- Lumma Stealer malware hides behind a fake Telegram Premium site and launches without a user click
- The executable is protected with a cryptor, letting it slip past most traditional antivirus scanning techniques
- The malware connects to real Telegram servers while secretly sending stolen data to hidden domains
A malicious campaign is targeting users through a fraudulent Telegram Premium site that delivers a dangerous variant of the Lumma Stealer malware.
According to a report from Cyfirma, the domain telegrampremium[.]app closely mimics the legitimate Telegram Premium brand and hosts a file named start.exe.
This executable, written in C/C++, is downloaded automatically when the site is visited and requires no user interaction.
A closer look at the delivery of malware
Once executed, it harvests sensitive data, including browser-stored credentials, cryptocurrency wallet details and system information, increasing risks such as identity theft and financial loss.
The fake site acts as a drive-by download mechanism, a method where the malicious payload is delivered automatically without explicit consent.
The executable's high entropy suggests the use of a cryptor for obfuscation, which complicates detection by traditional security suites.
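The entropy observation above is easy to reproduce. The following is an added example, not code from the Cyfirma report or from the malware: it measures Shannon entropy per 4 KB window so that a packed or encrypted body stands out from the low-entropy PE header and resources, and flags the file when most windows sit above a threshold. The 7.2 bits/byte threshold, the 50% window fraction and the two sample byte strings are assumptions constructed for the demo (the "packed" sample is uniformly distributed bytes, which is how cryptor output looks).

```python
import math
import sys
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for constant data, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def windowed_entropy(data: bytes, window: int = 4096) -> list:
    """Entropy per fixed-size window, so packed/encrypted regions stand out from headers and resources."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def looks_packed(data: bytes, threshold: float = 7.2, min_fraction: float = 0.5) -> bool:
    """Heuristic: flag the file when at least min_fraction of its windows exceed threshold bits/byte.
    Thresholds are assumptions chosen for this demo; compressed resources in clean binaries can also
    be high, so treat a hit as a triage signal rather than a verdict."""
    ents = windowed_entropy(data)
    if not ents:
        return False
    hot = sum(1 for e in ents if e >= threshold)
    return hot / len(ents) >= min_fraction


# Constructed samples (not the real start.exe): a "plain" image whose body is repeated text, and a
# "packed" image whose body is uniformly distributed bytes, as a cryptor-wrapped payload would look.
PLAIN_SAMPLE = b"MZ" + b"\x00" * 4094 + b"This program cannot be run in DOS mode.\r\n" * 100
PACKED_SAMPLE = b"MZ" + b"\x00" * 4094 + bytes(range(256)) * 64


def triage(data: bytes) -> dict:
    """Summarise the entropy profile the way a first-pass triage script would report it."""
    ents = windowed_entropy(data)
    return {
        "size": len(data),
        "overall": round(shannon_entropy(data), 3),
        "max_window": round(max(ents), 3) if ents else 0.0,
        "packed": looks_packed(data),
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(triage(fh.read()))
    else:
        print("plain :", triage(PLAIN_SAMPLE))
        print("packed:", triage(PACKED_SAMPLE))
```

Run it with a file path to profile a real sample. Windowing matters: a whole-file average can be dragged down by a large zero-padded header or resource section, while the per-window view shows the packed section directly.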
Static analysis shows that the malware imports several Windows API functions to manipulate files, modify the registry, access the clipboard, execute additional payloads and evade detection.
The malware also issues DNS queries directly to Google's Public DNS resolver, bypassing internal network DNS controls.
It communicates both with legitimate services such as Telegram and Steam Community, possibly for command-and-control purposes, and with algorithmically generated domains to evade domain blocklists.
These techniques let the malware maintain its communication channels while evading firewalls and conventional monitoring tools.
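The two network behaviours above (bypassing the internal resolver and using generated domains) are both visible in DNS telemetry. The following is an added example, not code from the Cyfirma report: it reads a flat "timestamp client resolver qname" log, flags any query that did not go through the corporate resolvers (tagging Google Public DNS separately), and applies a cheap DGA heuristic to the second-level label. The internal resolver address 10.0.0.53, the log format, the sample lines and the heuristic thresholds are all assumptions constructed for the demo; 8.8.8.8 and 8.8.4.4 are Google's public resolvers.

```python
import re
from dataclasses import dataclass

# Assumption: the organisation's own internal DNS servers; anything else is an out-of-policy resolver.
CORP_RESOLVERS = {"10.0.0.53"}
GOOGLE_PUBLIC_DNS = {"8.8.8.8", "8.8.4.4"}

# Constructed sample telemetry (not real logs) in a flat "timestamp client resolver qname" format.
SAMPLE_LOG = """\
2025-04-02T10:00:01Z 10.1.2.34 10.0.0.53 login.microsoftonline.com
2025-04-02T10:00:07Z 10.1.2.34 8.8.8.8 api.telegram.org
2025-04-02T10:00:07Z 10.1.2.34 8.8.8.8 steamcommunity.com
2025-04-02T10:00:09Z 10.1.2.34 8.8.8.8 xkqzvtrbwplmdng.shop
2025-04-02T10:00:12Z 10.1.2.34 10.0.0.53 update.googleapis.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


@dataclass
class Finding:
    ts: str
    client: str
    resolver: str
    qname: str
    reasons: tuple


def dga_like(qname: str, min_len: int = 10, max_vowel_ratio: float = 0.25) -> bool:
    """Cheap DGA heuristic on the second-level label: long and nearly vowel-free.
    Thresholds are assumptions; brand names like 'steamcommunity' pass because of their vowels."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    label = labels[-2]  # no public-suffix list here, so 'example.co.uk'-style names need care
    letters = [c for c in label if c.isalpha()]
    if len(label) < min_len or not letters:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(letters) < max_vowel_ratio


def analyze(log_text: str, corp_resolvers=CORP_RESOLVERS) -> list:
    """Flag queries that bypass the internal resolvers and/or target DGA-shaped names."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, resolver, qname = m.groups()
        reasons = []
        if resolver not in corp_resolvers:
            reasons.append("google-public-dns" if resolver in GOOGLE_PUBLIC_DNS else "external-resolver")
        if dga_like(qname):
            reasons.append("dga-like")
        if reasons:
            findings.append(Finding(ts, client, resolver, qname, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.ts} {f.client} -> {f.resolver} {f.qname}: {', '.join(f.reasons)}")
```

Note that the Telegram and Steam queries are flagged only because of the resolver path, not the name: those services are legitimate and cannot sensibly be blocklisted, so attributing them to a process needs EDR-level correlation. The resolver bypass itself is the easier win: an egress firewall rule that allows port 53 only to the internal resolvers turns the "google-public-dns" finding into a hard block.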
The domain involved was registered recently, and its hosting characteristics suggest it was set up for short-term, targeted activity.
The malware drops additional disguised files in the %TEMP% directory, including encrypted payloads masquerading as image files.
Some are later renamed and executed as obfuscated scripts, enabling the malware to clean up its tracks.
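Files that carry an image extension but not an image header are a cheap, high-signal check for the %TEMP% drops described above. The following is an added example, not code from the Cyfirma report: it compares each file's extension against the format's magic bytes and reports the mismatch as either a PE (an executable renamed to look like a picture) or an unrecognised blob (what an encrypted second stage looks like). The image signatures are the standard ones; the scratch directory and the four constructed files in it are assumptions made for the demo.

```python
import sys
import tempfile
from pathlib import Path

# Leading bytes (magic) of the image formats a dropped payload is most likely to imitate.
IMAGE_MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".bmp": (b"BM",),
}
PE_MAGIC = b"MZ"  # DOS stub header that every Windows PE file starts with


def classify_header(head: bytes) -> str:
    """Name the format the first bytes actually belong to: 'pe', an image extension, or 'unknown'."""
    if head.startswith(PE_MAGIC):
        return "pe"
    for ext, sigs in IMAGE_MAGIC.items():
        if any(head.startswith(s) for s in sigs):
            return ext.lstrip(".")
    return "unknown"


def find_masqueraders(directory) -> list:
    """Return (filename, real_format) for files whose image extension does not match their content.
    'pe' means an executable renamed to look like a picture; 'unknown' covers encrypted blobs with
    no recognisable header, which is what an encrypted second-stage payload looks like on disk."""
    hits = []
    for path in sorted(Path(directory).iterdir()):
        if not path.is_file():
            continue
        ext = path.suffix.lower()
        if ext not in IMAGE_MAGIC:
            continue
        with open(path, "rb") as fh:
            head = fh.read(16)
        if not any(head.startswith(s) for s in IMAGE_MAGIC[ext]):
            hits.append((path.name, classify_header(head)))
    return hits


def build_sample_dir() -> str:
    """Create a scratch directory with constructed files standing in for %TEMP% contents."""
    d = tempfile.mkdtemp(prefix="stealer_demo_")
    (Path(d) / "photo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)   # genuine PNG header
    (Path(d) / "cache.jpg").write_bytes(b"MZ\x90\x00\x03\x00" + b"\x00" * 64)  # PE renamed to .jpg
    (Path(d) / "icon.gif").write_bytes(bytes(range(200, 256)) * 2)            # encrypted-looking blob
    (Path(d) / "notes.txt").write_bytes(b"not an image, ignored")              # non-image extension
    return d


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_dir()
    for name, real in find_masqueraders(target):
        print(f"{name}: extension says image, content is {real}")
```

On a Windows host, run it as `python check.py %TEMP%`. Only the first 16 bytes of each file are read, so sweeping a large temp directory is cheap; a hit with real_format "pe" is worth an immediate hash lookup and an EDR process-tree query for whatever wrote the file.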
It uses functions such as Sleep to delay execution and LoadLibraryExW to load DLLs stealthily, making it harder for analysts to spot its presence during an initial inspection.
Staying safe against threats of this kind requires a combination of technical measures and user awareness.
How to remain safe
- Organizations should deploy endpoint detection and response (EDR) solutions capable of identifying the suspicious behaviour patterns associated with Lumma Stealer
- Block all access to the malicious domains
- Enforce strict download controls to prevent delivery of the payload
- Multi-factor authentication is important to limit the damage if credentials are compromised
- Regular credential rotation helps reduce the risk of prolonged attacker access
- Continuous monitoring for suspicious activity allows faster detection of and response to potential breaches