Hundreds of Fake Reddit Sites Push Lumma Stealer Malware

Cybercriminals are ramping up their efforts, using sophisticated tactics to distribute Lumma Stealer malware. These malicious campaigns leverage nearly 1,000 fraudulent websites mimicking trusted platforms like Reddit and the popular WeTransfer file-sharing service. The attackers' goal is clear: to deceive users into downloading the Lumma Stealer malware, which is a potent info-stealing threat.
How the Campaign Works
The fraudulent pages exploit the Reddit brand by presenting what appears to be a legitimate discussion thread on a specific topic. Within this fake thread, a user claims to need assistance with downloading a particular tool. Another user in the thread offers to help by uploading the tool to WeTransfer and sharing a download link, while a third user expresses gratitude, creating an illusion of credibility.
When victims click on the link, they are redirected to a fake WeTransfer site. This fraudulent portal closely resembles the genuine WeTransfer interface. However, clicking the "Download" button on the fake site delivers the Lumma Stealer malware, which is hosted on a malicious domain such as "weighcobbweo[.]top".
Key Characteristics of the Fake Websites
The fraudulent sites are designed to appear legitimate at a quick glance, using a combination of brand names and random alphanumeric strings in their URLs. The top-level domains used in this campaign are either ".org" or ".net". This strategy helps the sites evade detection while misleading unsuspecting users.
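The URL traits described above can be turned into a simple proxy-log check. The following is an added example, not code from the original article or from the researchers; the allowlist, the "letters mixed with digits" test for a random string, and the sample log lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Legitimate domains per brand (assumption: extend this allowlist for your environment).
LEGIT = {
    "reddit": {"reddit.com", "redditmedia.com", "redditstatic.com"},
    "wetransfer": {"wetransfer.com"},
}
CAMPAIGN_TLDS = {"org", "net"}  # TLDs the article reports for the lure sites
# Payload host named in the article, kept defanged in source and refanged at load time.
PAYLOAD_HOSTS = {"weighcobbweo[.]top".replace("[.]", ".")}

def classify(url):
    """Return 'ok', 'brand-lookalike', 'campaign-pattern' or 'payload-host'."""
    host = (urlsplit(url if "//" in url else "//" + url).hostname or "").rstrip(".")
    if host in PAYLOAD_HOSTS:
        return "payload-host"
    labels = host.split(".")
    if len(labels) < 2:
        return "ok"
    name, tld = ".".join(labels[:-1]), labels[-1]
    for brand, legit in LEGIT.items():
        if brand not in name:
            continue
        if any(host == d or host.endswith("." + d) for d in legit):
            return "ok"
        # Tokens left after removing the brand; a "random" token mixes letters and digits.
        rest = [t for t in re.split(r"[^a-z0-9]+", name.replace(brand, "", 1)) if t]
        randomish = any(re.search(r"[a-z]", t) and re.search(r"\d", t) for t in rest)
        return "campaign-pattern" if tld in CAMPAIGN_TLDS and randomish else "brand-lookalike"
    return "ok"

def scan(log_lines):
    """Return (url, verdict) for every request whose URL (last field) is not 'ok'."""
    hits = [(line.split()[-1], classify(line.split()[-1])) for line in log_lines if line.strip()]
    return [(url, verdict) for url, verdict in hits if verdict != "ok"]

# Constructed proxy-log lines (timestamp, client, URL); the hostnames are made up.
SAMPLE_LOG = [
    "2025-01-20T10:01:02Z 10.0.0.5 https://www.reddit.com/r/sysadmin/",
    "2025-01-20T10:01:09Z 10.0.0.5 https://reddit-x7k2q9.org/thread/tool-download",
    "2025-01-20T10:01:15Z 10.0.0.5 https://wetransfer-9fj3a.net/downloads/abc",
    "2025-01-20T10:02:40Z 10.0.0.7 https://reddit-help.com/login",
    "2025-01-20T10:03:11Z 10.0.0.7 https://example.org/",
]

if __name__ == "__main__":
    for url, verdict in scan(SAMPLE_LOG):
        print(verdict, url)
```

A "brand-lookalike" verdict only means the brand string appears outside the allowlist, so treat it as a triage signal rather than a block decision.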
Discovery of the Campaign
Security researchers uncovered this large-scale campaign and identified 529 fake websites impersonating Reddit and 407 mimicking WeTransfer. These sites were specifically crafted to distribute the Lumma Stealer malware through deceptive downloads.
While the exact origin of the infection chain remains unclear, the use of targeted topics suggests careful planning by the attackers. Initial infection vectors could include techniques such as malvertising, SEO poisoning, malicious websites, or even direct messages on social media platforms.
This is not the first time cybercriminals have relied on fake websites to distribute malware. In a similar campaign uncovered last year, 1,300 fraudulent sites impersonated the AnyDesk brand to push Vidar Stealer malware.
Understanding Lumma Stealer’s Threat
Lumma Stealer is a highly advanced info-stealing malware, designed with sophisticated evasion and data theft capabilities. It is widely sold to hackers who distribute it using a variety of methods, including GitHub comments, malvertising campaigns, and even deepfake nude generator sites.
This malware can exfiltrate sensitive information, such as:
Passwords stored in web browsers.
Session tokens that allow attackers to hijack accounts without requiring login credentials.
These stolen details are often sold on underground forums, where they are used for various malicious purposes, including further account compromises and corporate data breaches.
The Risks of Info-Stealing Malware
Info-stealing malware like Lumma Stealer poses a serious threat to individuals and organizations alike. By targeting login credentials, browser-stored data, and session tokens, these malware strains can cause severe privacy breaches and financial losses. Once attackers gain access to sensitive login details, they often sell the information on hacker forums or use it to escalate attacks against companies.
Organizations need to prioritize robust cybersecurity measures, including:
Using strong, unique passwords stored in secure password managers.
Regularly updating software and operating systems to patch vulnerabilities.
Training employees to identify phishing attempts and other social engineering tactics.
The Bigger Picture
This campaign highlights the growing sophistication of cybercriminals and their ability to exploit trusted brands like Reddit and WeTransfer to deceive users. By mimicking well-known platforms, attackers increase their chances of tricking victims into downloading malware. As cyber threats like Lumma Stealer continue to evolve, users must remain vigilant. Awareness, combined with proactive cybersecurity measures, is critical to defending against these increasingly elaborate scams.
About the Creator
WIRE TOR - Ethical Hacking Services
WIRE TOR is a Cyber Intelligence Company that Provides Pentest & Cybersecurity News About IT, Web, Mobile (iOS, Android), API, Cloud, IoT, Network, Application, System, Red teaming, Social Engineering, Wireless, And Source Code.



