Fake VPNs and Game Mods on GitHub Used to Spread Dangerous Lumma Stealer Malware
Cybersecurity researchers have uncovered a malicious campaign using GitHub as a distribution platform for malware disguised as legitimate software. According to a recent report from threat intelligence firm Cyfirma, cybercriminals are exploiting users’ trust in open-source platforms by uploading fake software packages labeled as “Free VPN for PC” and Minecraft mod tools to trick users into downloading malicious payloads.
What the Attack Looks Like
At first glance, the offered tools look legitimate. One of the malware variants posed as “Minecraft Skin Changer,” while another claimed to be a free VPN utility. Both were uploaded to a GitHub repository under the name github[.]com/SAMAIOEC. To appear authentic, the files were packed in password-protected archives and included basic installation instructions in French, further masking their true nature. However, once extracted and launched, the software executed a complex chain of actions designed to infiltrate the victim’s system. The ultimate goal? Installing Lumma Stealer — a notorious infostealer malware active since 2022 and known for stealing sensitive user data.
What is Lumma Stealer?
Lumma Stealer is a malware-as-a-service (MaaS) tool actively sold on dark web forums. Once installed, it harvests login credentials, browser cookies, autofill information, cryptocurrency wallet data, messaging app content, and system configurations. The stolen data is then quietly sent back to attackers. The malware begins with a file named Launch.exe, which decodes a Base64 string to produce an encrypted code segment. It then generates a hidden DLL file (msvcp110.dll) within the AppData folder, a common location for malware due to its frequent use by legitimate apps and its tendency to escape casual inspection.
Sophisticated Evasion Tactics Used
The malware is heavily obfuscated, using advanced techniques to avoid detection by security software. It abuses legitimate Windows processes such as MSBuild.exe and aspnet_regiis.exe to mask its presence and executes in memory, avoiding the hard disk altogether. To further complicate analysis, the malware implements anti-debugging checks using IsDebuggerPresent(), applies control flow obfuscation, and uses techniques catalogued in MITRE ATT&CK, such as DLL injection and sandbox evasion. Together, these characteristics make it extremely difficult for traditional antivirus tools to identify and neutralize the threat in time.
GitHub Exploited Yet Again
The abuse of GitHub — a platform trusted by developers globally — highlights a growing concern in cybersecurity. Although GitHub routinely removes malicious repositories, attackers are quick to upload new variants. Password-protected archives, a tactic used in this campaign, make it even harder for automated scanners to analyze contents preemptively.
How to Stay Safe
To avoid infection from threats like Lumma Stealer, users are strongly advised to avoid downloading software from unknown or unofficial sources, even if it’s hosted on platforms like GitHub. Never run executable files from password-protected archives unless you’re sure of their origin. Inspect folders like AppData for suspicious DLL files or other unfamiliar executables. Monitor system processes like MSBuild.exe or aspnet_regiis.exe for unusual behavior. Use advanced endpoint protection tools with behavioral analysis capabilities to detect in-memory and obfuscated threats.
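Two of the recommendations above, watching MSBuild.exe and aspnet_regiis.exe for unusual behaviour and looking for unfamiliar DLLs in AppData, can be turned into simple hunting logic over endpoint telemetry. The script below is an added example written for this page; it is not Cyfirma's code or anything from the campaign. It assumes process-creation and file-creation events exported in a simplified, pipe-separated key=value form that imitates Sysmon field names, and every log line in it is constructed. The only file name it looks for is msvcp110.dll, the one the article names; a real deployment would use its own baseline of system DLL names. The rule keys on where the parent process or the new file lives (a user-writable profile directory) rather than on the binary alone, so a developer running MSBuild from Visual Studio or a shell is not flagged.

```python
"""Hunt for the Lumma Stealer behaviours described in the article in
process-creation and file-creation telemetry.

All records in SAMPLE_LOG are CONSTRUCTED for this example. Field names
imitate a Sysmon export (Image, ParentImage, TargetFilename) but the
format (pipe-separated key=value pairs) is an assumption of this script.
"""
import re
from typing import Dict, List

# Legitimate Windows binaries the article says the stealer abuses.
WATCHED_BINARIES = {"msbuild.exe", "aspnet_regiis.exe"}

# System-looking DLL names that should not appear under a user profile.
# msvcp110.dll is the name given in the article; extend from your baseline.
SYSTEM_DLL_NAMES = {"msvcp110.dll"}

# User-writable locations a dropper typically runs from or writes to.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata|downloads|desktop)\\", re.IGNORECASE
)

# Constructed sample telemetry: one benign MSBuild launch, two launches
# from user-writable paths, one DLL planted in AppData, one benign DLL.
SAMPLE_LOG = (
    "Event=ProcessCreate|Image=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe"
    "|ParentImage=C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\IDE\\devenv.exe\n"
    "Event=ProcessCreate|Image=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe"
    "|ParentImage=C:\\Users\\alice\\AppData\\Local\\Temp\\Launch.exe\n"
    "Event=ProcessCreate|Image=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\aspnet_regiis.exe"
    "|ParentImage=C:\\Users\\alice\\Downloads\\minecraft_skin_changer\\Launch.exe\n"
    "Event=FileCreate|Image=C:\\Users\\alice\\Downloads\\minecraft_skin_changer\\Launch.exe"
    "|TargetFilename=C:\\Users\\alice\\AppData\\Roaming\\msvcp110.dll\n"
    "Event=FileCreate|Image=C:\\Windows\\System32\\msiexec.exe"
    "|TargetFilename=C:\\Program Files\\SomeApp\\msvcp110.dll\n"
)


def parse_line(line: str) -> Dict[str, str]:
    """Split one 'key=value|key=value' record into a dict."""
    fields: Dict[str, str] = {}
    for part in line.rstrip("\n").split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return a list of findings (possibly empty) for a single event."""
    findings: List[str] = []
    if ev.get("Event") == "ProcessCreate":
        image = basename(ev.get("Image", ""))
        parent = ev.get("ParentImage", "")
        # A .NET build/config tool started by something living in the
        # user's profile is the LOLBin pattern the article describes.
        if image in WATCHED_BINARIES and USER_WRITABLE.search(parent):
            findings.append(f"{image} spawned from user-writable path: {parent}")
    elif ev.get("Event") == "FileCreate":
        target = ev.get("TargetFilename", "")
        # A DLL carrying a system library's name written under AppData.
        if basename(target) in SYSTEM_DLL_NAMES and USER_WRITABLE.search(target):
            findings.append(f"system DLL name written under user profile: {target}")
    return findings


def hunt(log_text: str) -> List[str]:
    """Run check_event over every non-empty line and collect the alerts."""
    alerts: List[str] = []
    for line in log_text.splitlines():
        if line.strip():
            alerts.extend(check_event(parse_line(line)))
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_LOG):
        print("ALERT:", alert)
```

Run against the constructed sample, the script raises three alerts (the two launches from user-writable paths and the DLL written to AppData\Roaming) and stays quiet on the Visual Studio launch and the installer writing into Program Files. Inspecting AppData by hand, as the article suggests, is the same check applied after the fact; feeding file-creation telemetry through a rule like this catches the write as it happens.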
Conclusion
This latest attack campaign once again proves that hackers are getting more creative, leveraging trusted platforms like GitHub and popular games like Minecraft to distribute malicious software. Lumma Stealer continues to evolve and remains a powerful tool for stealing sensitive data. Users — especially gamers and those seeking free VPNs — must remain cautious, skeptical, and security-aware. Staying vigilant, verifying software sources, and using robust cybersecurity tools are essential defenses in today’s threat landscape.