Unmasking the Lumma Stealer Campaign

Lumma Stealer, a potent information-stealing malware, emerged in 2022, targeting sensitive data like browser-stored passwords, cryptocurrency wallets, and 2FA tokens. It spreads through phishing campaigns and malicious downloads, posing significant risks to individuals and organizations in the cybersecurity landscape.

Forcepoint has identified a distinctive Lumma Stealer campaign leveraging a sophisticated URL-based delivery mechanism to deploy malware. This campaign integrates multiple steps, beginning with URLs embedded within PDFs and followed by a series of dropper URLs. These techniques highlight an advanced level of obfuscation, designed to evade detection while tricking users into inadvertently executing malicious payloads. 

One standout feature of the campaign is the inclusion of a dynamic element: a unique password that is generated for every downloaded archive file. This behaviour adds another layer of complexity, making traditional signature-based detection and analysis more challenging. It also reflects the increasing adaptability of threat actors behind malware like Lumma Stealer, who continuously refine their delivery methods to outpace security solutions.

The campaign's file delivery chain highlights its intricate design: it begins with a URL leading to a PDF file, which contains another URL. This chain progresses through several intermediary URLs before eventually delivering a password-protected archive file. Within this archive file lies the executable payload that initiates the malware infection. This elaborate sequence not only demonstrates the technical sophistication of the threat but also underscores the importance of robust cybersecurity defences to detect and mitigate such evasive attacks.

The campaign's file delivery chain can be outlined as follows: 

Fig. 1 - Lumma attack chain

Stage 1: Initial Access – Malicious URLs via Legitimate Infrastructure

The Lumma Stealer campaign initiates with a strategically crafted URL that leads the user to a PDF file. At face value, both the URL and the document appear benign, effectively reducing suspicion and bypassing initial detection. The attackers leverage the credibility of widely recognized hosting services to host these malicious PDFs, including platforms like wsimg.com and cdn-website.com.

This abuse of legitimate infrastructure is a growing trend in cybercrime, aligning with Forcepoint X-Labs’ 2025 Future Insights report, which predicted a rise in attackers co-opting trusted services to blend into normal traffic and evade detection. Hosting malicious content on well-known platforms not only increases the chance of user interaction, since they seem familiar and trustworthy, but also challenges traditional URL-based detection mechanisms that rely heavily on reputation scores.

Once the user accesses the PDF, the document contains clickable links that seamlessly guide them further down the malware delivery chain. This stage is crucial in setting up the infection, relying on subtlety, familiarity, and trust to lure the victim in.

Examples of observed malicious URL patterns include:

• hxxps://cdn-website[.]com/files/invoice_312456.pdf  
• hxxps://wsimg[.]com/documents/job_offer_details.pdf  

Stage 2: Downloaded PDF – Social Engineering via Fake Bot Check

In the second stage of this campaign, the attacker delivers a malicious PDF file designed to resemble a standard "bot check" page, mimicking familiar visual elements that imply the user must verify they are human. This is a classic social engineering tactic meant to exploit user trust and urgency.

What makes this PDF particularly deceptive is that the entire page is clickable, not just specific buttons or links. Any user interaction—whether intentional or accidental—triggers a malicious embedded hyperlink, moving the victim seamlessly into the next stage of the attack chain.

Once clicked, the PDF launches a series of rapid URL redirections. These hops traverse through multiple intermediary domains before finally landing on the site hosting the actual payload. This multi-layered redirection strategy serves two key purposes:  

• Evasion: It obscures the true destination of the link, making detection by security tools more challenging.
• Obfuscation: It allows attackers to insert additional logic or checks (e.g., geofencing, user-agent filtering) along the way.
• While the PDF may appear as a simple bot verification prompt, its true function is to quietly move the user deeper into the malicious infrastructure. 

Fig. 2 - PDF file and fake CAPTCHA

Stage 3: Multiple URL Redirection

From stage 2, when fake CAPTCHA in the PDF is clicked, it follows series of redirections. These redirections follow below mentioned URLs before reaching final landing page which hosts malicious file.
 

