Lumma Infostealer Continues Its GitHub Social Engineering Campaign
Summary:
According to researchers at Piccus Security, Lumma Stealer is a rapidly evolving information-stealing malware that has played a significant role in numerous cybercrime campaigns throughout 2024 and 2025. Marketed as a Malware-as-a-Service by a threat actor using the aliases “Shamel” or “Lumma,” the malware is sold through tiered subscriptions, making it accessible to both skilled and inexperienced cybercriminals. This business model has contributed to a 369% surge in Lumma infections, with threat actors leveraging trusted platforms such as GitHub to distribute malicious payloads. Piccus researchers highlight that Lumma is distinct in its use of advanced evasion techniques, including sandbox detection, payload encryption, and abuse of legitimate system tools like PowerShell and mshta.exe. Financial gain is the primary motive behind its deployment, as Lumma enables the theft of credentials, banking details, cryptocurrency wallets, and other sensitive data that can be resold or used for fraud and identity theft.
According to the blog, campaigns observed in 2024-2025 often involve affiliate actors who purchase and deploy Lumma. One example includes a threat group dubbed “Stargazer Goblin,” which has used compromised websites and GitHub repositories to propagate the malware. These campaigns rely heavily on social engineering tactics to gain initial access, often impersonating GitHub notifications or inserting fake support comments that direct developers to download infected files. In many cases, victims unknowingly execute trojanized applications hosted on GitHub’s legitimate infrastructure, making the malicious downloads appear trustworthy. Piccus researchers also documented instances of malvertising, where poisoned online ads redirected users to fake CAPTCHA pages. Victims who interacted with these pages were tricked into running malicious PowerShell commands that led to Lumma Stealer infections.
Execution typically occurs when users launch these seemingly legitimate files, which are sometimes signed with stolen digital certificates to bypass security warnings. Once executed, the malware may unpack multiple components, such as DLLs or scripts, and employ techniques like process hollowing to inject code into legitimate processes. Piccus Security notes that Lumma campaigns also use scripting and system binaries to load the malware into memory, often avoiding traditional disk-based detection methods. For example, attackers have been observed using mshta.exe to run obfuscated JavaScript hosted remotely, followed by PowerShell commands that retrieve and execute the final Lumma payload in memory. Persistence mechanisms, though not always present, include creating startup shortcuts or scheduled tasks that ensure re-execution of malicious scripts.
Security Officer Comments:
Once active on a victim’s system, Lumma Stealer focuses on harvesting sensitive information. Piccus reports that it targets web browsers to extract saved credentials, session cookies, auto-fill data, and browsing histories. The malware also searches for cryptocurrency wallets, 2FA seeds, and other financial data stored in browser extensions. Keylogging and clipboard scraping features are sometimes employed to capture additional information. All stolen data is exfiltrated to attacker-controlled command-and-control servers over HTTP or HTTPS, typically in encrypted form. This enables attackers to quickly monetize infections by selling the data on underground markets or using it to access victims' personal and corporate accounts. Piccus Security’s analysis demonstrates that Lumma Stealer’s sophistication, combined with its broad distribution model and evasive techniques, makes it one of the most impactful infostealers in circulation today.
Suggested Corrections:
User Training: Educate employees to recognize phishing lures, fake GitHub comments, and malicious CAPTCHA prompts. Reinforce caution around downloading “fixes” or running commands from unverified sources.
Application Control: Implement allowlisting to block execution of unauthorized files, especially from temp directories or ZIP archives. Prevent unsigned or suspicious binaries from launching.
Endpoint Detection and Response (EDR): Use EDR solutions to detect signs of process hollowing, script-based execution, and abuse of LOLBins. Monitor for Base64-encoded PowerShell and remote HTA execution.
Credential Protection: Disable browser password storage on corporate machines. Encourage the use of encrypted password managers and enable MFA to reduce the impact of stolen credentials.
Persistence Monitoring: Audit startup folders and scheduled tasks for malicious entries. Investigate .url shortcuts or JavaScript payloads that launch via mshta or wscript.
Threat Intelligence and Domain Blocking: Integrate threat intelligence to block known Lumma domains and IPs. Filter shortened links and suspicious GitHub release URLs at the network level.
Patch and Update: Regularly apply security patches to browsers, extensions, and system software to reduce the risk of exploitation through outdated components.
