Unmasking the Evolving Threat: A Deep Dive into the Latest Version of Lumma InfoStealer with Code Flow Obfuscation

    Date: 04/25/2025

    Severity: High

    Summary

    Lumma Stealer, first detected in 2022, remains a persistent and evolving threat, frequently adapting its tactics, techniques, and procedures (TTPs) to match emerging trends. Distributed via a subscription-based Malware-as-a-Service (MaaS) model on the dark web, Lumma is built to evade detection by identifying virtual and sandbox environments. It can exfiltrate sensitive data such as browser credentials, email information, cryptocurrency wallet data, and other personally identifiable information (PII) stored within critical system directories.

    Indicators of Compromise (IOC) List

    Domains/URLs:


    Hashes (SHA-256 and MD5):


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains/URLs:

    domainname like "http://blastikcn.com/" or url like "http://blastikcn.com/" or siteurl like "http://blastikcn.com/" or domainname like "https://nikolay-romanov.su/" or url like "https://nikolay-romanov.su/" or siteurl like "https://nikolay-romanov.su/" or domainname like "http://stormlegue.com/" or url like "http://stormlegue.com/" or siteurl like "http://stormlegue.com/" or domainname like "http://naturewsounds.help/" or url like "http://naturewsounds.help/" or siteurl like "http://naturewsounds.help/" or domainname like "http://nestlecompany.pro/" or url like "http://nestlecompany.pro/" or siteurl like "http://nestlecompany.pro/" or domainname like "http://blast-hubs.com/" or url like "http://blast-hubs.com/" or siteurl like "http://blast-hubs.com/" or domainname like "http://generalmills.pro/" or url like "http://generalmills.pro/" or siteurl like "http://generalmills.pro/" or domainname like "http://mercharena.biz/" or url like "http://mercharena.biz/" or siteurl like "http://mercharena.biz/"

    Hash 1 (SHA-256):

    sha256hash IN ("e9e568dce12ca4392001860c693292203b2bfcbbb277a484e4d2ebb5b0449207","B33648806f28bae6d57103a2081df7d8e8dd03db586c03057f9c60e9ac3b2bc0","A7f7a3c408c4839fb2dc28b7fc99f64f464d4e1aeedd75293937769626962c18","253cdcfd6f8b6e52133bc59df92563e432b335d2a207f2f8e01fac2423ccbac8","eb69158f493de304592e67de21a42cd094693bda13fb211c46353248706df696","4abe068f8e8632a9074556f2adb39dd2c52a1bf631abbf5bfd47888059c35350","101e4eabfde77d3a2d3877042a72bed101973d0c511ba031e6e27785d48f61fd","629618eb8225361b068a11ce07f46eefd0ce4098266f274f0d56b75fb5a77321","1345ad4c782c91049a16ec9f01b04bfc83a4f0e1e259cfed2b535f8ec6b75590","7034406778028fd6edbb340fdaeddbbec3d1f8665e8332063edc75dfaee482d1","B3428248caa364461d4521e2ff3c853228c38f9dc2fb5bcc9049e6652bb94ba2","e52f5fcfc8034e46e0f3ff826d437ce69f7d9da30019115008f823c9b7ffb929","c340bf332f68794afa171c68efadf9b1e742e4ad577582adfed61567a65aa91c","80741061ccb6a337cbdf1b1b75c4fcfae7dd6ccde8ecc333fcae7bcca5dc8861","aa2dfa4e02b2eb688c7ba0d29619e082214251930e39727e35b53a436766825a","c2ab516bb3a39832d963770d813ab77027d454a087ad9fae8ce24336a78f9073","90e35b4a519af394e32cd09d34c6d5f60b31726672aa41e37e2163c387f96a75")

    Hash 2 (MD5):

    md5hash IN ("fbcf8775e7fb3ac822f8f67ff2fe990e","9eaede7e8981fc39c0ccbe45e8ee2bf3")
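    As an added illustration (not part of the advisory and not Gurucul code), the Python below mirrors the three queries above offline over constructed log records, with two checks a practitioner would want: hostnames are extracted from full URLs so that a request to a path under a listed domain is not missed by an exact-URL comparison, and hashes are lowercased because the SHA-256 query above mixes upper- and lowercase values. It assumes the platform's `like`/`IN` compare literally; the IOC values and sample records are placeholders, not the advisory's indicators.

```python
# Added example: offline IOC matcher in the shape of the advisory's TDIR queries.
# IOC values below are constructed PLACEHOLDERS; substitute the advisory's lists.
from urllib.parse import urlsplit

# Placeholder indicators (constructed), same shape as the advisory's lists.
IOC_URLS = ["http://example-c2-one.test/", "https://example-c2-two.test/"]
IOC_SHA256 = ["A" * 64, "b" * 64]   # mixed case on purpose, like the page's query
IOC_MD5 = ["C" * 32]


def normalize_host(value):
    """Reduce a URL or bare domain to a lowercase hostname (None if empty)."""
    if not value:
        return None
    # urlsplit needs a scheme or leading '//' to treat the value as a netloc.
    parts = urlsplit(value if "://" in value else "//" + value)
    return parts.hostname  # urlsplit lowercases the hostname for us


# Normalize once: the page's queries compare raw strings, which misses
# path-bearing URLs and case differences in hex digests.
IOC_HOSTS = {normalize_host(u) for u in IOC_URLS}
IOC_HASHES = {h.lower() for h in IOC_SHA256 + IOC_MD5}


def match_record(rec):
    """Return (field, ioc) hits for one log record using the query's field names."""
    hits = []
    for field in ("domainname", "url", "siteurl"):
        host = normalize_host(rec.get(field))
        if host in IOC_HOSTS:
            hits.append((field, host))
    for field in ("sha256hash", "md5hash"):
        digest = (rec.get(field) or "").lower()
        if digest in IOC_HASHES:
            hits.append((field, digest))
    return hits


# Constructed sample records: a path under a listed host, a lowercase digest
# for an uppercase IOC, an uppercase hostname, and a benign record.
SAMPLE_LOGS = [
    {"url": "http://example-c2-one.test/download/payload.bin"},
    {"sha256hash": "a" * 64},
    {"domainname": "EXAMPLE-C2-TWO.test"},
    {"url": "http://benign.test/", "md5hash": "d" * 32},
]


def scan(records):
    """Return [(index, hits)] for every record that matched at least one IOC."""
    results = [(i, match_record(r)) for i, r in enumerate(records)]
    return [(i, h) for i, h in results if h]
```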

    Reference:

    https://www.trellix.com/blogs/research/a-deep-dive-into-the-latest-version-of-lumma-infostealer/


    Tags: Malware, Threat Actor, Lumma Stealer