Redirected URLs:

• hxxps://lusejoripifofo.robazumuxi.com/fps.php
• hxxps://lusejoripifofo.robazumuxi.com/mgo.php?q=request+for+business+cooperation+sample+letter&s1=onp1p969jcpc
• hxxps://berapt-medii.com/2025/01/14/rewriting-the-rules-innovative-game-mechanics-unveiled/
  utm_source=onp1p969jcpc&utm_term=request%20for%20business%20cooperation%20sample%20letter
  &utm_content=onp1p969jcpc&utm_medium=link
• hxxps://berapt-medii.com/2025/01/14/rewriting-the-rules-innovative-game-mechanics-unveiled/?utm_term=request+for+business+cooperation+sample+letter
  &utm_content=onp1p969jcpc&utm_medium=link&utm_source=cQB8d049103b90000000008066419
  &referer=https%3A%2F%2Flusejoripifofo.robazumuxi.com%2F
• hxxps://media.site34l.cyou/request_for_business_cooperation_sample_letterarchive
  ?c=AO5Z_mfScAUA_YUCAEdCFwASAAAAAAB3 (final page)

Stage 4: Dynamic Password-Protected Payload Delivery

The fourth stage of this campaign is the most distinctive and complex element of the infection chain. At this point, the final URL provides users with a downloadable archive file, paired with a password required to unlock its contents. This dynamic protection approach makes the campaign exceptionally challenging to block or analyse effectively.

Inside the archive file, users find a large executable file (.exe) having file size (>800mb, which acts as the Lumma Stealer’s payload. Accompanying this stage are explicit instructions that urge users to copy and paste the URL from the final link to download the archive file, open it using the password, and then execute the .exe file through the command prompt. By providing such clear guidance, the attackers ensure that users follow the exact steps required to successfully infect their systems.

Additionally, the final URL hosting the archive file is geofenced, accessible only in specific regions such as Georgia, Russia, and the Caucasus region of Eastern Europe and West Asia. This restriction may indicate targeted operations in these areas, reflecting a strategic focus on demographics or regional vulnerabilities. The geofencing adds a layer of intrigue to this stage, suggesting deliberate planning in the campaign’s deployment.

Fig. 3 - Password-protected archive final landing page

Fig. 4  - Archive containing large executable file
 

Above stages describe how the final payload is delivered via multiple URL redirections. Next, we will be having a look at analysis of payload. 

Stage 5: Executable Analysis:

On the successful download of the password-protected archive file, we find a large executable file inside the archive. 
The executable is compiled using Nullsoft software and is not packed.

Fig. 5 - Executable information

On statically analysing the executable file, we found a few suspicious API calls which are being used for multiple file creations in the temp folder. Below are some of them:

• CreateDirectoryW – Creates a directory in \\Appdata\\Local\\Temp
• CopyFileW – Copies one file's content to another
• GetTempPathW – Gets the Temp path from and modifies/writes data
• CreateFileW – Used to create a file
• ShellExecuteW – Used to execute any commands via the command line

Fig. 5.1 - CreateFileW used to create files in the temp folder

Fig. 5.2  - Loop to create multiple .accde files in the temp folder

Files created in \\Appdata\\Temp folder:

• Nr.accde
• Champagne.accde
• Do.accde
• Challenging.accde
• Receptors.accde
• Deemed.accde
• Horizontal.accde
• Mars.accde
• Transcription.accde
• Mars.accde.bat

Stage 6 - Accde File Overview

A .accde is a compiled Microsoft Access Database file, which is a read-only version of the .accdb file. It is used primarily for the distribution, security, and protection of VBA code in Access applications. In this campaign, the attacker leverages .accde files to host malicious VB codes in a protected format, making analysis more difficult.

Here we are showing information for one of the .accde files named Mars.accde.:

Fig. 6.1 - Mars.accde

Some parts of Mars.accde are not found to be encrypted. It contains compiled VBA logic, and some embedded form/module identifiers remain in the binary. These can be table names, queries, or linked resources that are copied to Mars.accde.bat. 