Link(s):
https://www.picussecurity.com/resou...tinues-its-github-social-engineering-campaign
According to researchers at Piccus Security, Lumma Stealer is a rapidly evolving information-stealing malware that has played a significant role in numerous cybercrime campaigns throughout 2024 and 2025. Marketed as a Malware-as-a-Service by a threat actor using the aliases “Shamel” or “Lumma,” the malware is sold through tiered subscriptions, making it accessible to both skilled and inexperienced cybercriminals. This business model has contributed to a 369% surge in Lumma infections, with threat actors leveraging trusted platforms such as GitHub to distribute malicious payloads. Piccus researchers highlight that Lumma is distinct in its use of advanced evasion techniques, including sandbox detection, payload encryption, and abuse of legitimate system tools like PowerShell and mshta.exe. Financial gain is the primary motive behind its deployment, as Lumma enables the theft of credentials, banking details, cryptocurrency wallets, and other sensitive data that can be resold or used for fraud and identity theft.
According to the blog, campaigns observed in 2024-2025 often involve affiliate actors who purchase and deploy Lumma. One example includes a threat group dubbed “Stargazer Goblin,” which has used compromised websites and GitHub repositories to propagate the malware. These campaigns rely heavily on social engineering tactics to gain initial access, often impersonating GitHub notifications or inserting fake support comments that direct developers to download infected files. In many cases, victims unknowingly execute trojanized applications hosted on GitHub’s legitimate infrastructure, making the malicious downloads appear trustworthy. Piccus researchers also documented instances of malvertising, where poisoned online ads redirected users to fake CAPTCHA pages. Victims who interacted with these pages were tricked into running malicious PowerShell commands that led to Lumma Stealer infections.
Execution typically occurs when users launch these seemingly legitimate files, which are sometimes signed with stolen digital certificates to bypass security warnings. Once executed, the malware may unpack multiple components, such as DLLs or scripts, and employ techniques like process hollowing to inject code into legitimate processes. Piccus Security notes that Lumma campaigns also use scripting and system binaries to load the malware into memory, often avoiding traditional disk-based detection methods. For example, attackers have been observed using mshta.exe to run obfuscated JavaScript hosted remotely, followed by PowerShell commands that retrieve and execute the final Lumma payload in memory. Persistence mechanisms, though not always present, include creating startup shortcuts or scheduled tasks that ensure re-execution of malicious scripts.
Security Officer Comments:
Once active on a victim’s system, Lumma Stealer focuses on harvesting sensitive information. Piccus reports that it targets web browsers to extract saved credentials, session cookies, auto-fill data, and browsing histories. The malware also searches for cryptocurrency wallets, 2FA seeds, and other financial data stored in browser extensions. Keylogging and clipboard scraping features are sometimes employed to capture additional information. All stolen data is exfiltrated to attacker-controlled command-and-control servers over HTTP or HTTPS, typically in encrypted form. This enables attackers to quickly monetize infections by selling the data on underground markets or using it to access victims' personal and corporate accounts. Piccus Security’s analysis demonstrates that Lumma Stealer’s sophistication, combined with its broad distribution model and evasive techniques, makes it one of the most impactful infostealers in circulation today.
Suggested Corrections:
User Training: Educate employees to recognize phishing lures, fake GitHub comments, and malicious CAPTCHA prompts. Reinforce caution around downloading “fixes” or running commands from unverified sources.
Application Control: Implement allowlisting to block execution of unauthorized files, especially from temp directories or ZIP archives. Prevent unsigned or suspicious binaries from launching.
Endpoint Detection and Response (EDR): Use EDR solutions to detect signs of process hollowing, script-based execution, and abuse of LOLBins. Monitor for Base64-encoded PowerShell and remote HTA execution.
Credential Protection: Disable browser password storage on corporate machines. Encourage the use of encrypted password managers and enable MFA to reduce the impact of stolen credentials.
Persistence Monitoring: Audit startup folders and scheduled tasks for malicious entries. Investigate .url shortcuts or JavaScript payloads that launch via mshta or wscript.
Threat Intelligence and Domain Blocking: Integrate threat intelligence to block known Lumma domains and IPs. Filter shortened links and suspicious GitHub release URLs at the network level.
Patch and Update: Regularly apply security patches to browsers, extensions, and system software to reduce the risk of exploitation through outdated components.
Link(s):
https://www.picussecurity.com/resou...tinues-its-github-social-engineering-campaign