PayDay Loader

Hello, since late January 2025 a new malware loader has been observed delivering Lumma Stealer on fake AI websites.

Since it seems like some big companies were also aware of this threat, I decided not to do any research on this and wait, but since I didn't see anything in all this time I've decided to do this myself and try to expose as much as I can with my capabilities in an express blog I just published:

The malware I'm talking about is a Node.js application that loads other infostealers; I think I've tried to explain as much as I can on my blog.

Please refer to this sandbox detonation: (C2 140.82.54.223)

There's currently no rule detection for this loader; do you think it's possible to add detection for this threat? Let me know if more information is missing. Thanks for your service!

“undici” could refer to this: GitHub - nodejs/undici: An HTTP/1.1 client, written from scratch for Node.js