#lummastealer — Public Fediverse posts on home.social

OTX Bot @[email protected] · 2026-05-07 · 08:32 UTC

Malware Bypasses Browser Application-Bound Encryption Protections

A sophisticated 64-bit information-stealing malware named Remus has emerged as a direct evolution of the notorious Lumma Stealer. Following the doxxing of alleged Lumma core members between August and October 2025, developers created this advanced variant, with test builds appearing in September 2025 and live campaigns starting February 2026. Remus employs innovative techniques including injecting custom 51-byte shellcode into browser memory to extract protected master keys, bypassing Application-Bound Encryption in Chromium-based browsers. The malware utilizes EtherHiding through Ethereum smart contracts for command-and-control resolution, making infrastructure takedowns nearly impossible. It targets browser credentials, session cookies, and cryptocurrency wallets while implementing rigorous anti-analysis checks to evade security research environments.

Pulse ID: 69fb17376737204f3abf5eaf
Pulse Link: https://otx.alienvault.com/pulse/69fb17376737204f3abf5eaf
Pulse Author: AlienVault
Created: 2026-05-06 10:25:59

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #Cookies #CyberSecurity #Encryption #EtherHiding #InfoSec #LummaStealer #Malware #OTX #OpenThreatExchange #ShellCode #bot #cryptocurrency #developers #doxxing #AlienVault

#browser #cookies #cybersecurity #encryption #etherhiding #infosec

OTX Bot @[email protected] · 2026-05-07 · 08:32 UTC

Malware Bypasses Browser Application-Bound Encryption Protections

A sophisticated 64-bit information-stealing malware named Remus has emerged as a direct evolution of the notorious Lumma Stealer. Following the doxxing of alleged Lumma core members between August and October 2025, developers created this advanced variant, with test builds appearing in September 2025 and live campaigns starting February 2026. Remus employs innovative techniques including injecting custom 51-byte shellcode into browser memory to extract protected master keys, bypassing Application-Bound Encryption in Chromium-based browsers. The malware utilizes EtherHiding through Ethereum smart contracts for command-and-control resolution, making infrastructure takedowns nearly impossible. It targets browser credentials, session cookies, and cryptocurrency wallets while implementing rigorous anti-analysis checks to evade security research environments.

Pulse ID: 69fb17376737204f3abf5eaf
Pulse Link: https://otx.alienvault.com/pulse/69fb17376737204f3abf5eaf
Pulse Author: AlienVault
Created: 2026-05-06 10:25:59

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #Cookies #CyberSecurity #Encryption #EtherHiding #InfoSec #LummaStealer #Malware #OTX #OpenThreatExchange #ShellCode #bot #cryptocurrency #developers #doxxing #AlienVault

#browser #cookies #cybersecurity #encryption #etherhiding #infosec

OTX Bot @[email protected] · 2026-05-07 · 08:32 UTC

Malware Bypasses Browser Application-Bound Encryption Protections

A sophisticated 64-bit information-stealing malware named Remus has emerged as a direct evolution of the notorious Lumma Stealer. Following the doxxing of alleged Lumma core members between August and October 2025, developers created this advanced variant, with test builds appearing in September 2025 and live campaigns starting February 2026. Remus employs innovative techniques including injecting custom 51-byte shellcode into browser memory to extract protected master keys, bypassing Application-Bound Encryption in Chromium-based browsers. The malware utilizes EtherHiding through Ethereum smart contracts for command-and-control resolution, making infrastructure takedowns nearly impossible. It targets browser credentials, session cookies, and cryptocurrency wallets while implementing rigorous anti-analysis checks to evade security research environments.

Pulse ID: 69fb17376737204f3abf5eaf
Pulse Link: https://otx.alienvault.com/pulse/69fb17376737204f3abf5eaf
Pulse Author: AlienVault
Created: 2026-05-06 10:25:59

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #Cookies #CyberSecurity #Encryption #EtherHiding #InfoSec #LummaStealer #Malware #OTX #OpenThreatExchange #ShellCode #bot #cryptocurrency #developers #doxxing #AlienVault

