Coming soon | Advanced | Pro

Storm-0408: Malvertising Drops Lumma via GitHub

An after-hours visit to a pirated sports stream sends a corporate workstation through a malvertising redirect chain that pulls a dropper from an abused public code-hosting service. A hidden PowerShell loader establishes Run-key persistence and fetches the Lumma infostealer and a NetSupport RAT, both of which execute through signed .NET living-off-the-land binaries to evade application control. Lumma steals the browser credential store and exfiltrates it over HTTPS. Correlate proxy, Windows, XDR, and firewall telemetry to rebuild the chain from the ad redirect to the exfiltration endpoint and hand the team the indicators it needs to contain the intrusion.

1h 35m
9 tasks
150 points
Pro

Launches tomorrow: Friday, July 3, 2026 at 9:00 AM


Pro unlocks this operation at launch.

Training Tools

SIEM, XDR, Firewall

What you'll investigate

9 objectives unlock when this operation goes live.

1. Brief: an after-hours infection on a creative workstation
2. Find where the browser left the streaming page
3. Locate where the first payload was hosted
4. Trace the loader to its dropper command-and-control
5. Identify how the infection re-arms at logon
6. Name the signed binary that ran the stealer
7. Determine where the stolen credentials went
8. Produce the file indicator for the stealer payload
9. Classify the defense-evasion technique

Be first when it launches

Create your account and grab Pro before launch. The moment this operation goes live on Jul 3, 2026, you can jump straight in.
