Date: 04/23/2026
Severity: High
Summary
The attack starts with SEO poisoning, luring users who search for YubiKey Manager into downloading a malicious ISO file. It then executes a multi-stage chain that uses DLL sideloading and PowerShell, adding Windows Defender exclusions to evade defenses. An obfuscated AutoIt script disguised as Health.exe decrypts and decompresses the Lumma Stealer payload. The malware runs in memory via process hollowing, avoiding traditional file-based detection. It escalates privileges by duplicating the winlogon token and steals data from browsers, FTP/SSH tools, and password managers. Additional capabilities include RDP backdoors, reverse tunnels, malicious browser extensions, anti-analysis checks, and cleanup mechanisms, confirming attribution to Lumma Stealer.
Indicators of Compromise (IOC) List
Domains/URLs:
Verifydl.top
Yubico-app.com
https://yubico-app.com/yubikey-manager.php
SHA-256 hashes:
e70d3ebc928d2c199d7a62b130421c398b2dc89db48645585d67927b471912c4
bcd08a8a103088ba2451a3a547725285a78894d71769494245c0aadf37e2e431
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (domain/URL indicators):
domainname like "Verifydl.top" or url like "Verifydl.top" or siteurl like "Verifydl.top" or domainname like "https://yubico-app.com/yubikey-manager.php" or url like "https://yubico-app.com/yubikey-manager.php" or siteurl like "https://yubico-app.com/yubikey-manager.php" or domainname like "Yubico-app.com" or url like "Yubico-app.com" or siteurl like "Yubico-app.com"
Detection Query 2 (file hash indicators):
sha256hash IN ("bcd08a8a103088ba2451a3a547725285a78894d71769494245c0aadf37e2e431","e70d3ebc928d2c199d7a62b130421c398b2dc89db48645585d67927b471912c4")
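The two detection queries applied to log events, as an added example that is not Gurucul's or Unit 42's code. It assumes events are dictionaries with the same field names the queries use (domainname, url, siteurl, sha256hash), lower-cases hosts and hashes before matching because the IOC list mixes case, and also flags subdomains of the IOC domains; the sample events are constructed.

```python
from urllib.parse import urlparse

# IOCs taken from the advisory's IOC list
IOC_DOMAINS = {"verifydl.top", "yubico-app.com"}
IOC_URLS = {"https://yubico-app.com/yubikey-manager.php"}
IOC_SHA256 = {
    "e70d3ebc928d2c199d7a62b130421c398b2dc89db48645585d67927b471912c4",
    "bcd08a8a103088ba2451a3a547725285a78894d71769494245c0aadf37e2e431",
}

def _host(value):
    """Lower-cased hostname of a URL or bare domain ("" if none)."""
    parsed = urlparse(value if "://" in value else "//" + value)
    return (parsed.hostname or "").lower()

def match_query1(event):
    """Query 1: domainname, url or siteurl hits an IOC domain (or a subdomain
    of one) or the exact IOC URL, regardless of letter case."""
    for field in ("domainname", "url", "siteurl"):
        value = (event.get(field) or "").strip()
        if not value:
            continue
        if value.lower().rstrip("/") in IOC_URLS:
            return True
        host = _host(value)
        if any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
            return True
    return False

def match_query2(event):
    """Query 2: sha256hash is one of the listed payload hashes."""
    return (event.get("sha256hash") or "").strip().lower() in IOC_SHA256

def triage(events):
    """Return (event index, query name) for every event that fires a query."""
    return [(i, q) for i, ev in enumerate(events)
            for q, fn in (("query1", match_query1), ("query2", match_query2))
            if fn(ev)]

# Constructed sample events (not from the advisory); the third is a benign
# download from the genuine vendor site and must not fire.
SAMPLE_EVENTS = [
    {"domainname": "VERIFYDL.TOP", "url": "http://verifydl.top/dl/setup.iso"},
    {"url": "https://Yubico-app.com/yubikey-manager.php"},
    {"siteurl": "https://www.yubico.com/support/download/yubikey-manager/"},
    {"sha256hash": "BCD08A8A103088BA2451A3A547725285A78894D71769494245C0AADF37E2E431"},
    {"sha256hash": "0" * 64},
]
```

Running `triage(SAMPLE_EVENTS)` yields hits for events 0, 1 and 3 only; the mixed-case hostname and upper-case hash are caught, and the legitimate yubico.com download is not.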
Reference:
https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2026-04-21-LummaStealer-Delivered-Via-Malicious-Search-Results.txt