According to a report from Bleeping Computer, hackers are spreading a harmful malware called Lumma Stealer by tricking you into clicking on links found in fake Reddit threads. These threads offer solutions to common problems but redirect you to fraudulent websites designed to mimic WeTransfer. Once on these fake sites, you may unknowingly download malicious files.
How the fake sites operate
Around 1,000 malicious domains are hosting webpages impersonating Reddit and WeTransfer, redirecting users to download password-protected archives
— crep1x (@crep1x) January 20, 2025
These archives contain an AutoIT dropper, we internally named #SelfAU3 Dropper at @sekoia_io, which executes #Lumma Stealer
IoCs โฌ๏ธ pic.twitter.com/SlnvaAYkiq
Security researcher Crep1x from Sekoia.io uncovered nearly 1,000 fraudulent websites being used to spread the malware. Of these, 529 impersonate Reddit, while 407 mimic WeTransfer. To appear credible, these fake sites are crafted with domain names that combine random letters, numbers, and the brand name, typically ending in .org or .net.
A common tactic used by hackers involves creating a fake Reddit thread in which one user claims they need help downloading a specific tool. Another user responds, offering a WeTransfer link to the requested file along with a thank-you message to make it seem authentic. To create a sense of urgency, the post often mentions that the link will expire in two days.
When you click on the link, you are redirected to a website that looks almost identical to WeTransfer but is fake. Downloading the file leads to installing Lumma Stealer, which can compromise your personal information.
Why Lumma Stealer is dangerous
Lumma Stealer is highly advanced and designed to steal your data while avoiding detection. It has been distributed through several methods, including direct messages on social media, search engine optimisation (SEO) poisoning, malicious websites, and even deepfake nude generator sites.
Once the malware is downloaded, it can collect sensitive information, such as login credentials, payment details, and other personal data. The stolen information is then sent to the hackers, putting you at risk of identity theft and financial fraud.
Researcher Crep1x could not confirm precisely how victims initially encountered the fake links. However, the malware payload is hosted on a suspicious site called โweighcobbweo[.]top.โ
How to protect yourself
To stay safe, avoid clicking on suspicious links, even if they seem to come from familiar platforms like Reddit or WeTransfer. Always double-check URLs for authenticity and ensure they match the official websiteโs domain. Installing reliable antivirus software is also essential to help detect and block malware threats.
Hackers continue to develop creative methods to spread malware like Lumma Stealer, so being cautious online is your best defence.
