Back to Business: Lumma Stealer Returns with Stealthier Methods

    Date: 07/24/2025

    Severity: High

    Summary

    After its infrastructure was taken down in May 2025, Lumma Stealer resurfaced quickly. Between June and July 2025 activity surged again, now using stealthier delivery channels and evasion techniques. The malware steals credentials and private files, and its sale as malware-as-a-service (MaaS) puts it within reach of low-skilled attackers. Victims are typically lured through fake cracked software, malicious sites, or social media, exposing unaware employees and their organizations.

    Indicators of Compromise (IOC) List

    Domains\URLs :

    https://raw.githubusercontent.com/ferrn1la/Monotone-HWID-Spoofer/5a6acd95d8e321faee3bd97511f3545f6e75f7fd/Monotone.exe

    http://github.com/r1thessl1/Monotone-HWID-Spoofer/raw/refs/heads/main/Monotone.exe

    http://github.com/r1mslicks/FortniteSpoofer/raw/refs/heads/main/TempSpoofer.exe

    http://github.com/nallerth1/Monotone-HWID-Spoofer/raw/refs/heads/main/Monotone.exe

    http://github.com/lesth1alds/FortniteSpoofer/raw/refs/heads/main/TempSpoofer.exe

    http://github.com/l1cmahnne/Temp-Spoofer-LifeTime/raw/refs/heads/main/TempSpoofer.exe

    http://github.com/h1ttmela/Monotone-HWID-Spoofer/raw/refs/heads/main/Monotone.exe

    http://github.com/k1elen1hs/FortniteSpoofer/raw/refs/heads/main/TempSpoofer.exe

    http://github.com/ggarl1os/Monotone-HWID-Spoofer/raw/refs/heads/main/Monotone.exe

    http://github.com/k0ntarrs/FortniteSpoofer/raw/refs/heads/main/TempSpoofer.exe

    http://github.com/ferrn1la/Monotone-HWID-Spoofer/raw/refs/heads/main/Monotone.exe

    http://github.com/f1scow/FortniteSpoofer/raw/refs/heads/main/TempSpoofer.exe

    http://github.com/emrillate/Monotone-HWID-Spoofer/raw/refs/heads/main/Monotone.exe

    http://github.com/carr1stomh/FortniteSpoofer/raw/refs/heads/main/TempSpoofer.exe

    http://github.com/classtneh1/Temp-Spoofer-LifeTime/raw/refs/heads/main/TempSpoofer.exe

    http://github.com/charsavve/Temp-Spoofer-LifeTime/raw/refs/heads/main/TempSpoofer.exe

    http://github.com/caramm1t/Temp-Spoofer-LifeTime/raw/refs/heads/main/TempSpoofer.exe

    http://github.com/S0raEmptysky/Monotone-HWID-Spoofer/raw/refs/heads/main/Monotone.exe

    http://github.com/RAVV199/FortniteSpoofer/raw/refs/heads/main/TempSpoofer.exe

    http://github.com/Kitomofu/FortniteSpoofer/raw/refs/heads/main/TempSpoofer.exe

    http://github.com/BayMushroomcow/Temp-Spoofer-LifeTime/raw/refs/heads/main/TempSpoofer.exe

    https://raw.githubusercontent.com/ggarl1os/Monotone-HWID-Spoofer/e326762359914743e5d9e3e8320e5be2182b1c0c/Monotone.exe

    https://raw.githubusercontent.com/carr1stomh/FortniteSpoofer/edcf430af107ef18bcc3ed435791e1345a77031f/TempSpoofer.exe

    https://raw.githubusercontent.com/wrett1h/Monotone-HWID-Spoofer/f445555717a928a5e029dbf87b7a002e3d03b4c3/Monotone.exe

    https://raw.githubusercontent.com/svhcnenr/Temp-Spoofer-LifeTime/1cb620ea7a2c0dfb9d3779f0b2732b2a877fbc1f/TempSpoofer.exe

    https://github.com/svhcnenr/Temp-Spoofer-LifeTime/raw/refs/heads/main/TempSpoofer.exe

    https://github.com/ferrn1la/Monotone-HWID-Spoofer/raw/refs/heads/main/Monotone.exe

    https://github.com/lesth1alds/FortniteSpoofer/raw/refs/heads/main/TempSpoofer.exe

    https://raw.githubusercontent.com/am0slengh/SkriptGG/refs/heads/main/SkriptGG.exe

    http://raw.githubusercontent.com/spenddar1/Temp-Spoofer-LifeTime/refs/heads/main/TempSpoofer.exe

    http://swenku.xyz/gaok

    http://lnofi.xyz/qoei

    http://ryxpq.xyz/tpaz

    http://dzyzb.xyz/anby

    http://dkkig.xyz/xjau

    http://lodib.xyz/towq

    http://cexpxg.xyz/airq

    http://urarfx.xyz/twox

    http://reckdp.pics/xiar

    http://ycvduc.xyz/trie

    http://nbcsfar.xyz/tpxz

    http://cbakk.xyz/ajng

    http://trsuv.xyz/gait

    http://sqgzl.xyz/taoa

    http://plapwf.top/agnb

    http://narrathfpt.top/tekq

    http://escczlv.top/bufi

    http://localixbiw.top/zlpa

    http://korxddl.top/qidz

    http://stochalyqp.xyz/alfp

    http://diecam.top/laur

    http://citellcagt.top/gjtu

    https://ui3.fit/WeX.ini

    cbakk.xyz

    cexpxg.xyz

    fiuylj.top

    nbcsfar.xyz

    sqgzl.xyz

    trsuv.xyz

    urarfx.xyz

    ycvduc.xyz

    https://softwarescr.info/dl

    https://vfy2.help

    Hash (SHA-256) :

    388f910e662f69c7ab6fcf5e938ba813cf92c7794e5c3a6ad29c2d9276921ed3

    fa8be0ce6f177965a5cd2db80e57c49fb31083bd4ddcb052def24cfbf48d65b5

    64f6c0c0fd736c4a82f545aadc7a1c49d4cea77b14f4b526ef9da56a606eeb3d

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains\URLs 1 :

    domainname like "http://github.com/caramm1t/Temp-Spoofer-LifeTime/raw/refs/heads/main/TempSpoofer.exe" or url like "http://github.com/caramm1t/Temp-Spoofer-LifeTime/raw/refs/heads/main/TempSpoofer.exe" or siteurl like "http://github.com/caramm1t/Temp-Spoofer-LifeTime/raw/refs/heads/main/TempSpoofer.exe" or domainname like "https://raw.githubusercontent.com/svhcnenr/Temp-Spoofer-LifeTime/1cb620ea7a2c0dfb9d3779f0b2732b2a877fbc1f/TempSpoofer.exe" or url like "https://raw.githubusercontent.com/svhcnenr/Temp-Spoofer-LifeTime/1cb620ea7a2c0dfb9d3779f0b2732b2a877fbc1f/TempSpoofer.exe" or siteurl like "https://raw.githubusercontent.com/svhcnenr/Temp-Spoofer-LifeTime/1cb620ea7a2c0dfb9d3779f0b2732b2a877fbc1f/TempSpoofer.exe" or domainname like "http://swenku.xyz/gaok" or url like "http://swenku.xyz/gaok" or siteurl like "http://swenku.xyz/gaok" or domainname like "http://github.com/ggarl1os/Monotone-HWID-Spoofer/raw/refs/heads/main/Monotone.exe" or url like "http://github.com/ggarl1os/Monotone-HWID-Spoofer/raw/refs/heads/main/Monotone.exe" or siteurl like "http://github.com/ggarl1os/Monotone-HWID-Spoofer/raw/refs/heads/main/Monotone.exe" or domainname like "https://vfy2.help" or url like "https://vfy2.help" or siteurl like "https://vfy2.help" or domainname like "http://github.com/k0ntarrs/FortniteSpoofer/raw/refs/heads/main/TempSpoofer.exe" or url like "http://github.com/k0ntarrs/FortniteSpoofer/raw/refs/heads/main/TempSpoofer.exe" or siteurl like "http://github.com/k0ntarrs/FortniteSpoofer/raw/refs/heads/main/TempSpoofer.exe" or domainname like "http://escczlv.top/bufi" or url like "http://escczlv.top/bufi" or siteurl like "http://escczlv.top/bufi" or domainname like "http://localixbiw.top/zlpa" or url like "http://localixbiw.top/zlpa" or siteurl like "http://localixbiw.top/zlpa" or domainname like "http://korxddl.top/qidz" or url like "http://korxddl.top/qidz" or siteurl like "http://korxddl.top/qidz" or domainname like "http://github.com/lesth1alds/FortniteSpoofer/raw/refs/heads/main/TempSpoofer.exe" or url like "http://github.com/lesth1alds/FortniteSpoofer/raw/refs/heads/main/TempSpoofer.exe" or siteurl like "http://github.com/lesth1alds/FortniteSpoofer/raw/refs/heads/main/TempSpoofer.exe" or domainname like "http://github.com/k1elen1hs/FortniteSpoofer/raw/refs/heads/main/TempSpoofer.exe" or url like "http://github.com/k1elen1hs/FortniteSpoofer/raw/refs/heads/main/TempSpoofer.exe" or siteurl like "http://github.com/k1elen1hs/FortniteSpoofer/raw/refs/heads/main/TempSpoofer.exe" or domainname like "sqgzl.xyz" or url like "sqgzl.xyz" or siteurl like "sqgzl.xyz" or domainname like "http://lodib.xyz/towq" or url like "http://lodib.xyz/towq" or siteurl like "http://lodib.xyz/towq" or domainname like "http://github.com/ferrn1la/Monotone-HWID-Spoofer/raw/refs/heads/main/Monotone.exe" or url like "http://github.com/ferrn1la/Monotone-HWID-Spoofer/raw/refs/heads/main/Monotone.exe" or siteurl like "http://github.com/ferrn1la/Monotone-HWID-Spoofer/raw/refs/heads/main/Monotone.exe" or domainname like "https://github.com/lesth1alds/FortniteSpoofer/raw/refs/heads/main/TempSpoofer.exe" or url like "https://github.com/lesth1alds/FortniteSpoofer/raw/refs/heads/main/TempSpoofer.exe" or siteurl like "https://github.com/lesth1alds/FortniteSpoofer/raw/refs/heads/main/TempSpoofer.exe" or domainname like "http://github.com/RAVV199/FortniteSpoofer/raw/refs/heads/main/TempSpoofer.exe" or url like "http://github.com/RAVV199/FortniteSpoofer/raw/refs/heads/main/TempSpoofer.exe" or siteurl like "http://github.com/RAVV199/FortniteSpoofer/raw/refs/heads/main/TempSpoofer.exe" or domainname like "http://urarfx.xyz/twox" or url like "http://urarfx.xyz/twox" or siteurl like "http://urarfx.xyz/twox" or domainname like "http://github.com/r1mslicks/FortniteSpoofer/raw/refs/heads/main/TempSpoofer.exe" or url like "http://github.com/r1mslicks/FortniteSpoofer/raw/refs/heads/main/TempSpoofer.exe" or siteurl like "http://github.com/r1mslicks/FortniteSpoofer/raw/refs/heads/main/TempSpoofer.exe"

    Domains\URLs 2 :

    domainname like "https://raw.githubusercontent.com/ggarl1os/Monotone-HWID-Spoofer/e326762359914743e5d9e3e8320e5be2182b1c0c/Monotone.exe" or url like "https://raw.githubusercontent.com/ggarl1os/Monotone-HWID-Spoofer/e326762359914743e5d9e3e8320e5be2182b1c0c/Monotone.exe" or siteurl like "https://raw.githubusercontent.com/ggarl1os/Monotone-HWID-Spoofer/e326762359914743e5d9e3e8320e5be2182b1c0c/Monotone.exe" or domainname like "http://github.com/nallerth1/Monotone-HWID-Spoofer/raw/refs/heads/main/Monotone.exe" or url like "http://github.com/nallerth1/Monotone-HWID-Spoofer/raw/refs/heads/main/Monotone.exe" or siteurl like "http://github.com/nallerth1/Monotone-HWID-Spoofer/raw/refs/heads/main/Monotone.exe" or domainname like "http://github.com/Kitomofu/FortniteSpoofer/raw/refs/heads/main/TempSpoofer.exe" or url like "http://github.com/Kitomofu/FortniteSpoofer/raw/refs/heads/main/TempSpoofer.exe" or siteurl like "http://github.com/Kitomofu/FortniteSpoofer/raw/refs/heads/main/TempSpoofer.exe" or domainname like "http://narrathfpt.top/tekq" or url like "http://narrathfpt.top/tekq" or siteurl like "http://narrathfpt.top/tekq" or domainname like "http://trsuv.xyz/gait" or url like "http://trsuv.xyz/gait" or siteurl like "http://trsuv.xyz/gait" or domainname like "trsuv.xyz" or url like "trsuv.xyz" or siteurl like "trsuv.xyz" or domainname like "https://github.com/ferrn1la/Monotone-HWID-Spoofer/raw/refs/heads/main/Monotone.exe" or url like "https://github.com/ferrn1la/Monotone-HWID-Spoofer/raw/refs/heads/main/Monotone.exe" or siteurl like "https://github.com/ferrn1la/Monotone-HWID-Spoofer/raw/refs/heads/main/Monotone.exe" or domainname like "http://github.com/carr1stomh/FortniteSpoofer/raw/refs/heads/main/TempSpoofer.exe" or url like "http://github.com/carr1stomh/FortniteSpoofer/raw/refs/heads/main/TempSpoofer.exe" or siteurl like "http://github.com/carr1stomh/FortniteSpoofer/raw/refs/heads/main/TempSpoofer.exe" or domainname like "http://ryxpq.xyz/tpaz" or url like "http://ryxpq.xyz/tpaz" or siteurl like "http://ryxpq.xyz/tpaz" or domainname like "http://github.com/classtneh1/Temp-Spoofer-LifeTime/raw/refs/heads/main/TempSpoofer.exe" or url like "http://github.com/classtneh1/Temp-Spoofer-LifeTime/raw/refs/heads/main/TempSpoofer.exe" or siteurl like "http://github.com/classtneh1/Temp-Spoofer-LifeTime/raw/refs/heads/main/TempSpoofer.exe" or domainname like "http://cbakk.xyz/ajng" or url like "http://cbakk.xyz/ajng" or siteurl like "http://cbakk.xyz/ajng" or domainname like "http://dzyzb.xyz/anby" or url like "http://dzyzb.xyz/anby" or siteurl like "http://dzyzb.xyz/anby" or domainname like "https://raw.githubusercontent.com/ferrn1la/Monotone-HWID-Spoofer/5a6acd95d8e321faee3bd97511f3545f6e75f7fd/Monotone.exe" or url like "https://raw.githubusercontent.com/ferrn1la/Monotone-HWID-Spoofer/5a6acd95d8e321faee3bd97511f3545f6e75f7fd/Monotone.exe" or siteurl like "https://raw.githubusercontent.com/ferrn1la/Monotone-HWID-Spoofer/5a6acd95d8e321faee3bd97511f3545f6e75f7fd/Monotone.exe" or domainname like "https://github.com/svhcnenr/Temp-Spoofer-LifeTime/raw/refs/heads/main/TempSpoofer.exe" or url like "https://github.com/svhcnenr/Temp-Spoofer-LifeTime/raw/refs/heads/main/TempSpoofer.exe" or siteurl like "https://github.com/svhcnenr/Temp-Spoofer-LifeTime/raw/refs/heads/main/TempSpoofer.exe" or domainname like "urarfx.xyz" or url like "urarfx.xyz" or siteurl like "urarfx.xyz" or domainname like "http://citellcagt.top/gjtu" or url like "http://citellcagt.top/gjtu" or siteurl like "http://citellcagt.top/gjtu" or domainname like "nbcsfar.xyz" or url like "nbcsfar.xyz" or siteurl like "nbcsfar.xyz" or domainname like "http://sqgzl.xyz/taoa" or url like "http://sqgzl.xyz/taoa" or siteurl like "http://sqgzl.xyz/taoa" or domainname like "cbakk.xyz" or url like "cbakk.xyz" or siteurl like "cbakk.xyz" or domainname like "http://github.com/charsavve/Temp-Spoofer-LifeTime/raw/refs/heads/main/TempSpoofer.exe" or url like "http://github.com/charsavve/Temp-Spoofer-LifeTime/raw/refs/heads/main/TempSpoofer.exe" or siteurl like "http://github.com/charsavve/Temp-Spoofer-LifeTime/raw/refs/heads/main/TempSpoofer.exe" or domainname like "http://github.com/r1thessl1/Monotone-HWID-Spoofer/raw/refs/heads/main/Monotone.exe" or url like "http://github.com/r1thessl1/Monotone-HWID-Spoofer/raw/refs/heads/main/Monotone.exe" or siteurl like "http://github.com/r1thessl1/Monotone-HWID-Spoofer/raw/refs/heads/main/Monotone.exe" or domainname like "http://lnofi.xyz/qoei" or url like "http://lnofi.xyz/qoei" or siteurl like "http://lnofi.xyz/qoei" or domainname like "http://cexpxg.xyz/airq" or url like "http://cexpxg.xyz/airq" or siteurl like "http://cexpxg.xyz/airq" or domainname like "http://reckdp.pics/xiar" or url like "http://reckdp.pics/xiar" or siteurl like "http://reckdp.pics/xiar" or domainname like "http://diecam.top/laur" or url like "http://diecam.top/laur" or siteurl like "http://diecam.top/laur" or domainname like "https://ui3.fit/WeX.ini" or url like "https://ui3.fit/WeX.ini" or siteurl like "https://ui3.fit/WeX.ini" or domainname like "http://github.com/BayMushroomcow/Temp-Spoofer-LifeTime/raw/refs/heads/main/TempSpoofer.exe" or url like "http://github.com/BayMushroomcow/Temp-Spoofer-LifeTime/raw/refs/heads/main/TempSpoofer.exe" or siteurl like "http://github.com/BayMushroomcow/Temp-Spoofer-LifeTime/raw/refs/heads/main/TempSpoofer.exe"

    Domains\URLs 3 :

    domainname like "http://github.com/l1cmahnne/Temp-Spoofer-LifeTime/raw/refs/heads/main/TempSpoofer.exe" or url like "http://github.com/l1cmahnne/Temp-Spoofer-LifeTime/raw/refs/heads/main/TempSpoofer.exe" or siteurl like "http://github.com/l1cmahnne/Temp-Spoofer-LifeTime/raw/refs/heads/main/TempSpoofer.exe" or domainname like "http://github.com/h1ttmela/Monotone-HWID-Spoofer/raw/refs/heads/main/Monotone.exe" or url like "http://github.com/h1ttmela/Monotone-HWID-Spoofer/raw/refs/heads/main/Monotone.exe" or siteurl like "http://github.com/h1ttmela/Monotone-HWID-Spoofer/raw/refs/heads/main/Monotone.exe" or domainname like "http://github.com/f1scow/FortniteSpoofer/raw/refs/heads/main/TempSpoofer.exe" or url like "http://github.com/f1scow/FortniteSpoofer/raw/refs/heads/main/TempSpoofer.exe" or siteurl like "http://github.com/f1scow/FortniteSpoofer/raw/refs/heads/main/TempSpoofer.exe" or domainname like "http://github.com/emrillate/Monotone-HWID-Spoofer/raw/refs/heads/main/Monotone.exe" or url like "http://github.com/emrillate/Monotone-HWID-Spoofer/raw/refs/heads/main/Monotone.exe" or siteurl like "http://github.com/emrillate/Monotone-HWID-Spoofer/raw/refs/heads/main/Monotone.exe" or domainname like "http://github.com/S0raEmptysky/Monotone-HWID-Spoofer/raw/refs/heads/main/Monotone.exe" or url like "http://github.com/S0raEmptysky/Monotone-HWID-Spoofer/raw/refs/heads/main/Monotone.exe" or siteurl like "http://github.com/S0raEmptysky/Monotone-HWID-Spoofer/raw/refs/heads/main/Monotone.exe" or domainname like "https://raw.githubusercontent.com/carr1stomh/FortniteSpoofer/edcf430af107ef18bcc3ed435791e1345a77031f/TempSpoofer.exe" or url like "https://raw.githubusercontent.com/carr1stomh/FortniteSpoofer/edcf430af107ef18bcc3ed435791e1345a77031f/TempSpoofer.exe" or siteurl like "https://raw.githubusercontent.com/carr1stomh/FortniteSpoofer/edcf430af107ef18bcc3ed435791e1345a77031f/TempSpoofer.exe" or domainname like "https://raw.githubusercontent.com/wrett1h/Monotone-HWID-Spoofer/f445555717a928a5e029dbf87b7a002e3d03b4c3/Monotone.exe" or url like "https://raw.githubusercontent.com/wrett1h/Monotone-HWID-Spoofer/f445555717a928a5e029dbf87b7a002e3d03b4c3/Monotone.exe" or siteurl like "https://raw.githubusercontent.com/wrett1h/Monotone-HWID-Spoofer/f445555717a928a5e029dbf87b7a002e3d03b4c3/Monotone.exe" or domainname like "https://raw.githubusercontent.com/am0slengh/SkriptGG/refs/heads/main/SkriptGG.exe" or url like "https://raw.githubusercontent.com/am0slengh/SkriptGG/refs/heads/main/SkriptGG.exe" or siteurl like "https://raw.githubusercontent.com/am0slengh/SkriptGG/refs/heads/main/SkriptGG.exe" or domainname like "http://raw.githubusercontent.com/spenddar1/Temp-Spoofer-LifeTime/refs/heads/main/TempSpoofer.exe" or url like "http://raw.githubusercontent.com/spenddar1/Temp-Spoofer-LifeTime/refs/heads/main/TempSpoofer.exe" or siteurl like "http://raw.githubusercontent.com/spenddar1/Temp-Spoofer-LifeTime/refs/heads/main/TempSpoofer.exe" or domainname like "http://dkkig.xyz/xjau" or url like "http://dkkig.xyz/xjau" or siteurl like "http://dkkig.xyz/xjau" or domainname like "http://ycvduc.xyz/trie" or url like "http://ycvduc.xyz/trie" or siteurl like "http://ycvduc.xyz/trie" or domainname like "http://nbcsfar.xyz/tpxz" or url like "http://nbcsfar.xyz/tpxz" or siteurl like "http://nbcsfar.xyz/tpxz" or domainname like "http://urarfx.xyz/twox" or url like "http://urarfx.xyz/twox" or siteurl like "http://urarfx.xyz/twox" or domainname like "http://plapwf.top/agnb" or url like "http://plapwf.top/agnb" or siteurl like "http://plapwf.top/agnb" or domainname like "http://stochalyqp.xyz/alfp" or url like "http://stochalyqp.xyz/alfp" or siteurl like "http://stochalyqp.xyz/alfp" or domainname like "cexpxg.xyz" or url like "cexpxg.xyz" or siteurl like "cexpxg.xyz" or domainname like "fiuylj.top" or url like "fiuylj.top" or siteurl like "fiuylj.top" or domainname like "ycvduc.xyz" or url like "ycvduc.xyz" or siteurl like "ycvduc.xyz" or domainname like "https://softwarescr.info/dl" or url like "https://softwarescr.info/dl" or siteurl like "https://softwarescr.info/dl"

    Hash :

    sha256hash IN ("fa8be0ce6f177965a5cd2db80e57c49fb31083bd4ddcb052def24cfbf48d65b5","64f6c0c0fd736c4a82f545aadc7a1c49d4cea77b14f4b526ef9da56a606eeb3d","388f910e662f69c7ab6fcf5e938ba813cf92c7794e5c3a6ad29c2d9276921ed3")
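    The queries above compare each indicator as one literal string against the domainname, url and siteurl fields. For teams without the Gurucul platform, the following Python script is an added example (not Gurucul's code or query language) of the same detection run over a few constructed proxy-log lines. It normalizes the advisory's indicators first: the scheme is dropped, because the IOC list carries both http:// and https:// forms of the same GitHub path; github.com and raw.githubusercontent.com are only matched on the exact path, never on the host alone; bare domains match their subdomains as well; and the three SHA-256 values are checked against the hash column. The log format, source addresses and the benign requests are invented, and only a subset of the page's URLs is embedded.

    ```python
    """Match proxy-log URLs and file hashes against the advisory's Lumma Stealer IOCs."""
    from urllib.parse import urlsplit

    # A subset of the indicators listed above; the three hashes are the full set.
    IOC_URLS = [
        "http://github.com/caramm1t/Temp-Spoofer-LifeTime/raw/refs/heads/main/TempSpoofer.exe",
        "https://raw.githubusercontent.com/svhcnenr/Temp-Spoofer-LifeTime/1cb620ea7a2c0dfb9d3779f0b2732b2a877fbc1f/TempSpoofer.exe",
        "http://swenku.xyz/gaok",
        "http://cexpxg.xyz/airq",
        "https://ui3.fit/WeX.ini",
        "https://softwarescr.info/dl",
        "https://vfy2.help",
    ]
    IOC_DOMAINS = ["cbakk.xyz", "cexpxg.xyz", "fiuylj.top", "urarfx.xyz"]
    IOC_SHA256 = {
        "388f910e662f69c7ab6fcf5e938ba813cf92c7794e5c3a6ad29c2d9276921ed3",
        "fa8be0ce6f177965a5cd2db80e57c49fb31083bd4ddcb052def24cfbf48d65b5",
        "64f6c0c0fd736c4a82f545aadc7a1c49d4cea77b14f4b526ef9da56a606eeb3d",
    }

    # Legitimate shared hosts abused by the campaign: alert on the exact path only, never the host.
    SHARED_HOSTS = {"github.com", "raw.githubusercontent.com"}


    def normalize_url(url):
        """Return (host, path): scheme dropped, host lower-cased, trailing slash removed.
        The IOC list carries http:// and https:// forms of the same path, so the
        scheme must not be part of the key."""
        parts = urlsplit(url if "://" in url else "http://" + url)
        host = (parts.hostname or "").lower()
        path = parts.path.rstrip("/") or "/"
        return host, path


    def build_iocs(urls, domains):
        """Split indicators into exact (host, path) keys and whole-domain keys.
        A URL indicator with no path (e.g. https://vfy2.help) is treated as a domain."""
        url_keys, domain_keys = set(), {d.lower() for d in domains}
        for u in urls:
            host, path = normalize_url(u)
            if path == "/" and host not in SHARED_HOSTS:
                domain_keys.add(host)
            else:
                url_keys.add((host, path))
        return url_keys, domain_keys


    URL_KEYS, DOMAIN_KEYS = build_iocs(IOC_URLS, IOC_DOMAINS)


    def match_url(url):
        """Return "url", "domain" or None for a single requested URL."""
        host, path = normalize_url(url)
        if (host, path) in URL_KEYS:
            return "url"
        if host in SHARED_HOSTS:
            return None            # ordinary GitHub traffic is not an indicator
        labels = host.split(".")   # cdn.cbakk.xyz also matches cbakk.xyz
        for i in range(len(labels) - 1):
            if ".".join(labels[i:]) in DOMAIN_KEYS:
                return "domain"
        return None


    # Constructed proxy-log lines (timestamp src_ip method url status sha256-or-dash).
    # Addresses and the benign requests are invented; they are not from the advisory.
    SAMPLE_LOG = """\
    2025-07-21T09:12:01Z 10.0.4.17 GET http://github.com/caramm1t/Temp-Spoofer-LifeTime/raw/refs/heads/main/TempSpoofer.exe 200 388f910e662f69c7ab6fcf5e938ba813cf92c7794e5c3a6ad29c2d9276921ed3
    2025-07-21T09:12:05Z 10.0.4.17 GET https://github.com/example-org/example-repo/raw/refs/heads/main/README.md 200 -
    2025-07-21T09:13:44Z 10.0.4.22 GET https://cexpxg.xyz/airq 200 -
    2025-07-21T09:14:02Z 10.0.4.22 GET http://cdn.cbakk.xyz/update.bin 200 -
    2025-07-21T09:15:30Z 10.0.4.31 GET https://vfy2.help/ 200 -
    2025-07-21T09:16:12Z 10.0.4.31 GET https://example.com/setup.exe 200 -
    """


    def scan_log(text):
        """Return (timestamp, src_ip, url, reasons) for every line that hits an IOC."""
        hits = []
        for line in text.splitlines():
            if not line.strip():
                continue
            ts, src, _method, url, _status, sha = line.split()
            reasons = []
            kind = match_url(url)
            if kind:
                reasons.append(kind)
            if sha.lower() in IOC_SHA256:
                reasons.append("sha256")
            if reasons:
                hits.append((ts, src, url, tuple(reasons)))
        return hits


    if __name__ == "__main__":
        for ts, src, url, reasons in scan_log(SAMPLE_LOG):
            print(ts, src, ",".join(reasons), url)
    ```

    Running the script flags four of the six constructed lines: the GitHub download (URL and hash), the https variant of cexpxg.xyz/airq, the subdomain of cbakk.xyz, and the bare vfy2.help host; the unrelated GitHub repository and example.com are not reported. The same split between path-level and domain-level indicators is the caveat to keep in mind for the Gurucul queries above: a bare domainname field will never contain a full https:// URL, so indicators of the two kinds should be matched against the field that actually carries them.
    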

    Reference:   

    https://www.trendmicro.com/en_us/research/25/g/lumma-stealer-returns.html


    Tags

    Malware, Lumma Stealer, MaaS
