Lumma Stealer Using Fake Google Meet & Windows Update Sites to Launch “Click Fix” Style Attack

Cybersecurity researchers continue to track sophisticated “Click Fix” style distribution campaigns that deliver the notorious Lumma Stealer malware to unsuspecting victims.

These increasingly sophisticated tactics, initially documented by Unit42 researchers Billy Melicher and Nabeel Mohamed, utilize social engineering techniques that trick users into executing malicious PowerShell scripts, ultimately leading to the deployment of this dangerous information-stealing malware.

Lumma Stealer

Lumma Stealer, also known as LummaC2 Stealer, is a potent information-stealing malware operating under a Malware-as-a-Service (MaaS) model that has been available on Russian-speaking underground forums since at least August 2022.

Developed by a threat actor using the aliases “Shamel” and “Lumma,” this sophisticated C-language malware targets an extensive range of sensitive data on compromised systems, including cryptocurrency wallets, web browser information, email credentials, financial data, and sensitive files.

The malware has shown remarkable adaptability, with recent versions implementing the ChaCha20 cipher for configuration decryption, demonstrating the developers’ commitment to evading analysis tools and detection mechanisms.

The “Click Fix” distribution method represents a particularly insidious social engineering technique first documented in 2024.

This method creates web pages that covertly insert malicious code into the victim’s clipboard when they interact with seemingly legitimate verification interfaces.

The technique stands out for its psychological manipulation: rather than relying on traditional malicious downloads, it instructs users themselves to paste preloaded malicious code into their Run prompt (accessed via Windows+R), essentially tricking victims into self-infection.

Evolving “Click Fix” Distribution Tactics

According to the Cyber Security News technical analysis, This approach involves web pages that insert scripts into the clipboard, prompting users to paste them into the Run dialog.

For instance, a Fake Google Meet Page hosted on Google Sites instructed users to verify their accounts by executing a PowerShell command.

This command retrieved a script from “tlgrm-redirect[.]icu/1.txt,” initiating a complex infection chain.

Another campaign involved a Fake Windows Update Site at “windows-update[.]site,” where users were prompted to execute a PowerShell command that retrieved a malicious payload from “overcoatpassably[.]shop.”

From a technical analysis perspective, recent campaigns have involved specific malicious files.

 These include a PowerShell script (SHA256: 909ed8a1351f9a21ebdd5d8efb4147145f12d5d24225dbd44cd2800a1f94a596) and a zip archive (SHA256: 0608775a345c5a0869418ffddd1f694cb888fe8acde6d34543516db1a01e3ef8) containing Lumma Stealer components.

This approach allows attackers to bypass corporate firewalls and maintain a false sense of security for potential victims.

Victims are tricked into executing PowerShell commands that download and execute payloads. These scripts often involve base64-encoded data, making them difficult to detect without specific monitoring tools.

Attackers use zip archives containing decoy files and legitimate executables to side-load malicious DLLs.

This technique provides excellent camouflage, as the process appears legitimate while the malicious activity occurs through the side-loaded DLL.

The malware communicates with command and control (C2) domains, including “web-security3[.]com,” “codxefusion[.]top,” “techspherxe[.]top,” and “farmingtzricks[.]top.”

These domains play a crucial role in the malware’s operation, facilitating data exfiltration and command execution.

The evolving tactics of Lumma Stealer highlight the ongoing challenge of defending against sophisticated malware campaigns.

By combining social engineering with technical evasion techniques, attackers continue to successfully bypass traditional security controls.

Organizations must maintain awareness of these emerging tactics and adapt their defensive strategies accordingly to mitigate the risks associated with Lumma Stealer.

Find this News Interesting! Follow us on Google News, LinkedIn, and X to Get Instant Updates!