Lumma Stealer: Breaking Down the Delivery Techniques and Capabilities of a Prolific Infostealer

Lumma Stealer is an infostealer sold as Malware-as-a-Service by the actor Microsoft tracks as Storm-2477. It reaches victims through several delivery paths at once (phishing, malvertising, and abuse of legitimate hosting and file-sharing services) and, once running, harvests credentials and session data saved by browsers and other applications, with cryptocurrency wallets a favoured target. Its operators rotate command-and-control infrastructure frequently, which is why single-indicator blocking tends to lag behind it. Microsoft reports that it recently worked with law enforcement to seize around 2,300 domains tied to Lumma and publishes mitigation guidance for defenders.

https://www.microsoft.com/en-us/security/blog/2025/05/21/lumma-stealer-breaking-down-the-delivery-techniques-and-capabilities-of-a-prolific-infostealer/

Can You Really Trust That Permission Pop-Up On macOS? (CVE-2025-31250)

CVE-2025-31250 is a flaw in the request-handling logic of the macOS TCC framework (the component behind the "X would like to access your Camera" prompts). A malicious app can cause a permission prompt to be shown that names one application while the resulting consent is recorded for another, so a user who clicks Allow grants access to an app other than the one they think they are approving. Exploitation requires the user to click through a prompt, but that is exactly what users routinely do for Microphone, Camera and similar high-value permissions, which is what makes the spoof dangerous. Apple fixed the issue in macOS Sequoia 15.5; at the time of the writeup the fix had not been backported to Ventura or Sonoma, so those releases remain affected. The researcher notes Apple was slow to respond to the report before the fix shipped.

https://wts.dev/posts/tcc-who/

Scientists Use AI to Encrypt Secret Messages That Are Invisible to Cybersecurity Systems

Researchers have described EmbedderLLM, a technique that hides an encrypted message inside ordinary-looking text produced by a large language model. The carrier text reads as innocuous prose, so content filters and monitoring systems see nothing to flag, and only someone holding the password can recover the hidden message. Strictly this is steganography layered over encryption rather than encryption alone: the authors liken it to digital invisible ink, and aim it at journalists and people living under oppressive regimes who need deniable channels. They claim the underlying encryption is designed to withstand future quantum-computing attacks, and acknowledge that the same deniability raises ethical concerns because it serves bad actors equally well.

https://www.livescience.com/technology/artificial-intelligence/scientists-use-ai-to-encrypt-secret-messages-that-are-invisible-to-cybersecurity-systems

Google Chrome to Block Admin-level Browser Launches for Better Security

Google Chrome on Windows will stop running with administrator privileges: when started from an elevated context, Chrome will relaunch itself as a normal user, mirroring the de-elevation behaviour Microsoft added to Edge. A browser running as admin means anything it downloads and opens, or any renderer compromise, inherits those rights, so the change shrinks the blast radius of a malicious download. A command-line switch will let automation setups that genuinely need an elevated browser opt out of the de-elevation.

https://www.bleepingcomputer.com/news/google/google-chrome-to-block-admin-level-browser-launches-for-better-security/

What Are BYOVD Attacks?

BYOVD (Bring Your Own Vulnerable Driver) attacks abuse bugs in legitimate, validly signed drivers: the attacker loads a known-vulnerable driver, which Windows accepts because its signature checks out, and then uses the driver's flaws to read and write kernel memory directly. From there they can terminate or blind EDR and other security tools before moving on to encryption or data theft; the Cuba ransomware group is a notable user of the technique and has caused significant financial damage with it. Mitigations include retiring unsupported operating systems, auditing which kernel drivers are installed and loaded, restricting who and what may load drivers (including enabling vendor vulnerable-driver blocklists), and behavioural monitoring of driver loads rather than relying on signature status alone. Regularly simulating these attacks lets an organization confirm its controls actually fire.
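Because a BYOVD driver is validly signed, the detection the article recommends has to look past the signature: at the hash of the driver image, at where it was loaded from, and at signatures that have since been revoked. The following is an added example, not code from the Cymulate post, that applies those checks to events shaped like Sysmon Event ID 6 ("Driver loaded"). The blocklist hash, the sample events and the user-writable path hints are constructed for illustration; a real deployment would feed the blocklist from Microsoft's vulnerable driver blocklist or a community list.

```python
"""Flag suspicious kernel-driver loads from Sysmon-style events (added example).

Sysmon Event ID 6 records ImageLoaded, Hashes, Signed and SignatureStatus for
every driver the kernel loads.  A BYOVD attack loads a validly signed but
vulnerable driver, so a signature check alone passes it; we add a blocklist
match, a revocation check, and a look at the directory the image came from.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed blocklist for this example only: SHA-256 -> description.
# The hash below is a placeholder, not a real driver hash.
VULNERABLE_DRIVER_SHA256 = {
    "aaaaaaaa" * 8: "example-vulnerable-driver.sys (placeholder entry)",
}

# Directories a legitimate driver install almost never uses (heuristic, assumed).
USER_WRITABLE_HINTS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\downloads\\")


@dataclass
class Finding:
    image: str
    reasons: list


def parse_hashes(field: str) -> dict:
    """Sysmon writes hashes as 'SHA256=...,MD5=...'; return {ALGO: lowercase value}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def assess_driver_load(event: dict) -> Optional[Finding]:
    """Return a Finding with every reason the load looks like BYOVD, or None."""
    reasons = []
    image = event.get("ImageLoaded", "")
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256")

    if sha256 in VULNERABLE_DRIVER_SHA256:
        reasons.append(f"hash on vulnerable-driver blocklist: {VULNERABLE_DRIVER_SHA256[sha256]}")

    # A valid signature is necessary but not sufficient; a revoked one is a red flag.
    if event.get("Signed", "").lower() != "true":
        reasons.append("driver is unsigned")
    elif event.get("SignatureStatus", "").lower() != "valid":
        reasons.append(f"signature status {event.get('SignatureStatus')!r} (revoked/expired)")

    if any(hint in image.lower() for hint in USER_WRITABLE_HINTS):
        reasons.append("driver image loaded from a user-writable directory")

    return Finding(image, reasons) if reasons else None


def scan(events: list) -> list:
    """Run assess_driver_load over a batch of events, keeping only hits."""
    return [f for f in (assess_driver_load(e) for e in events) if f]


# Constructed sample events (not real telemetry), shaped like Sysmon Event ID 6.
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Hashes": "SHA256=" + "11" * 32, "Signed": "true", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Users\Public\Downloads\legit_vendor.sys",
     "Hashes": "SHA256=" + "aaaaaaaa" * 8, "Signed": "true", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\ProgramData\svc\helper.sys",
     "Hashes": "SHA256=" + "22" * 32, "Signed": "true", "SignatureStatus": "Revoked"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding.image)
        for reason in finding.reasons:
            print("   -", reason)
```

The second sample event is the BYOVD case the article describes: the signature is valid, so only the hash match and the unusual load path give it away. Tune the path heuristic to your estate before alerting on it alone; some vendors do stage drivers under ProgramData during installation.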

https://cymulate.com/blog/defending-against-bring-your-own-vulnerable-driver-byovd-attacks/

Phishing Attack Uses Blob URIs to Show Fake Login Pages in Your Browser

Cofense Intelligence describes a phishing technique that assembles the fake login page inside the victim's browser using a blob: URI. A blob URL refers to data the browser holds in memory for the page that created it; it is never served from a remote host, so an email security gateway that follows links cannot fetch and inspect the page, and URL reputation has nothing to score. The lure typically bounces the victim through a legitimate site to an attacker-controlled loader page, which decodes the embedded HTML, wraps it in a blob, and navigates to the resulting blob: URL where the credential form appears. Because the malicious content only exists client-side, this is a hard case for detection systems that rely on crawling destinations.

https://hackread.com/phishing-attack-blob-uri-fake-login-pages-browser/

How Signal, WhatsApp, Apple, and Google Handle Encrypted Chat Backups

The EFF compares how the major messengers handle backups of end-to-end encrypted chats. Signal offers no cloud backup at all, trading convenience for privacy. WhatsApp backs up to iCloud or Google Drive and can end-to-end encrypt those backups, but only if the user turns that option on. Apple's iMessage is encrypted in transit, yet its iCloud backups are not end-to-end encrypted unless Advanced Data Protection is enabled. Google Messages encrypts backups under a device passcode. The caveat that matters: a conversation is only as protected as the least-protected participant's backup, so everyone in a chat needs encrypted (or no) backups, and each user should weigh the value of keeping a history against the exposure it creates.

https://www.eff.org/deeplinks/2025/05/back-it-back-it-let-us-begin-explain-encrypted-chat-backups

Catching a Phish With Many Faces

Phishing kits sold as a service now build fake login pages dynamically rather than shipping one static clone per brand: the page reads the victim's email domain and pulls in the matching company logo and colours in real time, so one kit impersonates many targets and looks legitimate to each. Lures lean on urgency to win the click, and the page submits captured credentials straight to the attacker via an AJAX request rather than a visible form post. The defensive basics still apply: check where a link really goes before entering anything, use strong unique passwords, enable two-factor authentication (phishing-resistant where possible), and keep email and endpoint protections current, because kit authors adapt as fast as detections do.

https://www.welivesecurity.com/en/scams/spotting-phish-many-faces/

Multilayered Email Attack: How a PDF Invoice and Geo-Fencing Led to RAT Malware

Fortinet documents an email campaign that delivers the Java-based Ratty RAT by posing as a PDF invoice. The attackers send from a trusted email service and host the payload on legitimate file-sharing platforms, use social engineering to walk the recipient through the download, and hide the delivery endpoint behind Ngrok tunnels. Geofencing serves the malware only to visitors from the targeted region, mainly Italy, while sandboxes and analysts elsewhere receive benign content, which is what defeats conventional detonation-based detection. Fortinet lists its protections and urges users to treat unexpected invoices with suspicion.

https://www.fortinet.com/blog/threat-research/multilayered-email-attack-how-a-pdf-invoice-and-geofencing-led-to-rat-malware

LockBit Ransomware Gang Hacked, Victim Negotiations Exposed

The LockBit ransomware gang's affiliate panels were hacked and defaced, and a dumped MySQL database was published containing over 59,000 bitcoin addresses and 4,442 victim negotiation messages. Plaintext passwords for 75 affiliate accounts were also exposed. The database appears to have been dumped around April 29, 2025; who carried out the breach is unknown. It follows earlier law enforcement disruptions and further damages LockBit's standing with affiliates.

https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-hacked-victim-negotiations-exposed/

Backdoor Found in Popular Ecommerce Components

Sansec found a backdoor in 21 ecommerce extensions from three vendors, Tigren, Magesolution (MGS) and Meetanshi, whose distribution channels were compromised. The malicious code hides in a fake license-check routine and grants remote attackers code execution on the store; it was activated around April 20 and is estimated to affect 500 to 1,000 stores. Merchants running extensions from these vendors are advised to scan for the backdoor and remove infected files; Sansec recommends its eComscan tool for detection. Vendor responses have been uneven, and at the time of publication the backdoored packages were still available for download.

https://sansec.io/research/license-backdoor

Why MFA Is Getting Easier to Bypass and What to Do About It

MFA is increasingly bypassed by adversary-in-the-middle phishing: the victim logs in to a proxy page that forwards every credential, one-time code and push approval to the real site in real time and captures the resulting session. Phishing-as-a-service kits make this point-and-click, so no technical skill is needed to run such a campaign. Any factor a user can type or approve (TOTP, SMS, push) can be relayed this way. WebAuthn (FIDO2 passkeys and security keys) resists it because the browser binds each assertion to the origin the user is actually on and the authenticator scopes the credential to the relying party, so an assertion produced on a lookalike domain is useless against the genuine site. Organizations are encouraged to move to WebAuthn rather than adding more relayable factors.
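The origin binding is the whole argument, so it is worth seeing the check a relying party performs. The following is an added example, not code from the Ars Technica article or from any WebAuthn library: it models the clientDataJSON a browser produces, the rpIdHash the authenticator signs over, and the verification steps that reject an assertion relayed through a proxy. Signature verification over the signed bytes is assumed to happen separately and is omitted; example.com and login.example-secure.net are placeholders.

```python
"""Why an adversary-in-the-middle proxy cannot reuse a WebAuthn assertion (added example).

The browser, not the page, writes clientDataJSON: it records the origin the user
is really on and the challenge the relying party (RP) issued.  The authenticator
signs SHA-256(clientDataJSON) together with authenticator data beginning with
SHA-256(rpId).  A proxy on a lookalike domain therefore relays an assertion
whose origin names the lookalike, and the RP rejects it before ever checking
the signature.  (Rewriting the origin field would break that signature.)
"""
import base64
import hashlib
import json
import secrets

RP_ID = "example.com"                                   # assumed relying party
ALLOWED_ORIGINS = {"https://login.example.com", "https://example.com"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def browser_client_data(actual_origin: str, challenge: bytes) -> bytes:
    """What a browser emits for navigator.credentials.get() on actual_origin."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url(challenge),
                       "origin": actual_origin}).encode()


def authenticator_data(rp_id: str) -> bytes:
    """Minimal authData: rpIdHash (32 bytes) | flags (UP|UV) | 4-byte signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + (1).to_bytes(4, "big")


def verify_assertion(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes) -> tuple:
    """The RP-side binding checks from the WebAuthn spec, in order; returns (ok, reason)."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} is not the relying party"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match our RP ID"
    return True, "ok"


def legitimate_login() -> tuple:
    """User is on the real origin; authenticator holds a credential scoped to RP_ID."""
    challenge = secrets.token_bytes(32)
    cd = browser_client_data("https://login.example.com", challenge)
    return verify_assertion(cd, authenticator_data(RP_ID), challenge)


def aitm_relay() -> tuple:
    """Proxy on a lookalike domain forwards the RP's real challenge to the victim.

    The victim's browser stamps the lookalike origin into clientDataJSON, and the
    authenticator would scope any credential to the lookalike's RP ID (or refuse
    outright because it has none).  Either way the RP says no.
    """
    challenge = secrets.token_bytes(32)                 # issued by the real RP, relayed by the proxy
    victim_origin = "https://login.example-secure.net"  # constructed lookalike, not a real site
    cd = browser_client_data(victim_origin, challenge)
    return verify_assertion(cd, authenticator_data("example-secure.net"), challenge)


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("aitm relay:", aitm_relay())
```

Contrast this with a TOTP or push factor: nothing in a six-digit code says which site it was typed into, so the proxy forwards it and the real site accepts it. The origin and rpIdHash fields are what give WebAuthn its phishing resistance, and they are only trustworthy because the browser and authenticator, not the web page, populate them.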

https://arstechnica.com/security/2025/05/phishing-attacks-that-defeat-mfa-are-easier-than-ever-so-what-are-we-to-do/

Hackers Ramp up Scans for Leaked Git Tokens and Secrets

Attackers are stepping up scans for web servers that expose their .git/ directory, which leaks the repository's configuration and history, and with it anything a developer committed or embedded in a remote URL: API tokens, cloud credentials, database passwords. GreyNoise observed a surge on April 20-21, 2025, with nearly 4,800 unique source IPs, predominantly in Singapore, the United States and Germany. An exposed .git/ routinely leads to wider compromise once the recovered secrets are used against cloud services and source repositories. Recommended mitigations: deny access to .git/ (and other dotfile paths) at the web server, review logs for requests to .git/config and .git/HEAD, and rotate any credential found in an exposed repository.
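Two things a defender wants here: a reliable way to tell whether a host actually exposes .git/ (a plain 200 is not enough, since soft-404 pages return 200 for everything), and a way to triage what an exposed .git/config gives away. The following is an added example, not code from GreyNoise or BleepingComputer. The fetcher is injected so it runs offline against constructed responses; shop.example.com, the repository name and the deploy-bot token are all placeholders.

```python
"""Detect an exposed .git/ directory and triage leaked remote credentials (added example).

Scanners fingerprint an exposed repository by requesting .git/HEAD and checking
for "ref: refs/heads/"; .git/config is the prize because remote URLs frequently
embed user:token pairs.  Swap fake_fetch for an HTTP client to run this live.
"""
import re
from typing import Callable
from urllib.parse import urlparse, urlunparse

Fetcher = Callable[[str], tuple]          # url -> (status_code, body_text)

# Path -> regex the body must match for the probe to count as a genuine hit.
GIT_PROBES = {
    ".git/HEAD": re.compile(r"^ref:\s+refs/heads/", re.M),
    ".git/config": re.compile(r"^\[core\]", re.M),
}


def git_exposed(base_url: str, fetch: Fetcher) -> dict:
    """Return {probe_path: True/False}; True only for 200 plus a matching body."""
    results = {}
    for path, signature in GIT_PROBES.items():
        status, body = fetch(base_url.rstrip("/") + "/" + path)
        results[path] = status == 200 and bool(signature.search(body))
    return results


def leaked_remote_credentials(git_config: str) -> list:
    """Pull user:token pairs out of remote URLs in a .git/config, redacting the token."""
    leaks = []
    for match in re.finditer(r"^\s*url\s*=\s*(\S+)", git_config, re.M):
        parsed = urlparse(match.group(1))
        if parsed.username and parsed.password:
            redacted = parsed._replace(netloc=f"{parsed.username}:***@{parsed.hostname}")
            leaks.append({"host": parsed.hostname,
                          "user": parsed.username,
                          "token_prefix": parsed.password[:4],
                          "redacted_url": urlunparse(redacted)})
    return leaks


# Constructed .git/config standing in for a misconfigured server (not real data).
CONSTRUCTED_CONFIG = """[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = https://deploy-bot:ghp_EXAMPLE000000@github.com/example-org/shop-frontend.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
"""


def fake_fetch(url: str) -> tuple:
    """Exposed server: .git/ is served as-is."""
    if url.endswith(".git/HEAD"):
        return 200, "ref: refs/heads/main\n"
    if url.endswith(".git/config"):
        return 200, CONSTRUCTED_CONFIG
    return 404, "<html>not found</html>"


def fake_fetch_soft404(url: str) -> tuple:
    """Server that answers 200 with a generic page for any path: must not be a hit."""
    return 200, "<html><body>Welcome</body></html>"


if __name__ == "__main__":
    print(git_exposed("https://shop.example.com", fake_fetch))
    for leak in leaked_remote_credentials(CONSTRUCTED_CONFIG):
        print(leak)
```

On the server side the fix is a deny rule for dotfile paths, e.g. an nginx location block matching /\.git that returns 404, applied before any static-file handler; the same applies to .env, .svn and similar. Any token recovered from an exposed config should be treated as compromised and rotated regardless of whether access logs show it being fetched.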

https://www.bleepingcomputer.com/news/security/hackers-ramp-up-scans-for-leaked-git-tokens-and-secrets/

Hello 0-Days, My Old Friend: a 2024 Zero-Day Exploitation Analysis

Google's Threat Intelligence Group counted 75 zero-day vulnerabilities exploited in the wild in 2024, down from 98 in 2023 but above the 63 seen in 2022. The year continued the shift away from end-user products toward enterprise technologies. Key findings:

  1. Trends in Exploitation: 44% of the zero-days targeted enterprise software, up from 37% in 2023. Vendor hardening of the historically most-hit targets, notably browsers and mobile operating systems, has pushed exploitation elsewhere.
  2. Notable Targets: Security and networking appliances drew a growing share of exploitation, with Ivanti and Palo Alto Networks products prominent. These devices sit at the network edge with high privileges and limited endpoint visibility, which is exactly why attackers favour them.
  3. Actor Analysis: State-sponsored espionage groups, led by those linked to China and North Korea, accounted for the majority of attributable exploitation; North Korean operators in particular blend espionage with financially motivated activity.
  4. Exploited Vulnerability Types: Remote code execution and privilege escalation were the most common classes, most of them rooted in ordinary software coding errors rather than design flaws.

Overall, detection and vendor defenses are improving, but zero-days remain attractive to well-resourced actors, and the burden falls on vendors, particularly of edge and security products, to raise their secure development and patching practices.

https://cloud.google.com/blog/topics/threat-intelligence/2024-zero-day-trends/

Cybersecurity Vendors Are Themselves Under Attack by Hackers, SentinelOne Says

SentinelOne reports that cybersecurity vendors themselves are under sustained attack, from ransomware crews as well as state-sponsored groups linked to China and North Korea. Their position makes them high-value targets: a vendor's software runs with broad privileges across many customer environments, and its threat intelligence reveals what defenders can see. The report also notes an industry taboo around discussing such attacks, since vendors are reluctant to admit they too can be compromised, which leaves defenders with less shared knowledge than they need.

https://cyberscoop.com/cybersecurity-vendors-are-under-attack-sentinelone-says/
