
Security Bulletin: Fake Reddit Sites and Lumma Stealer

A new campaign distributing the notorious Lumma Stealer malware has been discovered by security analyst Crep1x at Sekoia. Threat actors are utilizing over 80 second-level domains to generate over 1,000 fully qualified domain names impersonating Reddit and WeTransfer. Websites impersonating Reddit feature a fake thread designed to deceive victims into downloading the malware. While it remains unclear how users are redirected to these malicious domains, it is believed that SEO poisoning, combined with various social engineering tactics, may be to blame. The campaign aims to steal sensitive data, including login credentials, financial information, and other valuable assets from victims.

Attack Chain

Malicious domains designed to impersonate Reddit and WeTransfer

  • Domain names contain the words “reddit” or “wetransfer” at the beginning, followed by numbers or special characters, to appear authentic
  • Victims are redirected to a convincing fake Reddit page displaying a fraudulent thread
  • Attackers use valid SSL/TLS certificates, so the browser shows a padlock icon and the connection appears secure (Cyber Security News, 2025)
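The naming pattern above (the brand name at the start of the second-level label, followed by numbers or special characters) is something a defender can screen for in DNS query logs. The following is an added example, not code from the bulletin or from Sekoia; it assumes a simplified log format of `<timestamp> <client> <qname>`, treats the last two labels as the registrable domain (no public-suffix list), and uses constructed sample lines.

```python
import re

# Legitimate registrable domains the lookalikes imitate (assumption: only these two brands).
LEGIT_DOMAINS = {"reddit.com", "wetransfer.com"}

# Pattern described in the bulletin: brand name first, then digits or special characters.
# Hyphens are the only special character legal in a DNS label, so the class is [0-9-].
LOOKALIKE_RE = re.compile(r"^(reddit|wetransfer)[0-9-]+$")


def registrable_domain(fqdn: str) -> str:
    """Return the last two labels of an FQDN (simplified: no public-suffix handling)."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_lookalike(fqdn: str) -> bool:
    """True when the registrable domain mimics Reddit/WeTransfer but is not the real one."""
    domain = registrable_domain(fqdn)
    if domain in LEGIT_DOMAINS:
        return False
    second_level_label = domain.split(".")[0]
    return LOOKALIKE_RE.match(second_level_label) is not None


def flag_dns_log(lines):
    """Scan log lines of the form '<timestamp> <client> <qname>'; return flagged qnames."""
    flagged = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line, skip rather than crash
        qname = parts[2]
        if is_lookalike(qname):
            flagged.append(qname)
    return flagged


# Constructed sample log lines for this example (not real indicators from the campaign).
SAMPLE_DNS_LOG = [
    "2025-01-21T10:00:01Z 10.0.0.5 www.reddit.com",
    "2025-01-21T10:00:07Z 10.0.0.5 reddit13579.com",
    "2025-01-21T10:00:09Z 10.0.0.7 wetransfer-01.net",
    "2025-01-21T10:00:12Z 10.0.0.7 wetransfer.com",
    "2025-01-21T10:00:15Z 10.0.0.9 cdn.example.org",
]

if __name__ == "__main__":
    for qname in flag_dns_log(SAMPLE_DNS_LOG):
        print("possible lookalike domain:", qname)
```

Hits from this screen are candidates for review against a published indicator list, not verdicts on their own.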


The victim is redirected to a malware-hosting WeTransfer page

  • A seemingly legitimate tool or software link is embedded in the fake Reddit thread.
  • The download button delivers the Lumma Stealer payload (Bleeping Computer, 2025)


Payload is executed

  • Once installed, Lumma Stealer communicates with a command-and-control server (C2) and exfiltrates sensitive data, including:
    • Credentials
    • Cryptocurrency wallet information
    • Session tokens

Indicators of Compromise (IOCs)

Security analyst Crep1x at Sekoia has made available a GitHub repository containing a list of subdomains hosting fake “Reddit” and “WeTransfer” webpages.

Figure 1: Malicious domains mimic legitimate URLs

Mitigation Strategies

The campaign has employed similar tactics impersonating various reputable platforms in order to deliver malware. To counter the growing threat of these types of attacks, the following guidelines are recommended:

  • Verify the website URL – Always check for potential fake domains
  • Implement multi-factor authentication (MFA) – Adds an extra layer of protection against stolen credentials
  • Conduct user training – Educate users to recognize and avoid phishing attacks
  • Update & Patch – Ensure anti-malware software and operating systems are up to date

Centripetal’s Perspective

Centripetal has been alerted to this campaign and is actively monitoring its developments. While it is important to remain cautious and vigilant for suspicious activity, we want to assure our users that our threat intelligence provides extensive coverage against this threat and its indicators of compromise (IOCs). Our intelligence feeds are continuously updated to detect and mitigate these types of attacks.

CleanINTERNET® will continue to deliver dynamic, threat intelligence-based protection against known indicators of compromise, reducing threat actors’ ability to launch successful attacks.

Centripetal’s Coverage

Coverage analysis of Centripetal’s intelligence feeds shows a growing number of ingested Indicators of Compromise (IOCs) leading up to the reported incident on January 20, 2025. Overall coverage stood at 80% on that date and reached 100% as of January 26, 2025 (Figure 2).

Figure 2: BDN Coverage Timeline

A deeper analysis of each domain’s registration date, compared with the date it was first reported in threat intelligence, provides insight into how long these domains remained undetected or unused by the threat actor. Overall, most domains appeared in threat intelligence feeds within a few days of creation, some as early as the next day, with an average detection time of 4 days. The majority of these malicious domains were registered between December and early January. Our extensive coverage ensures that our customers remain protected throughout the campaign’s development (Figure 3).

Figure 3: Distribution of Domains by Number of Days Unknown

Conclusion

The discovery of this large phishing campaign to deliver malware highlights the increasing sophistication of cyber threats. Through impersonating trusted platforms like Reddit and WeTransfer, attackers successfully trick users into downloading Lumma Stealer—malware specifically designed to steal sensitive data. Deceptive tactics, such as the use of valid SSL certificates and slight variations in domain names, further complicate detection, making user awareness and proactive security measures essential.

To mitigate the risks associated with this campaign, users must continue shielding, remain vigilant by verifying website URLs, enable multi-factor authentication, update and patch anti-malware tools and operating systems, and undergo regular cybersecurity training. By adopting these precautions, individuals and businesses can strengthen their defenses against phishing attacks and malware infections.

Centripetal is pleased to offer Penetration Testing and Vulnerability Assessment services to help organizations identify vulnerabilities and reduce risk. If interested, please contact our Professional Services team at profservs@centripetal.ai or reach out to your Centripetal Account Representative.
