LummaStealer Delivered Via Malicious Search Results

    Date: 04/23/2026

    Severity: High

    Summary

    The attack starts with SEO poisoning, luring users searching for YubiKey Manager into downloading a malicious ISO file. It then executes a complex chain using DLL sideloading and PowerShell to evade defenses by adding Windows Defender exclusions. An obfuscated AutoIt script disguised as Health.exe decrypts and decompresses the Lumma Stealer payload. The malware runs in memory via process hollowing, avoiding traditional file-based detection methods. It escalates privileges using winlogon token duplication and steals data from browsers, FTP/SSH tools, and password managers. Additional persistence includes RDP backdoors, reverse tunnels, malicious extensions, anti-analysis checks, and cleanup mechanisms, confirming attribution to LummaStealer.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    Verifydl.top

    Yubico-app.com

    https://yubico-app.com/yubikey-manager.php 

    Hashes (SHA-256):

    e70d3ebc928d2c199d7a62b130421c398b2dc89db48645585d67927b471912c4

    bcd08a8a103088ba2451a3a547725285a78894d71769494245c0aadf37e2e431

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "Verifydl.top" or url like "Verifydl.top" or siteurl like "Verifydl.top" or domainname like "https://yubico-app.com/yubikey-manager.php" or url like "https://yubico-app.com/yubikey-manager.php" or siteurl like "https://yubico-app.com/yubikey-manager.php" or domainname like "Yubico-app.com" or url like "Yubico-app.com" or siteurl like "Yubico-app.com"

    Detection Query 2:

    sha256hash IN ("bcd08a8a103088ba2451a3a547725285a78894d71769494245c0aadf37e2e431","e70d3ebc928d2c199d7a62b130421c398b2dc89db48645585d67927b471912c4")
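    Added example, not Gurucul TDIR code: a stand-alone Python equivalent of the two queries above, run over constructed log events. The field names are assumed to be the ones the queries use (domainname, url, siteurl, sha256hash); both sides are lower-cased, because a case-sensitive `like` would miss the domains as they are capitalised here, and the benign yubico.com event shows that the substring match does not over-trigger.

```python
# Added illustration mirroring the two TDIR queries above; not Gurucul code. Field
# names come from the queries; all events below are constructed, not real telemetry.

# Indicators exactly as listed on the page.
NETWORK_IOCS = (
    "Verifydl.top",
    "Yubico-app.com",
    "https://yubico-app.com/yubikey-manager.php",
)
HASH_IOCS = {
    "e70d3ebc928d2c199d7a62b130421c398b2dc89db48645585d67927b471912c4",
    "bcd08a8a103088ba2451a3a547725285a78894d71769494245c0aadf37e2e431",
}
NETWORK_FIELDS = ("domainname", "url", "siteurl")

def match_network(event: dict) -> list:
    """Query 1 equivalent: substring match of each IOC against the URL-ish fields.
    Both sides are lower-cased: hostnames are case-insensitive and the page lists
    them capitalised, so a case-sensitive `like` would miss 'verifydl.top'."""
    hits = []
    for field in NETWORK_FIELDS:
        value = str(event.get(field, "")).lower()
        hits.extend(f"{field}:{ioc}" for ioc in NETWORK_IOCS if ioc.lower() in value)
    return hits

def match_hash(event: dict) -> bool:
    """Query 2 equivalent: exact SHA-256 match after normalising to lower-case hex."""
    return str(event.get("sha256hash", "")).lower() in HASH_IOCS

def scan(events) -> list:
    """Return (event index, reason) for each event matching either query."""
    alerts = []
    for i, ev in enumerate(events):
        alerts.extend((i, hit) for hit in match_network(ev))
        if match_hash(ev):
            alerts.append((i, "sha256hash:" + ev["sha256hash"].lower()))
    return alerts

# Constructed sample events: two hits on the malicious site, one upper-case hash,
# and one benign visit to the real yubico.com that must not alert.
SAMPLE_EVENTS = [
    {"domainname": "yubico-app.com", "url": "https://yubico-app.com/yubikey-manager.php"},
    {"domainname": "verifydl.top"},
    {"sha256hash": "E70D3EBC928D2C199D7A62B130421C398B2DC89DB48645585D67927B471912C4"},
    {"domainname": "www.yubico.com", "url": "https://www.yubico.com/support/download/"},
]

if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```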

    Reference:

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2026-04-21-LummaStealer-Delivered-Via-Malicious-Search-Results.txt


    Tags

    Malware, Lumma Stealer, SEO Poisoning, DLL, Data Stealer, RDP, Backdoor


