Fake Cloudflare Verification Results in LummaStealer Trojan Infections

NetmanageIT OpenCTI - opencti.netmanageit.com



SUMMARY:

A malicious campaign targeting Windows users through WordPress websites is deploying the LummaStealer trojan. Attackers use fake Cloudflare verification prompts to trick users into running malicious PowerShell commands. The infection is spread through compromised plugins or injected JavaScript in legitimate files. Victims are directed to execute commands that download and install the LummaStealer malware, which can steal sensitive data like login credentials and cryptocurrency information. The attackers also create hidden admin users in infected WordPress sites for persistence. Multiple variants of this attack have been observed, with some using URL shortening services to obfuscate malicious links. Website owners are advised to keep software updated, use strong passwords, and implement 2FA to mitigate risks.

OPENCTI LABELS:

powershell, trojan, infostealer, wordpress, lummac2, cloudflare, lummastealer, javascript injection


Open in the NetmanageIT OpenCTI public instance with the link below.


NOTE: Use the public read-only username and password shown in the login page banner.


Fake Cloudflare Verification Results in LummaStealer Trojan Infections