{"id":7880,"date":"2024-05-29T08:59:29","date_gmt":"2024-05-29T08:59:29","guid":{"rendered":"\/cybersecurity-blog\/?p=7880"},"modified":"2024-06-05T08:28:50","modified_gmt":"2024-06-05T08:28:50","slug":"lumma-github-campaign","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/lumma-github-campaign\/","title":{"rendered":"Vidar, Lumma, Atomic and Octo Delivered through GitHub, FileZilla"},"content":{"rendered":"\n<p>Researchers report a new campaign that\u2019s delivering a variety of malware by exploiting GitHub, FileZilla and potentially other legitimate services.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What\u2019s happening?&nbsp;<\/h2>\n\n\n\n<p>Adversaries are <a href=\"https:\/\/thehackernews.com\/2024\/05\/cyber-criminals-exploit-github-and.html\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">impersonating<\/a> 1Password, Bartender 5, Pixelmator Pro, and other software on GitHub and FileZilla to deliver multiple threats in a massive campaign.&nbsp;&nbsp;<\/p>\n\n\n\n<p>The campaign uses multiple stealers, allowing it to target Windows, MacOS, and Android users. 
Researchers believe that hackers are centrally controlling these families from a shared C2.&nbsp;<\/p>\n\n\n\n<p>The following table shows which malware families affect which systems:&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-98\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"5\"\n           data-wpID=\"98\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Malware\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Target system\u00a0                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n  
                                      <a class=\"wpdt-link-content\" href=\"https:\/\/any.run\/malware-trends\/vidar\"  rel=\"\" target=\"_self\" data-cell-id=\"10\" data-link-url=\"https:\/\/any.run\/malware-trends\/vidar\" data-link-text=\"Vidar\" data-link-target=\"0\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" data-link-content=\"wpdt-link-content\" style=\"color: #009cff; text-decoration: underline\">Vidar<\/a>                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Windows\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        <a class=\"wpdt-link-content\" href=\"https:\/\/any.run\/malware-trends\/lumma\"  rel=\"\" target=\"_self\" data-cell-id=\"20\" data-link-url=\"https:\/\/any.run\/malware-trends\/lumma\" data-link-text=\"Lumma\" data-link-target=\"0\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" data-link-content=\"wpdt-link-content\" style=\"color: #009cff; text-decoration: underline\">Lumma<\/a>                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                 
                           data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Windows\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Atomic\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        MacOS\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Octo\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"      
              padding:10px;\n                    \"\n                    >\n                                        Android\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-98'>\ntable#wpdtSimpleTable-98{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-98 td, table.wpdtSimpleTable98 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p><strong>Vidar <\/strong>and <strong>Lumma <\/strong>are both modern info-stealers.&nbsp;&nbsp;<\/p>\n\n\n\n<p>Vidar, a Malware-as-a-Service (MaaS), first appeared in the wild in 2018. Lumma is even newer \u2014 experts have known about it since late 2022 or early 2023.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Breaking down the attack chain&nbsp;<\/h2>\n\n\n\n<p>Malvertising and SEO poisoning drive victims to fake repositories made to look like legitimate software. But in reality, the repositories contain malware-infected software.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"728\" height=\"496\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image-3.png\" alt=\"\" class=\"wp-image-7882\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image-3.png 728w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image-3-300x204.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image-3-370x252.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image-3-270x184.png 270w\" sizes=\"(max-width: 728px) 100vw, 728px\" \/><figcaption class=\"wp-element-caption\">Source: <a href=\"https:\/\/thehackernews.com\/2024\/05\/cyber-criminals-exploit-github-and.html\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Hackernews<\/a>.<\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Another case of GitHub abuse&nbsp;<\/h2>\n\n\n\n<p>This campaign shows that hackers can exploit services users already trust. The tactic has been gaining popularity recently. 
