In a sophisticated cyber-attack, hackers are exploiting the brand identities of popular platforms such as Reddit and WeTransfer to distribute a malicious software known as Lumma Stealer. This malware is designed to extract sensitive information, posing significant threats to both individual users and organizations.
The Anatomy of the Attack
Fake Reddit Pages
Cybercriminals have expertly crafted over a thousand web pages that mimic the interface of Reddit, a widely-used social discussion platform. These deceptive sites host fake discussion threads on various topics. A typical scenario involves a user inquiring about a tool or service, followed by another user pretending to assist by sharing a download link. To make the exchange appear genuine, a third user expresses gratitude, further solidifying the illusion of legitimacy.
Impersonating WeTransfer
Clicking the shared link redirects users to a counterfeit WeTransfer page, a pivotal element of the attack. This site mimics the appearance and functionality of the real file-sharing service, but with a crucial difference: the download button triggers the delivery of the Lumma Stealer malware, hosted on a domain like “weighcobbweo[.]top.”
Technical Details of the Fraudulent Sites
The fake sites have URLs that incorporate the names of the impersonated brands, interspersed with random characters to create an appearance of authenticity. They predominantly use “.org” or “.net” as their top-level domains, adding an additional veneer of credibility.

Discovery and Analysis
An investigation conducted by Sekoia researcher "crep1x" exposed approximately 529 pages masquerading as Reddit and 407 as WeTransfer. Despite these detailed findings, the specific origins of the infection chain remain unclear. It is hypothesized that the entry point for these attacks could include methods such as malvertising, SEO poisoning, malicious websites, or direct social media messages.
This isn't the first time such tactics have been employed. We remember last year the same researcher discovered over 1,300 sites using the AnyDesk brand to distribute Vidar Stealer malware, showcasing a pattern in exploiting well-known brands to facilitate malware distribution.
The Danger of Lumma Stealer Malware
Lumma Stealer poses significant risks due to its advanced capabilities. Sold to hackers who disseminate it via various vectors—including GitHub comments and harmful websites—this malware has advanced mechanisms that can effortlessly evade detection while exfiltrating data.
Lumma Stealer is a potent malware designed to extract sensitive information from computers. Its primary focus is on harvesting data stored in web browsers, such as passwords, autofill details, and cookies. This malware is particularly dangerous because it can capture session tokens, allowing attackers to hijack accounts without needing the actual credentials. To effectively avoid detection, Lumma Stealer uses advanced evasion techniques. These may include disguising itself as legitimate processes or employing obfuscation methods to slip past security software undetected.
The distribution of Lumma Stealer is widespread and multifaceted. Cybercriminals often utilize fake websites, social engineering tactics, and malvertising to trick users into unwittingly downloading the malware.
The impact of Lumma Stealer is significant, posing a real threat to both individuals and organizations. By obtaining sensitive login details, attackers can perform account takeovers, leading to potential financial loss and data breaches. The stolen information is often traded or sold on hacker forums, further amplifying the risk and reach of the malware. As such, it underscores the importance of robust cybersecurity measures and heightened user vigilance for safeguarding against such threats.
High-Profile Breaches
Info-stealer malware has recently been implicated in substantial cyber-attacks on major platforms like PowerSchool, HotTopic, CircleCI, and Snowflake, underlining the critical threat such malware poses to our security.

Protective Measures and Recommendations
Vigilance and Verification
To mitigate risk, users should remain vigilant and verify the authenticity of websites and links before downloading files. Official websites often have distinct, easy-to-recognize URLs, and users should be cautious of unfamiliar domain names.
Security Solutions
Deploying robust cybersecurity solutions with real-time threat detection can help identify and neutralize such threats. Regular updates to antivirus software and operating systems, along with educating users about phishing and social engineering techniques, are essential defensive strategies.
Organizational Policies
Organizations should implement stringent security policies, including regular audits and access controls, to prevent data breaches. Training employees to recognize phishing attempts and suspicious activity can further safeguard company data.
Conclusion
The rampant use of fake websites to spread Lumma Stealer malware highlights the evolving and persistent nature of cyber threats. By leveraging the trusted identities of Reddit and WeTransfer, hackers craft convincing scenarios aimed at deceiving users. It is incumbent upon both individuals and organizations to exercise caution and maintain strong cyber defenses to protect sensitive information from falling into the wrong hands.

Francis Borges
Founder / Security Engineer
Dynacomp IT Solutions
Comments