Lumma Stealer via ClickFix Phishing
This is one of many simulated SOC tickets completed on LetsDefend to document my analyst methodology and build a portfolio of realistic investigation walkthroughs. This particular alert was selected because it covers the full attack chain. from a socially engineered phishing email through to confirmed infostealer execution and C2 contact. across email, endpoint, process, and network evidence.
Alert Claimed
Before any investigation begins, ownership of the alert is taken. This is standard SOC practice. claiming the ticket prevents two analysts from working the same case and establishes a clear chain of accountability.

Findings
- ›Alert: SOC338 - Lumma Stealer - DLL Side-Loading via ClickFix Phishing
- ›EventID: 316 | Severity: Critical | Type: Data Leakage
- ›Ticket is claimed before any investigation steps are taken. this is non-negotiable SOC hygiene
- ›Claiming the ticket locks it to one analyst and prevents duplicate investigation work
- ›Level: Security Analyst. scoped to Tier 1 triage with a clear Tier 2 escalation path
- ›First read of the trigger reason: "Redirected site contains a ClickFix type script for Lumma Stealer distribution". this immediately signals social engineering delivery rather than a malicious attachment
MITRE ATT&CK Coverage
Full IOC Summary
| Type | Value |
|---|---|
| Sender IP / C2 | 132.232.40.201 |
| Sender Email | update@windows-update.site |
| Phishing Domain | windows-update.site |
| C2 / Payload Domain | overcoatpassably.shop |
| Payload URL | https://overcoatpassably.shop/Z8UZbPyVpGfdRS/maloy.mp4 |
| Payload Hash (SHA256) | 15c80b5be235bf2a8c38291eb697a702c07dde087eb459e9ea46a2bee17c5f03 |
| Cloudflare CDN IP | 172.67.139.19 |
| Suspected Exfil IP | 77.88.21.119 (Yandex) |
| LOLBin Abused | mshta.exe (T1218.005) |
| Malware Family | Lumma Stealer / LummaC2 |
| Lure Text | I am not a robot - reCAPTCHA Verification ID: 3824 |
Key Takeaways
LOLBin abuse bypasses AV
mshta.exe is a legitimate signed Microsoft binary. It will not trigger AV because it is supposed to exist. Behavioral detection is what catches this pattern, not signatures.
ClickFix puts the user in the kill chain
No file hits disk from the email. The malicious execution happens when the user pastes a clipboard-injected command into PowerShell. Attachment scanning is completely irrelevant.
Obfuscation does not need to be complex
Inserting ]]] into mshta.exe and stripping it with -replace at runtime is trivially simple, but it breaks most static YARA signatures looking for the literal string.
Infostealers require session invalidation
Lumma steals session cookies, not just passwords. A password reset by itself is not enough. every active session needs to be invalidated separately after a compromise like this.
Timing in network logs tells the story
The Yandex connection appeared 55 seconds after mshta.exe fired. That gap lines up with Lumma completing a credential sweep before pushing data out to a secondary endpoint.
Fresh AV signatures did not help
Defender updated its definitions 37 seconds before mshta.exe ran. The payload still executed. LOLBin abuse targets the gap between signature-based controls and behavioral detection.
Tier 2 Handoff Brief
For IR TeamA summary of everything Tier 1 established. what IR inherits, what still needs answering, and where to focus first.
What Tier 1 Confirmed
Dylan received a phishing email from update@windows-update.site (SMTP: 132.232.40.201) at 09:44 AM impersonating a Microsoft Windows 11 upgrade prompt. The email landed in the inbox unblocked. The sender IP is confirmed in LetsDefend Threat Intel as a known Lumma Stealer C2.
Later that evening Dylan visited the redirected phishing site and was socially engineered via a fake reCAPTCHA prompt into manually pasting and running a clipboard-injected PowerShell command. The command was obfuscated using string fragmentation (ms]]]ht]]]a]]] reconstructed to mshta.exe via -replace) to evade static AV, and ran with -WindowStyle Hidden so no terminal was visible to the user.
mshta.exe (PID 7284) was confirmed spawned from powershell.exe and fetched the payload from https://overcoatpassably.shop/Z8UZbPyVpGfdRS/maloy.mp4. The .mp4 extension is a content filter bypass. VirusTotal confirms the file as 22/58 malicious, threat label trojan.sagent/emmenhtal, with Ikarus explicitly naming Trojan.PowerShell.LummaStealer. The rule name also flags DLL Side-Loading as the next-stage persistence mechanism. this was not verified at Tier 1 and should be the first IR focus.
Network logs show an outbound connection to 132.232.40.201 at 23:26:08 (12 seconds before execution), payload delivery via Cloudflare-fronted 172.67.139.19 at 23:26:20, and a connection to 77.88.21.119 (Yandex) at 23:27:15. roughly 55 seconds after execution. That timing lines up with Lumma completing a credential harvest cycle before exfiltrating. Treat data exfiltration as confirmed until proven otherwise.
The host (Dylan / 172.16.17.216) has been contained. The phishing email has been quarantined and both the sender IP and C2 domain are blocked at the gateway.
Open Questions for IR
- 1.What did mshta.exe drop? Check %APPDATA%, %TEMP%, and %LOCALAPPDATA% for executables or DLLs written around 23:26:20
- 2.Was DLL Side-Loading executed? Per the rule name, look for a signed binary loading an unsigned DLL from a non-standard path
- 3.What did the Yandex IP (77.88.21.119) receive? Determine data volume transferred. if it is significant, credential exfiltration should be treated as complete
- 4.Which browser credentials are at risk? Lumma targets Chrome, Edge, and Firefox saved passwords and session cookies. assume everything stored in the browser on this machine is compromised
- 5.Were any other hosts in contact with overcoatpassably.shop or 132.232.40.201? Check DNS and proxy logs across the org for broader campaign exposure
- 6.Did Dylan interact with any corporate SSO or VPN sessions after the infection? Session cookies stolen by Lumma remain valid after a password reset
- 7.Was the payload executed once or twice? Terminal history shows two identical obfuscated entries. confirm whether two separate mshta.exe processes fired
Immediate IR Priorities
- ›Full memory acquisition of the endpoint before reimaging. Lumma may still be resident
- ›Invalidate all of Dylan's active sessions across every platform, not just a password reset. Session tokens remain valid after credential changes.
- ›Pull the full process tree for PID 7284 (mshta.exe). every child process, file write, and network connection it made
- ›Search DNS and proxy logs for overcoatpassably.shop and 132.232.40.201 across all endpoints to determine if this is isolated or part of a broader campaign
- ›Brief Dylan's manager and flag the user for ClickFix awareness training. this technique is being used actively and will come up again
- ›Check for persistence: scheduled tasks, registry Run keys, and any services installed between 23:26 and 23:28
Note on execution timing: The phishing email arrived at 09:44 AM and execution occurred at 23:26 PM the same day. This gap suggests Dylan may have seen the email earlier and returned to it later in the evening. The post-incident login on Mar 14 at 12:05 PM confirms the user remained active after the infection. Interview the user to establish what they did between receiving the email and running the command, and whether anything looked or felt unusual afterward.