Netskope is recognized as a Leader again in the Gartner® Magic Quadrant™ for SASE Platforms. Get the Report

close
magnifying glass
Get Started
magnifying glass
chevron
Support Language
close
Your Network of Tomorrow
Your Network of Tomorrow
Plan your path toward a faster, more secure, and more resilient network designed for the applications and users that you support.
chevron Get the white paper
Experience Netskope
Get Hands-on With the Netskope Platform
Here's your chance to experience the Netskope One single-cloud platform first-hand. Sign up for self-paced, hands-on labs, join us for monthly live product demos, take a free test drive of Netskope Private Access, or join us for a live, instructor-led workshops.
chevron Experience Netskope
A Leader in SSE. Now a Leader in Single-Vendor SASE.
Netskope is recognized as a Leader Furthest in Vision for both SSE and SASE Platforms
2X a Leader in the Gartner® Magic Quadrant for SASE Platforms
One unified platform built for your journey
chevron Get the report
Securing Generative AI for Dummies
Securing Generative AI for Dummies
Learn how your organization can balance the innovative potential of generative AI with robust data security practices.
chevron Get the eBook
Modern data loss prevention (DLP) for Dummies eBook
Modern Data Loss Prevention (DLP) for Dummies
Get tips and tricks for transitioning to a cloud-delivered DLP.
chevron Get the eBook
Modern SD-WAN for SASE Dummies Book
Modern SD-WAN for SASE Dummies
Stop playing catch up with your networking architecture
chevron Get the eBook
Understanding where the risk lies
Advanced Analytics transforms the way security operations teams apply data-driven insights to implement better policies. With Advanced Analytics, you can identify trends, zero in on areas of concern and use the data to take action.
chevron Watch the demo
The 6 Most Compelling Use Cases for Complete Legacy VPN Replacement
The 6 Most Compelling Use Cases for Complete Legacy VPN Replacement
Netskope One Private Access is the only solution that allows you to retire your VPN for good.
chevron Get the eBook
Colgate-Palmolive Safeguards its "Intellectual Property” with Smart and Adaptable Data Protection
Colgate-Palmolive Safeguards its "Intellectual Property” with Smart and Adaptable Data Protection
chevron Read the case study
Netskope GovCloud
Netskope achieves FedRAMP High Authorization
Choose Netskope GovCloud to accelerate your agency’s transformation.
chevron Learn about Netskope GovCloud
Netskope Technical Support
Netskope Technical Support
Our qualified support engineers are located worldwide and have diverse backgrounds in cloud security, networking, virtualization, content delivery, and software development, ensuring timely and quality technical assistance
chevron Technical Support
Netskope video
Netskope Training
Netskope training will help you become a cloud security expert. We are here to help you secure your digital transformation journey and make the most of your cloud, web, and private applications.
chevron Explore Netskope Training
""
Achieve Business Value with Netskope One SSE
Netskope One Security Service Edge (SSE) enables enterprises to achieve considerable business value by consolidating business critical security services within the Netskope One platform
chevron Get the study
Let's do great things together
""
Netskope’s partner-centric go-to-market strategy enables our partners to maximize their growth and profitability while transforming enterprise security.
chevron Netskope Partners

Beyond Signatures: Detecting Lumma Stealer with an ML-Powered Sandbox

Sep 25 2025
By Ghanashyam Satpathy, Xinjun Zhang

Introduction

In early 2025, LummaStealer was in widespread use by cybercriminals targeting victims throughout the world in multiple industry verticals, including telecom, healthcare, banking, and marketing. A sweeping law enforcement operation in May brought this all to an abrupt halt.  After a quiet period, we are now starting to see new variants of Lumma Stealer emerge. In light of this re-emergence, we are sharing this blog post to show one of the tools Netskope has in its arsenal to detect new and novel Lumma Stealer variants.

In January 2025, Netskope Threat Labs observed a Lumma Stealer campaign and documented its delivery mechanisms and tactics, techniques, and procedures (TTPs). This blog post presents a detailed technical analysis of a new Lumma Stealer sample, alongside Netskope AI Labs’ novel machine learning–based detection approach.

Our analysis focuses on three key aspects of Lumma Stealer’s operation:

  • Code obfuscation: How the malware conceals its true functionality.
  • Evasion techniques: Anti-sandbox and anti-analysis methods designed to bypass security defenses.
  • Persistence mechanisms: Techniques used to maintain a foothold on infected systems.