Shown below is the creation of Mars.accede.bat by copying the contents of Mars.accde and executing it using ShellExecuteW. 

Fig. 6.2 - ShellExecuteW used to execute Mars.accde.bat using the  command line

As we can observe contents from Mars.accde is getting copied to Mars.accde.bat file. Let us have a deeper look at the .bat file.

In the first instance, the .BAT file looks like it is filled with garbage values, but if we have a closer look at it, we see some parameters/names that are taken from compiled Microsoft Access DB (.accde) files. These .accde files combine and make an Auto IT-compiled executable, Alexander.com, which is an Auto IT file loader.

Stage 7 - Brief Working of .BAT Script 

• The script scans for security software terms like opssvc (Online Protection System), which is a component of Quick Heal Total Security and Quick Heal antivirus, and wrsa, which is a component of Webroot Secure Anywhere Program. If any of them are detected, the script delays execution via the ping –n 188 command, which pings the local host 188 times. This technique is commonly used for sandbox evasion, where the malware exits before the ping operation can complete, thereby avoiding detection.
• The script also checks for the presence of AVs like Sophos, AVG, and Avast.
• The script creates a directory named 283528 in the AppData\\Local\\Temp folder to store malicious files.
• Using findstr, the script tries to find the filename “Farmer” from the initial executable file, which is Nullsoft compiled, and attempts to filter and clean the string “continuity” and store the result in Alexander.com.
• The script then uses the copy /b command to merge Alexander.com with additional components from the Nullsoft compiled executable: Pocket, Treasure, Dealtime, Apparatus, Sys, Internationally, Dictionaries, and many others, forming an Auto IT executable.
• The script then concatenates with other .accde files, Receptors, Do, and Transcription to generate the file o.a3x, which is an AutoIt script.
• The script provides the user a choice from the list of choices using choice.exe. Here, the default value for the execution of the script is selected as Y (yes) and automatically exits in 5 seconds. Finally, the script executes Alexander.com, which further executes o.a3x, triggering an Auto IT-based Lumma stealer.

Fig. 7.1 - Batch script command and functions

Fig. 7.2 - Execution of Alexander.com from batch script

Stage 8: AutoIT Script Analysis

During analysis of the final payload Alexander.com, which is an AutoIT loader, we observed the payload runs a script o.a3x, which is an AutoIT compiled script. The presence of “AU3!EA06” shows that the script is AutoIT compiled.

 Fig. 8.1 - Encoded AutoIT script
 

On decompiling the script using AutoIT script de-compiler, we get the decrypted script.

Fig. 8.2 - Decrypted script

On decrypting the script, we still find the file to be obfuscated. Below is the observation of code obfuscation. 

• Multiple functions having HAWKFREEDOM
• Having obfuscated strings “70}89}81}70}83}74}78}70}79}85}66}77}46}83}70}81}83}80} ....” which can be de-obfuscated by splitting and subtracting an offset to convert it into readable strings.
• Repeated DllCall, DllStructCreate
• Suspicious behaviour like calling APIs PixelGetColor, DirGetSize, MemGetStats, and especially DllCall with dynamic parameters suggests it is interacting with or manipulating the system or environment.

On de-obfuscating the script, we found several activities performed by the script. These activities are pointed out below: 

• Anti-Analysis via obfuscation and dynamic string de-obfuscation
• DLL Injection and System Info Collection

Fig. 8.3 - DLLCall obfuscated strings

 Fig. 8.4 - DllCall after de-obfuscation
 

• DllCall functions when de-obfuscated code gives content like DllCall("kernel32.dll", "WriteProcessMemory", ...)
• Strings are de-obfuscated from the script using techniques like Caesar shift and XOR decryption algorithms, which include subtracting the value from the offset and converting values to ASCII characters.
• The script has an Execute function that can run:
  - Another AutoIt Script 
  - A compiled payload 
  - And decrypt code from previous steps in the script
   