#browser #cookies #cybersecurity #encryption #etherhiding #infosec

OTX Bot @[email protected] · 2026-05-07 · 08:32 UTC

Malware Bypasses Browser Application-Bound Encryption Protections

A sophisticated 64-bit information-stealing malware named Remus has emerged as a direct evolution of the notorious Lumma Stealer. Following the doxxing of alleged Lumma core members between August and October 2025, developers created this advanced variant, with test builds appearing in September 2025 and live campaigns starting February 2026. Remus employs innovative techniques including injecting custom 51-byte shellcode into browser memory to extract protected master keys, bypassing Application-Bound Encryption in Chromium-based browsers. The malware utilizes EtherHiding through Ethereum smart contracts for command-and-control resolution, making infrastructure takedowns nearly impossible. It targets browser credentials, session cookies, and cryptocurrency wallets while implementing rigorous anti-analysis checks to evade security research environments.

Pulse ID: 69fb17376737204f3abf5eaf
Pulse Link: https://otx.alienvault.com/pulse/69fb17376737204f3abf5eaf
Pulse Author: AlienVault
Created: 2026-05-06 10:25:59

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #Cookies #CyberSecurity #Encryption #EtherHiding #InfoSec #LummaStealer #Malware #OTX #OpenThreatExchange #ShellCode #bot #cryptocurrency #developers #doxxing #AlienVault

#alienvault #doxxing #developers #cryptocurrency #bot #shellcode

OTX Bot @[email protected] · 2026-05-07 · 08:32 UTC

Malware Bypasses Browser Application-Bound Encryption Protections

A sophisticated 64-bit information-stealing malware named Remus has emerged as a direct evolution of the notorious Lumma Stealer. Following the doxxing of alleged Lumma core members between August and October 2025, developers created this advanced variant, with test builds appearing in September 2025 and live campaigns starting February 2026. Remus employs innovative techniques including injecting custom 51-byte shellcode into browser memory to extract protected master keys, bypassing Application-Bound Encryption in Chromium-based browsers. The malware utilizes EtherHiding through Ethereum smart contracts for command-and-control resolution, making infrastructure takedowns nearly impossible. It targets browser credentials, session cookies, and cryptocurrency wallets while implementing rigorous anti-analysis checks to evade security research environments.

Pulse ID: 69fb17376737204f3abf5eaf
Pulse Link: https://otx.alienvault.com/pulse/69fb17376737204f3abf5eaf
Pulse Author: AlienVault
Created: 2026-05-06 10:25:59

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #Cookies #CyberSecurity #Encryption #EtherHiding #InfoSec #LummaStealer #Malware #OTX #OpenThreatExchange #ShellCode #bot #cryptocurrency #developers #doxxing #AlienVault

#browser #cookies #cybersecurity #encryption #etherhiding #infosec

(in)sicurezza digitale @[email protected] · 2026-04-20 · 17:21 UTC

Dal Roblox script al breach di Vercel: come un infostealer ha quasi compromesso la supply chain di Next.js

Un dipendente di Context.ai infettato da Lumma Stealer tramite script Roblox ha aperto la porta a una potenziale supply chain attack su Vercel e Next.js. ShinyHunters rivendica il furto di codice sorgente, token NPM/GitHub e 580 record di dipendenti, offrendo il pacchetto per $2 milioni. Vercel conferma accesso limitato ma esclude compromissione dei framework open source.

https://insicurezzadigitale.com/dal-roblox-script-al-breach-di-vercel-come-un-infostealer-ha-quasi-compromesso-la-supply-chain-di-next-js/

#cybercrime #databreach #infosec #infostealer #lummastealer #npm

SANS Internet Storm Center - SANS.edu - Go Sentinels! @[email protected] · 2026-04-17 · 00:36 UTC

ISC Diary: #LummaStealer infection with #SectopRAT (#ArechClient2) https://isc.sans.edu/diary/32904

#lummastealer #sectoprat

sekurak News @[email protected] · 2026-03-17 · 01:20 UTC

Nowy wariant metody ClickFix – cyberprzestępcy rezygnują z Win+R na rzecz Win+X i Terminala Windows

Badacze bezpieczeństwa z Microsoft Defender ostrzegają przed nowym wariantem kampanii malware, w której cyberprzestępcy za pomocą phishingu nakłaniają użytkowników do instalacji złośliwego oprogramowania typu infostealer (Lumma Stealer). Atak opiera się na technice ClickFix, polegającej na przekonaniu użytkownika do uruchomienia złośliwych poleceń PowerShell.TLDR: Schemat ataku jest dosyć prosty. Korzystając z socjotechniki...

