Hackers are now turning on each other in a deceptive new campaign targeting cybercriminals. The operation revolves around a fake OnlyFans tool, which promises to help steal accounts but instead deploys Lumma, a sophisticated information-stealing malware. Discovered by Veriti Research, this campaign illustrates the ironic twists in the world of cybercrime, where hackers can inadvertently become victims of their own tools. Lumma is distributed via various means, including malvertising and, more recently, GitHub comments, allowing it to spread rapidly among cybercriminals.
The malware’s primary function is to steal sensitive data, including passwords, credit card information, cookies, and two-factor authentication (2FA) codes from compromised systems. It is offered as malware-as-a-service, with a range of functionalities available to cybercriminals willing to pay between $250 and $1000 per month for access. Lumma’s evasion mechanisms make it difficult to detect, while its ability to restore expired Google session tokens adds another layer of complexity to its operation. In addition to stealing data, Lumma serves as a loader, capable of installing additional malicious payloads onto compromised systems.
The specific attack described in the research began with the delivery of a fake OnlyFans “checker” tool. Cybercriminals typically use such tools to validate stolen login credentials for services like OnlyFans, but in this case, the tool delivered Lumma malware instead. The malicious payload, which was hosted on a GitHub repository, infects the victim’s computer with Lumma, enabling the attacker to collect valuable data. This operation highlights the growing trend of cybercriminals using familiar, trusted tools to spread malware among their own ranks, exploiting their trust to deliver harmful payloads.
Veriti’s investigation also revealed that the cybercriminal behind the Lumma campaign hosted multiple other malicious payloads on the same GitHub account. These included tools aimed at Disney+ account thieves, Instagram hackers, and even those attempting to build botnets. The malware communicates with its command-and-control servers through “.shop” domains, exfiltrating stolen data to the attacker. This type of operation is not new: there have been previous instances of cybercriminals targeting their peers with malware disguised as legitimate tools. The trend underscores the increasing complexity and unpredictability of the cybercriminal ecosystem, where no one is truly safe.
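The article's one concrete network indicator is that Lumma talks to its command-and-control servers over “.shop” domains and uploads stolen data to them. The following is an added defensive example, written for this page and not taken from Veriti's research or from any vendor tooling: it scans web-proxy log lines for repeated, large outbound POST/PUT requests to unvetted .shop hosts, which is the shape an exfiltration beacon would leave. The log format, the sample lines, the allowlist entry and the thresholds are all constructed assumptions; .shop is an ordinary TLD with plenty of legitimate traffic, so the output is a triage lead to pair with process reputation and the article's other indicators, not a verdict on its own.

```python
"""Flag possible infostealer exfiltration in web-proxy logs.

Added illustration; not Veriti's detection logic. Assumes a simple
whitespace-separated proxy log format (constructed for this example):
  <timestamp> <src_host> <process> <method> <url> <bytes_sent>
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log lines, not real telemetry.
SAMPLE_LOG = """\
2024-09-01T10:00:01Z WS-07 chrome.exe GET https://www.example.org/index.html 512
2024-09-01T10:00:04Z WS-07 checker.exe POST https://api.update-check.shop/gate 48213
2024-09-01T10:00:05Z WS-07 checker.exe POST https://api.update-check.shop/gate 51990
2024-09-01T10:00:06Z WS-07 checker.exe POST https://api.update-check.shop/gate 47777
2024-09-01T10:01:10Z WS-12 msedge.exe GET https://store.example.shop/catalog 2048
2024-09-01T10:02:00Z WS-12 outlook.exe POST https://outlook.office.com/owa 1300
"""

# Hosts the organisation has vetted; placeholder entry, not a real allowlist.
ALLOWLIST = {"store.example.shop"}

# Heuristic thresholds (assumptions; tune to the environment).
MIN_BYTES_SENT = 10_000   # stealer uploads are large relative to ordinary POSTs
MIN_POSTS = 2             # repeated uploads to the same host from one process

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (GET|POST|PUT) (\S+) (\d+)$")


def parse_line(line):
    """Parse one proxy log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, proc, method, url, sent = m.groups()
    return {"ts": ts, "host": host, "proc": proc, "method": method,
            "domain": urlsplit(url).hostname or "", "sent": int(sent)}


def find_suspicious(log_text):
    """Return {(src_host, process, domain): total_bytes_sent} for outbound
    uploads to unvetted .shop domains that exceed both thresholds."""
    uploads = defaultdict(lambda: {"posts": 0, "bytes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] not in ("POST", "PUT"):
            continue
        if not rec["domain"].endswith(".shop") or rec["domain"] in ALLOWLIST:
            continue
        key = (rec["host"], rec["proc"], rec["domain"])
        uploads[key]["posts"] += 1
        uploads[key]["bytes"] += rec["sent"]
    return {k: v["bytes"] for k, v in uploads.items()
            if v["posts"] >= MIN_POSTS and v["bytes"] >= MIN_BYTES_SENT}


if __name__ == "__main__":
    for (host, proc, domain), total in find_suspicious(SAMPLE_LOG).items():
        print(f"{host}: {proc} uploaded {total} bytes to {domain}")
```

On the constructed sample, only the three POSTs from `checker.exe` on WS-07 to `api.update-check.shop` are reported (147980 bytes in total); the allowlisted storefront and the browser GETs are ignored. Grouping by source host, process and destination is what turns a weak TLD indicator into something actionable: the process name tells the responder which binary to pull for analysis, and the byte total gives a rough sense of how much may have left.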