From Shadow to Spotlight: The Evolution of LummaStealer and Its Hidden Secrets
ID: 2ce7a2fe-3dbc-5711-88ae-a56446b50aec
STIX ID: report--2ce7a2fe-3dbc-5711-88ae-a56446b50aec
Feed Name: Cybereason Blog
This Cybereason report analyzes LummaStealer, a mature information stealer sold as malware-as-a-service (MaaS). It details a newly observed mshta-based delivery chain that starts from fake CAPTCHA phishing pages and passes through several obfuscation layers (hex-encoded JavaScript, obfuscated PowerShell, AES decryption, XOR and Base64 decoding, and finally a .NET assembly loaded directly in memory), an AMSI bypass implemented by patching AMSI in memory, and monetization through a Telegram marketplace. The report includes IOCs (domains, IPs, hashes), step-by-step deobfuscation notes, and containment recommendations: isolate affected hosts, reimage them, reset credentials, block the IOCs, and educate users.
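The inner layers of the chain described above (Base64, then XOR, then a .NET assembly in memory) can usually be peeled without the dropper's own code, because the plaintext is a PE file with a well-known header. The script below is an added example written for this page, not code from the Cybereason report or from the malware: it assumes the XOR is a short repeating key applied before Base64 encoding (the report does not state the key length or scheme), recovers that key with a known-plaintext crib (the DOS stub string that the common MS linker layout places at offset 0x4E), and checks the result for a PE signature and the `BSJB` CLR metadata marker. The sample assembly, the Base64 blob and the key `k3y!` are all constructed here and are not indicators from the report.

```python
"""Peel the Base64 -> XOR -> .NET assembly layers of a staged payload.

Added example for this page (not Cybereason's or LummaStealer's code).
Assumptions, labelled here and in comments below: repeating-key XOR applied
before Base64; the plaintext is a PE whose DOS stub text sits at 0x4E.
All sample data is constructed in build_sample_* and is not a real artefact.
"""
import base64
import struct
from typing import Optional

DOS_STUB_CRIB = b"!This program cannot be run in DOS mode."
DOS_STUB_OFFSET = 0x4E  # assumption: common MS linker layout; verify on real samples


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so it both encrypts and decrypts."""
    if not key:
        raise ValueError("empty XOR key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def b64_decode_lenient(blob: str) -> bytes:
    """Base64 decode that tolerates stripped padding and embedded whitespace,
    which is how such strings often appear inside obfuscated PowerShell."""
    text = "".join(blob.split())
    return base64.b64decode(text + "=" * (-len(text) % 4))


def recover_xor_key(encrypted: bytes, key_len: int) -> Optional[bytes]:
    """Known-plaintext attack: XOR the ciphertext at the DOS-stub offset with
    the expected stub text. key_len consecutive positions cover every key
    index, so any key no longer than the crib is recovered in full.
    Returns None if the ciphertext is too short or key_len is implausible."""
    if key_len <= 0 or key_len > len(DOS_STUB_CRIB):
        return None
    if len(encrypted) < DOS_STUB_OFFSET + key_len:
        return None
    key = bytearray(key_len)
    for i in range(key_len):
        pos = DOS_STUB_OFFSET + i
        key[pos % key_len] = encrypted[pos] ^ DOS_STUB_CRIB[i]
    return bytes(key)


def classify_pe(data: bytes) -> dict:
    """Cheap validation of a decoded blob: MZ header, PE signature at
    e_lfanew, and the 'BSJB' CLR metadata signature of a .NET assembly."""
    result = {"mz": False, "pe": False, "dotnet": False}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return result
    result["mz"] = True
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
        result["pe"] = True
    result["dotnet"] = result["pe"] and b"BSJB" in data
    return result


def unwrap_stage(blob: str, key_len: int) -> Optional[dict]:
    """Base64 -> key recovery -> XOR -> PE check. Returns None when the crib
    gives nothing that starts like a PE (wrong key length, or a scheme other
    than the repeating-key XOR assumed here)."""
    encrypted = b64_decode_lenient(blob)
    key = recover_xor_key(encrypted, key_len)
    if key is None:
        return None
    plain = xor_bytes(encrypted, key)
    info = classify_pe(plain)
    if not info["mz"]:
        return None
    return {"key": key, "size": len(plain), **info}


def build_sample_assembly() -> bytes:
    """Constructed stand-in for a .NET PE: only the header fields the checks
    above consult are filled in. Not executable and not a real sample."""
    img = bytearray(0x100)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)  # e_lfanew -> PE header at 0x80
    img[DOS_STUB_OFFSET:DOS_STUB_OFFSET + len(DOS_STUB_CRIB)] = DOS_STUB_CRIB
    img[0x80:0x84] = b"PE\x00\x00"
    img[0xC0:0xC4] = b"BSJB"  # CLR metadata signature
    return bytes(img)


def build_sample_blob(key: bytes) -> str:
    """Wrap the stand-in assembly the way the described stage does: XOR, then Base64."""
    return base64.b64encode(xor_bytes(build_sample_assembly(), key)).decode()


if __name__ == "__main__":
    blob = build_sample_blob(b"k3y!")  # constructed key, not from the report
    print(unwrap_stage(blob, key_len=4))
```

On a real dropper, take the Base64 string from the deobfuscated PowerShell, try plausible key lengths in a loop, and keep the first result where `pe` is true; if none matches, the stage is not the simple repeating-key XOR assumed here and the PowerShell itself must be read for the actual transform.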
