Fake Telegram Premium Site Distributes New Lumma Stealer Variant

Executive Summary

CYFIRMA Threat Intelligence has observed an ongoing malicious campaign leveraging the domain telegrampremium[.]app, which fraudulently mimics the official Telegram Premium platform. This domain hosts a downloadable executable file start.exe containing a newly identified variant of the Lumma Stealer malware, a sophisticated information-stealing trojan. The malware is capable of exfiltrating a wide range of sensitive data, including browser-stored credentials, cryptocurrency wallet details, and system information. Critically, the payload is delivered automatically upon accessing the URL, without requiring user interaction, thereby significantly elevating the threat level. This operation highlights the adversaries’ continued use of brand impersonation and social engineering techniques to facilitate large-scale malware distribution.

CYFIRMA strongly recommends immediately blocking the domain telegrampremium[.]app, scanning endpoints for the start.exe payload and its artefacts, and rotating any credentials stored in browsers on exposed hosts, to mitigate potential impact and prevent further compromise.
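The block below is an added example of turning the two indicators the summary names (the domain telegrampremium[.]app and the file name start.exe) into a retro-hunt over DNS and proxy telemetry; it is not CYFIRMA's tooling and the log format and sample lines are constructed for illustration. It refangs the indicators, matches the domain and its subdomains without catching look-alike names, and separates hosts that merely resolved the domain from hosts that actually fetched start.exe, which are the ones to isolate and rotate credentials for first.

```python
"""Hunt DNS/proxy telemetry for the two IOCs named in the post:
the domain telegrampremium[.]app and the payload file name start.exe.

Added example, not CYFIRMA's own tooling. The log format
('<timestamp> <source-ip> <dns|http> <name-or-url>') and the sample
lines are constructed for illustration.
"""
from typing import Optional
from urllib.parse import urlsplit

# IOCs exactly as the post gives them (defanged).
DEFANGED_DOMAIN = "telegrampremium[.]app"
PAYLOAD_FILENAME = "start.exe"


def refang(indicator: str) -> str:
    """Undo common defanging so the indicator can be compared to real logs."""
    return (indicator.replace("[.]", ".")
                     .replace("hxxps://", "https://")
                     .replace("hxxp://", "http://"))


IOC_DOMAIN = refang(DEFANGED_DOMAIN)  # "telegrampremium.app"


def host_matches(host: str, ioc_domain: str) -> bool:
    """Match the domain and its subdomains only.

    A plain substring test would also flag look-alikes such as
    'nottelegrampremium.app' or 'telegrampremium.app.example.com'.
    """
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


def classify_log_line(line: str) -> Optional[dict]:
    """Return a hit record for a line that touches the IOC domain, else None.

    'download' means the requested path ends in start.exe (the host fetched
    the payload); 'contact' means only the domain was resolved or visited.
    """
    parts = line.split(maxsplit=3)
    if len(parts) != 4:
        return None  # malformed line, skip
    ts, src_ip, kind, value = parts
    if kind == "dns":
        host, path = value, ""
    elif kind == "http":
        url = urlsplit(value)
        host, path = url.hostname or "", url.path
    else:
        return None
    if not host_matches(host, IOC_DOMAIN):
        return None
    fetched = path.rsplit("/", 1)[-1].lower() == PAYLOAD_FILENAME
    return {"ts": ts, "src_ip": src_ip, "kind": kind, "host": host,
            "severity": "download" if fetched else "contact"}


def hunt(lines):
    """Run classify_log_line over a log and keep the hits, in log order."""
    return [hit for hit in map(classify_log_line, lines) if hit is not None]


def hosts_to_triage(hits):
    """Source IPs that fetched start.exe: isolate these and rotate the
    browser-stored credentials of their users first."""
    return {h["src_ip"] for h in hits if h["severity"] == "download"}


# Constructed sample telemetry (not real data).
SAMPLE_LOG = [
    "2025-01-10T09:00:01Z 10.0.0.5 dns telegrampremium.app",
    "2025-01-10T09:00:02Z 10.0.0.5 http https://telegrampremium.app/start.exe",
    "2025-01-10T09:00:03Z 10.0.0.7 dns telegram.org",
    "2025-01-10T09:00:04Z 10.0.0.9 http https://nottelegrampremium.app/start.exe",
    "2025-01-10T09:00:05Z 10.0.0.9 dns cdn.telegrampremium.app",
    "2025-01-10T09:00:06Z 10.0.0.3 http http://telegrampremium.app.example.com/x",
]

if __name__ == "__main__":
    hits = hunt(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print("triage first:", sorted(hosts_to_triage(hits)))
```

Feed it your own resolver or proxy export by adapting `classify_log_line` to that format; the matching logic stays the same. Blocking the domain stops new downloads, but hosts that already show a 'download' hit must be treated as compromised regardless of the block.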

To read the complete article see:

https://www.cyfirma.com/research/fake-telegram-premium-site-distributes-new-lumma-stealer-variant/

This post is licensed under CC BY 4.0 by the author.