{
  "name": "AI-Assisted Lure Factory Targets Developers & Gamers",
  "slug": "ai-assisted-lure-factory-targets-developers-gamers",
  "description": "A large-scale malware campaign tracked as TroyDen's Lure Factory has been identified distributing LuaJIT-based infostealers through over 300 delivery packages hosted on GitHub. The operation uses AI-generated lure names incorporating obscure biological taxonomy and medical terminology to target developers, gamers, Roblox players, and crypto users. The malware uses a two-component design, a renamed LuaJIT runtime and an encrypted Lua payload, and evades sandbox detection through anti-analysis checks and extreme sleep delays. Upon execution, it disables proxy detection, captures desktop screenshots, performs geolocation, and exfiltrates data to C2 servers in Frankfurt. The infrastructure is built to scale: multiple IP addresses serve identical encrypted commands, and the operation runs simultaneous campaigns across gaming cheats, developer tools, phone trackers, and VPN crackers.",
  "published": "2026-05-08T09:31:46+00:00",
  "created_at": "2026-05-08T09:31:46+00:00",
  "modified_at": "2026-05-11T08:26:31+00:00",
  "created_at_opencti": "2026-05-08T09:31:46+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-05-08",
    "ai-generated lures",
    "credential-theft",
    "github",
    "infostealer",
    "luajit",
    "lummastealer",
    "prometheus obfuscator",
    "redline",
    "troyden",
    "two-component payload"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "213.176.73.159"
      },
      {
        "id": "",
        "name": "217.119.129.122"
      },
      {
        "id": "",
        "name": "217.119.129.121"
      },
      {
        "id": "",
        "name": "217.119.129.118"
      },
      {
        "id": "",
        "name": "213.176.73.80"
      },
      {
        "id": "",
        "name": "213.176.73.130"
      },
      {
        "id": "",
        "name": "217.119.129.76"
      },
      {
        "id": "",
        "name": "89.169.12.241"
      },
      {
        "id": "",
        "name": "94.156.154.6"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:22cebae9fb28ad81",
        "name": "LummaStealer",
        "slug": "lummastealer"
      },
      {
        "id": "legacy:malware:25878cbc384641c1",
        "name": "Redline",
        "slug": "redline"
      },
      {
        "id": "legacy:malware:a44231a747098a2f",
        "name": "LuaJIT",
        "slug": "luajit"
      }
    ],
    "intrusion_sets": [
      {
        "id": "ebefe67d-0551-429c-9e96-0b1669e84008",
        "name": "TroyDen",
        "slug": "troyden"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Technology"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/69fdc9a2b94badfe5abacbcb",
    "https://www.netskope.com/blog/openclaw-trap-ai-assisted-lure-factory-targets-developers-gamers"
  ]
}