id
type
0 (not classified)
status
21 (imported old-v2, waiting for another import)
review version
0
cleanup version
0
pending deletion
0 (-)
created at
2025-11-06 06:33:36
updated at
2025-11-06 06:33:37
url
https://labs.withsecure.com/publications/reverse-engineering-a-lumma-infection
url length
78
url crc
15021
url crc32
605371053
location type
1 (url matches target location, page_location is empty)
canonical status
10 (verified canonical url)
canonical page id
domain id
domain tld
2211
domain parts
0
originating warc id
-
originating url
https://data.commoncrawl.org/crawl-data/CC-MAIN-2025-33/segments/1754151280106.5/warc/CC-MAIN-20250809141352-20250809171352-00876.warc.gz
source type
11 (CommonCrawl)
server ip
Publication date
2025-08-09 15:52:54
Fetch attempts
0
Original html size
465475
Normalized and saved size
440849
title
Reverse engineering a Lumma infection
excerpt
content

 Lumma is an information stealer that the WithSecure Detection and Response Team (DRT) have encountered several times. It has seen wider use over the past couple of years, and makes for an interesting threat to monitor.
 
 In this post we will focus on a Lumma infection with an initial loader written in .NET/C# that was observed during a review of open source samples between February and March of 2025.
 
 
 # Background
 
 Besides vulnerabilities in externally facing infrastructure, which are often the entry point to compute environments, threat actors often rely on leaked or stolen credentials.
 A leak implies an infrastructure breach of some kind, such as of a website, followed by exfiltration of user credentials. In such a scenario, threat actors either obtain a database of credentials, pick users, and try to crack and reuse their credentials across websites and services, or purchase credentials or targeted initial access i...
author
updated
2025-12-11 17:55:41
block type
0
extracted fields
105
extracted bits
featured image
title
full content
content was extracted heuristically
detected location
0
detected language
1 (English)
category id
index version
2025110801
paywall score
0
spam phrases
0
text nonlatin
0
text cyrillic
0
text characters
49378
text words
9767
text unique words
1937
text lines
1
text sentences
419
text paragraphs
1
text words per sentence
23
text matched phrases
56
text matched dictionaries
13
links self subdomains
0
links other subdomains
5 - bazaar.abuse.ch, blog.checkpoint.com, attack.mitre.org, cr.yp.to
links other domains
links spam adult
0
links spam random
0
links spam expired
0
links ext activities
0
links ext ecommerce
0
links ext finance
0
links ext crypto
0
links ext booking
0
links ext news
1
links ext leaks
1
links ext ugc
links ext klim
0
links ext generic
21
status
0
updated
2025-12-11 17:55:41
image author
featured image
https://labs.withsecure.com/content/dam/labs/og/OG-image.png