Lumma Stealer Detection: Sophisticated Campaign Using GitHub Infrastructure to Spread SectopRAT, Vidar, Cobeacon, and Other Types of Malware

Lumma Stealer Malware Detection

Lumma Stealer, a nefarious info-stealing malware, has resurfaced in the cyber threat arena. Defenders recently uncovered an advanced adversary campaign distributing Lumma Stealer through GitHub infrastructure along with other malware variants, including SectopRAT, Vidar, and Cobeacon.

Detect Lumma Stealer, SectopRAT, Vidar, Cobeacon Deployed via GitHub

Lumma Stealer is a notorious data-stealing malware that extracts credentials, cryptocurrency wallets, system details, and files while connecting to adversary servers to enable further malicious actions. The latest campaign associated with Lumma Stealer’s GitHub-based delivery poses a growing threat to potentially affected organizations and individual users due to a set of sophisticated evasion techniques and offensive capabilities involving the deployment of other malware, such as SectopRAT, Vidar, and Cobeacon. 

SOC Prime Platform offers a curated list of detection content to help security teams identify intrusions in a timely manner and proactively thwart related threats. Click Explore Detections to access relevant SOC content aligned with the MITRE ATT&CK® framework and enriched with actionable CTI and comprehensive metadata. 

Defenders can also follow the corresponding links to obtain additional Sigma rules for Lumma Stealer, SectopRAT, Vidar, and Cobeacon detection based on the associated tags. Additionally, security teams can explore detections addressing TTPs used by Stargazer Goblin, the group whose behavior patterns overlap with those of the adversaries behind this campaign.

Lumma Stealer Analysis: Overview of a New Malware Campaign Potentially Linked to the Stargazer Goblin Group

Trend Micro’s Managed XDR team has shed light on a new sophisticated offensive campaign involving Lumma Stealer. Adversaries exploit GitHub as a trusted platform to distribute the stealer, which then triggers further offensive actions. Attackers weaponize GitHub’s infrastructure to gain initial access, luring victims into downloading files from harmful URLs disguised as secure ones. These files stealthily exfiltrate sensitive data and establish connections with external C2 servers to execute commands while evading detection.

The campaign that tricks users into downloading Lumma Stealer and other malware strains also facilitates the deployment of additional offensive tools and is aimed at creating multiple directories and staging data for exfiltration. To maintain persistence, adversaries take advantage of PowerShell scripts and Shell commands.

Attacker TTPs observed in this campaign align with those previously linked to the Stargazer Goblin group, known for using compromised websites and GitHub to distribute payloads. The research has revealed repeated URL patterns and the use of legitimate but compromised websites to redirect victims to GitHub-hosted malware. The group’s tendency to experiment with infection flows and its use of diverse payloads highlight attackers’ flexibility and continuously evolving tactics.

The attack chain starts with GitHub-hosted files. One user downloaded Pictore.exe via Chrome, while another retrieved App_aeIGCY3g.exe, both temporarily stored on GitHub’s infrastructure. Both weaponized executables appear to be Lumma Stealer in disguise. The initial Lumma Stealer files deploy and execute additional threats, including SectopRAT, Vidar, Cobeacon, and another Lumma Stealer variant. These files were created in randomly named, likely dynamically generated folders within the temp directory before being executed. A dropped file containing a Lumma Stealer iteration collects stored credentials, session cookies, autofill data, and browsing history. It also drops an obfuscated PowerShell script in the temp directory, which contacts legitimate domains, likely as a connectivity check before retrieving additional payloads or attacker commands.
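Two behaviors in that chain, a payload launched from a randomly named folder under the user's Temp directory and an obfuscated PowerShell script run from the same Temp tree, can be turned into a simple host-based heuristic over process-creation telemetry. The following is an added example, not code from SOC Prime or Trend Micro; the event field names, entropy threshold, obfuscation markers, and sample paths are assumptions constructed for illustration.

```python
# Added example: heuristic detection over constructed Windows process-creation
# records. Field names (Image, CommandLine) follow the Sysmon-style convention
# and are an assumption; thresholds and sample paths are made up.
import math
import re
from collections import Counter

TEMP_EXE_RE = re.compile(r"\\AppData\\Local\\Temp\\([^\\]+)\\[^\\]+\.exe$", re.IGNORECASE)
PS_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\s\"]+\.ps1", re.IGNORECASE)
# Assumed markers typical of obfuscated or evasive PowerShell invocations.
OBFUSCATION_MARKERS = ("-enc", "-encodedcommand", "frombase64string", "-nop", "-w hidden", "bypass")

def shannon_entropy(text: str) -> float:
    """Bits per character: random folder names score high, dictionary words score low."""
    counts = Counter(text.lower())
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def is_random_name(name: str) -> bool:
    # Assumed thresholds: at least 8 chars, contains a digit, entropy >= 3.0 bits/char.
    return len(name) >= 8 and any(ch.isdigit() for ch in name) and shannon_entropy(name) >= 3.0

def classify(event: dict) -> list[str]:
    """Return the names of the heuristics the event triggers (empty if none)."""
    hits = []
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    m = TEMP_EXE_RE.search(image)
    if m and is_random_name(m.group(1)):
        hits.append("exe_from_random_temp_dir")
    if image.lower().endswith("powershell.exe") and PS_TEMP_RE.search(cmd):
        if any(marker in cmd.lower() for marker in OBFUSCATION_MARKERS):
            hits.append("obfuscated_powershell_from_temp")
    return hits

def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map event index to triggered heuristics, skipping events with no hits."""
    return {i: hits for i, e in enumerate(events) if (hits := classify(e))}

# Constructed sample events; usernames, folder names and file names are fictitious.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\Pictore.exe", "CommandLine": "Pictore.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\x9qk3v7d2p\payload.exe", "CommandLine": "payload.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -nop -w hidden -File C:\Users\alice\AppData\Local\Temp\u8j2k.ps1"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\Installer\setup.exe", "CommandLine": "setup.exe"},
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))  # {1: ['exe_from_random_temp_dir'], 2: ['obfuscated_powershell_from_temp']}
```

The entropy threshold is a tuning knob: legitimate installers also use Temp, so the random-name check and the PowerShell marker check are meant to be correlated with the browser-download parent chain described above rather than alerted on alone.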

To mitigate cyber threats like the Lumma Stealer leveraged in this campaign, organizations are advised to validate URLs and files before downloading, inspect email links and attachments carefully, and verify digital certificates. Additionally, adopting threat intelligence, patching systems, enabling MFA, and enforcing a zero-trust approach help minimize exposure to cyber threats. SOC Prime Platform for collective cyber defense equips enterprises, MDR-focused organizations, and individual researchers with a complete product suite to outscale advanced cyber threats, including emerging malware variants and continuously evolving offensive tools, while helping SOC teams build a robust cybersecurity posture.

The post Lumma Stealer Detection: Sophisticated Campaign Using GitHub Infrastructure to Spread SectopRAT, Vidar, Cobeacon, and Other Types of Malware appeared first on SOC Prime.