#Aktualności #Clickfix #LummaStealer #Microsoft #Windows #WindowsDefender

https://sekurak.pl/nowy-wariant-metody-clickfix-cyberprzestepcy-rezygnuja-z-winr-na-rzecz-winx-i-terminala-windows/

#aktualnosci #clickfix #lummastealer #microsoft #windows #windowsdefender

sekurak News @[email protected] · 2026-03-17 · 01:20 UTC

Nowy wariant metody ClickFix – cyberprzestępcy rezygnują z Win+R na rzecz Win+X i Terminala Windows

Badacze bezpieczeństwa z Microsoft Defender ostrzegają przed nowym wariantem kampanii malware, w której cyberprzestępcy za pomocą phishingu nakłaniają użytkowników do instalacji złośliwego oprogramowania typu infostealer (Lumma Stealer). Atak opiera się na technice ClickFix, polegającej na przekonaniu użytkownika do uruchomienia złośliwych poleceń PowerShell.TLDR: Schemat ataku jest dosyć prosty. Korzystając z socjotechniki...

#Aktualności #Clickfix #LummaStealer #Microsoft #Windows #WindowsDefender

https://sekurak.pl/nowy-wariant-metody-clickfix-cyberprzestepcy-rezygnuja-z-winr-na-rzecz-winx-i-terminala-windows/

#aktualnosci #clickfix #lummastealer #microsoft #windows #windowsdefender

sekurak News @[email protected] · 2026-03-17 · 01:20 UTC

Nowy wariant metody ClickFix – cyberprzestępcy rezygnują z Win+R na rzecz Win+X i Terminala Windows

Badacze bezpieczeństwa z Microsoft Defender ostrzegają przed nowym wariantem kampanii malware, w której cyberprzestępcy za pomocą phishingu nakłaniają użytkowników do instalacji złośliwego oprogramowania typu infostealer (Lumma Stealer). Atak opiera się na technice ClickFix, polegającej na przekonaniu użytkownika do uruchomienia złośliwych poleceń PowerShell.TLDR: Schemat ataku jest dosyć prosty. Korzystając z socjotechniki...

#Aktualności #Clickfix #LummaStealer #Microsoft #Windows #WindowsDefender

https://sekurak.pl/nowy-wariant-metody-clickfix-cyberprzestepcy-rezygnuja-z-winr-na-rzecz-winx-i-terminala-windows/

#aktualnosci #clickfix #lummastealer #microsoft #windows #windowsdefender

sekurak News @[email protected] · 2026-03-17 · 01:20 UTC

Nowy wariant metody ClickFix – cyberprzestępcy rezygnują z Win+R na rzecz Win+X i Terminala Windows

Badacze bezpieczeństwa z Microsoft Defender ostrzegają przed nowym wariantem kampanii malware, w której cyberprzestępcy za pomocą phishingu nakłaniają użytkowników do instalacji złośliwego oprogramowania typu infostealer (Lumma Stealer). Atak opiera się na technice ClickFix, polegającej na przekonaniu użytkownika do uruchomienia złośliwych poleceń PowerShell.TLDR: Schemat ataku jest dosyć prosty. Korzystając z socjotechniki...

#Aktualności #Clickfix #LummaStealer #Microsoft #Windows #WindowsDefender

https://sekurak.pl/nowy-wariant-metody-clickfix-cyberprzestepcy-rezygnuja-z-winr-na-rzecz-winx-i-terminala-windows/

#windowsdefender #windows #microsoft #lummastealer #clickfix #aktualnosci

sekurak News @[email protected] · 2026-03-17 · 01:20 UTC

Nowy wariant metody ClickFix – cyberprzestępcy rezygnują z Win+R na rzecz Win+X i Terminala Windows

Badacze bezpieczeństwa z Microsoft Defender ostrzegają przed nowym wariantem kampanii malware, w której cyberprzestępcy za pomocą phishingu nakłaniają użytkowników do instalacji złośliwego oprogramowania typu infostealer (Lumma Stealer). Atak opiera się na technice ClickFix, polegającej na przekonaniu użytkownika do uruchomienia złośliwych poleceń PowerShell.TLDR: Schemat ataku jest dosyć prosty. Korzystając z socjotechniki...

