AI-Assisted Lure Factory Targets Developers & Gamers
Essential information
- Published: 08/05/2026 11:31
- Modified: 11/05/2026 10:26
- Tags: 2026-05-08 ai-generated lures credential-theft github infostealer luajit lummastealer prometheus obfuscator redline troyden two-component payload
- Related entities: 9 observables, 1 intrusion set (APT), 3 malware, 1 other
Description
A large-scale malware campaign tracked as TroyDen's Lure Factory has been identified distributing LuaJIT-based infostealers through over 300 delivery packages hosted on GitHub. The operation uses AI-generated lure names incorporating obscure biological taxonomy and medical terminology to target developers, gamers, Roblox players, and crypto users. The malware employs a two-component design with a renamed LuaJIT runtime and encrypted Lua payload that evades sandbox detection through anti-analysis checks and extreme sleep delays. Upon execution, it disables proxy detection, captures desktop screenshots, performs geolocation, and exfiltrates data to C2 servers in Frankfurt. The infrastructure demonstrates scalability with multiple IP addresses serving identical encrypted commands, while maintaining simultaneous campaigns across gaming cheats, developer tools, phone trackers, and VPN crackers.