Fig. 8.5 - Execute function in script

The pointers below summarize the what the script executes: 

• The script can perform in-memory shellcode execution. The script is capable of injecting into its own process (Alexander.com), which can be obtained by repeated use of DllCall(“kernel32.dll”, “ptr”, “GetCurrentProcess”)\Second stage payload execution using the Execute function.
• Second stage payload execution using the Execute function.
• Obfuscated C2 in encrypted strings. From the script, ObjGet( function is used to connect to C2, which de-obfuscates to something like a moniker string or CLSID URL, pointing to a remote COM object or ActiveX control, which is a well-known fileless C2 method.
• Executing code from memory

While the file (Alexander.com) is running, it tries to connect to sites like t[.]me, steamcommunity[.]com, and C2s like dogalmedical[.]org for data exfiltration. Lumma Stealer uses TLS for C2 communication because this protocol offers encrypted communication, which makes it difficult to detect malware activity over the communication. 

 Fig. 8.6 - C2 connections

Stage 9: Data Exfiltration

After receiving the response from the C2 server, the malware begins to exfiltrate data from the victim’s system. The data is collected in the form of web browser history, extensions, login data, and cache. It also targets user-sensitive files, Telegram data, email clients, cryptocurrency wallets, FTP, and Remote client data and more.

Fig. 9.1 - Email client data

Fig. 9.2 - Telegram data

Fig. 9.3 - FTP data 

Fig.9.4 - Remote client data

Fig. 9.5- Crypto wallet data

 Fig. 9.6 - Data exfiltration 

Conclusion

The Lumma Stealer campaign highlights a layered and evolving malware delivery strategy that blends social engineering with abuse of legitimate infrastructure to bypass defences. From trusted hosting platforms to deceptive bot-check PDFs and multi-stage redirects, each step is designed to reduce suspicion while advancing the infection chain. The multi-stage redirects take the user to a final page where they are asked to download a password-protected archive file. The archive file contains a large executable file  (>800MB). Upon execution, it performs a series of actions including creating .accde files in the \\Appdata\\Local\\Temp folder, which is then used to create an AutoIT compiled executable along with a malicious .a3x script. This malware, after being executed in the victim’s system, is capable of stealing user-sensitive data such as browser credentials, ftp and remote client data, Telegram data and other sensitive information.

This variant stands out by going beyond phishing, delivering concrete evidence of active malware deployment, and revealing key Indicators of Compromise (IOCs) that can aid in detection and response. The sophistication and execution of this campaign underscore the importance of vigilance, layered defences and threat intelligence in today’s threat landscape.

Protection statement:

• Stage 3 (Redirect) – Blocked URLs that download further payload.
• Stage 5 (Dropper File) - The dropper files are added to Forcepoint malicious database and are blocked.
• Stage 6 (Call Home) – C2 servers are categorized under the security category and blocked.
   

 NGFW Protection Statement:
•    The malicious PDF files are blocked by the GTI file reputation service if it is enabled.

IOCs

URLs: 

