- Lumma Stealer malware hides in a fake Telegram Premium site, launching without user clicks
- Executable uses cryptor obfuscation to bypass most traditional antivirus scanning techniques entirely
- Malware connects to real Telegram servers while secretly sending stolen data to hidden domains
A malicious campaign is targeting users through a fraudulent Telegram Premium website, delivering a dangerous variant of the Lumma Stealer malware.
A report from Cyfirma claims the domain telegrampremium[.]app closely mimics the legitimate Telegram Premium brand and hosts a file named start.exe.
This executable, built in C/C++, is automatically downloaded upon visiting the site, requiring no user interaction.
A closer look at the malware delivery
Once executed, it harvests sensitive data, including browser-stored credentials, cryptocurrency wallet details, and system information, increasing risks such as identity theft.
The fake site operates as a drive-by download mechanism, a method where malicious payloads are delivered automatically without explicit consent.
The high entropy of the executable suggests the use of a cryptor for obfuscation, which complicates detection by traditional security suites.
Static analysis shows that the malware imports numerous Windows API functions, enabling it to manipulate files, modify the registry, access the clipboard, execute additional payloads, and evade detection.
The malware also initiates DNS queries via Google’s public DNS server, circumventing internal network controls.
It communicates with both legitimate services like Telegram and Steam Community for possible command-and-control purposes and with algorithmically generated domains to evade domain takedowns.
These techniques allow the malware to maintain communication channels while avoiding detection by firewalls and conventional monitoring tools.
The domain involved is newly registered, with hosting characteristics suggesting it was set up for short-lived, targeted activity.
The malware drops multiple disguised files in the %TEMP% directory, including encrypted payloads masquerading as image files.
Some are later renamed and executed as obfuscated scripts, enabling the malware to clean its traces.
It uses functions like Sleep to delay execution and LoadLibraryExW to stealthily load DLLs, making it more difficult for analysts to detect its presence during initial inspection.
Staying safe from threats of this nature requires a combination of technical measures and user awareness.
How to stay safe
- Organizations should implement endpoint detection and response solutions capable of identifying suspicious behavior patterns associated with Lumma Stealer
- Block all access to malicious domains
- Enforce strict download controls to prevent payload delivery
- Multi-factor authentication is essential to limit damage if credentials are compromised
- Regular credential rotation helps reduce the risk of long-term access by attackers
- Continuous monitoring for suspicious activity allows faster detection and response to potential breaches