Read about a<a href=\"https:\/\/any.run\/cybersecurity-blog\/new-redline-version\/\" target=\"_blank\" rel=\"noreferrer noopener\"> new version of Redline being distributed via GitHub<\/a>, and how<a href=\"https:\/\/any.run\/cybersecurity-blog\/strrat-vcurms-phishing-campaign\/\" target=\"_blank\" rel=\"noreferrer noopener\"> STRRAT and VCRAT used GitHub for distribution<\/a>.&nbsp;<\/p>\n\n\n\n<p>The same group behind this campaign also distributes<a href=\"https:\/\/any.run\/malware-trends\/rhadamanthys\" target=\"_blank\" rel=\"noreferrer noopener\"> Rhadamanthys malware<\/a>. The infection process is similar: victims are lured to fake websites that then redirect them to malicious hosts on Bitbucket and Dropbox, where the hackers have uploaded the malware.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Vidar \u2014 a popular threat&nbsp;<\/h2>\n\n\n\n<p>Vidar has been gaining popularity as of late, according to our threat data:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"523\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image2-4-1024x523.png\" alt=\"\" class=\"wp-image-7883\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image2-4-1024x523.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image2-4-300x153.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image2-4-768x392.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image2-4-1536x785.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image2-4-2048x1047.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image2-4-370x189.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image2-4-270x138.png 270w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image2-4-585x300.png 585w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image2-4-740x378.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Vidar is the most common malware in ANY.RUN\u2019s Malware Trends Tracker&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>The<a href=\"https:\/\/any.run\/malware-trends\/\" target=\"_blank\" rel=\"noreferrer noopener\"> ANY.RUN Malware Trends Tracker<\/a> shows the popularity of malware families from the data that 400,000 researchers submit to our sandbox for analysis. It shows that at the time of writing Vidar&#8217;s detections have spiked.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Analyzing Lumma in ANY.RUN&nbsp;<\/h2>\n\n\n\n<p>In<a href=\"https:\/\/app.any.run\/tasks\/32ff7b18-f608-44df-9048-8feb4b8d0511\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=lumma-github-campaign&amp;utm_term=290524&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\"> this analysis session in ANY.RUN<\/a>, we can see that a program called <strong>Lazesoft Recover My Password Professional Edition Setup<\/strong> immediately begins its malicious activities upon starting.&nbsp;<\/p>\n\n\n\n<p>It injects into the system process <strong>BitLockerToGo<\/strong> to evade process-based defenses and potentially elevate privileges.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"566\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image3-min-1024x566.png\" alt=\"\" class=\"wp-image-7884\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image3-min-1024x566.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image3-min-300x166.png 300w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image3-min-768x425.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image3-min-1536x850.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image3-min-2048x1133.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image3-min-370x205.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image3-min-270x149.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image3-min-740x409.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Lumma sample as seen in ANY.RUN<\/figcaption><\/figure><\/div>\n\n\n<p><strong>BitLockerToGo<\/strong> is a feature of Microsoft&#8217;s BitLocker full-disk encryption software that specifically targets removable drives, such as USB flash drives and external hard drives.&nbsp;<\/p>\n\n\n\n<p>The malware was detected by both Yara and Suricata rules.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN&nbsp;&nbsp;<\/h2>\n\n\n\n<p><a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=lumma-github-campaign&amp;utm_term=290524&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a> helps more than 400,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, <a href=\"https:\/\/any.run\/cybersecurity-blog\/introducing-any-run-threat-intelligence-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup<\/a>, <a href=\"https:\/\/any.run\/cybersecurity-blog\/yara-search\/\" target=\"_blank\" rel=\"noreferrer noopener\">Yara Search<\/a>, and <a href=\"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-feeds\/\" target=\"_blank\" rel=\"noreferrer noopener\">Feeds<\/a>, help you find IOCs or files to learn more about the threats and respond to incidents faster.&nbsp;&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Advantages of ANY.RUN&nbsp;&nbsp;<\/h2>\n\n\n\n<p>ANY.RUN helps you analyze threats faster while improving detection rates. 
