
Beyond Signatures: Detecting Lumma Stealer with an ML-Powered Sandbox

Medium
Published: Thu Sep 25 2025 (09/25/2025, 23:21:25 UTC)
Source: AlienVault OTX General

Description

This analysis focuses on a new variant of Lumma Stealer, a malware family that reemerged after a brief hiatus following a law enforcement operation. The article details the malware's code obfuscation, evasion techniques, and persistence mechanisms. It describes Netskope's machine learning-based detection approach, which uses a Cloud Sandbox enhanced with ML models to analyze runtime behavior, process trees, and other features. The specific sample analyzed is an NSIS installer file that abuses AutoIt for malicious purposes. The malware employs various anti-analysis techniques and establishes persistence through the Windows Startup folder. Netskope's multi-layered threat protection system successfully detected this Lumma Stealer variant.

AI-Powered Analysis

Last updated: 09/26/2025, 11:26:08 UTC

Technical Analysis

Lumma Stealer is a malware family known for stealing sensitive information from infected systems. This report focuses on a new variant of Lumma Stealer that resurfaced after a temporary disruption caused by law enforcement actions. The analyzed sample is delivered as an NSIS (Nullsoft Scriptable Install System) installer file that leverages AutoIt scripting to execute malicious payloads. This variant employs advanced code obfuscation and multiple evasion techniques to avoid detection by traditional signature-based antivirus solutions. It uses anti-analysis methods such as sandbox evasion and process injection to hinder forensic and automated analysis. Persistence is achieved by placing malicious components in the Windows Startup folder, ensuring the malware runs on system boot. These techniques also complicate runtime analysis of the malware’s process trees and system activity, and therefore its detection. Netskope’s detection approach uses a cloud-based sandbox environment enhanced with machine learning models that analyze behavioral indicators rather than relying solely on static signatures. This multi-layered detection strategy successfully identified the Lumma Stealer variant despite its sophisticated evasion tactics. The malware’s tactics correspond to several MITRE ATT&CK techniques, including command and scripting interpreter abuse (T1059.007, T1059.001, T1059.005), code obfuscation (T1027), process injection (T1055), persistence via the Startup folder (T1547.001), and anti-analysis (T1497). Although no known exploits are currently reported in the wild for this variant, its reemergence and advanced evasion capabilities pose a continued threat to endpoint security.

Potential Impact

For European organizations, the resurgence of this Lumma Stealer variant presents a medium-level risk primarily to Windows-based endpoints. The malware’s ability to evade traditional signature-based detection and establish persistence can lead to prolonged undetected data exfiltration, including credentials, personal data, and potentially financial information. This can result in compromised user accounts, unauthorized access to corporate networks, and subsequent lateral movement by attackers. Organizations in sectors with high-value data such as finance, healthcare, and critical infrastructure could face operational disruptions and reputational damage. The use of AutoIt and NSIS installers may facilitate social engineering attacks, increasing the likelihood of successful infection. Given the malware’s persistence mechanism via the Startup folder, infected systems may remain compromised even after reboots, complicating remediation efforts. The lack of known active exploits in the wild currently limits immediate widespread impact, but the malware’s sophisticated evasion and persistence techniques suggest that targeted attacks or campaigns could emerge, especially against high-value European targets.

Mitigation Recommendations

European organizations should implement a multi-layered defense strategy that includes:
1) Deploying advanced endpoint detection and response (EDR) solutions capable of behavioral analysis and machine learning to detect obfuscated and evasive malware like Lumma Stealer.
2) Monitoring and restricting the execution of NSIS installer files and AutoIt scripts, especially from untrusted sources or email attachments, through application whitelisting and execution policies.
3) Regularly auditing and monitoring the Windows Startup folder and other persistence locations for unauthorized entries.
4) Enhancing user awareness training focused on recognizing phishing and social engineering tactics that may deliver such installers.
5) Employing network segmentation and least privilege principles to limit lateral movement if an endpoint is compromised.
6) Utilizing sandbox environments with ML capabilities for dynamic analysis of suspicious files before allowing execution in production environments.
7) Keeping all endpoint software and security tools up to date to leverage the latest detection capabilities.
8) Implementing robust logging and alerting mechanisms to detect anomalous process trees and suspicious runtime behaviors indicative of malware activity.
These measures go beyond generic advice by focusing on the specific delivery and persistence mechanisms used by this Lumma Stealer variant.
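As an added illustration of recommendations 3 and 8 (example code written for this page, not code from the original article or from Netskope): a small Python triage routine over constructed Sysmon-style process and file events that flags an AutoIt interpreter launched by a binary running from a user-writable path, which is how an NSIS installer abusing AutoIt would appear in a process tree, and attaches any Startup-folder writes made by that process or its descendants. The path patterns, pids, user name and file names are assumptions, not indicators from the page.

```python
import re
from collections import defaultdict

# Assumed patterns for the chain described above; none are IoCs from the page.
USER_WRITABLE_RE = re.compile(r"\\(Downloads|AppData\\Local\\Temp|Desktop)\\", re.I)
AUTOIT_RE = re.compile(r"\\autoit3(_x64)?\.exe\b|\.(a3x|au3)\b", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)

def ancestors(pid, parent_of):
    """Yield the ancestor pids of `pid`, stopping at the tree root or a cycle."""
    seen = set()
    while pid in parent_of and pid not in seen:
        seen.add(pid)
        pid = parent_of[pid]
        yield pid

def find_chains(events):
    """Alert on AutoIt spawned from a user-writable path; attach descendants' Startup writes."""
    image_of, parent_of, startup_writes = {}, {}, defaultdict(list)
    for ev in events:
        if ev["type"] == "process_create":
            image_of[ev["pid"]], parent_of[ev["pid"]] = ev["image"], ev["ppid"]
        elif ev["type"] == "file_create" and STARTUP_RE.search(ev["target"]):
            startup_writes[ev["pid"]].append(ev["target"])  # persistence candidates
    alerts = []
    for ev in events:
        if ev["type"] != "process_create" or not AUTOIT_RE.search(
                ev["image"] + " " + ev.get("cmdline", "")):
            continue
        parent_img = image_of.get(ev["ppid"], "")
        if not USER_WRITABLE_RE.search(parent_img):
            continue  # AutoIt run from an installed, trusted location: not this chain
        persisted = [t for pid, ts in startup_writes.items() for t in ts
                     if pid == ev["pid"] or ev["pid"] in ancestors(pid, parent_of)]
        alerts.append({"installer": parent_img, "autoit_pid": ev["pid"],
                       "startup_files": persisted})
    return alerts

# Constructed Sysmon-style events; pids, user name, paths and file names are made up.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 100, "ppid": 50,
     "image": r"C:\Users\alice\Downloads\Setup_Installer.exe"},
    {"type": "process_create", "pid": 120, "ppid": 100, "cmdline": "AutoIt3.exe payload.a3x",
     "image": r"C:\Users\alice\AppData\Local\Temp\nsa1F2.tmp\AutoIt3.exe"},
    {"type": "process_create", "pid": 130, "ppid": 120, "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "file_create", "pid": 130, "target": r"C:\Users\alice\AppData\Roaming"
     r"\Microsoft\Windows\Start Menu\Programs\Startup\Updater.lnk"},
    {"type": "process_create", "pid": 200, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"type": "file_create", "pid": 200, "target": r"C:\Users\alice\Documents\notes.txt"},
]
```

Running `find_chains(SAMPLE_EVENTS)` yields one alert for pid 120 that carries the Startup-folder write made by its child cmd.exe, while the explorer.exe activity produces nothing.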


Technical Details

Author: AlienVault
TLP: white
References: https://www.netskope.com/blog/beyond-signatures-detecting-lumma-stealer-with-an-ml-powered-sandbox
Adversary: null
Pulse Id: 68d5ce750be50aef2715a20b
Threat Score: null

Indicators of Compromise

Hash

87118baadfa7075d7b9d2aff75d8e730
78da004e332be8eaa5e111c34d6db3a28abb9767
ff7a1388fa59a9e1b43c5c88a1ee30e4abcec21a39882812a045aa9d9b865170

Threat ID: 68d6779375e7e97f9013399e

Added to database: 9/26/2025, 11:22:59 AM

Last enriched: 9/26/2025, 11:26:08 AM

Last updated: 9/28/2025, 7:26:57 PM

Views: 14
