Hundreds of websites impersonating Reddit and WeTransfer spread Lumma Stealer

📟 News

Date: 24/01/2025

Sekoia researcher crep1x discovered that hackers are currently using some 1,000 pages impersonating Reddit and WeTransfer. Victims visiting these sites are tricked into downloading the Lumma Stealer malware.

All fake Reddit pages use the same social engineering trick: they show a discussion thread on a specific issue. In most cases, the alleged thread creator asks for help with downloading a certain tool; while some ‘Good Samaritan’ offers help by supposedly uploading the required software to WeTransfer and posting a link to it. To make the scam look more credible, a third user thanks the ‘Good Samaritan’.

Unsuspecting users who click on such a link are taken to a fake WeTransfer site that mimics the popular file-sharing service. The “Download” button there downloads the Lumma Stealer payload from weighcobbweo[.]top.

Fake Reddit
Fake Reddit

Addresses of rogue sites used in this campaign contain the name of the brand they pretend to be (e.g. Reddit) followed by random numbers and symbols. Most of such fake sites use top-level domains (.org and .net).

The Sekoia analyst published a list of web pages used in this scam. In total, it includes 529 pages disguised as Reddit and 407 pages impersonating WeTransfer.

The number of victims lured to such fake resources remains unknown but Bleeping Computer notes that attacks can begin with malicious advertisements, SEO poisoning, malicious sites, messages sent via social networks and instant messengers, etc.

According to Netskope Threat Labs, malefactors actively spread Lumma Stealer using fake CAPTCHAs. Such attacks exploit the ClickFix (ClearFake or OneDrive Pastejacking) attack vector, which is quite popular among cybercriminals nowadays.

Victims are tricked into visiting rogue websites and running malicious PowerShell commands, thus, manually infecting their systems with malware. In most cases, malefactors require users to pass a fake CAPTCHA test or a verification procedure – allegedly, to solve a browser issue or join a channel.

Related posts:
2025.01.27 — YouTube plays hour-long ads to users with ad blockers

Users complain that YouTube plays very long unskippable ads. Sometimes such ads are longer than the video the person is watching. The issue was raised…

Full article →
2025.03.24 — Alexa to stop processing data locally. All voice requests will be sent to Amazon Cloud

Amazon announced that the privacy option allowing users of Echo speakers to avoid sending their voice recordings to the company's cloud will no longer be supported. Effective March…

Full article →
2025.04.10 — April updates released by Microsoft cause issues with Windows Hello

Microsoft warns that some Windows users who have installed the April updates might be unable to login to their Windows services using Windows Hello facial recognition…

Full article →
2025.02.25 — More than 100,000 users downloaded SpyLend malware from Google Play Store

According to Cyfirma, a malicious Android app called SpyLend was available on the official Google Play Store for some time and has been downloaded from there…

Full article →
2025.02.06 — Let's Encrypt to stop sending expiration notification emails

The nonprofit organization announced that, starting June 4, 2025, it will stop sending expiration notification emails to subscribers. The primary reason behind this decision…

Full article →
2025.02.23 — New JavaScript obfuscation technique uses invisible Unicode characters

According to Juniper Threat Labs , a new JavaScript obfuscation technique that uses invisible Unicode characters was used in a phishing attack targeting Political Action…

Full article →
2025.02.14 — 12,000 Kerio Control firewalls remain vulnerable to RCE

Security experts report that more than 12,000 GFI Kerio Control firewall instances remain vulnerable to the critical RCE vulnerability CVE-2024-52875, which was fixed…

Full article →
2025.02.17 — Dutch police seize 127 servers belonging to Zservers hosting provider

Following the introduction of international sanctions against Zservers, Russian 'bulletproof' hosting services provider, the Dutch National Police (Politie) shut down and seized 127 servers belonging to Zservers/XHost.…

Full article →
2025.03.16 — Researchers force DeepSeek to write malware

According to Tenable, the AI chatbot DeepSeek R1 from China can be used to write malware (e.g. keyloggers and ransomware). DeepSeek was released in January 2025 and caused a stir…

Full article →
2025.04.01 — Hackers abuse MU plugins to inject malicious payloads to WordPress

According to Sucuri, hackers store malicious code in the MU-plugins (Must-Use Plugins) directory in WordPress and execute it while remaining undetected. The technique was first discovered…

Full article →