{"id":54139,"date":"2023-10-16T00:00:00","date_gmt":"2023-10-16T00:00:00","guid":{"rendered":"urn:uuid:98fc9085-29a7-f6ff-d45e-56f7fa665cc1"},"modified":"2023-10-16T00:00:00","modified_gmt":"2023-10-16T00:00:00","slug":"beware-lumma-stealer-distributed-via-discord-cdn","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/beware-lumma-stealer-distributed-via-discord-cdn\/","title":{"rendered":"Beware: Lumma Stealer Distributed via Discord CDN"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/Lummastealer_Hero:Large?qlt=80\"> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"49.852700490998\"> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"59861498\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"8.2723214285714\">\n<div class=\"article-details\" role=\"heading\" readability=\"36.008928571429\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Cyber Threats<\/p>\n<p class=\"article-details__description\">This blog discusses how 
threat actors abuse Discord\u2019s content delivery network (CDN) to host and spread Lumma Stealer, and talks about added capabilities to the information stealing malware. <\/p>\n<p class=\"article-details__author-by\">By: Carl Malipot <time class=\"article-details__date\">October 16, 2023<\/time> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-lg-8 col-lg-push-2\"> <\/p>\n<div class=\"richText\" readability=\"44.045092838196\">\n<div readability=\"34.257294429708\">\n<p>Our latest investigation revealed that threat actors are now delivering an information-stealing malware called Lumma Stealer via Discord, a popular chat platform for online gamers, content creators, and streamers. We\u2019ve observed that malicious actors are abusing Discord\u2019s content delivery network (CDN) to host and spread Lumma Stealer, while also using the social platform\u2019s application programming interface (API) to create bots that can communicate with the malware and control it remotely. Some of these bots also send stolen data to private Discord servers or channels.&nbsp;<\/p>\n<p>Lumma Stealer, which is written in the C programming language and steals user credentials, is one of the latest malware families to have been distributed by threat actors via Discord\u2019s CDN. This infostealer was first detected in <a href=\"https:\/\/malpedia.caad.fkie.fraunhofer.de\/details\/win.lumma\">August 2022<\/a>,&nbsp;and earlier this year, it was reported that Lumma Stealer operators targeted YouTube users via <a href=\"https:\/\/medium.com\/s2wblog\/lumma-stealer-targets-youtubers-via-spear-phishing-email-ade740d486f7\">spear-phishing emails<\/a>.<\/p>\n<p>Currently, Lumma Stealer is being sold as a service in underground forums with prices starting at US$250 per month. 
The lowest plan allows users to view and upload logs and provides access to log analysis tools, while the professional plan has the same set of features plus access to traffic analysis tools. The corporate plan, which costs four times as much as the cheapest one, includes proactive defense bypass services. Lastly, at US$20,000, the most expensive plan allows users to access the source code and gives them the right to sell the infostealer.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/j\/lumma-stealer-distributed-via-discord-cdn\/LummaStealer_Fig1.2_lummastealer%20plans.png\" alt=\"Figure 1. Lumma Stealer service plans available in underground forums \"> <\/p>\n<div class=\"caption-image-container remove-top-padding\"><figcaption>Figure 1. Lumma Stealer service plans available in underground forums <\/figcaption><\/div>\n<\/figure><\/div>\n<div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p><span class=\"body-subhead-title\">Technical analysis<\/span><\/p>\n<p>Lumma Stealer operators typically use random Discord accounts to send direct messages to victims. Malicious actors also use compromised Discord accounts to target the compromised accounts\u2019 connections. The attackers attempt to trick victims by seeking help for a project and offering US$10 or a Discord Nitro boost in exchange for the victims\u2019 assistance. Nitro boosts are part of the platform\u2019s subscription-based Server Boosting that allows users to buy special perks and features for specific servers. These boosts serve as an attractive offer in exchange for the victims&#8217;&nbsp;playing a game and providing a review for it, something that threat actors promise will only take four to five minutes of their time. If a victim agrees to the attacker\u2019s offer, the victim would be prompted to download a file. 
