WithSecure™ Labs: With great research comes great responsibility

Since November 2024, WithSecure has been tracking a slight uptick of targeted activities leveraging Remote Monitoring and Management (RMM) tools embedded within PDF documents. The activity primarily targets organizations in France and Luxembourg, using socially engineered emails to deliver a clean PDF containing an embedded link to an RMM installer, a simple but effective method of bypassing many email and malware defences. 

Organizations are facing an attack surface that is not only expanding at an unprecedented rate but also becoming more difficult to manage using traditional security approaches. The first half of 2025 has shown a sharp rise in both the discovery and exploitation of vulnerabilities, especially zero-days and those affecting security services, indicating that attackers are moving faster than defenders can respond. A new exploited vulnerability is published every two days, and a new exploited zero-day every three, with both categories growing significantly faster than in 2024. This growing gap between discovery and mitigation underscores a fundamental reality: reactive defence is no longer sufficient. Companies must adopt a proactive approach centred around continuous exposure management: monitoring, prioritizing, and remediating vulnerabilities before they are exploited. This research draws on verified exploitation data and real-world vulnerability trends to demonstrate why exposure management is no longer optional, but a foundational requirement for any organization aiming to stay ahead of cyber threats.

Lumma is an information stealer that the WithSecure Detection and Response Team (DRT) have encountered several times. It has seen wider use over the past couple of years, and makes for an interesting threat to monitor.

In this post we will focus on a Lumma infection with an initial loader written in .NET/C#, that was observed during a review of open source samples between February and March of 2025.

The malware campaign targets cryptocurrency users, a user base estimated to be in the hundreds of millions which has emerged as a viable and effective lure to infect users and organizations across all sectors alike.

The campaign targets victims globally, with infections observed across each continent. Although the campaign targets cryptocurrency users, WithSecure has observed non-cryptocurrency-related organizations in Europe being infected by the malware due to cross-contamination introduced by personal browsing of victims on their corporate machines.

Don’t drop password managers (but password managers shouldn’t drop malware).