Beyond Signatures: Detecting Lumma Stealer with an ML-Powered Sandbox
Essential information
- Published
- 25/09/2025 23:21
- Modified
- 26/09/2025 11:41
- Tags
- 2025-09-25 anti-analysis autoit evasion techniques lumma stealer machine learning nsis persistence sandbox
- Related entities
- 1 observables, 9 techniques (mitre), 1 malware, 3 others
Description
This analysis focuses on a new variant of Lumma Stealer, a malware that reemerged after a brief hiatus following a law enforcement operation. The article details the malware's code obfuscation, evasion techniques, and persistence mechanisms. It describes Netskope's machine learning-based detection approach, which utilizes a Cloud Sandbox enhanced with ML models to analyze runtime behavior, process trees, and other features. The specific sample analyzed is an NSIS installer file that abuses AutoIt for malicious purposes. The malware employs various anti-analysis techniques and establishes persistence through the Windows Startup folder. Netskope's multi-layered threat protection system successfully detected this Lumma Stealer variant.