Security researchers at AhnLab Security Intelligence Center (ASEC) have uncovered a sophisticated malware campaign distributing the LummaC2 information stealer, disguised as a cracked version of Total Commander—a widely used file management tool for Windows.
The operation preys on users looking for a way around the software's license, counting on their willingness to download pirated copies from unverified sources. It is another instance of a well-worn pattern: attackers impersonate legitimate, widely used software so that the download itself raises no suspicion.
Total Commander, a dual-pane file manager with FTP support, encryption, and advanced search, is distributed as shareware: a 30-day evaluation period is followed by a paid license. The official installer is distributed from ghisler[.]com; the attackers instead offer fake "cracked" builds that carry malware.
ASEC’s investigation reveals that the attackers mimic Total Commander’s interface and version history to appear legitimate, further deceiving victims.
Multi-Stage Social Engineering Attack
The infection process begins when users search for “Total Commander Crack” on search engines like Google. They are led to a Google Colab page posing as a download portal.
From there, victims are pushed through several redirects, including a fabricated Reddit thread, before reaching the final download link. The chain acts as a filter: only a user who deliberately follows every step to obtain the crack reaches the payload, which also keeps casual visitors and automated scanners away from the final link.
The downloaded file (installer_1.05_38.2.exe) carries a double-compressed RAR archive protected with the password "Schools"; the password prevents content scanners from inspecting the archive. After extraction, an NSIS installer runs an obfuscated batch file (Nv.cmd), which stages the LummaC2 payload.
The batch script first checks the running process list for security products such as Avast, Sophos, and Bitdefender. Only if none are found does it decrypt and reassemble the LummaC2 components from the fragmented binary blobs.
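The following triage script is an added example written for this article; it is not ASEC's tooling, nor code from the sample. It expands the `set`/`%var%` string splitting that obfuscated batch files use to hide command names, then flags the three behaviours described above: a tasklist/findstr probe for security products, `copy /b` concatenation of fragments into a new binary, and a reference to a compiled AutoIt script (.a3x). The embedded batch text and every file, variable and process name in it are constructed for illustration and are not taken from Nv.cmd.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample that imitates the behaviour described in the report
# (AV process check, binary fragment reassembly, AutoIt launch). The file and
# variable names are invented for this example; this is not the real Nv.cmd.
SAMPLE_BATCH = r'''
@echo off
set "t=task"
set "l=list"
%t%%l% | findstr /I "AvastUI.exe SophosUI.exe bdagent.exe" >nul
if not errorlevel 1 exit
copy /b Wish.mp3+Ads.mp3+Harm.mp3 Q.pif >nul
copy /b Norm.mp3+Sale.mp3 Q.a3x >nul
start "" Q.pif Q.a3x
'''

# Illustrative subset of process names for the products the script is said to
# look for (an assumption for this example; extend with your own list).
AV_PROCESSES = {
    "avastui.exe": "Avast",
    "sophosui.exe": "Sophos",
    "bdagent.exe": "Bitdefender",
}

SET_RE = re.compile(r'^\s*set\s+"?([A-Za-z_]\w*)=([^"\r\n]*)"?', re.I | re.M)
VAR_RE = re.compile(r"%([A-Za-z_]\w*)%")
COPY_RE = re.compile(r"copy\s+/b\s+(\S+(?:\+\S+)+)\s+(\S+)", re.I)


def resolve_vars(script: str, max_rounds: int = 10) -> str:
    """Expand %name% references using the script's own `set` lines.

    Obfuscated batch files often split command names across variables
    (set "t=task" / set "l=list" / %t%%l%); a few rounds of expansion
    recover them. Unknown variables are left untouched.
    """
    env = {m.group(1).lower(): m.group(2) for m in SET_RE.finditer(script)}

    def expand(m):
        return env.get(m.group(1).lower(), m.group(0))

    for _ in range(max_rounds):
        expanded = VAR_RE.sub(expand, script)
        if expanded == script:
            break
        script = expanded
    return script


@dataclass
class TriageReport:
    av_checks: List[str] = field(default_factory=list)              # products probed via tasklist/findstr
    reassembled: Dict[str, List[str]] = field(default_factory=dict)  # output file -> fragments joined by copy /b
    autoit_scripts: List[str] = field(default_factory=list)         # .a3x files referenced

    def suspicious(self) -> bool:
        # The combination the report describes: AV evasion plus on-disk
        # reassembly of a payload from fragments.
        return bool(self.av_checks) and bool(self.reassembled)


def triage(script: str) -> TriageReport:
    report = TriageReport()
    for line in resolve_vars(script).splitlines():
        low = line.lower()
        if "tasklist" in low and "findstr" in low:
            quoted = re.search(r'"([^"]+)"', line)
            for token in (quoted.group(1).split() if quoted else []):
                product = AV_PROCESSES.get(token.lower())
                if product and product not in report.av_checks:
                    report.av_checks.append(product)
        m = COPY_RE.search(line)
        if m:
            report.reassembled[m.group(2)] = m.group(1).split("+")
        for token in line.replace('"', " ").split():
            if token.lower().endswith(".a3x") and token not in report.autoit_scripts:
                report.autoit_scripts.append(token)
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_BATCH)
    print("AV products probed:", r.av_checks)
    print("Files reassembled:", r.reassembled)
    print("AutoIt scripts:", r.autoit_scripts)
    print("Suspicious:", r.suspicious())
```

The variable expansion is deliberately minimal (no delayed `!var!` expansion, no substring syntax); it is enough to defeat the common split-string trick and makes the later pattern matching far more reliable than matching the raw file.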
LummaC2 Malware and Data Theft
The final payload is embedded within a compiled AutoIt script (.a3x) and uses layered encryption to conceal the stealer code. Once running, LummaC2 harvests browser credentials, cryptocurrency wallet data, and autofill information and sends it to attacker-controlled command-and-control servers (affordtempyo[.]biz, hoursuhouy[.]biz).
MD5 hashes of samples from this campaign include 0a2d4bbb5237add913a2c6cf24c08688 and 25728e657a3386c5bed9ae133613d660.
How to Defend Against This Threat
This campaign is another reminder that software piracy is a reliable malware delivery channel. Users should avoid cracked software altogether and download tools only from the vendor's official site.
Enterprises should monitor network traffic for connections to the domains listed above and treat them, together with the hashes, as Indicators of Compromise (IoCs). Because the stealer itself is packed and encrypted, endpoint detection should also watch for the behaviours that precede it: a batch script enumerating security products via the process list, a binary reassembled on disk from fragments, and a compiled AutoIt script (.a3x) being executed.
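As an added example (not from the ASEC report), here is how the published IoCs can be refanged and matched against proxy logs and a file-hash inventory. Only the two domains and two MD5 hashes come from the report; the log layout, every log line, client address, path and inventory entry, and the look-alike domain xhoursuhouy.biz are constructed for this example. Matching is done label by label rather than by substring so that a look-alike does not produce a false hit while a subdomain of an IoC domain still does.

```python
import re
from typing import Iterable, List, Optional, Set, Tuple
from urllib.parse import urlparse

# IoCs quoted in the report, kept defanged exactly as published.
IOC_DOMAINS_DEFANGED = ["affordtempyo[.]biz", "hoursuhouy[.]biz"]
IOC_MD5S = {
    "0a2d4bbb5237add913a2c6cf24c08688",
    "25728e657a3386c5bed9ae133613d660",
}


def refang(indicator: str) -> str:
    """Undo common defanging ([.] and hxxp) so the value compares with live data."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower().rstrip(".")


IOC_DOMAINS: Set[str] = {refang(d) for d in IOC_DOMAINS_DEFANGED}


def domain_matches(host: str, iocs: Set[str]) -> Optional[str]:
    """Return the IoC that `host` equals or is a subdomain of, else None.

    Matching label by label (not by substring) keeps 'xhoursuhouy.biz'
    from triggering on 'hoursuhouy.biz' while 'cdn.hoursuhouy.biz' still does.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def host_from_target(target: str) -> str:
    """Extract the hostname from a proxy log target: a full URL or host[:port]."""
    if "://" in target:
        return urlparse(target).hostname or ""
    return re.sub(r":\d+$", "", target)


# Constructed proxy log in a simple "timestamp client method target status"
# layout, invented for this example. The third line is a deliberate near-miss.
SAMPLE_PROXY_LOG = """\
2025-03-03T10:15:02Z 10.1.2.33 CONNECT affordtempyo.biz:443 200
2025-03-03T10:15:04Z 10.1.2.33 GET http://cdn.hoursuhouy.biz/api 200
2025-03-03T10:15:09Z 10.1.2.40 CONNECT xhoursuhouy.biz:443 200
2025-03-03T10:15:11Z 10.1.2.41 GET https://www.ghisler.com/ 200
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})\s*$")


def scan_proxy_log(log_text: str, iocs: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, matched_ioc) for every line whose target host
    equals or falls under an IoC domain. Malformed lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, _method, target, _status = m.groups()
        matched = domain_matches(host_from_target(target), iocs)
        if matched:
            hits.append((ts, client, matched))
    return hits


# Constructed (path, md5) export such as an EDR file inventory would produce.
# The second digest is an arbitrary non-IoC value.
SAMPLE_INVENTORY = [
    ("C:\\Users\\alice\\Downloads\\setup.exe", "0A2D4BBB5237ADD913A2C6CF24C08688"),
    ("C:\\Program Files\\totalcmd\\TOTALCMD64.EXE", "9e107d9d372bb6826bd81d3542a419d6"),
]


def match_hashes(inventory: Iterable[Tuple[str, str]], md5s: Set[str]) -> List[Tuple[str, str]]:
    """Compare (path, md5) pairs against the IoC hashes. Case is normalised
    because tools export hex digests inconsistently."""
    return [(path, h.lower()) for path, h in inventory if h.lower() in md5s]


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG, IOC_DOMAINS):
        print("network hit:", hit)
    for hit in match_hashes(SAMPLE_INVENTORY, IOC_MD5S):
        print("hash hit:", hit)
```

Hash matching is only as good as the sample list, and stealer builds are repacked often, so treat the hashes as confirmation of a known sample rather than as the primary detection; the domain and behavioural indicators carry more weight.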