In a recent investigation, Trend Micro’s Managed XDR team identified a sophisticated malware campaign exploiting GitHub’s release infrastructure to distribute Lumma Stealer, along with SectopRAT, Vidar, and Cobeacon malware.
This campaign underscores the evolving tactics of attackers leveraging trusted platforms to deliver malicious payloads.
The attack begins with users downloading files via temporary secure URLs hosted on GitHub’s release mechanism.
Files such as Pictore.exe and App_aeIGCY3g.exe, both confirmed to be Lumma Stealer variants, exfiltrate sensitive data, including credentials, cryptocurrency wallets, and system details, while establishing connections to command-and-control (C&C) servers.
The malicious binaries, signed with revoked certificates, exploit GitHub repositories for distribution while leveraging PowerShell scripts and shell commands to establish persistence and evade detection.
Further analysis revealed that the campaign overlaps with tactics used by the Stargazer Goblin group, a known threat actor employing compromised websites and GitHub for payload distribution.
Consistent URL patterns and the redirection of victims to GitHub-hosted malware highlight deliberate planning.
The infection chain is complex and employs modular deployment. The initial Lumma Stealer files dynamically dropped and executed additional malware, including:
The attackers demonstrated advanced evasion techniques by using Electron-based frameworks for malware execution and custom settings to bypass sandboxing.
Connections to IP addresses such as 192[.]142[.]10[.]246 and domains like lumdukekiy[.]shop facilitated external communication.
Additionally, reconnaissance commands and code execution flags were used to gather system and environment information stealthily.
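The indicators above (the C&C IP, the domain, and the two file names) are the kind of data a SOC would fold into a proxy-log sweep. The script below is an added example written for this article, not code from Trend Micro or from the report; it refangs the article's indicators, flags executable downloads that follow the public GitHub release-asset URL layout (the `github.com/<owner>/<repo>/releases/download/` path and the `objects.githubusercontent.com` redirect host are assumptions about how release assets are served, not something stated in the article), and runs over a handful of constructed proxy log lines in a minimal made-up format.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Indicators from the article, defanged there with [.] and refanged here for matching.
IOC_IPS = {"192.142.10.246"}
IOC_DOMAINS = {"lumdukekiy.shop"}
# File names the article names as confirmed Lumma Stealer samples (matched case-insensitively).
IOC_FILENAMES = {"pictore.exe", "app_aeigcy3g.exe"}

# Assumption: GitHub release assets are downloaded via the public
# github.com/<owner>/<repo>/releases/download/... path, which then redirects to
# objects.githubusercontent.com. Neither host is named in the article.
GITHUB_RELEASE_RE = re.compile(r"^/[^/]+/[^/]+/releases/download/", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    reason: str
    value: str


def parse_proxy_line(line):
    """Parse one line of a constructed proxy log: '<ts> <client_ip> <method> <url> <status>'."""
    parts = line.split()
    if len(parts) < 5:
        return None
    return {"ts": parts[0], "client": parts[1], "method": parts[2], "url": parts[3], "status": parts[4]}


def classify(url):
    """Return (reason, value) tags describing why a URL is interesting; empty list if it is not."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    filename = u.path.rsplit("/", 1)[-1].lower()
    tags = []
    if host in IOC_IPS:
        tags.append(("known_c2_ip", host))
    if host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS):
        tags.append(("known_c2_domain", host))
    if filename in IOC_FILENAMES:
        tags.append(("known_malicious_filename", filename))
    # Executable pulled from a GitHub release asset: not malicious by itself, but
    # exactly the delivery path the article describes, so worth a triage tag.
    is_release_asset = (
        (host == "github.com" and GITHUB_RELEASE_RE.search(u.path) is not None)
        or host == "objects.githubusercontent.com"
    )
    if is_release_asset and filename.endswith(".exe"):
        tags.append(("github_release_exe_download", url))
    return tags


def scan(lines):
    """Run classify() over every parseable log line and collect Findings."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        for reason, value in classify(rec["url"]):
            findings.append(Finding(n, reason, value))
    return findings


def summarize(findings):
    """Map line number -> sorted list of reasons, for quick review or assertions."""
    out = {}
    for f in findings:
        out.setdefault(f.line_no, []).append(f.reason)
    return {k: sorted(v) for k, v in out.items()}


# Constructed sample log lines (owner/repo names and timestamps are made up).
SAMPLE_LOG = [
    "2025-01-10T09:12:01Z 10.0.0.15 GET https://github.com/example-org/example-repo/releases/download/v1.0/Pictore.exe 200",
    "2025-01-10T09:12:05Z 10.0.0.15 GET https://objects.githubusercontent.com/github-production-release-asset/123/App_aeIGCY3g.exe?X-Amz-Signature=abc 200",
    "2025-01-10T09:13:00Z 10.0.0.15 POST http://192.142.10.246/api 200",
    "2025-01-10T09:13:30Z 10.0.0.15 GET https://lumdukekiy.shop/c 200",
    "2025-01-10T09:14:00Z 10.0.0.22 GET https://github.com/example-org/tool/releases/download/v2/README.md 200",
    "2025-01-10T09:15:00Z 10.0.0.22 GET https://docs.python.org/3/ 200",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason} -> {f.value}")
```

The `github_release_exe_download` tag is deliberately separate from the hard indicator matches: legitimate software ships through GitHub releases every day, so that tag is a triage hint to correlate with the signer, the downloading host, and any follow-on connections, while the IP, domain, and file-name matches are high-confidence hits on the article's own indicators.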
The campaign marks a notable evolution in malware distribution tactics, with attackers leveraging GitHub to bypass security defenses and normalize malicious payloads.
The deployment of multiple malware families, including Lumma Stealer, illustrates a strategic shift toward modular, multi-purpose attacks.
Trend Micro’s Managed XDR platform proved instrumental in uncovering this campaign, emphasizing the importance of robust cyber threat intelligence and proactive monitoring in mitigating modern cyber threats.