Date: 08/14/2025
Severity: Medium
Summary
A malicious campaign has been discovered using the fake domain ‘telegrampremium[.]app’ to impersonate the official Telegram Premium platform. The site delivers a file named ‘start.exe’ that contains a new variant of the Lumma Stealer malware. This sophisticated trojan can steal browser credentials, cryptocurrency wallet data, and system information. Alarmingly, the malware downloads automatically when the URL is accessed, without user interaction. The campaign highlights ongoing threats using brand impersonation and social engineering. Immediate blocking of the domain, endpoint scanning, and credential rotation are strongly advised.
Indicators of Compromise (IOC) List
URL/Domain:
Telegrampremium.app
Teijx.lat
Prvqhm.shop
Daruubs.top
Cidtfhh.shop
Annwt.xyz
Ungryo.shop
Greqjfu.xyz
Rayrhs.top
Furwmsx.shop
IP Address:
87.120.126.213
Hash (SHA-1, 40 hex characters):
9a5f72502fd9be56226716e6435888a43ff43154
fc0e3ff066427316bcb001d05b3ac5692093d6a3
7a77f579c6a4bda83d659be4e39ddfd7b7e2f73c
3921ba3ad9ace63827a8ad2d70c1c4a79d462f24
8c893331a5e01e0c99a7ad0f7f1cbb9418a86d4a
0736ccd4920e227ebae3b0ded4950c01f663af6a
888e33a919d5dda152a539aed3f5a3b7840937bc
Hash (SHA-256, 64 hex characters):
b97dcfb5161a59bd88fd821542e9d066c77c4ad49f09c81f472b26a5339f44f2
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1:
domainname like "Daruubs.top" or siteurl like "Daruubs.top" or url like "Daruubs.top"
or domainname like "Rayrhs.top" or siteurl like "Rayrhs.top" or url like "Rayrhs.top"
or domainname like "Telegrampremium.app" or siteurl like "Telegrampremium.app" or url like "Telegrampremium.app"
or domainname like "Teijx.lat" or siteurl like "Teijx.lat" or url like "Teijx.lat"
or domainname like "Prvqhm.shop" or siteurl like "Prvqhm.shop" or url like "Prvqhm.shop"
or domainname like "Greqjfu.xyz" or siteurl like "Greqjfu.xyz" or url like "Greqjfu.xyz"
or domainname like "Furwmsx.shop" or siteurl like "Furwmsx.shop" or url like "Furwmsx.shop"
or domainname like "Ungryo.shop" or siteurl like "Ungryo.shop" or url like "Ungryo.shop"
or domainname like "Cidtfhh.shop" or siteurl like "Cidtfhh.shop" or url like "Cidtfhh.shop"
or domainname like "Annwt.xyz" or siteurl like "Annwt.xyz" or url like "Annwt.xyz"
Detection Query 2:
dstipaddress IN ("87.120.126.213") or srcipaddress IN ("87.120.126.213")
Detection Query 3:
sha256hash IN ("b97dcfb5161a59bd88fd821542e9d066c77c4ad49f09c81f472b26a5339f44f2")
Detection Query 4:
hash IN ("7a77f579c6a4bda83d659be4e39ddfd7b7e2f73c","9a5f72502fd9be56226716e6435888a43ff43154","fc0e3ff066427316bcb001d05b3ac5692093d6a3","3921ba3ad9ace63827a8ad2d70c1c4a79d462f24","8c893331a5e01e0c99a7ad0f7f1cbb9418a86d4a","0736ccd4920e227ebae3b0ded4950c01f663af6a","888e33a919d5dda152a539aed3f5a3b7840937bc")
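The four queries above all reduce to one operation: compare a handful of log fields against the advisory's IOC set. The script below is an added example (not Gurucul's TDIR tooling and not code from the referenced report) that applies the same IOCs to log records outside the platform, for instance when sweeping exported proxy, firewall or EDR logs. The field names (domainname, siteurl, url, dstipaddress, srcipaddress, hash, sha256hash) are taken from the queries; the sample log records are constructed for illustration. Two details a practitioner cares about are handled explicitly: domains are matched as an exact host or a subdomain rather than a substring (so "notannwt.xyz" does not fire), and hostnames and hashes are lower-cased before comparison, since the IOC list capitalises the first letter of each domain while most log sources do not.

```python
"""Match exported log records against the Lumma Stealer campaign IOCs (added example)."""
import re

# IOC values copied from the advisory's IOC list, normalised to lower case.
IOC_DOMAINS = {
    "telegrampremium.app", "teijx.lat", "prvqhm.shop", "daruubs.top",
    "cidtfhh.shop", "annwt.xyz", "ungryo.shop", "greqjfu.xyz",
    "rayrhs.top", "furwmsx.shop",
}
IOC_IPS = {"87.120.126.213"}
IOC_HASHES = {
    "9a5f72502fd9be56226716e6435888a43ff43154",
    "fc0e3ff066427316bcb001d05b3ac5692093d6a3",
    "7a77f579c6a4bda83d659be4e39ddfd7b7e2f73c",
    "3921ba3ad9ace63827a8ad2d70c1c4a79d462f24",
    "8c893331a5e01e0c99a7ad0f7f1cbb9418a86d4a",
    "0736ccd4920e227ebae3b0ded4950c01f663af6a",
    "888e33a919d5dda152a539aed3f5a3b7840937bc",
    "b97dcfb5161a59bd88fd821542e9d066c77c4ad49f09c81f472b26a5339f44f2",
}

# Field names assumed from the advisory's detection queries.
DOMAIN_FIELDS = ("domainname", "siteurl", "url")
IP_FIELDS = ("dstipaddress", "srcipaddress")
HASH_FIELDS = ("hash", "sha256hash")

# Optional scheme, then everything up to the first '/', ':', '?' or '#'.
_HOST_RE = re.compile(r"^(?:[a-z][a-z0-9+.-]*://)?([^/:?#]+)")


def hostname(value):
    """Return the host part of a bare domain or URL, lower-cased, without a trailing dot."""
    m = _HOST_RE.match(value.strip().lower())
    return m.group(1).rstrip(".") if m else ""


def domain_matches(value):
    """True if the host is an IOC domain or a subdomain of one (never a substring match)."""
    host = hostname(value)
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def hash_matches(value):
    """True if the hash (SHA-1 or SHA-256, any letter case) is in the IOC set."""
    return value.strip().lower() in IOC_HASHES


def check_record(rec):
    """Return a list of 'field=value' strings for every IOC hit in one log record (a dict)."""
    hits = []
    for f in DOMAIN_FIELDS:
        if f in rec and domain_matches(rec[f]):
            hits.append(f"{f}={rec[f]}")
    for f in IP_FIELDS:
        if rec.get(f, "").strip() in IOC_IPS:
            hits.append(f"{f}={rec[f]}")
    for f in HASH_FIELDS:
        if f in rec and hash_matches(rec[f]):
            hits.append(f"{f}={rec[f]}")
    return hits


def scan(records):
    """Return (index, hits) for each record that matched at least one IOC."""
    results = []
    for i, rec in enumerate(records):
        hits = check_record(rec)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample records; indices 0, 1, 2 and 5 should fire, 3 and 4 should not.
SAMPLE_LOGS = [
    {"url": "https://telegrampremium.app/start.exe", "srcipaddress": "10.0.0.5"},
    {"dstipaddress": "87.120.126.213", "srcipaddress": "10.0.0.5"},
    {"sha256hash": "B97DCFB5161A59BD88FD821542E9D066C77C4AD49F09C81F472B26A5339F44F2"},
    {"url": "https://example.com/telegrampremium.app.html"},   # IOC string only in the path
    {"hash": "da39a3ee5e6b4b0d3255bfef95601890afd80709"},        # SHA-1 of an empty file
    {"domainname": "Annwt.xyz."},                                 # mixed case, trailing dot
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOGS):
        print(f"record {idx}: {', '.join(hits)}")
```

Run it as-is to see the four sample hits; to sweep real exports, replace SAMPLE_LOGS with records loaded from CSV or JSON using the same field names. The subdomain rule means a match on "cdn.daruubs.top" would still fire, which mirrors the intent of a `like` clause without its substring false positives.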
Reference:
https://www.cyfirma.com/research/fake-telegram-premium-site-distributes-new-lumma-stealer-variant/