
Figure: ClickFix initial access (Source: TRU)
eSentire’s Threat Response Unit (TRU) has identified a new tactic employed by the developers of the Lumma Stealer malware: the use of the ChaCha20 cipher for configuration decryption. This change, discovered on January 21, 2025, highlights the ongoing efforts by cybercriminals to evade detection and analysis.
Lumma Stealer, also known as LummaC2, is an information-stealing malware operating as a Malware-as-a-Service (MaaS). It is primarily sold in underground Russian-speaking forums and commonly delivered through the ClickFix initial access method. This method involves social engineering tactics to trick users into executing malicious PowerShell commands.
“These changes provide insight into the evasive tactics employed by the developer(s) who are actively working to circumvent current extraction and analysis tools,” warns eSentire TRU.
The recent update to Lumma Stealer adds a ChaCha20 subroutine for configuration decryption. Each sample carries its own 32-byte key and 8-byte nonce, so a decryptor has to recover both from every binary instead of reusing known values, which is what raises the cost of automated extraction. An 8-byte nonce is the parameter set of the original Bernstein ChaCha20 (64-bit block counter, 64-bit nonce), not the IETF RFC 8439 variant (32-bit counter, 96-bit nonce); a decryptor that lays out the cipher state the IETF way will produce garbage.
eSentire TRU has developed a Python script to extract the new configuration format. Configurations recovered with it show that the latest version of Lumma Stealer collects sensitive information and exfiltrates it to a set of command-and-control (C2) servers.