#Aktualności #Clickfix #LummaStealer #Microsoft #Windows #WindowsDefender

https://sekurak.pl/nowy-wariant-metody-clickfix-cyberprzestepcy-rezygnuja-z-winr-na-rzecz-winx-i-terminala-windows/

#aktualnosci #clickfix #lummastealer #microsoft #windows #windowsdefender

TechNadu @[email protected] · 2026-02-16 · 17:13 UTC

CTM360 identifies an active campaign leveraging Google Groups and Google-hosted redirect chains to deliver Lumma Stealer (Windows) and a trojanized Chromium fork branded “Ninja Browser” (Linux).
Technical highlights:
• 950MB padded executable (null-byte inflation)
• AutoIt loader reconstruction
• Memory-resident payload execution
• Multipart/form-data POST exfiltration
• Malicious extension “NinjaBrowserMonetisation”
• XOR + Base56-like JS obfuscation
• Scheduled task persistence
• Russian search engine default modification

This campaign reinforces a critical shift: SaaS platforms are now delivery infrastructure.
Defensive priorities:
– IoC blocking at firewall + EDR
– Redirect chain inspection
– Extension audit controls
– Endpoint scheduled task monitoring

How are you adjusting detection engineering for SaaS-based malware distribution?
Engage below.

Source: https://www.ctm360.com/reports/ninja-browser-lumma-infostealer

Follow @technadu for ongoing threat intelligence coverage.

#ThreatIntel #MalwareResearch #DetectionEngineering #SOCOperations #EDR #CloudSecurity #SaaSAbuse #LummaStealer #LinuxThreats #CTM360 #IncidentResponse

#threatintel #malwareresearch #detectionengineering #socoperations #edr #cloudsecurity

TechNadu @[email protected] · 2026-02-16 · 17:13 UTC

CTM360 identifies an active campaign leveraging Google Groups and Google-hosted redirect chains to deliver Lumma Stealer (Windows) and a trojanized Chromium fork branded “Ninja Browser” (Linux).
Technical highlights:
• 950MB padded executable (null-byte inflation)
• AutoIt loader reconstruction
• Memory-resident payload execution
• Multipart/form-data POST exfiltration
• Malicious extension “NinjaBrowserMonetisation”
• XOR + Base56-like JS obfuscation
• Scheduled task persistence
• Russian search engine default modification

This campaign reinforces a critical shift: SaaS platforms are now delivery infrastructure.
Defensive priorities:
– IoC blocking at firewall + EDR
– Redirect chain inspection
– Extension audit controls
– Endpoint scheduled task monitoring

How are you adjusting detection engineering for SaaS-based malware distribution?
Engage below.

Source: https://www.ctm360.com/reports/ninja-browser-lumma-infostealer

Follow @technadu for ongoing threat intelligence coverage.

#ThreatIntel #MalwareResearch #DetectionEngineering #SOCOperations #EDR #CloudSecurity #SaaSAbuse #LummaStealer #LinuxThreats #CTM360 #IncidentResponse

#threatintel #malwareresearch #detectionengineering #socoperations #edr #cloudsecurity

TechNadu @[email protected] · 2026-02-16 · 17:13 UTC

CTM360 identifies an active campaign leveraging Google Groups and Google-hosted redirect chains to deliver Lumma Stealer (Windows) and a trojanized Chromium fork branded “Ninja Browser” (Linux).
Technical highlights:
• 950MB padded executable (null-byte inflation)
• AutoIt loader reconstruction
• Memory-resident payload execution
• Multipart/form-data POST exfiltration
• Malicious extension “NinjaBrowserMonetisation”
• XOR + Base56-like JS obfuscation
• Scheduled task persistence
• Russian search engine default modification

This campaign reinforces a critical shift: SaaS platforms are now delivery infrastructure.
Defensive priorities:
– IoC blocking at firewall + EDR
– Redirect chain inspection
– Extension audit controls
– Endpoint scheduled task monitoring

How are you adjusting detection engineering for SaaS-based malware distribution?
Engage below.

