Unveiling LummaStealer’s Technical Details Through ML-Based Detection Approach


In early 2025, LummaStealer was in widespread use by cybercriminals targeting victims throughout the world in multiple industry verticals, including telecom, healthcare, banking, and marketing.

A sweeping law enforcement operation in May brought this all to an abrupt halt. After a quiet period, we are now seeing new variants of LummaStealer emerge.

In light of this re-emergence, this article reveals one of the tools Netskope has in its arsenal to detect new and novel LummaStealer variants.

In January 2025, Netskope Threat Labs observed a LummaStealer campaign and documented its delivery mechanisms and TTPs.

That analysis detailed fake captchas, malicious archives, and multi-stage unpacking techniques. Since that initial disclosure, threat actors have refined obfuscation layers, making detection more challenging.

Our focus in this blog post is a fresh LummaStealer sample (hash: 87118baadfa7075d7b9d2aff75d8e730) and the ML-driven detection strategy used by Netskope AI Labs.

ML-based Detection Approach

Netskope’s Advanced Threat Protection platform combines static signatures with dynamic, sandbox-based analysis powered by AI and machine learning.

Our multi-layered architecture applies ML models in both inline fast scans and deep scans. Suspicious files are detonated in an isolated Windows cloud sandbox, where detailed runtime behavior is recorded:

  • Process trees with API calls and DLL interactions.
  • Registry modifications.
  • File operations.
  • Network activity.

A transformer-based model ingests the hierarchical process tree as a sequence of node embeddings enhanced by tree positional encodings.

Concurrently, runtime behavioral events—registry writes, file creation, outbound connections—are vectorized.

The model’s tree transformer layers capture intricate inter-node patterns, while the behavioral vectors highlight anomalous actions.

By fusing these embeddings, the system excels at flagging previously unseen malware, preventing overfitting to known samples.
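The feature-engineering side of the pipeline described above, shown as an added example that is not Netskope's code: a constructed sandbox report (process tree with API calls, plus registry, file and network events) is turned into a per-node token sequence with tree positional encodings and a fixed-size behaviour vector, which are then fused. The report schema, the hashing stand-in for a learned embedding table and the path-based positional encoding are all assumptions made for the illustration; a real deployment would feed the node sequence into trained transformer layers rather than mean-pooling it.

```python
"""Feature extraction for a tree-transformer style detector over a sandbox report.

Added illustration, not Netskope's code. It takes the kind of data a sandbox
records (process tree with API calls; registry, file and network events) and
produces (1) a node sequence with tree positional encodings and (2) a behaviour
vector, then fuses the two. The report format below is constructed for the example.
"""
import hashlib
import math

# Constructed sandbox report: pid, parent pid, image name, observed API calls.
SANDBOX_REPORT = {
    "processes": [
        {"pid": 100, "ppid": 0,   "image": "setup.exe",   "api": ["CreateProcessW", "WriteFile"]},
        {"pid": 101, "ppid": 100, "image": "cmd.exe",     "api": ["CreateProcessW"]},
        {"pid": 102, "ppid": 101, "image": "autoit3.exe",
         "api": ["NtWriteVirtualMemory", "RtlDecompressFragment", "InternetOpenUrlW"]},
    ],
    "events": [
        {"type": "registry_write", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
        {"type": "file_create",
         "path": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.url"},
        {"type": "network_connect", "dst": "203.0.113.10:443"},
    ],
}

EMBED_DIM = 8      # toy embedding width; real models use hundreds of dimensions
MAX_DEPTH = 6      # deepest tree level the positional encoding distinguishes
MAX_CHILDREN = 4   # child indices beyond this share a slot

def build_tree(processes):
    """Link processes into a tree by ppid; return (nodes_by_pid, roots)."""
    nodes = {p["pid"]: dict(p, children=[]) for p in processes}
    roots = []
    for n in nodes.values():
        parent = nodes.get(n["ppid"])
        if parent is None:
            roots.append(n)
        else:
            parent["children"].append(n)
    return nodes, roots

def hash_embed(token, dim=EMBED_DIM):
    """Deterministic stand-in for a learned embedding table: hash a token to a unit vector."""
    digest = hashlib.sha256(token.encode()).digest()
    vec = [(b / 255.0) * 2 - 1 for b in digest[:dim]]
    norm = math.sqrt(sum(v * v for v in vec)) or 1.0
    return [v / norm for v in vec]

def tree_positional_encoding(path, dim=EMBED_DIM):
    """Encode a node's position as its root-to-node path of child indices.

    Each (depth, child index) step adds a bump to one slot, weighted by 1/(depth+1),
    so siblings and ancestors receive distinct, composable encodings.
    """
    enc = [0.0] * dim
    for depth, child_idx in enumerate(path[:MAX_DEPTH]):
        slot = (depth * MAX_CHILDREN + min(child_idx, MAX_CHILDREN - 1)) % dim
        enc[slot] += 1.0 / (depth + 1)
    return enc

def node_sequence(roots):
    """Depth-first flatten: one (token embedding + positional encoding) per process node."""
    seq = []
    def visit(node, path):
        token = hash_embed(node["image"].lower())
        # Fold the node's API calls into its embedding (mean over the calls).
        for api in node["api"]:
            token = [t + a / max(len(node["api"]), 1) for t, a in zip(token, hash_embed(api))]
        pos = tree_positional_encoding(path)
        seq.append({"pid": node["pid"], "path": tuple(path),
                    "vec": [t + p for t, p in zip(token, pos)]})
        for i, child in enumerate(node["children"]):
            visit(child, path + [i])
    for i, r in enumerate(roots):
        visit(r, [i])
    return seq

BEHAVIOUR_SLOTS = ["registry_write", "file_create", "network_connect", "startup_file", "run_key"]

def behaviour_vector(events):
    """Bag-of-events counts plus two indicator slots (Startup-folder drop, Run-key write)."""
    vec = dict.fromkeys(BEHAVIOUR_SLOTS, 0)
    for ev in events:
        vec[ev["type"]] = vec.get(ev["type"], 0) + 1
        if ev["type"] == "file_create" and "\\startup\\" in ev["path"].lower():
            vec["startup_file"] += 1
        if ev["type"] == "registry_write" and ev["key"].lower().endswith("\\run"):
            vec["run_key"] += 1
    return [vec[k] for k in BEHAVIOUR_SLOTS]

def fuse(report):
    """Mean-pool the node sequence and concatenate it with the behaviour vector."""
    _, roots = build_tree(report["processes"])
    seq = node_sequence(roots)
    pooled = [sum(n["vec"][i] for n in seq) / len(seq) for i in range(EMBED_DIM)]
    return pooled + [float(x) for x in behaviour_vector(report["events"])]

if __name__ == "__main__":
    print(fuse(SANDBOX_REPORT))
```

The positional encoding is what lets a model tell "cmd.exe spawned by an installer, which then spawns a renamed interpreter" apart from the same three images in a different arrangement; the behaviour slots carry the coarse signals (a Startup drop, a Run-key write) that the tree alone does not.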

When executed, the LummaStealer sample triggered high anomaly scores in both its process tree footprint and behavior vectors. This confirmed the strength of our patented tree transformer–based detection, surfacing the file as malicious despite novel obfuscation layers.

The analyzed sample is a Nullsoft Scriptable Install System (NSIS) installer. The NSIS format lets threat actors bundle and launch custom scripts under the guise of a legitimate installer. Inspection with Detect It Easy (DIE) confirmed the NSIS format and revealed embedded AutoIt scripts.

Upon extraction with 7-Zip, two items emerged:

  • [NSIS].nsi: An obfuscated NSIS script that invokes an obfuscated batch file named Parish.m4a.
  • Parish.m4a: A disguised batch file housing further payload blobs.

The NSIS script calls the batch file, which in turn extracts a renamed autoit3.exe and associated u.a3x script. The u.a3x file contains a malicious AutoIt script employing while-loop and switch-case obfuscation. Key features include:

  • Environment checks: Verifies COMPUTERNAME against known sandbox labels (tz, NfZtFbPfH, ELICZ) and USERNAME against test accounts.
  • Anti-debugging: Time-based tampering detection to detect slowed or instrumented execution.
  • Anti-analysis: Attempts to ping a dummy domain; if successful (indicating an analyst environment), it self-terminates or hides its tray icon.
  • DLL unhooking: Restores original bytes of critical ntdll.dll functions (e.g., NtCreateProcess) to bypass security hooks.

Persistence and Payload Unpacking

Persistence is achieved by launching cmd.exe via CreateProcessW, creating a .url shortcut in the Windows Startup folder that runs a JScript wrapper on login. The wrapper instantiates Wscript.Shell to re-execute the AutoIt payload.

Because of its evasion and anti-analysis techniques, the sample initially had a very low detection rate on VirusTotal (9/73 at first submission).

The next-stage payload is LZ-compressed in memory. A custom decryption routine uses two functions: one for key mapping, the other for decompression. Finally, the Windows API RtlDecompressFragment with compression format 0x2 (LZNT1) unpacks a PE executable in memory. Because the C2 was inactive at the time of analysis, deeper analysis of this stage was not possible.
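The evasion traits listed under the AutoIt stage (sandbox-label hostname checks, timing-based debugger detection, the probe ping, ntdll.dll unhooking), the Startup-folder .url persistence, and the LZNT1 unpacking step above can each be expressed as a rule over sandbox behaviour. The following is an added example, not Netskope's detection logic: it triages a constructed API-call log and reports which of those indicators fired. The event tuple layout and argument field names are assumptions for the illustration; the hostname labels and the 0x2 format value are the ones stated in the article.

```python
"""Rule-based triage of sandbox behaviour for the evasion and persistence traits above.

Added example, not Netskope's code. Scans a constructed list of sandbox events
(pid, api, args) and reports which indicators fired. Field names are assumptions.
"""
import re

# Sandbox hostnames the sample is reported to compare COMPUTERNAME against.
SANDBOX_LABELS = {"tz", "nfztfbpfh", "elicz"}
# Per-user Startup folder holding a .url file.
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.url$", re.I)

# Constructed event log mirroring the behaviours described in the article.
EVENTS = [
    (3020, "GetEnvironmentVariableW", {"name": "COMPUTERNAME", "value": "DESKTOP-4F2K"}),
    (3020, "lstrcmpiW", {"a": "DESKTOP-4F2K", "b": "ELICZ"}),
    (3020, "GetTickCount", {}),
    (3020, "Sleep", {"ms": 2000}),
    (3020, "GetTickCount", {}),
    (3020, "IcmpSendEcho", {"host": "probe.example"}),
    (3020, "NtProtectVirtualMemory", {"module": "ntdll.dll", "symbol": "NtCreateProcess",
                                      "prot": "PAGE_EXECUTE_READWRITE"}),
    (3020, "NtWriteVirtualMemory", {"module": "ntdll.dll", "symbol": "NtCreateProcess", "size": 16}),
    (3020, "CreateProcessW", {"image": r"C:\Windows\System32\cmd.exe"}),
    (3044, "CreateFileW", {"path": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu"
                                   r"\Programs\Startup\Parish.url"}),
    (3020, "RtlDecompressFragment", {"format": 0x2, "out_size": 212992}),
]

def check_sandbox_name_compare(events):
    """A string comparison whose operand is a known sandbox hostname (environment check)."""
    return any(api == "lstrcmpiW" and bool({a["a"].lower(), a["b"].lower()} & SANDBOX_LABELS)
               for _, api, a in events)

def check_timing_debug(events, min_sleep_ms=1000):
    """GetTickCount ... Sleep ... GetTickCount bracket: measures whether execution was slowed."""
    for i, (_, api, a) in enumerate(events):
        if api == "Sleep" and a.get("ms", 0) >= min_sleep_ms:
            before = any(e[1] == "GetTickCount" for e in events[:i])
            after = any(e[1] == "GetTickCount" for e in events[i + 1:])
            if before and after:
                return True
    return False

def check_probe_ping(events):
    """An installer has no reason to send ICMP echoes; any echo is a connectivity probe."""
    return any(api == "IcmpSendEcho" for _, api, _a in events)

def check_ntdll_unhook(events):
    """Protection change to a writable page, then a write into the same ntdll export: unhooking."""
    writable = set()
    for _, api, a in events:
        if a.get("module", "").lower() != "ntdll.dll":
            continue
        if api == "NtProtectVirtualMemory" and "WRITE" in a.get("prot", ""):
            writable.add(a["symbol"])
        elif api == "NtWriteVirtualMemory" and a["symbol"] in writable:
            return a["symbol"]
    return None

def check_startup_url(events):
    """A .url file created in the Startup folder (the persistence method described)."""
    for _, api, a in events:
        if api == "CreateFileW" and STARTUP_RE.search(a["path"]):
            return a["path"]
    return None

def check_lznt1_unpack(events, min_out=64 * 1024):
    """RtlDecompressFragment with COMPRESSION_FORMAT_LZNT1 (0x2) yielding a PE-sized buffer."""
    return any(api == "RtlDecompressFragment" and a["format"] == 0x2 and a["out_size"] >= min_out
               for _, api, a in events)

def triage(events):
    """Return the set of indicators that fired; a scoring model would weight them."""
    hits = {
        "sandbox_hostname_compare": check_sandbox_name_compare(events),
        "timing_debug_check": check_timing_debug(events),
        "probe_ping": check_probe_ping(events),
        "ntdll_unhook": check_ntdll_unhook(events) is not None,
        "startup_url_persistence": check_startup_url(events) is not None,
        "lznt1_unpack": check_lznt1_unpack(events),
    }
    return {name for name, fired in hits.items() if fired}

if __name__ == "__main__":
    for name in sorted(triage(EVENTS)):
        print("[+]", name)
```

None of these rules is conclusive alone (legitimate software also sleeps and reads COMPUTERNAME), which is why the ntdll write check demands the protection change first and the unpack check requires an output large enough to hold a PE; in practice the fired set is one input to a scoring model rather than a verdict by itself.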

Netskope’s Advanced Threat Protection flagged the sample with the following detection codes:

  • Win32.Exploit.Generic: Broad signature coverage.
  • Gen.Detect.By.NSCloudSandbox.tr: Indicative of sandbox-based detection.

The Cloud Sandbox screenshot confirmed that sample 87118baadfa7075d7b9d2aff75d8e730 was successfully detected, showcasing the ML model’s efficacy against sophisticated, novel threats.

LummaStealer operators continue to evolve, leveraging legitimate tools and layered obfuscation to evade defenses.

This resurgence underscores the critical need for advanced threat protection solutions that integrate static analysis, dynamic sandboxing, and ML-powered detection.

Organizations should also prioritize user awareness training, as many infection chains begin with end-user interaction. Netskope will continue monitoring LummaStealer campaigns, delivering timely updates as its TTPs develop.
