Lumma Infostealer Attack Flow | Image: GSC
Researchers at the Genians Security Center (GSC) have uncovered an active Lumma Infostealer campaign leveraging AutoIt scripts, NSIS installers, and MEGA cloud infrastructure to distribute credential-stealing malware disguised as pirated software.
The campaign represents a sophisticated evolution in Malware-as-a-Service (MaaS) operations, blending social engineering with multi-stage execution and advanced evasion tactics.
“Lumma Infostealer is notable for being operated as Malware-as-a-Service (MaaS), meaning it is available to anyone via subscription or one-time payment,” GSC noted. “Attackers lacking specialized skills or development capabilities can readily carry out attacks.”
GSC emphasizes that information-stealing malware remains a leading driver of secondary attacks such as ransomware, account takeovers, and corporate intrusions.
“Infections caused by infostealer malware are regarded as a high-risk threat vector that performs unauthorized activities within a victim’s endpoint system,” the report explains. “The stolen data is traded on the Dark Web and reused for identity theft, financial fraud, and corporate network intrusions.”
Infostealers like Lumma are increasingly integrated into multi-vector attack chains, serving as reconnaissance tools in the early stages of ransomware or credential-based intrusion campaigns.
Originally observed in August 2022, Lumma Infostealer has rapidly become one of the most widespread MaaS threats. In September 2025, it ranked first on ANY.RUN’s weekly malware leaderboard, reflecting its growing adoption among low-skill threat actors.
“The MaaS model lowers the entry barrier for cybercrime,” GSC warns. “By offering commoditized malware, operational infrastructure, and technical support as a service, individuals lacking programming skills can readily carry out attack campaigns.”
This ease of access, combined with Lumma’s modular design, has led to a global proliferation of infostealer-based breaches, often initiated through fake software downloads or phishing pages.
The latest campaign analyzed by GSC begins with phishing sites impersonating cracked software portals. Users who attempt to download applications are redirected through multiple domains to MEGA cloud-hosted payloads, helping attackers bypass traditional URL filtering and domain reputation checks.
“Attackers are improving distribution and infection methods by changing the distribution site URLs and the distributed files,” GSC explains. “Defenses that rely on a single indicator are unlikely to be effective.”
Once downloaded, the malware arrives as an encrypted ZIP archive containing a malicious NSIS (Nullsoft Scriptable Install System) installer named setup.exe. NSIS, an open-source tool used for legitimate software packaging, is abused here to embed multiple AutoIt modules and shellcode fragments that reassemble upon execution. According to GSC, the installer then performs the following steps:
- Drops a malicious file in the %Temp% directory.
- Launches a decoy document named Contribute.docx via cmd.exe.
- Uses extrac32.exe to unpack a disguised CAB archive named Make.docx.
- Recombines AutoIt runtime and script fragments to execute the final payload via Riding.pif (AutoIt3.exe).
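The staging chain above leaves recognisable traces in endpoint telemetry. The following added example (not code from GSC or the report) shows heuristic checks a defender could run over process-creation records: a document-named file that actually carries the CAB magic (the Make.docx trick), extrac32.exe pointed at a "document", a .pif executable running from %Temp%, and cmd.exe opening a decoy document from %Temp%. The log schema (image, cmdline, parent), the paths and the sample events are constructed assumptions.

```python
"""Added example: heuristic detection of the NSIS/AutoIt staging chain.
Field names, paths and sample events below are constructed, not from the report."""
import re

# Constructed process-creation records shaped like a generic EDR/Sysmon export.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\u\AppData\Local\Temp\setup.exe", "cmdline": "setup.exe", "parent": "explorer.exe"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c start "" "C:\Users\u\AppData\Local\Temp\Contribute.docx"', "parent": "setup.exe"},
    {"image": r"C:\Windows\System32\extrac32.exe",
     "cmdline": r"extrac32.exe /Y C:\Users\u\AppData\Local\Temp\Make.docx", "parent": "setup.exe"},
    {"image": r"C:\Users\u\AppData\Local\Temp\Riding.pif", "cmdline": "Riding.pif script.a3x", "parent": "cmd.exe"},
    {"image": r"C:\Program Files\Foo\app.exe", "cmdline": "app.exe", "parent": "explorer.exe"},
]

DOC_EXT = re.compile(r"\.(docx?|xlsx?|pptx?|pdf)\b", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)

def is_disguised_cab(header: bytes, filename: str) -> bool:
    """A 'document' whose first bytes are the cabinet magic 'MSCF' is a CAB
    archive in disguise (Make.docx); a real .docx starts with the ZIP 'PK' magic."""
    return bool(DOC_EXT.search(filename)) and header.startswith(b"MSCF")

def classify(event: dict) -> list[str]:
    """Return the heuristic names this event matches (empty list = nothing seen)."""
    hits = []
    image = event["image"].lower()
    cmd = event["cmdline"]
    base = image.rsplit("\\", 1)[-1]
    # extrac32.exe unpacking a file with a document extension: CAB hidden as a .docx
    if base == "extrac32.exe" and DOC_EXT.search(cmd):
        hits.append("extrac32_on_document")
    # .pif/.com/.scr running from %Temp%: renamed AutoIt runtime such as Riding.pif
    if TEMP_DIR.search(image) and base.endswith((".pif", ".com", ".scr")):
        hits.append("temp_pif_execution")
    # cmd.exe opening a document from %Temp%: the Contribute.docx decoy
    if base == "cmd.exe" and TEMP_DIR.search(cmd) and DOC_EXT.search(cmd):
        hits.append("cmd_opens_temp_document")
    return hits

def flagged(events: list[dict]) -> dict[str, list[str]]:
    """Map each suspicious image path to the heuristics it triggered."""
    return {e["image"]: h for e in events if (h := classify(e))}

if __name__ == "__main__":
    for path, hits in flagged(SAMPLE_EVENTS).items():
        print(path, "->", ", ".join(hits))
```

Each heuristic alone is noisy; the value is in correlating them under one parent installer within a short window, which is also what GSC's "no single indicator" remark implies.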
The AutoIt script itself is heavily obfuscated, containing dummy code and ASCII-encoded strings to bypass static scanning.
“When deobfuscated, strings are recoverable, but numerous dummy code blocks remain inserted to obstruct comprehensive analysis,” the GSC report observes.
After decryption, the script injects Lumma Infostealer into memory using the Process Hollowing technique — replacing the benign AutoIt process with the malicious payload while maintaining a legitimate appearance.
“Although the running process appears as ‘Riding.pif,’ Lumma Infostealer actually executes within that process,” analysts confirmed.
Once operational, Lumma Infostealer decrypts its C2 (command-and-control) domains and connects to remote servers to exfiltrate stolen data.
The Genians team identified multiple active C2 servers during analysis:
| Domain | IP Address |
|---|---|
| rhussois[.]su | 64.31.56[.]58 |
| diadtuky[.]su | 109.104.153[.]203 |
| todoexy[.]su | 64.227.2[.]250 |
The malware primarily targets:
- Web browser credentials (Chrome, Edge)
- Email and communication data (Outlook, Telegram)
- Cryptocurrency wallets
- VPN and RDP credentials
- Remote access software configurations
GSC’s telemetry shows that once data is collected, it is compressed and transmitted to these C2 servers for resale or use in account takeover and financial fraud operations.