Green Hell V2.4.2.rar

The archive typically contains an executable (often hidden behind a double extension or a fake icon) that, when run, deploys Lumma Stealer. This malware targets cryptocurrency wallets, browser passwords, cookies, and 2FA session tokens.

Analysis of this file across platforms like ANY.RUN and Hybrid Analysis reveals several critical red flags:

Technical Indicators / Observation
File Type: WinRAR Archive (RAR)
Threat Level: Critical (100/100)
Main Process: Often spawns a sub-process like GreenHell.exe or a random string (e.g., svchost.exe injection).

Contacts external IPs via HTTP POST requests to exfiltrate ZIP archives of stolen data.

Reports highlight that the malware specifically searches for directories related to Telegram Desktop, Discord, and various Chromium-based browsers to strip saved login credentials.