Telegram: A Rising Platform for Malware Distribution via Lumma Stealer
Telegram Used for Malware Distribution
Telegram is becoming a popular platform for spreading malware, according to a report by McAfee. Researchers from the company found that Lumma Stealer, a widely-used infostealer, is being shared through Telegram channels.
Channels Sharing Lumma Stealer
McAfee identified two main Telegram channels that distribute Lumma Stealer. The first channel, VIP HitMaster Program, has over 42,000 subscribers. The second, MegaProgram +, has 8,660. These channels frequently share messages with each other. The primary targets of this malware are users in India, followed by users in the US and Europe.
Fake Software Delivery
In one case, McAfee analyzed a file posing as CCleaner 2024 and advertised as a tool for system cleaning and performance optimization. Once users extracted the archive, however, it contained Lumma Stealer alongside a second payload disguised as ‘CCleaner.exe.’
Command and Control Connection
The malicious file had several features that disguised its true purpose. It included code that connected to a Steam account: the attackers had set that account’s user name to an obfuscated string and linked it to various aliases, and the malware decoded this string to recover the address of its command and control (C2) server. As a result, the malware could connect to the attacker’s server, enabling data theft and the download of additional malicious files.
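The Steam-account lookup above is a dead-drop resolver: the C2 address is not in the binary, so blocking known domains does not help, but the lookup itself leaves a network trace. The following is an added detection sketch, not McAfee’s code or anything from the report, that runs over a few constructed proxy-log lines and flags a process that is neither the Steam client nor a browser fetching a Steam community profile page and then, within a short window, contacting a domain the same host has never talked to before. The log format, process names, allow-lists, window size and domains are all assumptions made for illustration.

```python
"""
Detection sketch for the Steam-profile dead-drop pattern: a non-Steam,
non-browser process fetches a steamcommunity.com profile page, then shortly
afterwards opens a connection to a domain new to that host.

Constructed example (not from the McAfee report). Log format, process
names, allow-lists and domains are assumptions for illustration only.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log: "<ISO time> <host> <process> <method> <url>"
SAMPLE_LOG = """\
2024-05-01T10:00:01 ws01 steam.exe GET https://steamcommunity.com/profiles/76561190000000001
2024-05-01T10:00:05 ws01 chrome.exe GET https://www.example.org/news
2024-05-01T10:02:10 ws02 CCleaner.exe GET https://steamcommunity.com/profiles/76561190000000002
2024-05-01T10:02:14 ws02 CCleaner.exe POST https://cdn-update-check.example/api
2024-05-01T10:03:00 ws02 chrome.exe GET https://www.example.org/
2024-05-01T10:30:00 ws03 chrome.exe GET https://steamcommunity.com/profiles/76561190000000003
2024-05-01T10:31:00 ws03 chrome.exe GET https://www.example.org/
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (GET|POST) (\S+)$")
STEAM_PROFILE_RE = re.compile(r"^https?://steamcommunity\.com/(profiles|id)/", re.I)
HOST_RE = re.compile(r"^https?://([^/]+)")
# Assumed allow-lists: processes for which a profile fetch is expected.
EXPECTED_PROCESSES = {"steam.exe", "steamwebhelper.exe",
                      "chrome.exe", "firefox.exe", "msedge.exe"}
WINDOW = timedelta(minutes=5)  # assumed correlation window


def parse(log_text):
    """Parse constructed log lines into event dicts; skips malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, host, proc, method, url = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "host": host, "proc": proc, "method": method, "url": url,
            "domain": HOST_RE.match(url).group(1).lower(),
        })
    return events


def find_dead_drop_candidates(events):
    """Return alerts as (host, process, profile_url, new_domain) tuples."""
    events = sorted(events, key=lambda e: e["ts"])
    seen = defaultdict(set)   # host -> domains contacted so far
    pending = []              # suspicious profile fetches awaiting a follow-up
    alerts = []
    for ev in events:
        domain = ev["domain"]
        suspicious_fetch = (STEAM_PROFILE_RE.match(ev["url"])
                            and ev["proc"].lower() not in EXPECTED_PROCESSES)
        if suspicious_fetch:
            pending.append(ev)
        else:
            # Same host and process contacting a never-seen domain soon
            # after the profile fetch is the resolver pattern we want.
            still_pending = []
            for p in pending:
                if (p["host"] == ev["host"] and p["proc"] == ev["proc"]
                        and ev["ts"] - p["ts"] <= WINDOW
                        and domain not in seen[ev["host"]]):
                    alerts.append((ev["host"], ev["proc"], p["url"], domain))
                else:
                    still_pending.append(p)
            pending = still_pending
        seen[ev["host"]].add(domain)
        # Expire fetches that never got a follow-up inside the window.
        pending = [p for p in pending if ev["ts"] - p["ts"] <= WINDOW]
    return alerts


if __name__ == "__main__":
    for alert in find_dead_drop_candidates(parse(SAMPLE_LOG)):
        print("dead-drop candidate:", alert)
```

In the constructed log only ws02 trips the rule: the Steam client on ws01 and the browser on ws03 fetch profile pages legitimately, while the process named CCleaner.exe fetches one and four seconds later posts to a domain the host has not contacted before. In production the allow-lists and the window would be tuned to the environment, and the alert would be enriched with the decoded profile name and the new domain for blocking.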
Conclusion
The spread of infostealers like Lumma Stealer through Telegram shows how easily malware can reach a wide audience. Lumma Stealer can steal sensitive information, posing significant risks to user privacy. This highlights the need for increased awareness of cybersecurity threats on popular platforms.
