False family: renaming rules from Lumma stealer to GCleaner loader

Hello! Our network malware detection team from PT found interesting falses in these Lumma rules:
sid: 2064237 rev: 1 ET MALWARE Lumma Stealer CnC Checkin (/info)
sid: 2064238 rev: 1 ET MALWARE Lumma Stealer CnC Server Response
sid: 2064241 rev: 1 ET MALWARE Lumma Stealer CnC Checkin (/update)
sid: 2064261 rev: 1 ET MALWARE Lumma Stealer CnC Checkin (GET)
sid: 2064262 rev: 1 ET MALWARE Lumma Stealer CnC Checkin (/ycl)
sid: 2064271 rev: 1 ET MALWARE Lumma Stealer CnC Checkin (/service)

The false is in the Lumma family attribution, because the rules actually detect the GCleaner loader.
Some examples:


For example, you can see the C2 communication description of GCleaner here → Deep Analysis of GCleaner - n1ghtw0lf
All Accept headers from the screenshot above are the same.

Also, you can check the file's verdict: 9c44f98f428e7a562553944c3067f73b from the rules is not Lumma stealer; it is a downloader.

We suppose the msg fields need to be changed; what do you think?


Hello @naumovax !

Thanks for the thorough analysis and review of these signatures, it looks like this was definitely a mis-attribution on my part so I’ll get this updated in today’s release!

I know ruleset users rely on our rule categorization so it’s important to keep metadata accurate. We are always grateful when the community helps us make sure everything is correct :slight_smile: !

Cheers!

Isaac
