
FAKE TELEGRAM PREMIUM SITE DISTRIBUTES NEW LUMMA STEALER VARIANT

Medium
Published: Sun Aug 03 2025 (08/03/2025, 04:27:08 UTC)
Source: AlienVault OTX General

Description

A malicious campaign using the domain 'telegrampremium[.]app' is distributing a new variant of Lumma Stealer malware. The fake site mimics the official Telegram Premium platform and automatically downloads an executable file 'start.exe' upon access. This sophisticated information-stealing trojan can exfiltrate browser credentials, cryptocurrency wallet details, and system information. The malware employs various techniques for persistence, defense evasion, and data theft, including file system manipulation, registry modification, and clipboard operations. The campaign highlights the ongoing use of brand impersonation and social engineering for large-scale malware distribution, emphasizing the need for robust security measures and user awareness.

AI-Powered Analysis

Last updated: 08/04/2025, 09:17:47 UTC

Technical Analysis

This threat involves a malicious campaign leveraging a fake website impersonating the official Telegram Premium platform, hosted at the domain 'telegrampremium[.]app'. Upon visiting the site, users are subjected to a drive-by download of an executable file named 'start.exe', which is a new variant of the Lumma Stealer malware. Lumma Stealer is an information-stealing trojan designed primarily for Windows systems. This malware is capable of exfiltrating sensitive data such as browser credentials, cryptocurrency wallet information, and detailed system information. The malware employs multiple advanced techniques to maintain persistence on infected systems, evade detection, and facilitate data theft. These techniques include manipulation of the file system, modification of Windows registry keys, clipboard data interception, and potentially process injection or obfuscation methods as indicated by the MITRE ATT&CK tags (e.g., T1055 - Process Injection, T1027 - Obfuscated Files or Information). The campaign exploits brand impersonation and social engineering tactics to lure victims into downloading the malware, highlighting the ongoing threat posed by fake websites mimicking trusted brands. Indicators of compromise include multiple file hashes, suspicious domains, and an IP address linked to the campaign. Although no known exploits in the wild are reported, the malware's capability to steal credentials and cryptocurrency wallets poses a significant risk to affected users and organizations. The campaign underscores the importance of vigilance against phishing and drive-by download attacks, especially those exploiting popular platforms like Telegram.

Potential Impact

For European organizations, this threat poses a medium to high risk primarily due to the potential compromise of user credentials and sensitive financial information, including cryptocurrency wallets. Credential theft can lead to unauthorized access to corporate accounts, email systems, and internal resources, potentially resulting in data breaches, financial fraud, or lateral movement within networks. The malware’s ability to persist and evade detection increases the likelihood of prolonged compromise, which can exacerbate damage. Organizations with employees or customers who use Telegram Premium or related services are particularly vulnerable to social engineering attacks leveraging this fake site. The theft of browser credentials may also expose access to other corporate web services, increasing the attack surface. Additionally, the exfiltration of system information could aid attackers in tailoring further attacks or exploiting other vulnerabilities. The campaign’s use of drive-by downloads means that even a single visit to the malicious site can result in infection, increasing the risk of widespread impact if the domain is accessed from corporate networks. Given the increasing adoption of cryptocurrencies in Europe, theft of wallet credentials could lead to direct financial losses. Overall, this threat could disrupt business operations, compromise sensitive data, and cause reputational damage to affected organizations.

Mitigation Recommendations

1. Implement robust web filtering solutions to block access to known malicious domains such as 'telegrampremium[.]app' and the associated suspicious domains listed in the indicators.
2. Deploy endpoint detection and response (EDR) tools capable of identifying and blocking information-stealing malware behaviors, including file system manipulation, registry changes, and clipboard monitoring.
3. Enforce strict application whitelisting policies to prevent unauthorized execution of unknown executables like 'start.exe'.
4. Conduct targeted user awareness training focusing on the risks of brand impersonation, phishing, and drive-by downloads, emphasizing verification of URLs and the dangers of downloading executables from untrusted sources.
5. Regularly audit and monitor browser credential stores and cryptocurrency wallet applications for unauthorized access or anomalies.
6. Utilize multi-factor authentication (MFA) across all critical systems to mitigate the impact of credential theft.
7. Maintain up-to-date threat intelligence feeds and integrate them with security controls to promptly block emerging indicators of compromise.
8. Monitor network traffic for unusual outbound connections, especially to the IP address 87.120.126.213 and the domains listed, to detect potential data exfiltration attempts.
9. Implement strict privilege management to limit the ability of malware to modify registry keys or system files.
10. Encourage the use of hardware wallets or secure wallet management practices to reduce the risk of cryptocurrency theft.
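Recommendation 8 is easiest to act on once the indicators are normalised, since this report itself gives the domain defanged ('telegrampremium[.]app') and the IP plain. The following Python is an added example, not part of the report or of the cited CYFIRMA research: it refangs the indicators, matches them against constructed DNS and proxy log lines (subdomains of the domain count, the IP only on whole-address boundaries) and reports hits defanged again so alert text is not clickable.

```python
import re

# Indicators taken from this report (the page gives the domain defanged
# and the IP plain); everything else in this block is constructed.
REPORT_INDICATORS = ["telegrampremium[.]app", "87.120.126.213"]

def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into its matchable form."""
    return indicator.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http").lower()

def defang(indicator: str) -> str:
    """Defang for safe display in alerts so the value is not clickable."""
    return indicator.replace(".", "[.]")

def build_matchers(indicators):
    """Compile one regex per indicator; domains also match their subdomains."""
    matchers = []
    for ioc in indicators:
        clean = refang(ioc)
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", clean):
            pattern = r"(?<![\d.])" + re.escape(clean) + r"(?![\d.])"
        else:
            pattern = r"(?:^|[^a-z0-9.-])(?:[a-z0-9-]+\.)*" + re.escape(clean) + r"(?![a-z0-9-])"
        matchers.append((clean, re.compile(pattern, re.IGNORECASE)))
    return matchers

def sweep_logs(lines, indicators=REPORT_INDICATORS):
    """Return (line_number, defanged_indicator) for every log line that hits an IoC."""
    hits = []
    matchers = build_matchers(indicators)
    for number, line in enumerate(lines, start=1):
        for clean, regex in matchers:
            if regex.search(line):
                hits.append((number, defang(clean)))
    return hits

# Constructed sample DNS-resolver and proxy log lines (not from the report).
SAMPLE_LOGS = [
    "2025-08-04T09:01:12Z dns client=10.0.0.23 query=telegrampremium.app type=A",
    "2025-08-04T09:01:13Z proxy client=10.0.0.23 dst=87.120.126.213:443 url=https://telegrampremium.app/start.exe",
    "2025-08-04T09:02:40Z dns client=10.0.0.41 query=web.telegram.org type=A",
    "2025-08-04T09:03:05Z proxy client=10.0.0.41 dst=187.120.126.213:443 url=https://example.com/",
]

if __name__ == "__main__":
    for number, ioc in sweep_logs(SAMPLE_LOGS):
        print(f"line {number}: matched {ioc}")
```

The fourth sample line shows why the IP pattern anchors on address boundaries: 187.120.126.213 contains the indicator as a substring but is a different host and must not alert.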


Technical Details

Author: AlienVault
TLP: white
References: https://www.cyfirma.com/research/fake-telegram-premium-site-distributes-new-lumma-stealer-variant
Adversary: null
Pulse Id: 688ee51c244879cbcd8b5826
Threat Score: null

Indicators of Compromise


IP

87.120.126.213


Threat ID: 6890772bad5a09ad00df9c08

Added to database: 8/4/2025, 9:02:35 AM

Last enriched: 8/4/2025, 9:17:47 AM

Last updated: 8/4/2025, 10:08:37 AM
