- Lumma Stealer malware hides behind a fake Telegram Premium site, and the download starts without a user click
- The executable is wrapped in a cryptor, which defeats signature-based antivirus scanning until the code is unpacked in memory
- The malware talks to real Telegram and Steam servers while also reaching algorithmically generated domains

A malicious campaign is targeting users through a fraudulent Telegram Premium website, delivering a variant of the Lumma Stealer malware.

A report from Cyfirma says the domain telegrampremium[.]app closely mimics the legitimate Telegram Premium brand and hosts a file named start.exe. The executable, built in C/C++, begins downloading as soon as the page is visited, with no user interaction required. A browser download is not execution, though: the infection still depends on the victim opening start.exe, which is why the lure is styled as a Premium installer.

A closer look at the malware delivery

Once executed, the stealer harvests browser-stored credentials, cryptocurrency wallet data and system information, exposing victims to account takeover and identity theft. The fake site works as a drive-by download, meaning the payload is pushed to the visitor automatically rather than in response to an explicit request.

The executable's high entropy suggests it is wrapped in a cryptor. Encrypted or compressed code looks like random data, so static signature scanning sees nothing recognisable until the real payload is decrypted at runtime. Static analysis nonetheless shows that the malware imports numerous Windows API functions, giving it the ability to manipulate files, modify the registry, read the clipboard, launch additional payloads and evade detection.

The malware also sends DNS queries directly to Google's public DNS resolver instead of the network's own resolver, which sidesteps any filtering and logging that depends on endpoints using the internal DNS server. It contacts legitimate services such as Telegram and the Steam Community, possibly for command-and-control (a common pattern is to park the current C2 address in a profile page on a trusted site and fetch it from there), and it also reaches algorithmically generated domains, which are hard to take down because the operator can simply generate the next one. Together these channels let the malware keep communicating while blending into traffic that firewalls and conventional monitoring treat as benign.

The domain is newly registered, and its hosting characteristics suggest it was set up for short-lived, targeted activity.

The malware drops multiple disguised files in the %TEMP% directory, including encrypted payloads whose names and extensions make them look like image files. Some are later renamed and executed as obfuscated scripts that, among other things, clean up traces of the infection. It calls Sleep to delay execution, a common way to outlast sandbox analysis timeouts, and resolves DLLs at runtime with LoadLibraryExW rather than declaring them in the import table, so an initial inspection of the binary shows less of what it will actually do.

Staying safe from threats of this nature requires a combination of technical measures and user awareness.

How to stay safe

- Deploy endpoint detection and response capable of identifying the behaviour patterns associated with Lumma Stealer, such as access to browser credential stores followed by outbound connections to unfamiliar domains
- Block telegrampremium[.]app and the associated indicators at the web proxy and DNS layer, and restrict outbound port 53 so that only the internal resolver can reach external DNS servers, which closes the public-DNS bypass described above
- Enforce strict download controls, for example blocking executable downloads from newly registered or uncategorised domains
- Require multi-factor authentication so that stolen passwords alone do not grant access
- Rotate credentials regularly, and immediately for any user found to have run the payload, since the stealer exfiltrates what it finds on first run
- Monitor continuously for the behaviours described above so an infection is caught before the stolen data is used
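Two of the observations above, the high-entropy executable and the payloads in %TEMP% that carry image extensions but are not images, can be checked with a short triage script. The following is an added example written for this page, not code from the article or from Cyfirma's report; the entropy threshold, the magic-byte table and the sample files are assumptions constructed for illustration, and the script generalises the article's case by checking any extension against its leading bytes.

```python
"""Triage check for dropped files: Shannon entropy plus a magic-byte check.

Added example, not from the article or the Cyfirma report. The thresholds,
the small magic table and the sample inputs are assumptions for illustration.
"""
import math
import os
from collections import Counter
from typing import Dict, List, Optional

# Leading bytes that identify common formats. Assumption: this small table is
# enough to catch "claims to be an image but starts with MZ".
MAGIC = {
    "pe": (b"MZ",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "zip": (b"PK\x03\x04",),
}

EXT_TO_TYPE = {
    ".exe": "pe", ".dll": "pe", ".scr": "pe",
    ".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif",
    ".zip": "zip", ".docx": "zip", ".xlsx": "zip",
}

# Assumed threshold: text and ordinary PE sections sit well below 7 bits per
# byte, while encrypted or compressed data approaches the maximum of 8.
PACKED_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def detect_type(data: bytes) -> Optional[str]:
    """Return the format implied by the leading bytes, or None if unknown."""
    for kind, prefixes in MAGIC.items():
        if any(data.startswith(p) for p in prefixes):
            return kind
    return None


def triage(filename: str, data: bytes) -> dict:
    """Score one file and list the reasons it is (or is not) suspicious."""
    ext = os.path.splitext(filename)[1].lower()
    declared = EXT_TO_TYPE.get(ext)
    detected = detect_type(data)
    entropy = shannon_entropy(data)
    reasons: List[str] = []
    if declared and detected and declared != detected:
        reasons.append(f"extension says {declared} but content is {detected}")
    elif not declared and detected == "pe":
        reasons.append("PE image under an unrecognised extension")
    if entropy >= PACKED_THRESHOLD:
        reasons.append(f"entropy {entropy:.2f} suggests packing or encryption")
    return {
        "file": filename,
        "declared": declared,
        "detected": detected,
        "entropy": round(entropy, 3),
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def scan_temp_like(files: Dict[str, bytes]) -> List[dict]:
    """Run triage over a {name: bytes} map such as a listing of %TEMP%."""
    return [r for r in (triage(n, d) for n, d in files.items()) if r["suspicious"]]


# Constructed sample inputs standing in for a %TEMP% listing (not real artefacts).
SAMPLES = {
    # A genuine PNG header followed by low-entropy filler: benign.
    "wallpaper.png": MAGIC["png"][0] + b"\x00" * 512,
    # A PE header behind an image extension: the masquerade the article describes.
    "cache.jpg": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
    # Encrypted payload: every byte value equally frequent, entropy 8.0.
    "thumb.png": bytes(range(256)) * 8,
    # Ordinary text: nothing to flag.
    "notes.txt": b"the quick brown fox jumps over the lazy dog\n" * 20,
}

if __name__ == "__main__":
    for hit in scan_temp_like(SAMPLES):
        print(hit["file"], hit["entropy"], "; ".join(hit["reasons"]))
```

On a live host the `SAMPLES` map would be replaced by reading each file under `%TEMP%`; the two signals are deliberately independent, because a cryptor-wrapped payload need not wear a fake extension and a fake extension need not be high-entropy.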
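The two network behaviours in the write-up, endpoints querying Google's public DNS directly and lookups of algorithmically generated domains, both show up in DNS telemetry. The following detection pass is an added example for this page, not code from the article or from Cyfirma: the log format, the resolver addresses, the hostnames and the vowel-ratio heuristic for generated-looking names are all assumptions constructed for illustration.

```python
"""Detection pass over DNS telemetry: resolver bypass and DGA-like lookups.

Added example, not from the article or the Cyfirma report. The log format,
the resolver addresses and the DGA heuristic are assumptions for illustration.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Assumption: the only sanctioned resolver on this network.
INTERNAL_RESOLVERS = {"10.0.0.53"}
# Assumption: well-known public resolvers endpoints should never reach directly.
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "9.9.9.9"}

# Constructed sample log, one query per line: "<time> <host> -> <dst>:53 Q <qname>".
SAMPLE_LOG = """\
2025-08-01T10:00:01Z ws-042 -> 10.0.0.53:53 Q update.microsoft.com
2025-08-01T10:00:02Z ws-042 -> 8.8.8.8:53 Q steamcommunity.com
2025-08-01T10:00:03Z ws-042 -> 8.8.8.8:53 Q qmxwtrbplzhdgk.shop
2025-08-01T10:00:04Z ws-042 -> 8.8.8.8:53 Q api.telegram.org
2025-08-01T10:00:05Z ws-017 -> 10.0.0.53:53 Q mail.google.com
2025-08-01T10:00:06Z ws-017 -> 10.0.0.53:53 Q xkcvbnqwrtpl.top
2025-08-01T10:00:07Z ws-099 -> 10.0.0.53:53 Q github.com
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) -> (?P<dst>[\d.]+):53 Q (?P<qname>\S+)$"
)

VOWELS = set("aeiou")


def looks_generated(qname: str) -> bool:
    """Crude DGA heuristic (assumption): a long, all-letter second-level label
    with almost no vowels. Good enough to triage, not a classifier."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    sld = labels[-2]
    if len(sld) < 10 or not sld.isalpha():
        return False
    vowel_ratio = sum(ch in VOWELS for ch in sld) / len(sld)
    return vowel_ratio < 0.2


def parse(log: str) -> List[dict]:
    """Parse the constructed log format, skipping lines that do not match."""
    records = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def detect(log: str) -> List[dict]:
    """Return alerts: one per DGA-like lookup, one per host bypassing the resolver."""
    alerts: List[dict] = []
    bypass: Dict[str, List[str]] = defaultdict(list)
    for r in parse(log):
        # Any query not sent to the internal resolver bypasses internal DNS controls.
        if r["dst"] not in INTERNAL_RESOLVERS:
            bypass[r["host"]].append(r["qname"])
        if looks_generated(r["qname"]):
            alerts.append({
                "type": "dga_like_lookup",
                "host": r["host"],
                "qname": r["qname"],
                "resolver": r["dst"],
            })
    for host, names in bypass.items():
        alerts.append({
            "type": "resolver_bypass",
            "host": host,
            "count": len(names),
            "known_public": any(d in PUBLIC_RESOLVERS for d in (r["dst"] for r in parse(log) if r["host"] == host)),
            "qnames": names,
        })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

The resolver-bypass check is the high-confidence one: on a network that forces all DNS through an internal resolver, a workstation sending port-53 traffic to 8.8.8.8 is a policy violation regardless of what it asked for. The DGA heuristic will misfire on some consonant-heavy legitimate names, so it is a triage filter for the analyst, not a blocking rule.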