Unveiling LummaStealer’s Technical Details Through ML-Based Detection Approach

In early 2025, LummaStealer was used extensively by cybercriminals across industries including telecommunications, healthcare, banking, and marketing. A major law enforcement operation in May temporarily halted its spread, but new LummaStealer variants have since emerged.
This article discusses Netskope's approach to detecting these new variants.
In January 2025, Netskope Threat Labs observed a LummaStealer campaign and documented its delivery mechanisms and techniques. That analysis found fake CAPTCHA pages, malicious archives, and multi-stage unpacking. The newer samples add heavier obfuscation, which complicates detection.
ML-based Detection Approach
Netskope’s Advanced Threat Protection platform integrates static signatures with dynamic AI and machine learning-powered sandbox analysis. This multi-layered architecture applies ML models for both fast and deep scans. Suspicious files are executed in an isolated Windows cloud sandbox, capturing detailed runtime behavior, including:
- Process trees with API calls and DLL interactions.
- Registry modifications.
- File operations.
- Network activity.
A transformer-based model analyzes the hierarchical process tree as a sequence of node embeddings, augmented with tree positional encodings. Simultaneously, runtime behavioral events are vectorized. The model captures complex inter-node patterns and highlights anomalous actions, effectively identifying novel malware without overfitting to known samples.
Upon execution, the LummaStealer sample exhibited high anomaly scores in both process tree and behavior vectors, confirming its malicious nature despite advanced obfuscation techniques.
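As an added illustration (not Netskope's code; the article does not describe the model's internals), the block below shows one way to prepare the two inputs the paragraph above names: a pre-ordered sequence of process-tree nodes, each carrying a feature vector and a tree positional encoding, plus a run-level behavior vector. The positional encoding follows the Shiv and Quirk scheme (one-hot child index per level along the root path, zero-padded to a fixed width); the node feature is a hashed bag of tokens over image name and command line, concatenated with per-category API counts, standing in for a learned embedding. The caps MAX_DEPTH, MAX_DEGREE and TOKEN_DIM, the process name renamed.exe and all sandbox events are assumptions constructed for the example.

```python
import hashlib
from collections import defaultdict

MAX_DEPTH = 4      # assumption: deepest level the positional encoding represents
MAX_DEGREE = 4     # assumption: most children per node the encoding represents
TOKEN_DIM = 16     # assumption: width of the hashed bag-of-tokens feature
API_CATEGORIES = ("process", "file", "registry", "network")

# Constructed sandbox output for the example, not real telemetry.
# Processes: (pid, ppid, image name, command line). "renamed.exe" is a
# placeholder for the disguised AutoIt3 binary the article mentions.
PROCS = [
    (100, 4,   "setup.exe",   r'"C:\Users\u\Downloads\setup.exe"'),
    (104, 100, "cmd.exe",     r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\Parish.m4a"'),
    (110, 104, "renamed.exe", r"renamed.exe u.a3x"),
    (112, 104, "conhost.exe", r"conhost.exe 0x4"),
]
# API events: (pid, category, API name)
APIS = [
    (100, "file", "NtCreateFile"),
    (104, "process", "NtCreateUserProcess"),
    (110, "registry", "NtOpenKey"),
    (110, "file", "NtWriteFile"),
    (110, "network", "WSAConnect"),
]


def tree_positions(procs):
    """Map each pid to its path of child indices below a virtual root.

    Siblings are ordered by pid so the path is deterministic. Hanging every
    real root off one virtual root keeps all paths non-empty, so sorting the
    paths lexicographically yields a pre-order traversal of the tree."""
    children, parent = defaultdict(list), {}
    for pid, ppid, _, _ in procs:
        parent[pid] = ppid
        children[ppid].append(pid)
    roots = sorted(p for p in parent if parent[p] not in parent)
    positions = {}

    def walk(pid, path):
        positions[pid] = path
        for idx, child in enumerate(sorted(children[pid])):
            walk(child, path + [idx])

    for idx, root in enumerate(roots):
        walk(root, [idx])
    return positions


def positional_encoding(path):
    """Shiv & Quirk style tree encoding: one-hot child index per level,
    zero-padded to MAX_DEPTH * MAX_DEGREE. Levels or child indices beyond
    the caps are dropped rather than raising, so the width stays fixed."""
    vec = [0] * (MAX_DEPTH * MAX_DEGREE)
    for level, idx in enumerate(path[:MAX_DEPTH]):
        if idx < MAX_DEGREE:
            vec[level * MAX_DEGREE + idx] = 1
    return vec


def hashed_tokens(text):
    """Bag of tokens hashed into TOKEN_DIM buckets. sha256 rather than hash()
    so the feature is stable across Python processes (hash() is salted)."""
    vec = [0] * TOKEN_DIM
    for tok in text.lower().replace("\\", " ").replace('"', " ").split():
        digest = hashlib.sha256(tok.encode()).digest()
        vec[int.from_bytes(digest[:4], "little") % TOKEN_DIM] += 1
    return vec


def api_counts(pid, apis):
    """Per-category API call counts for one process."""
    counts = dict.fromkeys(API_CATEGORIES, 0)
    for p, cat, _ in apis:
        if p == pid:
            counts[cat] += 1
    return [counts[c] for c in API_CATEGORIES]


def node_sequence(procs, apis):
    """Pre-order list of (pid, node feature vector, positional encoding)."""
    positions = tree_positions(procs)
    by_pid = {pid: (img, cmd) for pid, _, img, cmd in procs}
    seq = []
    for pid in sorted(positions, key=positions.get):
        img, cmd = by_pid[pid]
        feat = hashed_tokens(img + " " + cmd) + api_counts(pid, apis)
        seq.append((pid, feat, positional_encoding(positions[pid])))
    return seq


def behavior_vector(apis):
    """Run-level behavior vector, independent of tree position: per-category
    event counts plus the number of distinct APIs observed."""
    counts = dict.fromkeys(API_CATEGORIES, 0)
    for _, cat, _ in apis:
        counts[cat] += 1
    return [counts[c] for c in API_CATEGORIES] + [len({api for _, _, api in apis})]


if __name__ == "__main__":
    for pid, feat, pos in node_sequence(PROCS, APIS):
        print(pid, pos, feat)
    print("behavior:", behavior_vector(APIS))
```

Feeding a model the node sequence together with the positional encodings (rather than flattening the tree and losing parent-child structure) is what lets it relate, say, a script interpreter to the installer three levels above it; the run-level vector carries the counts that do not belong to any single node.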
The analyzed sample was a Nullsoft Scriptable Install System (NSIS) installer, which allows threat actors to conceal and execute custom scripts under the guise of legitimate software. Inspection revealed embedded AutoIt scripts, which, upon extraction, displayed further malicious capabilities.
- [NSIS].nsi: An obfuscated NSIS script that triggers a batch file named Parish.m4a.
- Parish.m4a: A batch file containing additional payloads.
The NSIS script executes the batch file, which in turn extracts and runs a disguised copy of autoit3.exe together with a u.a3x script. The u.a3x script is obfuscated and performs environment checks, anti-debugging, anti-analysis, and DLL unhooking before proceeding.
Persistence and Payload Unpacking
Persistence is maintained by creating a shortcut in the Windows Startup folder that runs a JScript wrapper at logon; the wrapper re-executes the AutoIt payload. Initially the sample had a low detection rate on VirusTotal because of these evasion tactics.
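The chain described in the two paragraphs above (installer, batch file carrying a media extension, a disguised AutoIt interpreter running a .a3x script, a Startup-folder shortcut, a script host relaunching the payload) is what an analyst wants to pull out of sandbox process and file events. The block below is an added example, not Netskope's detection logic: four rules run over constructed telemetry, each standing on its own so a partial run still produces findings. Only Parish.m4a and u.a3x come from the article; renamed.exe, wrapper.js, Update.lnk, the nsr7E2A.tmp directory and every pid are placeholders chosen for the example.

```python
import ntpath  # Windows path handling that also works on a Linux analysis box
import re

SCRIPT_EXTS = {".bat", ".cmd"}
AUTOIT_IMAGES = {"autoit3.exe", "autoit3_x64.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
STARTUP_DIR = "\\start menu\\programs\\startup\\"
# Target of "cmd.exe /c <file>" or "/k <file>", quoted or not. Unquoted paths
# containing spaces are not handled; sandboxes record them quoted.
CMD_TARGET = re.compile(r'/[ck]\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
JS_FILE = re.compile(r"\.js\b", re.IGNORECASE)

# Constructed telemetry, not real sandbox output.
TMP = r"C:\Users\u\AppData\Local\Temp\nsr7E2A.tmp"
PROCS = [  # (pid, ppid, image path, command line)
    (100, 4,   r"C:\Users\u\Downloads\setup.exe",  r'"C:\Users\u\Downloads\setup.exe"'),
    (104, 100, r"C:\Windows\System32\cmd.exe",     'cmd.exe /c "%s\\Parish.m4a"' % TMP),
    (110, 104, TMP + r"\renamed.exe",              "renamed.exe u.a3x"),
    (120, 4,   r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Users\u\AppData\Roaming\wrapper.js"'),
    (124, 120, TMP + r"\renamed.exe",              "renamed.exe u.a3x"),
]
FILES = [  # (pid, operation, path)
    (104, "create", TMP + r"\renamed.exe"),
    (110, "create", r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.lnk"),
]
# A benign installer run, to show the rules stay quiet on ordinary activity.
CLEAN_PROCS = [
    (200, 4,   r"C:\Windows\System32\msiexec.exe", r'msiexec.exe /i "C:\Users\u\Downloads\app.msi"'),
    (204, 200, r"C:\Windows\System32\cmd.exe",     r'cmd.exe /c "C:\Program Files\App\post_install.bat"'),
]
CLEAN_FILES = [(200, "create", r"C:\Users\u\Desktop\App.lnk")]


def rule_batch_with_decoy_extension(procs):
    """cmd.exe told to run a file whose extension claims it is not a script."""
    hits = []
    for pid, _, image, cmd in procs:
        if ntpath.basename(image).lower() != "cmd.exe":
            continue
        m = CMD_TARGET.search(cmd)
        if not m:
            continue
        target = m.group(1) or m.group(2)
        ext = ntpath.splitext(target)[1].lower()
        if ext and ext not in SCRIPT_EXTS:
            hits.append((pid, target))
    return hits


def rule_a3x_under_wrong_name(procs):
    """A compiled AutoIt script (.a3x) executed by an image not named AutoIt3."""
    return [(pid, image) for pid, _, image, cmd in procs
            if ".a3x" in cmd.lower()
            and ntpath.basename(image).lower() not in AUTOIT_IMAGES]


def rule_startup_shortcut(files):
    """A .lnk created or written under the per-user Startup folder."""
    return [(pid, path) for pid, op, path in files
            if op in ("create", "write")
            and STARTUP_DIR in path.lower() and path.lower().endswith(".lnk")]


def rule_script_host_relaunch(procs):
    """wscript/cscript running a .js whose child process executes a .a3x."""
    by_pid = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in procs}
    hits = []
    for pid, (ppid, _, cmd) in by_pid.items():
        if ".a3x" not in cmd.lower() or ppid not in by_pid:
            continue
        _, pimage, pcmd = by_pid[ppid]
        if ntpath.basename(pimage).lower() in SCRIPT_HOSTS and JS_FILE.search(pcmd):
            hits.append((ppid, pid))
    return hits


def evaluate(procs, files):
    """Run every rule; return only the ones that fired, with their evidence."""
    findings = {
        "batch_with_decoy_extension": rule_batch_with_decoy_extension(procs),
        "a3x_under_wrong_name": rule_a3x_under_wrong_name(procs),
        "startup_shortcut": rule_startup_shortcut(files),
        "script_host_relaunch": rule_script_host_relaunch(procs),
    }
    return {name: hits for name, hits in findings.items() if hits}


if __name__ == "__main__":
    for name, hits in evaluate(PROCS, FILES).items():
        print(name, hits)
    print("clean run:", evaluate(CLEAN_PROCS, CLEAN_FILES))
```

The rules key on relationships (which image ran a .a3x, who the parent of the interpreter is, where the .lnk landed) rather than on file names, since the batch and AutoIt file names change between campaigns while the structure of the chain does not.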
The next-stage payload is held LZ-compressed in memory: a custom decryption routine first recovers the compressed buffer, and the Windows API RtlDecompressFragment then decompresses it. The C2 was inactive at the time of analysis, which limited further investigation of the decompressed stage.
Netskope’s Advanced Threat Protection identified the sample with detection codes:
- Win32.Exploit.Generic: Broad signature coverage.
- Gen.Detect.By.NSCloudSandbox.tr: Sandbox-based detection indicator.
The Cloud Sandbox confirmed the detection of the sample (MD5 87118baadfa7075d7b9d2aff75d8e730), demonstrating the efficacy of the ML model against sophisticated threats.
LummaStealer operators continue to evolve their tactics, utilizing legitimate tools and layered obfuscation to bypass defenses. This resurgence highlights the importance of advanced threat protection that integrates static analysis, dynamic sandboxing, and ML-powered detection. Organizations should also focus on user awareness training, as many attacks begin with user interaction. Netskope will continue to monitor LummaStealer campaigns and provide updates as necessary.