We specifically analyze the PE binary sample 87118baadfa7075d7b9d2aff75d8e730 in this post.

ML-based detection approach

At Netskope, we’ve built a comprehensive, multi-layered threat protection system to safeguard customer traffic. This system is powered by AI and machine learning across multiple engines, applied in both inline fast scans and deep scans that combine static and dynamic analysis.

Our Advanced Threat Protection platform includes a Cloud Sandbox, enhanced with ML models purpose-built to detect new, novel, and targeted malware. The Cloud Sandbox executes suspicious samples in an isolated Windows environment and records detailed runtime behavior, including:

  • Process trees (with API calls and DLL interactions)
  • Registry modifications
  • File operations
  • Network activity

The image below shows a typical structure of a malicious file’s process tree. Our AI model uses a tree transformer architecture to learn and understand the intricate patterns within process trees and their associated features. It employs tree positional embeddings to encode each node and its position within the tree.

Runtime behavioral features, such as registry modifications, file operations, and network communications, are also encoded into vectors. These feature vectors are then combined with the process tree embeddings to make a final malware classification.

Using a transformer-based architecture allows the model to capture generalized behavioral patterns. This patented approach not only prevents overfitting to training data but also significantly enhances our ability to detect previously unseen threats.

Our model successfully flagged the Lumma Stealer malware. The process tree embeddings, combined with runtime behaviors like registry modifications, file operations, and network activities, contributed to the high likelihood of it being malicious, proving the effectiveness of our approach against sophisticated and novel threats.

In-depth technical analysis

The analysis focused on a specific sample, identified by the hash 87118baadfa7075d7b9d2aff75d8e730. This sample was categorized as a Nullsoft Scriptable Install System (NSIS) installer file. This classification was apparent upon inspection using tools such as Detect It Easy (DIE), a screenshot of which confirmed its NSIS format. A critical aspect of this sample’s functionality involves its malicious use of AutoIt. AutoIt is a legitimate and widely used scripting language, characterized by its BASIC-like syntax, designed for automating various tasks within the Windows operating system. However, in this instance, the sample leverages AutoIt for illicit purposes, indicating a potential abuse of a trusted system utility for malicious operations. This highlights a common tactic employed by threat actors: repurposing legitimate tools and frameworks to evade detection and carry out their objectives.

When extracted with an unzip utility like 7z, the sample decompresses two items: a file with the .nsi extension and a directory named $TEMP.

[NSIS].nsi: Obfuscated NSIS script, will invoke Parish.m4a to initiate the chain
Parish.m4a: obfuscated batch file
Other *.m4a: Blobs for next stage payload 

The Windows batch file, Parish.m4a, is obfuscated. Its deobfuscated content is shown below:

The subsequent code snippet constitutes autoit3.exe, which is legitimate software.

The a3x file, which includes a malicious script, is composed of the following code snippet:

Finally the following code starts the renamed Autoit3.exe whose path is stored in the %yelZzJk% variable, the below command-line snippet is translated as.
%yelZzJk% -> Autoit3.exe
u%cGFjruHXQLgneWmWdHSnCYTtOGhn% -> u.a3x

The obfuscated AutoitScript, extracted from ‘u’, employs a while loop and switch-case obfuscation technique.

The script snippet below appears after deobfuscation:

Evasion technique used in AutoIt Script:

Due to its evasion and anti-analysis techniques, the sample initially exhibited a very low detection rate on VirusTotal (9/73) on its first submission, as shown in the screenshot below.

Evasion and anti-analysis technique used by this sample are as below:

Check execution environment:

The subsequent code snippet verifies the execution environment by checking if the COMPUTERNAME is not equal to a specified value. 

  • tz
  • NfZtFbPfH
  • ELICZ

Ensure USERNAME is not equal to :

  • test22

Ensure the following process is not present:

  • vmtoolsd.exe
  • VboxTray.exe
  • SandboxieRpcSs.exe
  • avastui.exe

Anti-debugging:

This prevalent anti-sandbox technique leverages the discrepancies in how real machines and analytical environments manage time and execution speed.

Anti-analysis:

The sample initiates an anti-analysis check by attempting to ping a fabricated domain. Should the domain be reachable, suggesting a controlled environment, the AutoIt process self-terminates. Conversely, if the domain is unreachable, it transitions into stealth mode by concealing its tray icon.

