural trust abuse.

📰 The Hacker News | https://thehackernews.com/2026/02/microsoft-discloses-dns-based-clickfix.html
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/pastebin-comments-push-clickfix-javascript-attack-to-hijack-crypto-swaps/

#CyberSecurity #ThreatIntelligence #SocialEngineering #ClickFix #Malware #ModeloRAT #LummaStealer #CryptoScam #InfoSec #CyberAttack #IncidentResponse