
Hackers Imitate Windows “Commander Tool” to Unleash LummaC2 Malware Attack


Cybersecurity researchers at AhnLab Security Intelligence Center (ASEC) have uncovered a new campaign distributing the LummaC2 infostealer malware disguised as a cracked version of Total Commander, a popular Windows file management tool.

Total Commander, known for its advanced file-handling features such as folder synchronization and FTP/SFTP support, is typically offered as shareware with a one-month free trial.

However, cybercriminals are exploiting users seeking illegal “cracked” versions of the software to propagate malware.

The attack begins when users search for “Total Commander Crack” online.

[Figure: Total Commander]

Clicking on search results leads them through multiple deceptive pages, including Google Colab drives and fake Reddit posts, before arriving at the malicious download site.

Unlike automated redirection, this method requires users to actively click through links, making it clear that the attackers are targeting individuals deliberately seeking unauthorized software.

The downloaded ZIP file contains a password-protected RAR archive with an executable named “installer_1.05_38.2.exe,” which infects the system with LummaC2 upon execution.

Technical Details of the Malware

LummaC2 is a heavily obfuscated malware designed to steal sensitive information such as browser-stored credentials, email account details, cryptocurrency wallet data, and auto-login credentials.

The executable is packaged with an NSIS installer and AutoIt scripts, which complicates detection and analysis.

Upon execution, an NSIS script launches an obfuscated batch script that sets up the malware’s environment.

[Figure: NSIS script]

The batch script uses variable substitution and meaningless strings to evade detection while executing commands.

The malware payload is embedded within an encrypted AutoIt script (.a3x file).

During runtime, this script decrypts and loads the LummaC2 binary directly into memory, so the payload never lands on disk as a file that traditional antivirus scanning would inspect.

This technique is a common tactic among threat actors using AutoIt scripts to distribute malware.
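The batch-stage obfuscation described above (a junk variable defined with `set`, then the real command assembled from `%VAR:~offset,length%` substring expansions) can be unwound statically. The following is an added example, not code from ASEC or from this article: a small Python resolver that mimics cmd.exe substring-expansion semantics (including negative offsets and lengths), tracks `set` assignments, and emits the resolved command lines, plus a heuristic that flags scripts with an unusual density of substring expansions. The sample script is constructed for illustration and resolves to a harmless `echo`.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: same trick the article describes, but the assembled
# command is a harmless "echo hello". The junk variable and the expansions
# are made up for this example.
SAMPLE_BAT = r"""
@echo off
set "qzv=qoh1ec ll"
set "rt=%qzv:~4,2%"
%rt%%qzv:~2,1%%qzv:~1,1%%qzv:~6,1%%qzv:~2,1%%qzv:~4,1%%qzv:~-2%%qzv:~1,1%
"""

# set "NAME=VALUE"  or  set NAME=VALUE
SET_RE = re.compile(r'^\s*set\s+"?([^=\s"]+)=([^"]*)"?\s*$', re.IGNORECASE)
# %NAME%  or  %NAME:~start%  or  %NAME:~start,len%
EXPAND_RE = re.compile(r'%([A-Za-z_][A-Za-z0-9_]*)(?::~(-?\d+)(?:,(-?\d+))?)?%')


def batch_substring(value: str, start: int, length: Optional[int]) -> str:
    """Mimic cmd.exe %VAR:~start,len%: negative start counts from the end,
    negative len drops that many characters from the end, missing len
    means 'to the end', and a start past the end yields an empty string."""
    n = len(value)
    if start < 0:
        start = max(n + start, 0)
    if start > n:
        return ""
    if length is None:
        end = n
    elif length < 0:
        end = max(n + length, start)
    else:
        end = min(start + length, n)
    return value[start:end]


def expand_line(line: str, env: Dict[str, str]) -> str:
    """Replace every %VAR...% expansion whose variable is known; unknown
    variables are left untouched so the analyst can see what was not resolved."""
    def repl(m: "re.Match[str]") -> str:
        name = m.group(1).lower()          # batch variable names are case-insensitive
        if name not in env:
            return m.group(0)
        val = env[name]
        if m.group(2) is None:
            return val
        start = int(m.group(2))
        length = int(m.group(3)) if m.group(3) is not None else None
        return batch_substring(val, start, length)
    return EXPAND_RE.sub(repl, line)


def deobfuscate_batch(script: str) -> List[str]:
    """Walk the script top to bottom, record 'set' assignments (expanding any
    references they contain) and return the resolved non-assignment lines."""
    env: Dict[str, str] = {}
    resolved: List[str] = []
    for raw in script.splitlines():
        line = raw.strip()
        low = line.lower()
        if not line or low.startswith("@echo") or low.startswith("rem "):
            continue
        m = SET_RE.match(line)
        if m:
            env[m.group(1).lower()] = expand_line(m.group(2), env)
            continue
        resolved.append(expand_line(line, env))
    return resolved


def count_substring_expansions(script: str) -> int:
    """Number of %VAR:~...% substring expansions in the script."""
    return sum(1 for m in EXPAND_RE.finditer(script) if m.group(2) is not None)


def looks_obfuscated(script: str, threshold: int = 4) -> bool:
    """Heuristic: legitimate scripts rarely need more than a handful of
    substring expansions; a high count is a detection signal worth triage.
    The threshold is an assumed tuning value, not from the article."""
    return count_substring_expansions(script) >= threshold


if __name__ == "__main__":
    print("flagged:", looks_obfuscated(SAMPLE_BAT))
    for cmd in deobfuscate_batch(SAMPLE_BAT):
        print("resolved:", cmd)
```

The resolver only handles `%VAR%`-style expansion; it does not evaluate delayed `!VAR!` expansion, caret escaping, or `call` indirection, so on real samples treat its output as a first pass and confirm findings in an isolated sandbox.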

Once installed, LummaC2 exfiltrates stolen data to the attacker’s command-and-control (C&C) server.

This information can be sold on the dark web or used in secondary attacks, posing risks not only to individual victims but also to corporate networks if compromised credentials are linked to business accounts.

Broader Implications

This campaign highlights the risks associated with downloading cracked software from unverified sources.

LummaC2’s ability to target browser data, email clients like Thunderbird, and even cryptocurrency wallets underscores its potential for significant financial and privacy damage.

The ASEC report indicates that stolen personal data has been used in subsequent attacks on corporate systems, amplifying its impact.

To mitigate such threats, users are strongly advised to download software exclusively from official distribution channels.

Organizations should also educate employees about the dangers of cracked software and implement robust endpoint security solutions capable of detecting obfuscated malware like LummaC2.

This incident serves as a stark reminder of how cybercriminals exploit human behavior, specifically the lure of free software, to distribute sophisticated malware capable of causing widespread harm.