DLL Unhooking:

Security software typically intercepts critical Windows API functions within a process’s memory. This involves altering the initial bytes of legitimate functions (e.g., NtCreateProcess in ntdll.dll) to reroute their execution to the security product’s own code. This allows the security mechanism to examine or block the call before it reaches the operating system. Malware can bypass this by restoring the original, unhooked function bytes, thereby nullifying the security control.

Persistence:

The sample utilizes the CreateProcessW API to execute cmd.exe. This action creates an internet shortcut (.url) in the Windows Startup folder, thereby establishing persistence. Upon system startup, this shortcut launches a JScript, which then uses an ActiveXObject to instantiate a Wscript.Shell object, culminating in the execution of the AutoIt payload.

Decrypted next phase payload by self-definition function

After decryption, the malware separates into two functions using 0x89C0. The first function is responsible for decrypting the in-memory key mapping, while the second decrypts the LZ-compressed data, as shown in the image.

Uncompress next phase payload by Windows API

The malware utilizes the RtlDecompressFragmentWindows API call to decompress a memory-resident payload. This decompression is executed using the LZ compression format, indicated by the 0x2 parameter. Subsequently, the decompression process unveils a portable executable (PE) file within memory, as depicted in the accompanying image.

Due to the C2 server’s inactivity at the time of analysis, further investigation into the next-stage payload was not possible for this blog post.

Netskope Detection

Netskope Advanced Threat Protection provides proactive coverage against threats like Lumma Stealer. Our multi-layered approach uses both static analysis and our machine learning-powered cloud sandbox to detect zero-day and advanced persistent threat (APT) samples.

Detection response codes include:

  • Win32.Exploit.Generic: This signature provides broad protection against this threat.
  • Gen.Detect.By.NSCloudSandbox.tr: This detection specifically indicates that the sample was identified by our Cloud Sandbox engine.

The screenshot below confirms that sample 87118baadfa7075d7b9d2aff75d8e730 was successfully detected by the Netskope Cloud Sandbox.

Conclusion

Lumma Stealer has been highly active recently, with its operators employing increasingly sophisticated payloads and evasion techniques to hinder detection. This underscores the critical need for:

  • Advanced threat protection solutions that combine static, dynamic, and ML-based detection.
  • User awareness and training, as many infection chains rely on users opening malicious attachments or clicking on suspicious links.

We will continue to monitor Lumma Stealer campaigns, providing updates as its tactics, techniques, and procedures (TTPs) evolve.

IOCs

MD5
87118baadfa7075d7b9d2aff75d8e730
SHA-1
78da004e332be8eaa5e111c34d6db3a28abb9767
SHA-256
ff7a1388fa59a9e1b43c5c88a1ee30e4abcec21a39882812a045aa9d9b865170

Domain:
annwt[.]xyz
ungryo[.]shop
vervzv[.]xyz
sorrij[.]top
prvqhm[.]shop
bardj[.]xyz
greqjfu[.]xyz

Thanks to Hung-Chun Chu and Jerry Chen for their contributions to this blog, including their assistance with sample file analysis.

< AI Labs
Next Story >
< Back
Next >
author image
Ghanashyam Satpathy
Ghanashyam is a Principal Researcher with the Netskope Efficacy team. His background is building threat detection products using AI/ML technology.
Ghanashyam is a Principal Researcher with the Netskope Efficacy team. His background is building threat detection products using AI/ML technology.
Read More
More Articles by Ghanashyam Satpathy
Read full Bio
More articles
author image
Xinjun Zhang
Meet Xinjun Zhang, Senior Staff ML Scientist at Netskope. He develops AI for malware detection & data loss prevention, and uses LLMs for ticket quality.
Meet Xinjun Zhang, Senior Staff ML Scientist at Netskope. He develops AI for malware detection & data loss prevention, and uses LLMs for ticket quality.
Read More
More Articles by Xinjun Zhang
Read full Bio
More articles

Related Articles

card shape
Platform, Products, & Services

Is DeepSeek’s Latest Open-source R1 Model Secure?

By Milon Bhattacharya
chevron Read the blog
card shape
AI Labs

Train Your Own Classifier (TYOC) for Image Data Protection

By Jason Bryslawskyj
chevron Read the blog
card shape
AI Labs

Here’s What ChatGPT and Netskope’s Inline Phishing Detection Have in Common

By Netskope AI Labs Team
chevron Read the blog
Show More
Connect with Netskope

Subscribe to the Netskope Blog

Sign up to receive a roundup of the latest Netskope content delivered directly in your inbox every month.
Subscribe now