
Storm-0408: Malvertising Drops Lumma via GitHub
An after-hours visit to a pirated sports stream sends a corporate workstation through a malvertising redirect chain that pulls a dropper from an abused public code-hosting service. A hidden PowerShell loader sets Run-key persistence and fetches the Lumma infostealer and a NetSupport RAT, which run through signed .NET living-off-the-land binaries to dodge application control. Lumma steals the browser credential store and exfiltrates it over HTTPS. Correlate proxy, Windows, XDR, and firewall telemetry to rebuild the chain from the ad redirect to the exfiltration endpoint, and hand the team the indicators needed to contain it.
Launches tomorrow
Friday, July 3, 2026 at 9:00 AM
Pro unlocks this operation at launch.
What you'll investigate
9 objectives unlock when this operation goes live.