Saturday, February 15, 2025
Homecyber securityCybercriminals Exploit GitHub Infrastructure to Distribute Lumma Stealer

Cybercriminals Exploit GitHub Infrastructure to Distribute Lumma Stealer

Published on

SIEM as a Service

Follow Us on Google News

In a recent investigation, Trend Micro’s Managed XDR team identified a sophisticated malware campaign exploiting GitHub’s release infrastructure to distribute Lumma Stealer, along with SectopRAT, Vidar, and Cobeacon malware.

This campaign underscores the evolving tactics of attackers leveraging trusted platforms to deliver malicious payloads.

Abuse of Trusted Platforms

The attack begins with users downloading files via temporary secure URLs hosted on GitHub’s release mechanism.

Files such as Pictore.exe and App_aeIGCY3g.exe both confirmed to be Lumma Stealer variants exfiltrate sensitive data, including credentials, cryptocurrency wallets, and system details, while establishing connections to command-and-control (C&C) servers.

GitHub Infrastructure
Downloading the Lumma Stealer binary Pictore.exe from its Github repository

The malicious binaries, signed with revoked certificates, exploit GitHub repositories for distribution while leveraging PowerShell scripts and shell commands to establish persistence and evade detection.

Further analysis revealed that the campaign overlaps with tactics used by the Stargazer Goblin group, a known threat actor employing compromised websites and GitHub for payload distribution.

Consistent URL patterns and the redirection of victims to GitHub-hosted malware highlight deliberate planning.

Modular Malware Deployment

The infection chain is complex and employs modular deployment. The initial Lumma Stealer files dynamically dropped and executed additional malware, including:

  • SectopRAT: Facilitates remote access and further exfiltration through processes such as browser data theft and persistence mechanisms (e.g., startup entries and scheduled tasks).
  • Vidar: Copies browser data and cloud storage files, establishing connections to external C&C servers for data exfiltration.
  • Lumma Stealer Variant: Employs obfuscated PowerShell scripts to contact malicious domains, download payloads, and extract sensitive user details.

The attackers demonstrated advanced evasion techniques by using Electron-based frameworks for malware execution and custom settings to bypass sandboxing.

GitHub Infrastructure
The chain of events in an attack involving Vidar

Connections to IP addresses such as 192[.]142[.]10[.]246 and domains like lumdukekiy[.]shop facilitated external communication.

Additionally, reconnaissance commands and code execution flags were used to gather system and environment information stealthily.

The campaign marks a notable evolution in malware distribution tactics, with attackers leveraging GitHub to bypass security defenses and normalize malicious payloads.

The deployment of multiple malware families, including Lumma Stealer, illustrates a strategic shift toward modular, multi-purpose attacks.

Trend Micro’s Managed XDR platform proved instrumental in uncovering this campaign, emphasizing the importance of robust cyber threat intelligence and proactive monitoring in mitigating modern cyber threats.

Are you from SOC/DFIR Teams? – Analyse Malware Files & Links with ANY.RUN Sandox -> Try for Free

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Fake BSOD Attack Launched via Malicious Python Script

A peculiar malicious Python script has surfaced, employing an unusual and amusing anti-analysis trick...

SocGholish Malware Dropped from Hacked Web Pages using Weaponized ZIP Files

A recent wave of cyberattacks leveraging the SocGholish malware framework has been observed using...

Lazarus Group Targets Developers Worldwide with New Malware Tactic

North Korea's Lazarus Group, a state-sponsored cybercriminal organization, has launched a sophisticated global campaign...

North Korean IT Workers Penetrate Global Firms to Install System Backdoors

In a concerning escalation of cyber threats, North Korean IT operatives have infiltrated global...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Fake BSOD Attack Launched via Malicious Python Script

A peculiar malicious Python script has surfaced, employing an unusual and amusing anti-analysis trick...

SocGholish Malware Dropped from Hacked Web Pages using Weaponized ZIP Files

A recent wave of cyberattacks leveraging the SocGholish malware framework has been observed using...

Lazarus Group Targets Developers Worldwide with New Malware Tactic

North Korea's Lazarus Group, a state-sponsored cybercriminal organization, has launched a sophisticated global campaign...