type: entity
confidence: medium
created: 2026-05-29
updated: 2026-05-31
tags: infostealer, malware-family, golang, signing, obfuscation

Lummastealer

Go-based info stealer family, labelled as lummastealer by OpenCTI. First encountered in the PacketPursuit corpus on 2026-05-26. May be an alias or fork of the acrstealer / orderreshop cluster, sharing identical build artefacts but marked with a distinct OpenCTI label.

Build Stack

  • Compiler: Go 1.25.4+ (GOARCH=386 and amd64 siblings observed, GOOS=windows, CGO_ENABLED=0, -trimpath=true) ^[/intel/analyses/d5647efd5104b67524f99f22788de313769ab552dd53bfe497eb2a7765bbe56f.html] ^[/intel/analyses/e03dd36f22e24a323f8db11ba3a220786ea14c5617538b5433911e5a6d1f66a3.html]
  • Signing: Authenticode-signed PE with a fraudulent self-signed certificate (CN=www.sjabr.org, issuer CN=E8, validity 3 months) ^[/intel/analyses/d5647efd5104b67524f99f22788de313769ab552dd53bfe497eb2a7765bbe56f.html] ^[/intel/analyses/e03dd36f22e24a323f8db11ba3a220786ea14c5617538b5433911e5a6d1f66a3.html]
  • Obfuscation: Randomized Go module paths; randomized main.* function names (12–16-character mixed-case alphanumeric); no external packer ^[/intel/analyses/d5647efd5104b67524f99f22788de313769ab552dd53bfe497eb2a7765bbe56f.html] ^[/intel/analyses/e03dd36f22e24a323f8db11ba3a220786ea14c5617538b5433911e5a6d1f66a3.html]
  • Resources: No .rsrc section — unlike acrstealer siblings, which embed 256×256 PNG icons for social engineering. This is either a stripped variant or a builder option.
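The randomized main.* function names listed above are a usable triage signal when a sample's Go symbol table is still present. The script below is an added example (not part of this entry or of any referenced analysis): it parses `go tool nm`-style output and flags main.* names that look machine-generated. The sample symbol lines are constructed for the example; only the two names hcfvruwrivq and awubwkkkhavkiw are taken from the analysis. The "no word structure" heuristic (a run of five or more consonants in a 10–16 character alphanumeric identifier) and its thresholds are this example's own assumptions, tuned so that ordinary camelCase Go names pass.

```python
import re

# Constructed sample in the style of `go tool nm` output (address, type, name).
# Only main.hcfvruwrivq and main.awubwkkkhavkiw come from the analysis; the
# other lines are made up to give the heuristic benign and malicious inputs.
SAMPLE_NM_OUTPUT = """\
 4889d0 T main.hcfvruwrivq
 488c10 T main.awubwkkkhavkiw
 488f40 T main.main
 489000 T main.init
 489120 T main.QpzvrtkxwmnJbh
 489300 T main.handleRequest
 42a000 T runtime.main
 43b100 T net/http.(*Client).Do
 44c200 T crypto/tls.(*Conn).Handshake
 45d300 T syscall.LoadLibrary
"""

VOWELS = set("aeiouAEIOU")
SYMBOL_RE = re.compile(r"^\s*[0-9a-fA-F]+\s+[A-Za-z]\s+(\S+)$")


def parse_nm(text):
    """Return the symbol names from `go tool nm` style output."""
    names = []
    for line in text.splitlines():
        m = SYMBOL_RE.match(line)
        if m:
            names.append(m.group(1))
    return names


def max_consonant_run(s):
    """Longest run of consecutive consonant letters (digits and vowels reset it)."""
    run = best = 0
    for ch in s:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def looks_randomized(name, min_len=10, max_len=16, run_threshold=5):
    """Heuristic (assumption): a bare alphanumeric identifier in the observed
    length band with a long consonant run has no recognisable word structure."""
    if not re.fullmatch(r"[A-Za-z0-9]+", name):
        return False
    if not (min_len <= len(name) <= max_len):
        return False
    return max_consonant_run(name) >= run_threshold


def triage_symbols(names):
    """Flag randomized-looking main.* functions and report their share."""
    main_funcs = [n for n in names if n.startswith("main.")]
    flagged = [n for n in main_funcs if looks_randomized(n[len("main."):])]
    ratio = len(flagged) / len(main_funcs) if main_funcs else 0.0
    return {"main_total": len(main_funcs), "flagged": flagged, "ratio": ratio}


if __name__ == "__main__":
    result = triage_symbols(parse_nm(SAMPLE_NM_OUTPUT))
    print(f"main.* functions: {result['main_total']}, "
          f"randomized-looking: {len(result['flagged'])} ({result['ratio']:.0%})")
    for name in result["flagged"]:
        print("  ", name)
```

A high ratio on its own is only a hint (build tools such as garble produce similar names for legitimate software), so it is best combined with the other build-stack markers on this page: CGO_ENABLED=0, -trimpath, a short-validity self-signed Authenticode certificate and a missing .rsrc section.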

See golang-stealer-build-pattern for the full build-pattern concept.

Deploy / TTPs

  • Execution: Standard Go runtime.main entry; Windows GUI subsystem, no console window.
  • Network: Statically linked net/http and crypto/tls imply HTTPS C2, but no hardcoded C2 URL was found in strings. C2 endpoints are likely decoded at runtime via a PRNG-seeded transform. ^[/intel/analyses/e03dd36f22e24a323f8db11ba3a220786ea14c5617538b5433911e5a6d1f66a3.html]
  • Collection: Inferred from family label and shared build pattern with acrstealer / orderreshop: browser credential stores, cryptocurrency wallets, FTP/SSH sessions, and system information.
  • Process manipulation: sym.main.hcfvruwrivq calls syscall.LoadLibrary and a sub-function sym.main.awubwkkkhavkiw, suggesting module-loading or injection behaviour ^[r2:0x4889d0 decompilation].
  • Anti-analysis: See fused-string-api-decoding — API names are fused with DLL names into indivisible .rdata blobs and sliced at runtime, defeating naive string extraction. ^[/intel/analyses/e03dd36f22e24a323f8db11ba3a220786ea14c5617538b5433911e5a6d1f66a3.html]
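The fused-string technique in the anti-analysis bullet defeats `strings`-style extraction because the API names never appear as separately terminated strings. The script below is an added example (not code from this entry or from the referenced analyses) of a defender-side scan that still recovers them: it compares a naive printable-run extractor against a substring search for a watchlist of API names, attributing each hit to the nearest preceding DLL name. The .rdata-like buffer is constructed for the example; the exact blob layout (DLL name immediately followed by run-together API names, no separators) is an assumption, since the entry only states that the names are fused.

```python
import re

# Constructed .rdata-like blob (assumed layout: DLL name followed by API names
# run together with no terminators), plus two ordinary NUL-terminated strings.
SAMPLE_RDATA = (
    b"\x00\x00kernel32.dllLoadLibraryWGetProcAddressVirtualAlloc"
    b"advapi32.dllCryptUnprotectDatauser32.dllGetForegroundWindow\x00"
    b"\x00\x00ordinary\x00strings\x00"
)

# Short watchlists for the example; a real triage list would be much longer.
API_WATCHLIST = [
    b"LoadLibraryW", b"GetProcAddress", b"VirtualAlloc",
    b"CryptUnprotectData", b"GetForegroundWindow",
]
DLL_WATCHLIST = [b"kernel32.dll", b"advapi32.dll", b"user32.dll"]
DLL_RE = re.compile(b"|".join(re.escape(d) for d in DLL_WATCHLIST))


def naive_strings(buf, min_len=4):
    """What `strings` would report: runs of printable ASCII of min_len or more."""
    return [m.group(0) for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, buf)]


def find_fused_apis(buf, watchlist=API_WATCHLIST):
    """Locate watchlist API names embedded inside larger blobs.

    Returns (offset, preceding_dll_name_or_None, api_name) tuples sorted by
    offset; the DLL attribution is the nearest DLL watchlist match before the hit.
    """
    dll_positions = [(m.start(), m.group(0)) for m in DLL_RE.finditer(buf)]
    hits = []
    for api in watchlist:
        start = 0
        while True:
            idx = buf.find(api, start)
            if idx < 0:
                break
            dll = None
            for pos, name in dll_positions:
                if pos < idx:
                    dll = name
            hits.append((idx, dll.decode() if dll else None, api.decode()))
            start = idx + 1
    hits.sort()
    return hits


if __name__ == "__main__":
    print("naive strings:")
    for s in naive_strings(SAMPLE_RDATA):
        print("  ", s.decode())
    print("fused API hits:")
    for off, dll, api in find_fused_apis(SAMPLE_RDATA):
        print(f"  0x{off:04x} {dll or '?':<14} {api}")
```

Run against a real sample, the interesting output is the set of hits whose surrounding printable run is much longer than the API name itself: that is the signature of the fused blob, and the DLL attribution gives a first guess at which imports the runtime slicer resolves.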

Capabilities

  • signed-pe-masquerade
  • go-symbol-name-obfuscation
  • go-static-binary-no-cgo
  • trimpath-source-stripping
  • runtime-decoded-c2-urls
  • prng-seeded-c2-url-decoding
  • tls-https-c2-client
  • browser-credential-dumping
  • cryptocurrency-wallet-targeting
  • module-loading-injection-routine
  • fused-string-api-decoding
  • no-icon-stripped-variant

Variants / Aliases

  • OpenCTI labels: lummastealer, exe, signed, sunwukong (label collision — see sunwukong)
  • Possible relation to acrstealer / orderreshop cluster (same build pipeline; needs more siblings to confirm)

Notable Analyses

  • /intel/analyses/d5647efd5104b67524f99f22788de313769ab552dd53bfe497eb2a7765bbe56f.html — Go 1.25.4 PE32, module NZlhQRhWFITWnSR, cert CN=www.sjabr.org / issuer E8, no .rsrc
  • /intel/analyses/e03dd36f22e24a323f8db11ba3a220786ea14c5617538b5433911e5a6d1f66a3.html — Go PE32+ x64 sibling, same cert CN, no .rsrc, fused-string API decoder, PRNG C2 resolution

Related