
New Cyber Threat: Fake VPNs on GitHub Spreading Lumma Stealer Malware


Security researchers are raising alarms about a newly emerging cyber threat involving counterfeit VPN software distributed through GitHub. According to a recent report by Cyfirma, threat actors are disguising malware as a legitimate tool called “Free VPN for PC” to trick users into downloading what is actually a dropper for the notorious Lumma Stealer malware.

This deceptive malware has also been spotted masquerading as a “Minecraft Skin Changer,” targeting unsuspecting gamers and individuals seeking free utilities. Once installed, it activates a multi-layered attack process that includes techniques such as obfuscation, dynamic DLL loading, memory injection, and misuse of trusted Windows components like MSBuild.exe and aspnet_regiis.exe—all designed to stay hidden and maintain control over the infected system.

A key part of the attack’s effectiveness lies in its use of GitHub for distribution. One example includes the repository at github[.]com/SAMAIOEC, which hosted password-protected ZIP archives and provided usage instructions to enhance the appearance of legitimacy.

The malware payload, encoded in Base64 and peppered with French text, is concealed within these ZIP files.

“What begins with a deceptive free VPN download ends with a memory-injected Lumma Stealer operating through trusted system processes,” Cyfirma reports.

Upon launching, a file named Launch.exe begins decoding a Base64-encoded string, ultimately dropping a DLL file named msvcp110.dll into the user’s AppData directory. This DLL remains hidden, is loaded only during runtime, and calls a function—GetGameData()—that triggers the final payload.

Reverse engineering the threat is difficult, thanks to anti-debugging measures like IsDebuggerPresent() and heavily obfuscated control flows.

This attack maps to known MITRE ATT&CK techniques, including DLL side-loading, sandbox evasion, and in-memory execution.

How to Stay Protected:

  • Avoid unofficial software: Stay away from tools claiming to offer free VPNs or game modifications from unknown sources.
  • Be cautious with GitHub downloads: Even if hosted on trusted platforms, avoid downloading password-protected ZIP files or tools with unclear installation instructions.
  • Block executables in risky folders: Prevent programs from running in directories like AppData, commonly used by attackers to conceal malicious files.
  • Scrutinize DLL files: Investigate any suspicious DLLs found in roaming or temp folders.
  • Monitor unusual system behavior: Keep an eye on tasks like MSBuild.exe in your task manager that may indicate malicious activity.
  • Use behavior-based security tools: Employ antivirus solutions with behavioral detection, DDoS protection, and full endpoint security to safeguard against advanced threats such as memory injection and API misuse.
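Two of the checks above (scrutinizing DLLs in AppData and watching for MSBuild.exe) written as detection logic, an added example that is not from this post or the Cyfirma report. It assumes Sysmon-style process-create (event 1) and image-load (event 7) records, and all sample events are constructed.

```python
"""Flag the two behaviours the post describes: a well-known runtime DLL name
(msvcp110.dll) loaded from a user-writable folder, and a trusted build tool
(MSBuild.exe / aspnet_regiis.exe) spawned by a parent living in a user path.
Input records mimic Sysmon event 1 and event 7 fields; samples are constructed."""
import re

# Directories a standard user can write to; a runtime DLL or build tool
# launched from here is the anomaly the post describes.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\", re.I)
# Trusted Windows/.NET binaries the post names as abused hosts.
LOLBINS = {"msbuild.exe", "aspnet_regiis.exe"}
# Runtime DLL name reused by the dropper; legitimate copies live under System32/SysWOW64.
SYSTEM_DLLS = {"msvcp110.dll"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def check_event(ev):
    """Return a list of alert strings for one event dict (empty list = benign)."""
    alerts = []
    if ev["EventID"] == 7:  # image loaded
        dll = basename(ev["ImageLoaded"])
        if dll in SYSTEM_DLLS and USER_WRITABLE.search(ev["ImageLoaded"]):
            alerts.append(f"side-loaded runtime DLL {ev['ImageLoaded']} "
                          f"into {basename(ev['Image'])}")
    elif ev["EventID"] == 1:  # process created
        if basename(ev["Image"]) in LOLBINS and USER_WRITABLE.search(ev["ParentImage"]):
            alerts.append(f"{basename(ev['Image'])} spawned by user-path parent "
                          f"{ev['ParentImage']}")
    return alerts

def scan(events):
    return [a for ev in events for a in check_event(ev)]

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\Launch.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\msvcp110.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\App\app.exe",
     "ImageLoaded": r"C:\Windows\System32\msvcp110.dll"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Users\alice\Downloads\Launch.exe"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\devenv.exe"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

The two legitimate records (System32 copy of the DLL, MSBuild launched by a Program Files parent) produce no alert, which is the false-positive case a real rule must pass before deployment.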

By remaining vigilant and using comprehensive cybersecurity tools, users can defend themselves against sophisticated attacks like this one.