Lumma Stealer Exploits GitHub Repositories

February 3, 2025
in Alerts

Cybersecurity researchers have uncovered a sophisticated campaign that abuses GitHub’s trusted infrastructure to distribute the Lumma Stealer malware. The campaign is part of a growing trend in which cybercriminals leverage legitimate platforms to carry out malicious activity, and the malware targets sensitive user data such as login credentials, cryptocurrency wallets, and browser information. The attackers used GitHub repositories to host malicious files disguised as legitimate software. These files, such as Pictore.exe and App_aelGCY3g.exe, were signed with revoked certificates to make them appear credible and thereby evade initial detection.

The download links used for these files were pre-signed with short expiration parameters, further limiting detection and adding urgency to trick users into downloading the malware.

Once executed, Lumma Stealer begins a series of malicious activities. It collects a wide array of data, including sensitive credentials, browser cookies, autofill information, and local system configuration. The malware communicates with command-and-control (C2) servers via HTTP POST requests, connecting to IPs such as 192[.]142[.]10[.]246 and 192[.]178[.]54[.]36. Lumma Stealer also uses PowerShell scripts and shell commands to establish persistence on infected systems; these commands sidestep a basic control by allowing unrestricted script execution. Additionally, the malware drops further tools such as SectopRAT and Vidar, which compromise the system further by stealing more data or injecting malicious processes.

The attack campaign behind Lumma Stealer is modular, combining several different malware families to enhance its capabilities. Once downloaded, Lumma Stealer extracts files from archives like app-64.7z using embedded utilities such as nsis7z.dll. These extracted files, including components like chrome_100_percent.pak and snapshot_blob.bin, suggest that Electron-based applications may be used for further malicious purposes. The malware’s adaptability allows it to spread through various vectors, including compromised websites and trusted platforms like GitHub, following similar tactics to those used by the Stargazer Goblin group.

To defend against threats like Lumma Stealer, experts recommend several protective measures. Users should always validate URLs and digital certificates before downloading any files and rely on endpoint security solutions to detect unauthorized shell commands. Blocking communication with known malicious IP addresses is essential, while regular system patching and enabling multi-factor authentication (MFA) further strengthen defenses. Additionally, training employees to recognize phishing attempts and other social engineering tactics is crucial to prevent initial infections. With these proactive steps, organizations can mitigate the risks posed by malware campaigns like Lumma Stealer.
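The two detections the alert recommends, blocking traffic to the listed C2 IPs and spotting shell commands that allow unrestricted script execution, as an added example that is not part of the alert or the cited research. The log formats, the sample lines and the PowerShell command-line pattern are constructed assumptions; only the two C2 IPs come from the alert.

```python
import re

# C2 indicators exactly as printed (defanged) in the alert; refanged for matching.
DEFANGED_C2 = ["192[.]142[.]10[.]246", "192[.]178[.]54[.]36"]

def refang(ioc: str) -> str:
    """Turn '192[.]0[.]2[.]1' into '192.0.2.1' so it can be compared with log fields."""
    return ioc.replace("[.]", ".")

C2_IPS = {refang(i) for i in DEFANGED_C2}

# Assumed pattern for command lines that relax PowerShell's execution policy;
# the alert only says the scripts ran with script execution unrestricted.
UNRESTRICTED_RE = re.compile(
    r"(?i)powershell(?:\.exe)?.*?-(?:ep|exec(?:utionpolicy)?)\s+(?:bypass|unrestricted)"
)

# Constructed proxy log: "<timestamp> <src_ip> <method> <dst_ip> <path>"
PROXY_LOG = """\
2025-02-03T10:01:02Z 10.0.0.5 POST 192.142.10.246 /api
2025-02-03T10:01:09Z 10.0.0.5 GET 203.0.113.10 /index.html
2025-02-03T10:02:11Z 10.0.0.7 POST 192.178.54.36 /c2sock
"""

# Constructed process-creation log: "<timestamp> <user> <command line>"
PROCESS_LOG = """\
2025-02-03T10:01:00Z alice powershell.exe -ExecutionPolicy Bypass -File C:\\Users\\alice\\AppData\\Local\\Temp\\x.ps1
2025-02-03T10:01:30Z bob powershell.exe -NoProfile -Command Get-Date
2025-02-03T10:03:00Z carol cmd.exe /c powershell -ep unrestricted -w hidden -f setup.ps1
"""

def find_c2_posts(log: str) -> list[tuple[str, str]]:
    """Return (source, destination) pairs for HTTP POSTs to the alert's C2 IPs."""
    hits = []
    for line in log.splitlines():
        _ts, src, method, dst, _path = line.split(maxsplit=4)
        if method == "POST" and dst in C2_IPS:
            hits.append((src, dst))
    return hits

def find_unrestricted_powershell(log: str) -> list[str]:
    """Return users whose command lines relax the PowerShell execution policy."""
    flagged = []
    for line in log.splitlines():
        _ts, user, cmdline = line.split(maxsplit=2)
        if UNRESTRICTED_RE.search(cmdline):
            flagged.append(user)
    return flagged

if __name__ == "__main__":
    print(find_c2_posts(PROXY_LOG))                   # [('10.0.0.5', '192.142.10.246'), ('10.0.0.7', '192.178.54.36')]
    print(find_unrestricted_powershell(PROCESS_LOG))  # ['alice', 'carol']
```

The C2 match is an exact-IP check, so it only catches the two addresses named here; in production the set would be fed from a threat-intelligence source rather than hard-coded.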

Reference:
  • GitHub Trusted Infrastructure Used to Spread Lumma Stealer Malware

About Lumma Stealer:

Lumma Stealer, also known as LummaC2 Stealer, is a sophisticated information-stealing malware first observed in August 2022. Developed by the threat actor known as “Shamel” or “Lumma,” it is distributed through a Malware-as-a-Service (MaaS) model on Russian-speaking forums and targets a range of sensitive data. Written in C, Lumma Stealer primarily focuses on compromising cryptocurrency wallets and two-factor authentication (2FA) browser extensions. It exfiltrates stolen information by sending it to a command-and-control (C2) server via HTTP POST requests, using the user agent “TeslaBrowser/5.5.”

The malware’s capabilities extend beyond simple data theft; it includes a non-resident loader that can deliver additional malicious payloads in the form of EXE, DLL, or PowerShell scripts. This makes Lumma Stealer a versatile tool in the arsenal of cybercriminals, combining targeted data extraction with the potential for further compromise through additional malware delivery.
