
LummaStealer Supply Chain & TukTuk Ransomware C2: Multi-Vector Infostealer Analysis

Security Arsenal Team
May 11, 2026
6 min read

Analysis of the latest OTX pulses reveals a convergence of high-volume credential theft operations and sophisticated ransomware precursors. Threat actors are aggressively abusing developer ecosystems (GitHub, NuGet) to distribute infostealers like Lumma, Redline, and Vidar, targeting credentials and crypto-wallets. Simultaneously, advanced intrusion sets are leveraging EtherRAT and TukTuk frameworks—utilizing blockchain for C2 resilience—to pave the way for The Gentlemen ransomware. A distinct, long-running campaign (Mr_Rot13) highlights the risk of unpatched infrastructure, specifically targeting cPanel to deploy persistent backdoors. The collective objective is clear: establish initial access via supply chain or web exploits, harvest credentials for lateral movement, and deploy ransomware or maintain persistence for long-term espionage.

Threat Actor / Malware Profile

TroyDen (AI-Assisted Lure Factory)

  • Malware: LuaJIT, Redline, LummaStealer.
  • Distribution: GitHub repositories hosting over 300 delivery packages. Uses AI-generated biological taxonomy terms to lure developers and gamers.
  • Behavior: Two-component payload utilizing Prometheus obfuscator. Focuses on stealing browser credentials and game session data.

Unknown (NuGet Supply Chain)

  • Malware: Lumma, Quantum, AgentRacoon, ArrowRAT.
  • Distribution: Typosquatting Chinese .NET UI libraries on NuGet. Uses .NET Reactor for obfuscation.
  • Behavior: Grafts malicious payload onto decompiled legitimate code. Targets browser credentials, SSH keys, and crypto wallets.

Unknown (EtherRAT / TukTuk)

  • Malware: EtherRAT, TukTuk, The Gentlemen Ransomware, Mimikatz, NetExec.
  • Distribution: Malicious MSI disguised as Sysinternals tools.
  • C2 Innovation: Uses "EtherHiding" via the Ethereum blockchain for dynamic configuration updates, making takedowns significantly harder.

Unknown (AutoIt Loader)

  • Malware: Vidar, Arkei.
  • Distribution: Masqueraded MicrosoftToolkit.exe with .dot files renamed to .bat.
  • Behavior: Multi-stage loader; terminates security processes and establishes C2 to exfiltrate sensitive data.

Mr_Rot13

  • Malware: Filemanager RAT, Cpanel-Python.
  • Distribution: Exploits CVE-2026-41940 in cPanel.
  • Behavior: Plants SSH keys and webshells. Highly active against Government and Defense sectors in Southeast Asia.

IOC Analysis

The provided indicators span multiple infrastructure types essential for detection:

  • IPv4 Addresses (e.g., 89.169.12.241, 213.176.73.x): Direct C2 servers for TroyDen and other campaigns. These should be blocked at the perimeter.
  • Domains (e.g., dns-providersa2.com, wrned.com): Used for payload staging and C2 communication. Note the use of Cloudflare tunnels (e.g., trycloudflare.com) for masking origins.
  • File Hashes (MD5, SHA1, SHA256): Critical for EDR correlation. Includes loaders for Vidar and backdoors used by Mr_Rot13.
  • CVEs (CVE-2025-55182, CVE-2026-41940): Vulnerability intelligence used for patch prioritization and vulnerability scanning.

SOC teams should operationalize these by loading the hashes into EDR alerting rules, blocking IPs/domains on firewalls and Secure Web Gateways (SWG), and searching for the CVEs in vulnerability management platforms.

Detection Engineering

YAML
title: Suspicious LuaJIT Execution - Potential Infostealer
id: a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d
description: Detects the execution of LuaJIT processes often associated with TroyDen campaigns distributing Redline and LummaStealer.
status: experimental
date: 2026/05/12
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6654321...
tags:
    - attack.execution
    - attack.t1059   # Command and Scripting Interpreter; T1059.001 is the PowerShell sub-technique and does not fit a Lua runtime
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\luajit.exe'
            - '\lua51.exe'
            - '\lua52.exe'
        # Keys inside one selection are AND-ed, list entries are OR-ed. A bare '-e' or 'load' substring
        # matches almost any command line, so match the inline-code switch and the Lua loader calls instead.
        CommandLine|contains:
            - ' -e '
            - 'load('
            - 'loadstring('
            - 'dofile('
    condition: selection
falsepositives:
    - Legitimate developer tools using LuaJIT
level: high
---
title: File Extension Masquerading via AutoIt
id: b2c3d4e5-f6a7-4b8c-9d0e-1f2a3b4c5d6e
description: Detects suspicious file execution where .dot or .doc files are executed as .bat or scripts, a technique used by Vidar loaders.
status: experimental
date: 2026/05/12
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6654322...
tags:
    - attack.defense_evasion
    - attack.t1036.008   # Masquerade File Type; T1036.003 is Rename System Utilities
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\wscript.exe'
        CommandLine|contains:
            - '.dot'
            - '.doc'
        CommandLine|endswith:
            - '.bat'
            - '.vbs'
    condition: selection
falsepositives:
    - Administrative script errors
level: medium
---
title: Potential EtherHiding or Blockchain C2 Traffic
id: c3d4e5f6-a7b8-4c9d-0e1f-2a3b4c5d6e7f
description: Detects processes making outbound connections to Ethereum RPC ports or known public nodes, indicative of EtherRAT activity.
status: experimental
date: 2026/05/12
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6654323...
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationPort:
            - 8545    # default Ethereum JSON-RPC port
            - 30303   # default devp2p peer-to-peer port
        Initiated: 'true'
    filter:
        Image|contains:
            - '\Ethereum\'
            - '\MetaMask\'
    condition: selection and not filter
falsepositives:
    - Legitimate Ethereum wallet software
level: high

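The rules above rely on Sigma's map semantics (keys within a selection are AND-ed, list values are OR-ed, `selection and not filter` suppresses wallet software). The following is an added example, not part of the original post or of any Sigma tooling: a minimal evaluator for those semantics, run over constructed network_connection events against the EtherHiding rule.

```python
# Rule 3 from the page, expressed as plain dicts: field spec -> list of OR-ed values.
ETHERHIDING_RULE = {
    "selection": {"DestinationPort": [8545, 30303], "Initiated": ["true"]},
    "filter": {"Image|contains": ["\\Ethereum\\", "\\MetaMask\\"]},
    "condition": "selection and not filter",
}

def field_matches(spec: str, values: list, event: dict) -> bool:
    """Evaluate one 'Field' or 'Field|modifier' entry; Sigma compares case-insensitively."""
    field, _, modifier = spec.partition("|")
    if field not in event:
        return False
    actual = str(event[field]).lower()
    for value in values:
        wanted = str(value).lower()
        if modifier == "" and actual == wanted:
            return True
        if modifier == "contains" and wanted in actual:
            return True
        if modifier == "endswith" and actual.endswith(wanted):
            return True
    return False

def selection_matches(selection: dict, event: dict) -> bool:
    """Every key inside a selection map must match (AND); list values were OR-ed above."""
    return all(field_matches(spec, values, event) for spec, values in selection.items())

def rule_fires(rule: dict, event: dict) -> bool:
    """Support the two condition forms the page's rules use: 'selection' and 'selection and not filter'."""
    if not selection_matches(rule["selection"], event):
        return False
    if rule.get("condition") == "selection and not filter":
        return not selection_matches(rule["filter"], event)
    return True

# Constructed sample events (not real telemetry): a download posing as a Sysinternals installer that
# talks JSON-RPC on 8545, a genuine wallet client on 30303 the filter must suppress, and plain HTTPS.
SAMPLE_EVENTS = [
    {"Image": "C:\\Users\\dev\\Downloads\\procexp-setup.exe", "DestinationPort": 8545, "Initiated": "true"},
    {"Image": "C:\\Program Files\\Ethereum\\geth.exe", "DestinationPort": 30303, "Initiated": "true"},
    {"Image": "C:\\Windows\\System32\\svchost.exe", "DestinationPort": 443, "Initiated": "true"},
]

def alerting_images(events=SAMPLE_EVENTS, rule=ETHERHIDING_RULE) -> list:
    """Return the Image of every event the rule would alert on."""
    return [e["Image"] for e in events if rule_fires(rule, e)]

if __name__ == "__main__":
    print(alerting_images())  # ['C:\\Users\\dev\\Downloads\\procexp-setup.exe']
```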

KQL
// Hunt for Indicators of Compromise (IOCs) related to May 2026 Pulses
// Includes Network connections and File hashes
let IOCIps = dynamic(["89.169.12.241", "213.176.73.80", "213.176.73.130", "217.119.129.121", "217.119.129.76", "94.156.154.6", "213.176.73.159", "217.119.129.118"]);
let IOCDomains = dynamic(["dns-providersa2.com", "git.justdotrip.com", "g8way.io", "witch-skins-lip-coal.trycloudflare.com", "gz.technicalprorj.xyz", "wrned.com", "wpsock.com"]);
let IOCHashes = dynamic(["efb675de4b3af3dac3c9cae91075fd7cc2f4f98e", "019e6c2cf58386039133981f3377b085fbd70c98ae8613c7c6a4f10a9f2d9824", "73ce2438d4ed475e03727b7b000d2794", "7ac9278876c83c9b597fae68acb6fbf9", "02a5990b11293236e01f174f5999df20"]);
// Network Hunt
DeviceNetworkEvents
| where RemoteIP in (IOCIps) or RemoteUrl has_any (IOCDomains)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteIP, RemoteUrl, RemotePort
| union (
    DeviceProcessEvents
    | where SHA1 in~ (IOCHashes) or SHA256 in~ (IOCHashes) or MD5 in~ (IOCHashes)
    | project Timestamp, DeviceName, AccountName, FileName, SHA1, SHA256, MD5, FolderPath
)


PowerShell
# IOC Hunter for Lumma/Vidar/TroyDen Artifacts
# Checks for suspicious network connections, running processes and Run-key persistence

# Hashes from the pulses: the list mixes SHA1 (40 hex), SHA256 (64 hex) and MD5 (32 hex) values
$suspiciousHashes = @(
    "efb675de4b3af3dac3c9cae91075fd7cc2f4f98e",
    "019e6c2cf58386039133981f3377b085fbd70c98ae8613c7c6a4f10a9f2d9824",
    "73ce2438d4ed475e03727b7b000d2794"
)

$suspiciousIPs = @(
    "89.169.12.241",
    "213.176.73.80",
    "217.119.129.76"
)

Write-Host "Checking for established network connections to known C2 IPs..."
$netConnections = Get-NetTCPConnection -State Established | Where-Object { $suspiciousIPs -contains $_.RemoteAddress }
if ($netConnections) {
    Write-Warning "[ALERT] Found connection to malicious IP:"
    $netConnections | Format-Table LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess -AutoSize
} else {
    Write-Host "No suspicious connections found."
}

Write-Host "`nScanning for processes matching known malicious hashes..."
# Compute all three algorithms, since the IOC list mixes hash types; -contains is case-insensitive,
# so the upper-case output of Get-FileHash still matches the lower-case indicators.
$processes = Get-Process | Where-Object { $_.Path }
foreach ($proc in $processes) {
    foreach ($algo in @("SHA256", "SHA1", "MD5")) {
        $fileHash = (Get-FileHash -Path $proc.Path -Algorithm $algo -ErrorAction SilentlyContinue).Hash
        if ($fileHash -and $suspiciousHashes -contains $fileHash) {
            Write-Warning "[ALERT] Malicious process detected: $($proc.ProcessName) ($($proc.Id)) $algo=$fileHash"
        }
    }
}

Write-Host "`nChecking for suspicious startup registry keys..."
# Match both the value name and the command it launches: a masqueraded MicrosoftToolkit.exe shows up in the data, not the name
$regPaths = @("HKCU:\Software\Microsoft\Windows\CurrentVersion\Run", "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run")
foreach ($path in $regPaths) {
    if (Test-Path $path) {
        $props = Get-ItemProperty $path
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like "PS*") { continue }   # skip PSPath/PSParentPath provider metadata
            if ("$($p.Name) $($p.Value)" -match "LuaJIT|AutoIt3|MicrosoftToolkit") {
                Write-Warning "[ALERT] Suspicious Run entry in ${path}: $($p.Name) = $($p.Value)"
            }
        }
    }
}


Response Priorities

Immediate (0-4 Hours)

  1. Block IOCs: Immediately block all listed IP addresses and domains on network firewalls, proxies, and endpoints.
  2. Hunt for Malware: Execute the PowerShell script or KQL queries to identify active infections or C2 beacons.
  3. Isolate: Isolate any endpoints showing positive matches for the file hashes or network connections.

24 Hours

  1. Credential Audit: Given the prevalence of Redline, Lumma, and Vidar, assume credentials (browser cookies, crypto wallets) are compromised. Force password resets for privileged accounts identified on infected hosts.
  2. Vulnerability Scan: Scan all external-facing cPanel instances for CVE-2026-41940.

1 Week

  1. Supply Chain Hardening: Implement strict package verification for NuGet and GitHub repositories. Block execution of unsigned binaries in developer environments.
  2. Application Control: Create application allowlisting policies to prevent the execution of LuaJIT and AutoIt interpreters by unauthorized users.
  3. Patch Management: Close the Sysinternals masquerading vector and ensure MSI installations are vetted if deployed outside of SCCM/Intune.
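The NuGet campaign above relies on typosquatted package ids, so package verification needs to catch near-misses of approved names, not only unknown packages. This is an added example, not the page's or any project's own code: it reads PackageReference ids from a constructed SDK-style .csproj and compares them, by edit distance, against a constructed allowlist.

```python
# Constructed allowlist of approved package ids (stand-in for an internal curated feed).
import xml.etree.ElementTree as ET

APPROVED_PACKAGES = ["Newtonsoft.Json", "Serilog", "HandyControl"]

# Constructed project file: one approved reference, one near-miss, one unknown package.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="Newtonsoft.Jsom" Version="13.0.3" />
    <PackageReference Include="Totally.Unknown.Lib" Version="1.0.0" />
  </ItemGroup>
</Project>"""

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot one- or two-character typosquats of an approved id."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def package_ids(csproj_xml: str) -> list:
    """Extract PackageReference Include ids from an SDK-style .csproj (no XML namespace)."""
    root = ET.fromstring(csproj_xml)
    return [el.get("Include") for el in root.iter("PackageReference") if el.get("Include")]

def check_packages(csproj_xml: str, approved=APPROVED_PACKAGES, max_distance: int = 2) -> dict:
    """Map each non-approved id to a verdict. NuGet ids are case-insensitive, so compare lower-cased."""
    approved_lc = {p.lower() for p in approved}
    findings = {}
    for pkg in package_ids(csproj_xml):
        if pkg.lower() in approved_lc:
            continue
        closest = min(approved, key=lambda ok: levenshtein(pkg.lower(), ok.lower()))
        distance = levenshtein(pkg.lower(), closest.lower())
        findings[pkg] = f"possible typosquat of {closest}" if distance <= max_distance else "not allowlisted"
    return findings

if __name__ == "__main__":
    for pkg, verdict in check_packages(SAMPLE_CSPROJ).items():
        print(f"{pkg}: {verdict}")
```

Wire the check into CI against the real .csproj and packages.lock.json files and fail the build on any finding.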
