May 22, 2025
Severity
High
Analysis Summary
A sophisticated campaign attributed to Russian threat actors has been uncovered in which multiple cloud service providers, including Oracle Cloud Infrastructure (OCI), Scaleway Object Storage, and Tigris, were abused to host the malicious content used to deliver the Lumma Stealer malware.
According to the researchers, the campaign uses legitimate cloud platforms as resilient, distributed hosting infrastructure: traffic to well-known cloud domains is less likely to be blocked by reputation-based controls, and because the malicious components are spread across several providers, the campaign keeps running even if one hosting location is taken down or blocked. This redundancy makes detection and takedown significantly harder for defenders.
The attack relies on social engineering to lure victims, primarily privileged users, with disguised free game downloads and fake reCAPTCHA verification pages hosted on the cloud providers named above. These pages look legitimate enough that users interact with them without suspicion. The victim downloads a ZIP archive containing a signed executable that masquerades as a legitimate installer; when run, it loads and executes the Lumma Stealer payload directly in memory rather than writing it to disk. This in-memory execution helps the malware evade file-based endpoint detection and enables the theft of sensitive data, including credentials and cryptocurrency wallets.
The attack is further refined through DLL search order hijacking: a malicious MpGear.dll is placed where a legitimate application looks for a library of that name, so the application loads the attacker's DLL each time it runs and the malware gains persistence on the infected system. This persistence supports continuous data exfiltration over extended periods, a significant risk for enterprise environments given that the campaign targets privileged accounts with access to critical organizational assets. The infection chain begins with phishing emails or compromised websites that steer victims to the cloud-hosted malicious URLs that start the infection.
Security experts advise organizations to defend against such multi-cloud attacks by deploying threat detection capable of inspecting cloud-hosted content rather than trusting it on provider reputation alone, enforcing strict access controls for privileged users, and deploying endpoint protection able to detect in-memory execution and DLL search order hijacking. The abuse of trusted cloud platforms by threat actors underscores the growing complexity of cyber threats and the need for visibility and proactive security measures tailored to the cloud environment in order to prevent data breaches and credential theft.
Impact
- Sensitive Information Theft
- Security Bypass
- Privilege Escalation
- Gain Access
Indicators of Compromise
Domain Name
- my-steamunlocked.online
- wq24-1.g-site.site
MD5
- 2d4a0e3883f14190ae489c4ab227a941
- d1f8cd39d3e2bfe2a143da03fc3489c8
SHA-256
- fa2ebe7df2fcf7e0b9991d411792e0cb78d149833b2d06102ab34d74ffc4a682
- 91747f5254ccddee9de4a01f959236c1d1fda06f6ba2d2664f16dfb9e2db4175
SHA-1
- 81cb0f3ce93c7d3377b30f6b0bb2ea1d476777a1
- 1d1b9af56cdacfd628b7f04634c46c84236f3ccd
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Implement advanced threat detection systems capable of identifying suspicious and malicious content hosted on cloud service providers such as OCI, Scaleway, and Tigris.
- Enforce strict access controls and least privilege policies for all privileged user accounts to minimize the risk of credential theft and lateral movement.
- Deploy comprehensive endpoint protection solutions with capabilities like in-memory malware detection and prevention of DLL search order hijacking techniques.
- Enhance email and web security by filtering phishing emails and blocking malicious URLs that may direct users to fake game downloads or fake reCAPTCHA pages.
- Monitor and audit cloud-hosted assets and URLs regularly to detect unauthorized or suspicious content and take down malicious infrastructure swiftly.
- Educate users on social engineering tactics and train them to recognize deceptive downloads, fake verification pages, and other common malware delivery methods.
- Use multi-factor authentication (MFA) on all accounts, especially privileged ones, to add an additional security layer against credential theft.
- Maintain robust incident response and threat intelligence capabilities to quickly identify, analyze, and mitigate emerging threats using data from cloud service logs and network traffic.
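As an added example, not part of the original advisory, the following Python script implements the first two remediation steps and the MpGear.dll check against the indicators listed above: it hashes every file under a directory and compares the digests with the MD5, SHA-1 and SHA-256 IOCs, flags any file named MpGear.dll for analyst review, and scans DNS or proxy log lines for the two listed domains and their subdomains. The log lines in the `__main__` section are constructed for demonstration, and the script assumes no known-good location for MpGear.dll (it simply reports every copy it finds).

```python
"""
IOC sweep for the Lumma Stealer indicators in this advisory.

Added example, not code from the original advisory. Hash and domain values
are copied from the advisory's IOC section; the sample log lines are
constructed for demonstration.
"""
import hashlib
import os
import re

# Indicators copied from the advisory's IOC section.
IOC_DOMAINS = {
    "my-steamunlocked.online",
    "wq24-1.g-site.site",
}
IOC_HASHES = {
    "md5": {
        "2d4a0e3883f14190ae489c4ab227a941",
        "d1f8cd39d3e2bfe2a143da03fc3489c8",
    },
    "sha1": {
        "81cb0f3ce93c7d3377b30f6b0bb2ea1d476777a1",
        "1d1b9af56cdacfd628b7f04634c46c84236f3ccd",
    },
    "sha256": {
        "fa2ebe7df2fcf7e0b9991d411792e0cb78d149833b2d06102ab34d74ffc4a682",
        "91747f5254ccddee9de4a01f959236c1d1fda06f6ba2d2664f16dfb9e2db4175",
    },
}
# File name used for DLL search order hijacking according to the advisory.
# Assumption: no known-good path is defined here, so every copy is reported.
SUSPECT_DLL_NAMES = {"mpgear.dll"}


def file_hashes(path):
    """Return md5/sha1/sha256 hex digests of a file, read in 1 MiB chunks."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(),
            "sha256": sha256.hexdigest()}


def sweep_files(root, hashes=IOC_HASHES, dll_names=SUSPECT_DLL_NAMES):
    """Walk a directory tree and return (path, reason) tuples for files whose
    hash matches an IOC or whose name matches the hijacking DLL."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower() in dll_names:
                hits.append((full, "filename:" + name))
            try:
                digests = file_hashes(full)
            except OSError:
                continue  # locked or unreadable file; skip it
            for algo, value in digests.items():
                if value in hashes.get(algo, ()):
                    hits.append((full, algo + ":" + value))
    return hits


# Crude hostname extractor: label characters, then a dot and an alphabetic TLD.
_HOST_RE = re.compile(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def domain_matches(host, domains=IOC_DOMAINS):
    """True if host equals an IOC domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def sweep_logs(lines, domains=IOC_DOMAINS):
    """Scan DNS/proxy log lines; return (line_no, matched_host) pairs."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in _HOST_RE.findall(line):
            if domain_matches(host, domains):
                hits.append((n, host.lower()))
                break
    return hits


if __name__ == "__main__":
    # Constructed sample log lines, not real telemetry.
    sample_logs = [
        "2025-05-22T10:01:02Z dns query A www.example.com from 10.0.0.5",
        "2025-05-22T10:01:09Z dns query A cdn.my-steamunlocked.online from 10.0.0.5",
        "2025-05-22T10:02:11Z proxy GET https://wq24-1.g-site.site/verify from 10.0.0.7",
    ]
    for hit in sweep_logs(sample_logs):
        print("log hit:", hit)
    for hit in sweep_files(os.getcwd()):
        print("file hit:", hit)
```

Hash matching only catches the dropped artifacts (the ZIP archive and the signed installer); the in-memory Lumma payload never touches disk, so the domain sweep and the MpGear.dll name check are the parts that still fire once the loader has been deleted. Treat the `_HOST_RE` extractor as a starting point: it is tuned for plain DNS and proxy lines and does not decode URL-encoded or punycode hostnames.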