WithSecure™ Labs: With great research comes great responsibility

WithSecure's STINGR Group is releasing a detailed technical analysis of TangleCrypt, a previously undocumented packer for Windows malware. The packer was found on two executables of the STONESTOP EDR killer used in a recent ransomware attack. The blogpost describes how TangleCrypt unpacks and launches the payload, which anti-analysis techniques it uses, and the implementation flaws we identified.

WithSecure’s STINGR has been investigating a malware campaign, tracked as WEBJACK, which compromises Microsoft IIS servers to deploy malicious IIS modules belonging to the BadIIS malware family. The hijacked servers are being abused for SEO poisoning and fraud, redirecting users to casino, gambling, or betting websites. The threat actor has compromised high-profile targets, including government institutions, universities, tech firms, and many other organizations, abusing their domain reputation to serve fraudulent content through search engine results pages (SERPs).

TamperedChef is a sophisticated malware campaign that leveraged a convincing advertising campaign strategy and a fully functional decoy application to target European organizations. Disguised as a legitimate application such as a PDF editor, the malware operated with expected functionality for nearly two months before activating its payload to harvest browser credentials, impacting a significant number of systems.

Since November 2024, WithSecure has been tracking a slight uptick of targeted activities leveraging Remote Monitoring and Management (RMM) tools embedded within PDF documents. The activity primarily targets organizations in France and Luxembourg, using socially engineered emails to deliver a clean PDF containing an embedded link to an RMM installer, a simple but effective method of bypassing many email and malware defences. 

Organizations are facing an attack surface that is not only expanding at an unprecedented rate but also becoming more difficult to manage using traditional security approaches. The first half of 2025 has shown a sharp rise in both the discovery and exploitation of vulnerabilities, especially zero-days and those affecting security services, indicating that attackers are moving faster than defenders can respond. A new exploited vulnerability is published every two days, and a new exploited zero-day every three, with both categories growing significantly faster than in 2024. This growing gap between discovery and mitigation underscores a fundamental reality: reactive defence is no longer sufficient. Companies must adopt a proactive approach centred around continuous exposure management: monitoring, prioritizing, and remediating vulnerabilities before they are exploited. This research draws on verified exploitation data and real-world vulnerability trends to demonstrate why exposure management is no longer optional, but a foundational requirement for any organization aiming to stay ahead of cyber threats.

Lumma is an information stealer that the WithSecure Detection and Response Team (DRT) have encountered several times. It has seen wider use over the past couple of years, and makes for an interesting threat to monitor.

In this post we will focus on a Lumma infection with an initial loader written in .NET/C#, that was observed during a review of open source samples between February and March of 2025.