Intel Name: Lumma Stealer's GitHub-based delivery explored via managed detection and response
Date of Scan: January 31, 2025
Impact: High
Summary: Our team investigated a campaign that abused GitHub's release infrastructure to distribute Lumma Stealer and other malware, including SectopRAT, Vidar, and Cobeacon. Attackers used GitHub for initial access, tricking users into downloading malicious files from URLs that appeared trustworthy because they were hosted on GitHub. Once executed, these files exfiltrated sensitive data, connected to external C&C servers, and ran commands to evade detection. Lumma Stealer and the other payloads deployed additional tools, created multiple directories, and used PowerShell scripts and shell commands for persistence and data exfiltration.