InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/


SOC338 — Lumma Stealer — DLL Side-Loading via Click Fix Phishing

Ghostploit · Published in InfoSec Write-ups · 4 min read · Mar 15, 2025

Hello, my digital adventurers! Today, I’m going to investigate the LetsDefend alert “DLL Side-Loading via Click Fix Phishing”.

According to Malpedia: “Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor “Shamel”, who goes by the alias “Lumma”. Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim’s machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent “TeslaBrowser/5.5”. The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.”
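The one network indicator in that description, exfiltration over HTTP POST with the user agent “TeslaBrowser/5.5”, is something a SOC can hunt for in egress proxy logs. The script below is an added example, not part of this write-up or of LetsDefend’s lab: it parses a constructed, hypothetical proxy log layout (timestamp, client, method, URL, status, quoted user agent), flags every request carrying that user agent, rates POSTs higher because they match the described exfiltration pattern, and collapses the hits into one row per suspect host. A user agent is trivial for an operator to change, so treat a hit as one signal to correlate with the endpoint, not as proof on its own.

```python
import re
from dataclasses import dataclass

# Constructed sample proxy log lines for this example (not taken from the
# alert). Hypothetical layout: timestamp client method url status "user_agent".
SAMPLE_LOGS = """\
2025-03-13T09:51:02Z 10.0.0.25 GET https://www.microsoft.com/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2025-03-13T09:52:17Z 10.0.0.25 POST http://203.0.113.10/api 200 "TeslaBrowser/5.5"
2025-03-13T09:52:19Z 10.0.0.25 POST http://203.0.113.10/api 200 "TeslaBrowser/5.5"
2025-03-13T09:53:00Z 10.0.0.31 POST https://login.example.com/auth 302 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2025-03-13T09:53:30Z 10.0.0.25 GET https://cdn.example.net/a.js 200 "TeslaBrowser/5.5"
this line is malformed and must be skipped
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

# User agent the Malpedia description attributes to Lumma's exfiltration.
LUMMA_UA = "TeslaBrowser/5.5"


@dataclass(frozen=True)
class Hit:
    ts: str
    client: str
    method: str
    url: str
    severity: str  # "high" for POST (exfil pattern), "medium" for other methods


def parse_line(line):
    """Return a dict for a well-formed line, or None so callers can skip junk."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, ua = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "ua": ua}


def find_lumma_traffic(log_text, ua=LUMMA_UA):
    """Flag every request carrying the stealer's user agent.

    A POST with that user agent matches the described exfiltration pattern
    and is rated high; any other method with the same user agent is still
    worth a look and is rated medium.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["ua"].casefold() != ua.casefold():
            continue
        severity = "high" if rec["method"].upper() == "POST" else "medium"
        hits.append(Hit(rec["ts"], rec["client"], rec["method"], rec["url"], severity))
    return hits


def suspect_hosts(hits):
    """Collapse hits into one row per client: the set of destination URLs and
    the worst severity seen, which is what an analyst escalates on."""
    rows = {}
    for h in hits:
        row = rows.setdefault(h.client, {"urls": set(), "severity": "medium"})
        row["urls"].add(h.url)
        if h.severity == "high":
            row["severity"] = "high"
    return {c: {"urls": sorted(r["urls"]), "severity": r["severity"]}
            for c, r in rows.items()}


if __name__ == "__main__":
    for client, row in suspect_hosts(find_lumma_traffic(SAMPLE_LOGS)).items():
        print(client, row["severity"], ", ".join(row["urls"]))
```

Run it as-is to see the constructed sample collapse to a single suspect host with two destinations; point `find_lumma_traffic` at real proxy output after adjusting `LOG_RE` to your log format, and pivot from the flagged client to its process and DNS telemetry to confirm or dismiss.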

Let’s investigate it.

Here are the artifacts we collected.

  • EventID: 316
  • Event Time: Mar, 13, 2025, 09:44 AM
  • SMTP Address: 132.232.40.201
  • Source Address: update@windows-update.site
  • Destination Address: dylan@letsdefend.io
  • E-mail Subject: Upgrade your system to Windows 11 Pro for FREE
  • Device Action: Allowed
  • Trigger Reason: Redirected site contains a click fix type script for Lumma Stealer distribution.

Analysis

Since this is an email, we need to check the “Email Security” page to analyze it for any suspicious activity.

Search for the SMTP address

We can check the URL to which the Update button redirects to determine whether the website is malicious. To do this, I will submit the URL to VirusTotal.



Written by Ghostploit

Cybersecurity Engineer | Sharing insights, lab writeups & more for the infosec community | x.com/ghostploit | linkedin.com/company/ghostploit
