Hackers are disguising the Lumma info-stealer as “Free VPN for PC” and distributing it freely via GitHub. Unsuspecting users who download the fake VPN, or even a “Minecraft Skin”, infect their devices with malicious code that steals passwords, tokens and other confidential information.
According to Cyfirma, the Lumma distribution campaign uses GitHub as a delivery platform, taking advantage of the trust users place in the service and its open content hosting. The malware is activated when the victim launches a supposedly safe file; other infection vectors include fake CAPTCHAs, fake video tutorials on YouTube and mass phishing links. Lumma is sold under the malware-as-a-service (MaaS) model on hacker forums and Telegram, starting at \$140/month.
Lumma was first detected in 2022 and quickly became one of the most widespread info-stealers. Its code is written in C, and it actively uses hidden mechanisms to bypass system protection and detection. In May 2025, the US Department of Justice and Microsoft took down over 2,300 domains associated with LummaC2, but the campaigns continue.
Don’t trust open-source “free VPNs” — this is one of the most popular traps. To avoid infection:
- don’t click on suspicious links,
- don’t download files from GitHub without checking,
- don’t paste commands into the terminal from unknown sites,
- be sure to use antivirus and 2FA.