• hxxps://assets.websitefiles[.]com/65e88a83310831005ea7083a/65f6aedf35a8b452bbe158a8_75842919999.pdf
• hxxps://assets.websitefiles[.]com/65f00a69b7e1e742d39f12df/65f6cf5b7d17b07b89535842_90431402255.pdf
• hxxps://assets.websitefiles[.]com/65f045335158d93fe6402d1b/65f360191df26a6d0d0ddbbc_28378107181.pdf
• hxxps://assets.websitefiles[.]com/660044d3442d6de37d60189f/66315aeb56f180ea022cd0e3_murajivezir.pdf
• hxxps://c2ebbd31-8de7-4bc1-ab8e2718fb224635.filesusr[.]com/ugd/b90ce7_bd17131436604e79a36393ea84e30cce.pdf
• hxxps://cdn.prod.websitefiles[.]com/65e877bca57066ca452b4066/6724547314f143e98b39ca70_19086120525.pdf
• hxxps://cdn.prod.websitefiles[.]com/65f01e96ebd39df85ea7fc0a/67173d78f2e55cdd11ee58f4_48832576661.pdf
• hxxps://cdn.prod.websitefiles[.]com/65ffec4ca5efd4c62c5b80a1/66deb68f647f66428162c921_duwugu.pdf
• hxxps://cdn.prod.websitefiles[.]com/67239106702336343e97a24e/674c14175018931737ea2eff_9678374467.pdf
• hxxps://cdn.prod.websitefiles[.]com/67239106702336343e97a24e/674c14175018931737ea2eff_9678374467.pdf
• hxxps://img1.wsimg[.]com/blobby/go/1bfc168f-d0df-43cb
  a73ed0c80e42fe5c/downloads/formulaire_virement_international_banque_postale.pdf
• hxxps://img1.wsimg[.]com/blobby/go/91a706e9-d066-47d7-89af69535d865c3d/downloads/bokaxulusodibir.pdf
• hxps://img1.wsimg[.]com/blobby/go/af0be9d0-b995-4f2a-8f66-25f04f50db42/downloads/rubetugetafapojopodibom.pdf
• hxxps://img1.wsimg[.]com/blobby/go/f7748e26-2d27-4aa6-89fbb263de90f421/downloads/tilovapexof.pdf
• hxxps://irp.cdn-website[.]com/4683bcc6/files/uploaded/80723380.pdf hxxps://irp.cdn
• website[.]com/a020f79d/files/uploaded/62238594.pdf
• hxxps://jagunafine.weebly[.]com/uploads/1/3/4/3/134363358/koduwebe_ropetow_degodapafumiku.pdf
• hxxps://notapogixunimo.weebly[.]com/uploads/1/3/4/3/134363186/8474e.pdf
• hxxps://trabaja[.]xyz/wpcontent/uploads/2021/09/Empresas-Espanolas-para-trabajar-enArgelia.pdf
• hxxps://uploads.strikinglycdn[.]com/files/b723f54e-c395-4ee8-a471-61584b920b1a/remumajiri.pdf
• hxxps://uploadsssl.webflow[.]com/65f043d4f92470129b4e5799/65f8fea4c897f0bac9dd5202_76924107039.pdf
• hxxps://veszpremkosar[.]hu/_user/file/60055992296.pdf
• hxxps://cdn-website[.]com/files/invoice_312456.pdf  
• hxxps://wsimg[.]com/documents/job_offer_details.pdf
• hxxps://websitefiles[.]com/assets/report-Q1_2025.pdf

File hashes (SHA1):

• fb5c226719aa7c3cbf1b187e7cc15dd2bfe44581 - PDF
• 04b5c00440171062abaa53f5228ef91ac064bb45 – PDF
• 71ebb6b0f5d669e5e53f07ab283e1028252b3c33– PDF
• bb61645305a9e87f6571c49918391b83022b22ca– PDF
• a00e3a1ecced7d3098a35c83b1adc494fb9fe3d8– PDF
• e32145901e539b4d33212fa4485cca531f521ce5 - ARCHIVE
• ec69088d1409444de60c3c6aba5021194839d7ba – EXE
• d7cd79911d2fbb575777b26ecf32da1d0965291f - .bat
• 2c8ec98431a788f18f1865c7d742deb741a927b3 – a3x 

C2:

• hxxps://econnit[.]digital/tqoi
• hxxps://changeaie[.]top/geps
• hxxps://lonfgshadow[.]live/xawi
• hxxps://liftally[.]top/xasj
• hxxps://nighetwhisper[.]top/lekd
• hxxps://salaccgfa[.]top/gsooz
• hxxps://zestmodp[.]top/zeda
• hxxps://owlflright[.]digital/qopy
• hxxps://4liftally[.]top/xasj
• hxxps://jawdedmirror[.]run/ewqd
• hxxps://dogalmedical[.]org
• hxxps://t[.]me/lolypop343