fosstodon.org is one of the many independent Mastodon servers you can use to participate in the fediverse.

#LummaStealer


YouTube Creators Under Siege Again: Clickflix Technique Fuels Malware Attacks

Cybercriminals are targeting YouTube creators with a sophisticated malware campaign using the Clickflix technique. Attackers impersonate popular brands and offer fake collaboration opportunities to lure victims. The campaign employs spearphishing emails with malicious attachments and links to fake Microsoft webpages. These pages trick users into executing PowerShell scripts that download and run malware, such as Lumma Stealer. The malware steals browser data, cryptocurrency wallet information, and other sensitive data, transmitting it to command and control servers. The attack chain includes stealth and persistence mechanisms to evade detection. This campaign exploits content creators' interest in brand deals and partnerships, representing an evolution of previously observed tactics against YouTube channels.

Pulse ID: 67e2e9f6e43ced7354e51385
Pulse Link: otx.alienvault.com/pulse/67e2e
Pulse Author: AlienVault
Created: 2025-03-25 17:37:58

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

LevelBlue - Open Threat Exchange: Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

AMOS and Lumma Stealers Exploit Reddit to Steal Data

A malware campaign is targeting cryptocurrency users, particularly on Reddit, by offering fake "cracked" versions of popular tools like TradingView.

Pulse ID: 67dfda2834ecf630bc846cfc
Pulse Link: otx.alienvault.com/pulse/67dfd
Pulse Author: cryptocti
Created: 2025-03-23 09:53:44

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


AI-Assisted Fake GitHub Repositories Steal Sensitive Data

A sophisticated malware campaign that leverages artificial intelligence to create deceptive GitHub repositories has been observed distributing SmartLoader payloads that ultimately deploy Lumma Stealer, a dangerous information-stealing malware.

Pulse ID: 67d9ac798438f45e29f5cdcd
Pulse Link: otx.alienvault.com/pulse/67d9a
Pulse Author: cryptocti
Created: 2025-03-18 17:25:13

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


Phishing campaign impersonates Booking.com, delivers a suite of credential-stealing malware

A phishing campaign targeting the hospitality industry impersonates Booking.com to deliver multiple credential-stealing malware families. The campaign, tracked as Storm-1865, uses a social engineering technique called ClickFix to trick users into downloading malicious payloads. Targets are sent emails with links to fake Booking.com pages, which prompt users to execute commands that download malware. The campaign delivers various malware families including XWorm, Lumma stealer, VenomRAT, AsyncRAT, Danabot, and NetSupport RAT. Organizations in North America, Oceania, Asia, and Europe are targeted. The threat actor's evolving tactics demonstrate attempts to bypass conventional security measures.

Pulse ID: 67d30e5c763aea4dce897014
Pulse Link: otx.alienvault.com/pulse/67d30
Pulse Author: AlienVault
Created: 2025-03-13 16:57:00

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


AI-Assisted Fake GitHub Repositories Fuel SmartLoader and LummaStealer Distribution

A campaign using fake GitHub repositories to distribute SmartLoader and Lumma Stealer malware has been uncovered. The attackers create convincing repositories using AI-generated content to deceive users into downloading malicious files disguised as gaming cheats, cracked software, and system tools. The malware is delivered through obfuscated Lua scripts in ZIP files, exploiting GitHub's trusted reputation to evade detection. Upon execution, SmartLoader facilitates the delivery of Lumma Stealer, which can steal sensitive information like cryptocurrency wallets, 2FA extensions, and login credentials. This campaign demonstrates the evolving tactics of cybercriminals, adapting from using GitHub file attachments to creating entire repositories with AI-assisted deception.

Pulse ID: 67d02fc805ff65bf0f2f46eb
Pulse Link: otx.alienvault.com/pulse/67d02
Pulse Author: AlienVault
Created: 2025-03-11 12:42:48

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


Lumma Stealer is currently one of the most popular malware families. Campaigns involving this info stealer have a notable presence in DNS. We’ve been tracking a threat actor that deploys a large number of domains to advertise file share links dropping Lumma Stealer. These campaigns are interesting because the actor uses a traffic distribution system (TDS), cloaking, and web tracking technology (e.g. Matomo, Bablosoft) to hide and protect the malicious content. Here are recent examples of the TDS and landing page domains.

:::TDS + Cloaking:::
am4[.]myidmcrack[.]site
bjnhuy[.]shop
filefetch[.]click
mplopop[.]shop
oyoclean[.]sbs
psldi3z[.]com
readyf1[.]click
volopi[.]cfd

:::Landing Page:::
14redirect[.]cfd
downf[.]lol
fbfgsnew[.]com
icjvueszx[.]com
lkjpoisjnil[.]site
sikoip[.]cfd
zulmie[.]cfd


An attack that we investigated today showed a new Lumma Stealer payload and C2 domain that is only a day old.

:::Lumma Stealer executable SHA256::: df148680db17e221e6c4e8aed89b4d3623f4a8ad86a3a4d43c64d6b1768c5406

:::Text sites containing Lumma Stealer configuration details:::
hXXps://rentry[.]co/feouewe5/raw
hXXps://pastebin[.]com/raw/uh1GCpxx

:::Newly created Lumma Stealer C2:::
hXXps://urbjanjungle[.]tech/api
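The indicators in the two posts above are published defanged (`[.]` for dots, `hXXps` for the scheme), so they cannot be dropped into a DNS block list or a log search as-is. The following is an added example, not code from the posts' authors: it refangs indicator text in that style, extracts the domains and the SHA256, and checks constructed DNS query lines against the domain list with a label-boundary-aware subdomain match (so `cdn.filefetch.click` hits but `notfilefetch.click` does not). The DNS log format, the client addresses and the query names are invented for the demo; the indicator values themselves are the ones listed in the posts.

```python
import re
from typing import List, Optional, Set, Tuple

# Constructed sample: a subset of the indicators from the posts above,
# kept in the same defanged style they were published in.
INDICATOR_TEXT = """
:::TDS + Cloaking:::
am4[.]myidmcrack[.]site
filefetch[.]click
:::Landing Page:::
downf[.]lol
zulmie[.]cfd
:::Lumma Stealer executable SHA256::: df148680db17e221e6c4e8aed89b4d3623f4a8ad86a3a4d43c64d6b1768c5406
:::Newly created Lumma Stealer C2:::
hXXps://urbjanjungle[.]tech/api
"""

# Constructed DNS resolver log lines. The "query=<name>" format is an
# assumption for this demo, not any particular product's log format.
SAMPLE_DNS_LOG = [
    "2025-03-25T17:40:01Z client=10.0.0.12 query=www.example.com type=A",
    "2025-03-25T17:40:03Z client=10.0.0.12 query=am4.myidmcrack.site type=A",
    "2025-03-25T17:40:05Z client=10.0.0.27 query=cdn.filefetch.click type=A",
    "2025-03-25T17:40:09Z client=10.0.0.27 query=notfilefetch.click type=A",
    "2025-03-25T17:41:00Z client=10.0.0.31 query=urbjanjungle.tech. type=A",
]

# One indicator line: optional defanged scheme, a host, an optional path.
DOMAIN_RE = re.compile(r"^(?:hXXps?://)?([a-z0-9.\[\]()-]+)(?:/\S*)?$", re.IGNORECASE)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)
QUERY_RE = re.compile(r"\bquery=(\S+)")


def refang(value: str) -> str:
    """Undo the common defanging conventions: [.] or (.) -> '.', hXXp(s) -> http(s)."""
    value = value.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hXXp", "http", value, flags=re.IGNORECASE)


def extract_domains(text: str) -> Set[str]:
    """Collect refanged, lower-cased host names from an indicator list."""
    domains: Set[str] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(":::"):
            continue  # skip blanks and the :::section::: headers
        m = DOMAIN_RE.match(line)
        if m:
            domains.add(refang(m.group(1)).lower())
    return domains


def extract_sha256(text: str) -> Set[str]:
    """Collect SHA256 hashes (64 hex chars) mentioned anywhere in the text."""
    return {h.lower() for h in SHA256_RE.findall(text)}


def matching_indicator(qname: str, domains: Set[str]) -> Optional[str]:
    """Return the indicator that qname equals or is a subdomain of, else None.

    The check is done on label boundaries: 'notfilefetch.click' must not
    match the indicator 'filefetch.click'.
    """
    qname = qname.lower().rstrip(".")  # tolerate a trailing root dot
    for d in domains:
        if qname == d or qname.endswith("." + d):
            return d
    return None


def scan_dns_log(lines: List[str], domains: Set[str]) -> List[Tuple[str, str]]:
    """Return (queried name, matched indicator) for every line that hits."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        ioc = matching_indicator(m.group(1), domains)
        if ioc:
            hits.append((m.group(1), ioc))
    return hits


if __name__ == "__main__":
    iocs = extract_domains(INDICATOR_TEXT)
    print("domains:", sorted(iocs))
    print("sha256:", extract_sha256(INDICATOR_TEXT))
    for qname, ioc in scan_dns_log(SAMPLE_DNS_LOG, iocs):
        print(f"HIT {qname} -> {ioc}")
```

The subdomain-aware match matters for this actor's infrastructure in particular: the TDS domains are advertised with varying host labels, so an exact-match list would miss `cdn.filefetch.click` while a naive substring match would produce false positives on unrelated names.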