&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/j\/lumma-stealer-distributed-via-discord-cdn\/LummaStealer_Fig2_DiscordDirectmessage.PNG\" alt=\"Figure 2. An example of a Discord direct message sent to would-be victims, prompting them to download and execute a file containing Lumma Stealer \"> <\/p>\n<div class=\"caption-image-container remove-top-padding\"><figcaption>Figure 2. An example of a Discord direct message sent to would-be victims, prompting them to download and execute a file containing Lumma Stealer <\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>In our investigation, we saw that the victim accessed the fraudulent Discord message via Google Chrome on a work computer. Upon selecting the malicious link, it triggered multiple downloads of the malicious file \u201c<i>4_iMagicInventory_1_2_s.exe<\/i>\u201d that contains the Lumma Stealer malware.\u202f<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/j\/lumma-stealer-distributed-via-discord-cdn\/LummaStealer_Fig3_V1ExecutionProfileDiscordAccessedViaChrome.png\" alt=\"Figure 3. The user accessed Discord via Google Chrome to download the malicious file \u201c4_iMagicInventory_1_2_s.exe\u201d that contains Lumma Stealer, as seen on the Trend Vision One\u2122 Workbench. \"> <\/p>\n<div class=\"caption-image-container remove-top-padding\"><figcaption>Figure 3. The user accessed Discord via Google Chrome to download the malicious file \u201c4_iMagicInventory_1_2_s.exe\u201d that contains Lumma Stealer, as seen on the Trend Vision One\u2122 Workbench. 
<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/j\/lumma-stealer-distributed-via-discord-cdn\/LummaStealer_Fig4_V1Downloadedmultipletimes.png\" alt=\"Figure 4. The Lumma Stealer file was downloaded multiple times when the URL sent via the Discord direct message was accessed. \"> <\/p>\n<div class=\"caption-image-container remove-top-padding\"><figcaption>Figure 4. The Lumma Stealer file was downloaded multiple times when the URL sent via the Discord direct message was accessed. <\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>When executed, the file sample connects to a malicious domain, <i>gapi-node[.]io<\/i>, and tries to steal cryptocurrency wallets and browser data from the user.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/j\/lumma-stealer-distributed-via-discord-cdn\/LummaStealer_Fig5_lookingforcryptowallets.png\" alt=\"Figure 5. Lumma Stealer looking for cryptocurrency wallets \"> <\/p>\n<div class=\"caption-image-container remove-top-padding\"><figcaption>Figure 5. Lumma Stealer looking for cryptocurrency wallets <\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/j\/lumma-stealer-distributed-via-discord-cdn\/LummaStealer_Fig6_lookingforbrowseruserdata.png\" alt=\"Figure 6. Lumma Stealer looking for browser user data \"> <\/p>\n<div class=\"caption-image-container remove-top-padding\"><figcaption>Figure 6. 
Lumma Stealer looking for browser user data <\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>The threat actors behind Lumma Stealer have shared in underground forums that the malware now has the capability to load other files, and based on our observation, these files lead to other malware. Lumma Stealer threat actors also announced that the malware has the ability to detect &#8220;bots&#8221; using artificial intelligence and deep learning to filter out fruitless infections from their affiliates\u2019 logs. We presume that the term \u201cbots\u201d refers to researchers or analysis environments and emulators.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/j\/lumma-stealer-distributed-via-discord-cdn\/LummaStealer_Fig8_copy.jpg\" alt=\"Figure 8. A post of an apparent Lumma Stealer reseller in an underground forum detailing the malware\u2019s ability to load new files. The English translation of the update is seen on the lower left part of the image.\"> <\/p>\n<div class=\"caption-image-container remove-top-padding\"><figcaption>Figure 8. A post of an apparent Lumma Stealer reseller in an underground forum detailing the malware\u2019s ability to load new files. The English translation of the update is seen on the lower left part of the image.<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/j\/lumma-stealer-distributed-via-discord-cdn\/LummaStealer_Fig9_copy.jpg\" alt=\"Figure 9. 
