Hundreds of websites impersonating Reddit and WeTransfer spread Lumma Stealer

📟 News

Date: 24/01/2025

Sekoia researcher crep1x discovered that hackers are currently using some 1,000 pages impersonating Reddit and WeTransfer. Victims visiting these sites are tricked into downloading the Lumma Stealer malware.

All fake Reddit pages use the same social engineering trick: they show a discussion thread on a specific issue. In most cases, the alleged thread creator asks for help with downloading a certain tool, and some ‘Good Samaritan’ offers help by supposedly uploading the required software to WeTransfer and posting a link to it. To make the scam look more credible, a third user thanks the ‘Good Samaritan’.

Unsuspecting users who click on such a link are taken to a fake WeTransfer site that mimics the popular file-sharing service. The “Download” button there downloads the Lumma Stealer payload from weighcobbweo[.]top.

[Image: Fake Reddit page]

Addresses of rogue sites used in this campaign contain the name of the brand they pretend to be (e.g. Reddit) followed by random numbers and symbols. Most of these fake sites use the .org and .net top-level domains.
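The naming pattern above (brand name, then random digits or symbols, under .org or .net) is simple enough to turn into a triage rule for web proxy or DNS logs. The following is an added example, not code from Sekoia or the article: it classifies hostnames against that pattern plus a small allowlist of legitimate brand domains, and runs the check over a few constructed proxy log lines. The allowlist, the log format and every hostname in the sample are assumptions made for this example, not indicators from the campaign.

```python
import re
from typing import List, Tuple

# Brands impersonated in the campaign described above.
BRANDS = ("reddit", "wetransfer")

# Legitimate registrable domains to allowlist. This list is an assumption for
# the example; a real deployment would use the organisation's own inventory.
LEGIT_DOMAINS = {"reddit.com", "redditstatic.com", "redd.it", "wetransfer.com"}

# Reported naming pattern: brand name, then at least one digit or symbol and
# any trailing run of characters, under .org or .net. Optional leading labels
# allow subdomains such as "www.".
_LOOKALIKE = re.compile(
    r"^(?:[a-z0-9-]+\.)*(?P<brand>" + "|".join(BRANDS) + r")"
    r"[0-9_-][a-z0-9_-]*\.(?P<tld>org|net)$"
)

# Constructed proxy log format: timestamp, source IP, requested host, path.
_LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) (?P<path>\S+)$")


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname (sufficient for .com/.org/.net)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(host: str) -> str:
    """Classify a hostname as 'legit', 'lookalike', 'brand-mention' or 'unknown'."""
    host = host.lower().rstrip(".")
    if registrable_domain(host) in LEGIT_DOMAINS:
        return "legit"
    if _LOOKALIKE.match(host):
        return "lookalike"
    # Brand name inside a registrable domain we do not recognise: lower
    # confidence than the exact pattern, but still worth an analyst's look.
    if any(brand in registrable_domain(host) for brand in BRANDS):
        return "brand-mention"
    return "unknown"


def scan_proxy_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (source IP, host, verdict) for every line whose host needs review."""
    hits = []
    for line in lines:
        match = _LOG_LINE.match(line.strip())
        if not match:
            continue  # skip malformed lines instead of failing the whole scan
        verdict = classify_host(match["host"])
        if verdict in ("lookalike", "brand-mention"):
            hits.append((match["src"], match["host"], verdict))
    return hits


# Constructed sample log; none of these hostnames are real indicators.
SAMPLE_LOG = [
    "2025-01-24T09:12:01Z 10.0.0.15 www.reddit.com /r/sysadmin/",
    "2025-01-24T09:12:40Z 10.0.0.15 reddit8472-x.org /r/help/thread",
    "2025-01-24T09:13:05Z 10.0.0.15 wetransfer-51z.net /download",
    "2025-01-24T09:13:09Z 10.0.0.22 wetransfer.com /",
    "2025-01-24T09:14:00Z 10.0.0.31 example.org /index.html",
    "2025-01-24T09:15:00Z 10.0.0.31 reddit-helpdesk.xyz /login",
]


if __name__ == "__main__":
    for src, host, verdict in scan_proxy_log(SAMPLE_LOG):
        print(f"{src} -> {host} [{verdict}]")
```

The allowlist check runs before the pattern check so that a legitimate subdomain is never reported; the regex anchors the brand name immediately before the random suffix, which keeps ordinary words containing the brand (such as a corporate "reddit-helpdesk" host) in the lower-confidence bucket rather than the exact-pattern one.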

The Sekoia analyst published a list of web pages used in this scam. In total, it includes 529 pages disguised as Reddit and 407 pages impersonating WeTransfer.

The number of victims lured to such fake resources remains unknown but Bleeping Computer notes that attacks can begin with malicious advertisements, SEO poisoning, malicious sites, messages sent via social networks and instant messengers, etc.

According to Netskope Threat Labs, malefactors actively spread Lumma Stealer using fake CAPTCHAs. Such attacks exploit the ClickFix (ClearFake or OneDrive Pastejacking) attack vector, which is quite popular among cybercriminals nowadays.

Victims are tricked into visiting rogue websites and running malicious PowerShell commands themselves, thereby manually infecting their own systems with malware. In most cases, malefactors require users to pass a fake CAPTCHA test or a verification procedure – allegedly to solve a browser issue or to join a channel.
