Cybercriminals are once again exploiting the trust users place in popular platforms like GitHub to spread sophisticated malware—this time disguised as free utilities. In its latest threat intelligence report, CYFIRMA reveals a malicious campaign that weaponizes curiosity around “Free VPN for PC” and “Minecraft Skin Changer” tools to distribute Lumma Stealer, an information-stealing malware.
The campaign was traced to a GitHub user at github[.]com/SAMAIOEC, who hosted multiple fake software samples with convincing names such as free-vpn-for-pc and minecraft-skin. These came with detailed instructions and were packaged in password-protected ZIP files to bypass browser-based security scanning.
“These lures are designed to attract users seeking free software and trick them into executing a malware dropper named Launch.exe,” CYFIRMA wrote in the report.

At the core of the malware campaign lies a file named Launch.exe, which initiates a multi-stage attack chain. Here’s a breakdown of how it works:
- Stage 1 – Obfuscation and Decryption: The malware carries a Base64-encoded DLL embedded within itself. It disguises this payload behind 1177 characters of meaningless French text to foil detection systems. A custom SinCosMath() function applies bitwise operations and byte shifts to decrypt the actual payload.
- Stage 2 – DLL Dropping and Stealth: The decrypted payload is dropped in the AppData directory as msvcp110.dqq, then renamed to msvcp110.dll. The file is hidden using Windows APIs, avoiding casual detection.
- Stage 3 – Execution and Injection: The DLL is loaded via LoadLibrary() and executed via its GetGameData() function. From there, the malware allocates memory, writes malicious code into it, and uses process injection to hijack trusted Windows executables like MSBuild.exe and aspnet_regiis.exe.
“The malware leverages process injection, DLL side-loading, and stealthy execution techniques to implant Lumma Stealer,” the report noted.
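The drop, side-load and injection stages above leave a recognisable footprint in endpoint telemetry. The following detection logic is an added example, not code from the CYFIRMA report: it runs over constructed sample events shaped loosely after Sysmon fields (FileCreate, ImageLoad, CreateRemoteThread; field names are an assumption) and flags the msvcp110 staging file in AppData, a msvcp110.dll loaded from a user profile rather than a system directory, and a remote thread created in MSBuild.exe or aspnet_regiis.exe.

```python
import re
from typing import Iterable

# Indicators taken from the write-up: the staging extension, the dropped
# DLL name, and the trusted binaries used as injection targets.
STAGING_EXT = ".dqq"
DROPPED_DLL = "msvcp110.dll"
INJECTION_TARGETS = {"msbuild.exe", "aspnet_regiis.exe"}
# Per-user AppData path (legitimate msvcp110.dll lives under System32, not here).
APPDATA_RE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)


def _base(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: Iterable[dict]) -> list[str]:
    """Return one finding string per event matching the described chain."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 11:  # file create (assumed Sysmon-style field names)
            path = ev["TargetFilename"]
            name = _base(path)
            if APPDATA_RE.search(path) and (name.endswith(STAGING_EXT) or name == DROPPED_DLL):
                findings.append(f"drop: {ev['Image']} wrote {path}")
        elif eid == 7:  # image load
            loaded = ev["ImageLoaded"]
            if APPDATA_RE.search(loaded) and _base(loaded) == DROPPED_DLL:
                findings.append(f"sideload: {ev['Image']} loaded {loaded}")
        elif eid == 8:  # remote thread created in another process
            if _base(ev["TargetImage"]) in INJECTION_TARGETS:
                findings.append(f"inject: {ev['SourceImage']} -> {ev['TargetImage']}")
    return findings


# Constructed sample events (not real telemetry); two are benign decoys.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\bob\Downloads\Launch.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Roaming\msvcp110.dqq"},
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\update.log"},
    {"EventID": 7, "Image": r"C:\Users\bob\Downloads\Launch.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Roaming\msvcp110.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\App\app.exe",
     "ImageLoaded": r"C:\Windows\System32\msvcp110.dll"},
    {"EventID": 8, "SourceImage": r"C:\Users\bob\Downloads\Launch.exe",
     "TargetImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"},
]

if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```

The System32 copy of msvcp110.dll is deliberately left unflagged: the signal is the DLL's location under a user profile, not its name alone.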
CYFIRMA’s static and dynamic analysis also uncovered an array of tactics aimed at frustrating reverse engineering and detection:
- Nonsensical assembly metadata, indicating a malware builder was likely used.
- Use of IsDebuggerPresent() to detect debugging environments and terminate early.
- Endless control flow loops and meaningless string variables to obstruct analysis.
During dynamic analysis, the malware attempted to communicate with explorationmsn[.]store, a domain that, according to CYFIRMA, “aligns with known infrastructure patterns associated with the Lumma Stealer family.”
Despite these insights, no contact information or identifying details were found about the threat actor, underscoring the anonymous and evasive nature of the operation.
By masquerading as helpful freeware, this campaign highlights a disturbing trend: attackers exploiting open-source platforms as trusted vectors for delivering malware. The tactic is simple but effective—take advantage of popular search queries and users’ desire for free tools.
“Despite the insights gained from static and dynamic analysis, no other contact information or identifiable links to the threat actor were found. This highlights the importance of proactive threat hunting and monitoring of open-source platforms,” CYFIRMA concluded.