A post of an apparent Lumma Stealer reseller in an underground forum detailing how the malware uses deep learning for bot detection \"> <\/p>\n<div class=\"caption-image-container remove-top-padding\"><figcaption>Figure 9. A post of an apparent Lumma Stealer reseller in an underground forum detailing how the malware uses deep learning for bot detection <\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>In our investigation, we detected the latest version of Lumma Stealer malware.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/j\/lumma-stealer-distributed-via-discord-cdn\/LummaStealer_Fig10_BehaviorMonitoringvsLummastealer.png\" alt=\"Figure 10. Lumma Stealer execution as seen on the Trend Vision One Workbench\"> <\/p>\n<div class=\"caption-image-container remove-top-padding\"><figcaption>Figure 10. Lumma Stealer execution as seen on the Trend Vision One Workbench<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p><span class=\"body-subhead-title\">Conclusion and recommendations<\/span><\/p>\n<p>Users should be careful when selecting links or downloading files from unknown sources, as they could be infected with Lumma Stealer or other malware. Users can also benefit from adhering to the following security recommendations to avoid falling victim to infostealers:&nbsp;<\/p>\n<ol>\n<li>Users should be cautious of unexpected or unsolicited direct messages. 
Before opening any attachments or selecting links, users should first verify the sender\u2019s identity.\u202f<\/li>\n<li>Use reliable antivirus software to scan and protect devices from malicious threats.\u202f<\/li>\n<li>Have an inventory of communication tools within your environment and consider adding unsanctioned tools to the Trend Vision One Suspicious Objects List.\u202f<\/li>\n<li>Organizations should ensure that their employees are trained to spot and avoid social engineering scams. Enterprises should conduct regular information security training sessions to help keep everyone informed and up to date.\u202f<\/li>\n<\/ol><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"45.039079229122\">\n<div readability=\"39.52408993576\">\n<p><span class=\"body-subhead-title\">Trend Micro solutions<\/span><\/p>\n<p><a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/services\/managed-xdr.html\">Managed XDR<\/a>\u202fuses expert analytics to analyze vast amounts of data collected from various Trend technologies. XDR employs advanced AI and expert security analytics to correlate data from both customer environments and global threat intelligence, resulting in fewer but more accurate alerts and leading to quicker detection. Additionally, Vision One provides a single console that has prioritized alerts and is supported with guided investigation, making it easier for organizations to understand the full scope of an attack and its impact.\u202f<\/p>\n<p>With\u202f<a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/services\/service-one.html\">Trend One\u2122<\/a>, businesses can enhance their resilience with round-the-clock premium support, managed XDR, and incident response services. 
This service includes automated updates and upgrades for solutions, on-demand training, access to best practice guides, and the ability to consult with cybersecurity experts.\u202f<\/p>\n<p><a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/user-protection\/sps\/endpoint.html\">Trend Micro Apex One\u2122<\/a>\u202fcombines threat detection, response, and investigation in one solution. It automatically detects and responds to many types of threats, such as ransomware and fileless attacks. Apex One has advanced tools to detect and respond to attacks and can integrate with security information and event management (SIEM) systems.&nbsp;&nbsp;<\/p>\n<p><a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/user-protection\/endpoint-security.html\">Trend Cloud One\u2122 \u2013 Endpoint Security\u202f<\/a>and\u202f<a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/hybrid-cloud\/cloud-one-workload-security.html\">Workload Security\u202f<\/a>protect endpoints, servers, and cloud workloads through unified visibility, management, and role-based access control. These services provide specialized security optimized for your diverse endpoint and cloud environments, which eliminate the cost and complexity of multiple point solutions. 
Meanwhile, the\u202f<a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/hybrid-cloud\/cloud-one-network-security.html\">Trend Cloud One\u2122 \u2013 Network Security\u202f<\/a>solution goes beyond traditional intrusion prevention system (IPS) capabilities and includes virtual patching and post-compromise detection and disruption as part of a powerful hybrid cloud security platform.\u202f<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31\">\n<div readability=\"7\">\n<p><span class=\"body-subhead-title\">Indicators of compromise<\/span><\/p>\n<p>C&amp;C: <i>gapi-node[.]io\u202f<\/i><\/p>\n<p>SHA256: 674d96c42621a719007e64e40ad451550da30d42fd508f6104d7cb65f19cba51<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/j\/beware-lumma-stealer-distributed-via-discord-cdn-.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This blog discusses how threat actors abuse Discord\u2019s content delivery network (CDN) to host and spread Lumma Stealer, and talks about added capabilities to the information stealing malware. 
Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":54140,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9555,9513,9509],"class_list":["post-54139","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-exploitsvulnerabilities","tag-trend-micro-research-malware","tag-trend-micro-research-research"]}
9a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/54139","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=54139"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/54139\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/54140"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=54139"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=54139"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=54139"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}