Source: https://www.ctm360.com/reports/ninja-browser-lumma-infostealer

Follow @technadu for ongoing threat intelligence coverage.

#ThreatIntel #MalwareResearch #DetectionEngineering #SOCOperations #EDR #CloudSecurity #SaaSAbuse #LummaStealer #LinuxThreats #CTM360 #IncidentResponse

#incidentresponse #ctm360 #linuxthreats #lummastealer #saasabuse #cloudsecurity

TechNadu @[email protected] · 2026-02-16 · 17:13 UTC

CTM360 identifies an active campaign leveraging Google Groups and Google-hosted redirect chains to deliver Lumma Stealer (Windows) and a trojanized Chromium fork branded “Ninja Browser” (Linux).
Technical highlights:
• 950MB padded executable (null-byte inflation)
• AutoIt loader reconstruction
• Memory-resident payload execution
• Multipart/form-data POST exfiltration
• Malicious extension “NinjaBrowserMonetisation”
• XOR + Base56-like JS obfuscation
• Scheduled task persistence
• Russian search engine default modification

This campaign reinforces a critical shift: SaaS platforms are now delivery infrastructure.
Defensive priorities:
– IoC blocking at firewall + EDR
– Redirect chain inspection
– Extension audit controls
– Endpoint scheduled task monitoring

How are you adjusting detection engineering for SaaS-based malware distribution?
Engage below.

Source: https://www.ctm360.com/reports/ninja-browser-lumma-infostealer

Follow @technadu for ongoing threat intelligence coverage.

#ThreatIntel #MalwareResearch #DetectionEngineering #SOCOperations #EDR #CloudSecurity #SaaSAbuse #LummaStealer #LinuxThreats #CTM360 #IncidentResponse

#threatintel #malwareresearch #detectionengineering #socoperations #edr #cloudsecurity

TechNadu @[email protected] · 2026-02-16 · 07:29 UTC

DNS-based staging via ClickFix represents tactical evolution.

Per Microsoft:
• Cmd.exe → nslookup execution
• Hardcoded external DNS resolver
• Payload embedded in DNS Name: response
• ZIP retrieval from azwsappdev[.]com
• Python-based reconnaissance
• VBScript persistence via Startup LNK
• ModeloRAT deployment
• Lumma Stealer distribution via CastleLoader (GrayBravo)

Campaign telemetry also discussed by Bitdefender and Kaspersky.

DNS offers:
• Reduced dependency on HTTP
• Traffic blending with legitimate queries
• Lightweight validation signaling

Detection priorities:
• Anomalous nslookup patterns
• External DNS resolver usage
• Suspicious Startup LNK creation
• DNS response content inspection

Is your EDR correlating DNS queries with process lineage?
Engage below.
Follow @technadu for advanced threat analysis.

#ThreatIntel #ClickFix #DNSStaging #ModeloRAT #LummaStealer #CastleLoader #DetectionEngineering #BlueTeam #SOC #Infosec #CyberOperations #MalwareAnalysis

#threatintel #clickfix #dnsstaging #modelorat #lummastealer #castleloader

The Threat Codex @[email protected] · 2026-02-12 · 16:00 UTC

LummaStealer Is Getting a Second Life Alongside CastleLoader
#LummaStealer #CastleLoader
https://www.bitdefender.com/en-us/blog/labs/lummastealer-second-life-castleloader

#lummastealer #castleloader

Brad @[email protected] · 2026-02-02 · 03:47 UTC

2026-02-01 (Sunday): It's easy enough to find #LummaStealer malware samples.

Just do a Google search for cracked versions of popular software and specify site:drive.google.com.

Details on today's haul at https://github.com/malware-traffic/indicators/blob/main/2026-02-01-Google-Drive-links-lead-to-Lumma-Stealer.txt

#lummastealer

Brad @[email protected] · 2026-01-29 · 02:34 UTC

2026-01-22 (Thursday): #RemcosRAT infection persistent on an infected Windows host. This was caused by #ClickFix instructions from #SmartApeSG through a fake CAPTCHA page. Details of this #Remcos #RAT infection are available at https://www.malware-traffic-analysis.net/2026/01/06/index.html

I've also added three other blog entries from infections I generated in my lab on Tuesday, 2026-01-20. Those can be found at https://www.malware-traffic-analysis.net/2026/index.html