Mallory

Lumma Stealer Malware Distributed via Fake Game Updates on Itch.io and Patreon

Tags: Lumma Stealer, malicious files, malware, Itch.io, fake updates, credential stealing, game updates, indie games, credential theft, Patreon, threat vector, phishing, gaming community, exploit, spam
Updated December 10, 2025 at 02:01 AM · 2 sources

Get Ahead of Threats Like This

Know if you're exposed — before adversaries strike.

A new malware campaign has targeted users of the indie game platform Itch.io and Patreon by distributing the Lumma Stealer malware through fake game update links. Attackers created new accounts to spam comment sections of legitimate games on Itch.io, posting templated messages that claimed to offer game updates. These messages included links to archives such as “Updated Version.zip,” which, when downloaded, contained a malicious executable designed to deploy Lumma Stealer. The campaign also leveraged a reflective Node.js loader to evade detection and increase the likelihood of successful infection.

Security researchers observed that the attackers used a shotgun approach, spamming multiple games to maximize reach and exploit users unfamiliar with the platform. The malicious files were often hidden among benign files in the downloaded archive, making it harder for users to detect the threat. This campaign highlights the growing trend of threat actors targeting indie gaming communities and platforms beyond mainstream services like Steam, using social engineering and technical obfuscation to distribute credential-stealing malware.


Related Stories

FBI Investigates Malware-Laced Games Distributed on Steam

The **FBI** is seeking victims as it investigates a suspected cybercriminal who published multiple **malware-tainted games** on **Steam**, using seemingly legitimate titles as Trojan horses to infect players' systems. The games named by the agency include **BlockBlasters/BlockBasters, Chemia, Dashverse/DashFPS, Lampy, Lunara, PirateFi, and Tokenova**, and were reportedly available between **2024 and 2026**. Both reports indicate the titles were functional enough to appear legitimate, but were designed to deliver malware and compromise users after installation. The reported impact includes **account compromise, information theft, and crypto-wallet draining**, with one cited case involving the theft of **$32,000 in cancer donations** from a streamer after exposure to one of the malicious games. The investigation suggests the listed titles may have been developed by the **same threat actor**, and that the number of affected users remains unknown. The case also highlights ongoing weaknesses in marketplace screening, as malicious games were able to reach Steam users before being removed by **Valve**.

Today
Lumma Stealer Infections with Follow-Up Malware

Multiple incidents have been documented involving the deployment of the Lumma Stealer malware on Windows systems, followed by the installation of additional malicious payloads. Technical analysis reveals that the Lumma Stealer installer, a large PE32 executable, temporarily saves several files to the infected host, including AutoIt3 scripts and various data files. The infection process also generates a custom `.a3x` AutoIt3 script and establishes command-and-control (C2) communications with domains such as `offenms[.]cyou`. Network traffic captures and file samples from these incidents have been made available for further analysis, providing insight into the infection chain and the nature of the follow-up malware. Indicators of compromise (IOCs), packet capture files, and extracted malware samples have been published to assist defenders in identifying and mitigating these threats. The technical details include SHA256 hashes of the malware, file paths used during infection, and specifics about the C2 infrastructure. These resources enable security teams to detect similar infections and understand the tactics used by threat actors leveraging Lumma Stealer in multi-stage attacks.
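The infection chain summarized above (a large installer dropping an AutoIt3 interpreter and a custom `.a3x` script, then contacting a C2 domain) can be turned into a simple correlation rule. This is an added example, not code from Mallory or from the cited analysis; the event format, field names and all telemetry lines are constructed, and only the domain `offenms[.]cyou` comes from the story.

```python
"""Correlate per-process telemetry for the Lumma Stealer chain described above.

Added example: event shape (host, pid, event_type, value) is an assumption,
and every event below is constructed sample data.
"""
from collections import defaultdict

# Defanged on the page as offenms[.]cyou; refanged here so DNS events match.
C2_DOMAINS = {"offenms.cyou"}

# Constructed telemetry: one infected host (ws01) and one benign AutoIt install (ws02).
EVENTS = [
    ("ws01", 4120, "file_write", r"C:\Users\a\AppData\Local\Temp\setup_big.exe"),
    ("ws01", 4120, "file_write", r"C:\Users\a\AppData\Local\Temp\AutoIt3.exe"),
    ("ws01", 4120, "file_write", r"C:\Users\a\AppData\Local\Temp\script.a3x"),
    ("ws01", 4120, "dns_query", "offenms.cyou"),
    ("ws02", 880, "file_write", r"C:\Program Files\Tool\AutoIt3.exe"),
    ("ws02", 880, "file_write", r"C:\Program Files\Tool\main.au3"),
]


def correlate(events):
    """Group events by (host, pid); flag processes that drop AutoIt3.exe together
    with a compiled .a3x script under a Temp directory. A DNS query to a known
    C2 domain from the same process raises the severity from medium to high."""
    by_proc = defaultdict(list)
    for host, pid, kind, value in events:
        by_proc[(host, pid)].append((kind, value))

    findings = []
    for (host, pid), evs in by_proc.items():
        writes = [v.lower() for k, v in evs if k == "file_write"]
        dns = {v.lower() for k, v in evs if k == "dns_query"}
        has_autoit = any(p.endswith("\\autoit3.exe") for p in writes)
        has_a3x = any(p.endswith(".a3x") for p in writes)
        in_temp = any("\\temp\\" in p for p in writes)
        c2_hits = sorted(dns & C2_DOMAINS)
        if has_autoit and has_a3x and in_temp:
            findings.append({
                "host": host,
                "pid": pid,
                "severity": "high" if c2_hits else "medium",
                "c2": c2_hits,
            })
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f)
```

The benign install on ws02 is not flagged because an `.au3` source file outside Temp does not match the dropped-`.a3x` pattern; real deployments would widen the C2 list from the published IOCs.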

2 months ago
Resurgence of Windows infostealers using stealth packaging and social-engineering lures

Threat researchers reported renewed activity from **Windows credential-stealing malware** that is designed to evade detection and rapidly scale infections. CYFIRMA described **LTX Stealer** as being delivered via a heavily obfuscated installer that abuses trusted developer and packaging tools—using *Inno Setup* to masquerade as legitimate software, embedding a full **Node.js runtime**, and compiling malicious JavaScript into bytecode to hinder reverse engineering. The installer reportedly contains an unusually large encrypted archive (hundreds of MB) intended to frustrate static scanning, and drops a payload (e.g., `updater.exe`) that functions as the bundled Node.js runtime used to execute the stealer logic. Separately, reporting citing Bitdefender said **Lumma Stealer** has returned “back at scale” after prior law-enforcement disruption of its infrastructure, rebuilding domains and command-and-control capacity to resume widespread credential and data theft. Lumma’s malware-as-a-service ecosystem continues to rely on high-conversion distribution methods, including lure sites offering pirated/cracked content and the **ClickFix** social-engineering technique that tricks users into infecting their own systems, underscoring how infostealer operators are combining resilient infrastructure with user-driven execution to maintain volume despite takedowns.

1 month ago