The platform detects common malware families with YARA and Suricata rules and identifies malware behavior with signatures when detection by family is not possible.&nbsp;<\/p>\n\n\n\n<p><strong>With ANY.RUN you can:<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Detect malware in under 40s.&nbsp;<\/li>\n\n\n\n<li>Interact with samples in real time.&nbsp;<\/li>\n\n\n\n<li>Save time and money on sandbox setup and maintenance.&nbsp;<\/li>\n\n\n\n<li>Record and study all aspects of malware behavior.&nbsp;<\/li>\n\n\n\n<li>Collaborate with your team.&nbsp;<\/li>\n\n\n\n<li>Scale as you need.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Try the full power of ANY.RUN for free&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/demo\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=lumma-github-campaign&amp;utm_term=290524&amp;utm_content=linktodemo\" target=\"_blank\" rel=\"noreferrer noopener\">Request free trial \u2192&nbsp;<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Researchers report a new campaign that\u2019s delivering a variety of malware by exploiting GitHub, FileZilla and potentially other legitimate services.&nbsp; What\u2019s happening?&nbsp; Adversaries are impersonating 1Password, Bartender 5, Pixelmator Pro, and other software on GitHub and FileZilla to deliver multiple threats in a massive campaign.&nbsp;&nbsp; The campaign uses multiple stealers, allowing it to target [&hellip;]<\/p>\n","protected":false},"author":6,"featured_media":7886,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[60],"tags":[57,34,40],"class_list":["post-7880","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","tag-anyrun","tag-malware-analysis","tag-malware-behavior"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - 
https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Vidar, Lumma, Atomic and Octo Delivered through GitHub, FileZilla - ANY.RUN&#039;s Cybersecurity Blog<\/title>\n<meta name=\"description\" content=\"Learn about a new campaign that\u2019s delivering a variety of malware, by exploiting GitHub, FileZilla and potentially other legitimate services.\u00a0\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/lumma-github-campaign\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jack Zalesskiy\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/lumma-github-campaign\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/lumma-github-campaign\/\"},\"author\":{\"name\":\"Jack Zalesskiy\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"Vidar, Lumma, Atomic and Octo Delivered through GitHub, FileZilla\",\"datePublished\":\"2024-05-29T08:59:29+00:00\",\"dateModified\":\"2024-06-05T08:28:50+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/lumma-github-campaign\/\"},\"wordCount\":606,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"malware analysis\",\"malware 
behavior\"],\"articleSection\":[\"News\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/lumma-github-campaign\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/lumma-github-campaign\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/lumma-github-campaign\/\",\"name\":\"Vidar, Lumma, Atomic and Octo Delivered through GitHub, FileZilla - ANY.RUN&#039;s Cybersecurity Blog\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2024-05-29T08:59:29+00:00\",\"dateModified\":\"2024-06-05T08:28:50+00:00\",\"description\":\"Learn about a new campaign that\u2019s delivering a variety of malware, by exploiting GitHub, FileZilla and potentially other legitimate services.\u00a0\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/lumma-github-campaign\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/lumma-github-campaign\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/lumma-github-campaign\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"News\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/news\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Vidar, Lumma, Atomic and Octo Delivered through GitHub, FileZilla\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to 
it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"Jack Zalesskiy\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/image1-min-1-1-1-1.webp\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/image1-min-1-1-1-1.webp\",\"caption\":\"Jack Zalesskiy\"},\"description\":\"Jack Zalesskiy is a technology writer with five years of experience under his belt. He closely follows malware incidents, data breaches, and the way in which cyber threats manifest in our day-to-day lives.\",\"url\":\"#molongui-disabled-link\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Vidar, Lumma, Atomic and Octo Delivered through GitHub, FileZilla - ANY.RUN&#039;s Cybersecurity Blog","description":"Learn about a new campaign that\u2019s delivering a variety of malware, by exploiting GitHub, FileZilla and potentially other legitimate services.\u00a0","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/lumma-github-campaign\/","twitter_misc":{"Written by":"Jack Zalesskiy","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/lumma-github-campaign\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/lumma-github-campaign\/"},"author":{"name":"Jack Zalesskiy","@id":"https:\/\/any.run\/"},"headline":"Vidar, Lumma, Atomic and Octo Delivered through GitHub, FileZilla","datePublished":"2024-05-29T08:59:29+00:00","dateModified":"2024-06-05T08:28:50+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/lumma-github-campaign\/"},"wordCount":606,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","malware analysis","malware behavior"],"articleSection":["News"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/lumma-github-campaign\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/lumma-github-campaign\/","url":"https:\/\/any.run\/cybersecurity-blog\/lumma-github-campaign\/","name":"Vidar, Lumma, Atomic and Octo Delivered through GitHub, FileZilla - ANY.RUN&#039;s Cybersecurity Blog","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2024-05-29T08:59:29+00:00","dateModified":"2024-06-05T08:28:50+00:00","description":"Learn about a new campaign that\u2019s delivering a variety of malware, 
by exploiting GitHub, FileZilla and potentially other legitimate services.\u00a0","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/lumma-github-campaign\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/lumma-github-campaign\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/lumma-github-campaign\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"News","item":"https:\/\/any.run\/cybersecurity-blog\/category\/news\/"},{"@type":"ListItem","position":3,"name":"Vidar, Lumma, Atomic and Octo Delivered through GitHub, FileZilla"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"Jack 
Zalesskiy","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/image1-min-1-1-1-1.webp","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/image1-min-1-1-1-1.webp","caption":"Jack Zalesskiy"},"description":"Jack Zalesskiy is a technology writer with five years of experience under his belt. He closely follows malware incidents, data breaches, and the way in which cyber threats manifest in our day-to-day lives.","url":"#molongui-disabled-link"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/7880"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=7880"}],"version-history":[{"count":6,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/7880\/revisions"}],"predecessor-version":[{"id":7925,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/7880\/revisions\/7925"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/7886"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=7880"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=7880"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=7880"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}