Cybersecurity researchers have uncovered a malicious campaign that uses a fraudulent Telegram Premium website to distribute a dangerous variant of the Lumma Stealer malware. According to a report by Cyfirma, the fake domain telegrampremium[.]app closely imitates the official Telegram Premium branding and hosts a file named start.exe.
The executable, written in C/C++, is downloaded automatically when a user visits the site, with no click required. Once executed, it collects sensitive data, including stored browser credentials, cryptocurrency wallet information, and system details, significantly raising the risk of identity theft. The site therefore functions as a drive-by download: the malware is delivered without the user's knowledge or consent.
Researchers noted the executable’s high entropy, indicating the use of a cryptor to conceal its operations and evade traditional security detection. Static analysis revealed that the malware imports numerous Windows API functions, giving it the ability to alter files, edit registry entries, access the clipboard, launch further payloads, and bypass defenses.
The Lumma Stealer variant also makes DNS queries through Google’s public DNS, sidestepping corporate network restrictions. It communicates with legitimate platforms like Telegram and Steam Community for possible command-and-control (C2) operations, while also relying on algorithmically generated domains to avoid domain takedowns.
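The DNS behaviour above is one of the more detectable traits: an endpoint that is supposed to use the corporate resolver suddenly sending port-53 traffic straight to Google's public DNS. The following added example (written for this article, not Cyfirma's tooling) shows detection logic for that pattern run over a constructed flow-log sample. The log line format, the approved resolver addresses and the sample hosts are all assumptions; only the Google public DNS addresses are real.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Resolvers the (hypothetical) corporate policy permits endpoints to query.
APPROVED_RESOLVERS = {ipaddress.ip_address("10.0.0.53"), ipaddress.ip_address("10.0.1.53")}

# Google's public DNS addresses, the resolver the report says the sample queries.
GOOGLE_PUBLIC_DNS = {
    ipaddress.ip_address("8.8.8.8"),
    ipaddress.ip_address("8.8.4.4"),
    ipaddress.ip_address("2001:4860:4860::8888"),
    ipaddress.ip_address("2001:4860:4860::8844"),
}

# Constructed flow-log format (assumed; adapt the regex to your firewall's export).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    reason: str


def parse_line(line: str):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_dns_destination(dst: str):
    """Reason string for a port-53 destination that policy does not permit, else None."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return None
    if addr in APPROVED_RESOLVERS:
        return None
    if addr in GOOGLE_PUBLIC_DNS:
        return "google-public-dns"
    return "unapproved-resolver"


def find_dns_egress(lines):
    """Flag every DNS flow (UDP/TCP port 53) that does not go to an approved resolver."""
    findings = []
    for line in lines:
        fields = parse_line(line)
        if fields is None or fields["dport"] != "53" or fields["proto"].lower() not in ("udp", "tcp"):
            continue
        reason = classify_dns_destination(fields["dst"])
        if reason:
            findings.append(Finding(fields["ts"], fields["src"], fields["dst"], reason))
    return findings


def count_by_source(findings):
    """Hosts with the most bypass attempts first; a quick pivot for triage."""
    return dict(Counter(f.src for f in findings).most_common())


# Constructed sample log; addresses other than Google's are documentation/private ranges.
SAMPLE_LOG = """\
2025-01-15T09:02:11Z src=10.0.0.5 dst=10.0.0.53 dport=53 proto=udp
2025-01-15T09:02:12Z src=10.0.0.5 dst=8.8.8.8 dport=53 proto=udp
2025-01-15T09:02:12Z src=10.0.0.5 dst=8.8.8.8 dport=53 proto=udp
2025-01-15T09:02:13Z src=10.0.0.5 dst=203.0.113.10 dport=443 proto=tcp
2025-01-15T09:03:40Z src=10.0.0.7 dst=1.1.1.1 dport=53 proto=tcp
2025-01-15T09:04:01Z src=10.0.0.9 dst=10.0.1.53 dport=53 proto=udp
malformed line that the parser must skip
"""

if __name__ == "__main__":
    hits = find_dns_egress(SAMPLE_LOG.splitlines())
    for f in hits:
        print(f"{f.ts} {f.src} -> {f.dst} ({f.reason})")
    print(count_by_source(hits))
```

The rule deliberately flags any non-approved resolver, not just Google's, because the report's point is the bypass of corporate DNS rather than the specific provider; the reason string just makes the Google case easy to spot when hunting for this campaign. Blocking outbound port 53 to anything except the approved resolvers at the perimeter turns the same logic into a preventive control.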
The attackers rely on newly registered infrastructure, pointing to short-lived but highly targeted operations. The malware also drops disguised files in the %TEMP% directory, including encrypted payloads hidden as image files. These are later renamed and executed as obfuscated scripts, which help the malware erase its tracks.
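Two of the traits described above, the high entropy of the cryptor-wrapped executable and the encrypted payloads dropped into %TEMP% under image file names, can both be checked with a simple file triage pass. The added example below (not from the original report) computes Shannon entropy and compares each file's extension with its leading bytes, so an encrypted blob or a PE file posing as a PNG stands out. The entropy threshold, the 1 MiB read limit and the constructed sample files are assumptions; the image and PE magic bytes are the standard ones.

```python
import math
import tempfile
from collections import Counter
from pathlib import Path

# Hypothetical tuning values (assumptions, not from the report).
ENTROPY_THRESHOLD = 7.2      # packed/encrypted data approaches the 8.0 maximum
HEAD_BYTES = 1024 * 1024     # only the first MiB of each file is examined

# Expected leading bytes for common image extensions.
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
    ".bmp": b"BM",
}
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx"}
PE_MAGIC = b"MZ"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, up to 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_bytes(name: str, data: bytes) -> list[str]:
    """Return the reasons a file is suspicious; an empty list means nothing was flagged."""
    reasons = []
    ext = Path(name).suffix.lower()
    expected = IMAGE_MAGIC.get(ext)
    if expected is not None and not data.startswith(expected):
        reasons.append("extension/magic mismatch")
    if data.startswith(PE_MAGIC) and ext not in EXECUTABLE_EXTENSIONS:
        reasons.append("PE header under non-executable extension")
    entropy = shannon_entropy(data)
    if entropy >= ENTROPY_THRESHOLD:
        reasons.append(f"high entropy ({entropy:.2f} bits/byte)")
    return reasons


def scan_directory(directory) -> dict[str, list[str]]:
    """Triage every regular file in a directory (e.g. %TEMP%); returns only flagged files."""
    flagged = {}
    for path in sorted(Path(directory).iterdir()):
        if not path.is_file():
            continue
        with path.open("rb") as fh:
            reasons = triage_bytes(path.name, fh.read(HEAD_BYTES))
        if reasons:
            flagged[path.name] = reasons
    return flagged


# Constructed sample files: a genuine-looking PNG, a PE disguised as a PNG, and a
# "JPEG" whose body is uniformly distributed bytes (what an encrypted blob looks like).
SAMPLE_FILES = {
    "photo.png": IMAGE_MAGIC[".png"] + b"\x00" * 512,
    "invoice.png": PE_MAGIC + b"\x90" * 600,
    "cache.jpg": bytes(range(256)) * 16,
}


def demo_scan() -> dict[str, list[str]]:
    """Write the constructed samples to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in SAMPLE_FILES.items():
            (Path(tmp) / name).write_bytes(data)
        return scan_directory(tmp)


if __name__ == "__main__":
    for name, reasons in demo_scan().items():
        print(f"{name}: {', '.join(reasons)}")
```

Run against a real %TEMP% by calling scan_directory on that path. Legitimate compressed images also score high on entropy, which is why the magic check is paired with it: a file that is both high-entropy and fails to carry the header its extension promises is the combination worth escalating, while a valid JPEG with high entropy is expected.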
Further evasion techniques include calling Windows API functions such as Sleep to delay execution, which can outlast sandbox analysis windows, and LoadLibraryExW to load DLLs quietly at runtime, both of which make early detection harder for security analysts.
How to Stay Safe
- Deploy endpoint detection and response (EDR) tools that can spot behaviors linked to Lumma Stealer
- Block known malicious domains
- Enforce strict download restrictions to prevent drive-by attacks
- Use multi-factor authentication (MFA) to minimize damage from stolen credentials
- Rotate credentials regularly to limit attackers’ long-term access
- Continuously monitor for unusual activity to ensure swift response