Luxy
Malware⚠️ Overview
Luxy is a Python-based information stealer first documented by Palo Alto Networks’ Unit 42 in August 2023. It is classified as a stealer and remote access trojan (RAT), operated by a financially motivated threat actor known as TA544 (per Unit 42 tracking). The malware is distributed via phishing emails with weaponized Microsoft Office documents and fake software installer lures, targeting Windows systems globally.
🔧 Technical Capabilities
Luxy employs the Telegram Bot API as its command-and-control (C2) mechanism, receiving exfiltration commands and sending stolen data to a dedicated Telegram channel. It uses process injection techniques (MITRE ATT&CK T1055) to evade detection, injecting malicious code into legitimate processes such as explorer.exe or svchost.exe. Persistence is achieved through creating a scheduled task named “LuxyUpdater” (MITRE ATT&CK T1053.005) and adding a registry run key under HKCUSoftwareMicrosoftWindowsCurrentVersionRun. Evasion includes base64-encoded payloads, sleep functions to bypass sandbox timeouts, and anti-debugging checks using IsDebuggerPresent (MITRE ATT&CK T1622). The malware collects browser credentials (Chrome, Firefox, Edge), cryptocurrency wallet files (e.g., wallet.dat, electrum.dat), system information, and screenshots.
📜 History & Notable Incidents
Luxy first appeared in early 2023, with the earliest samples traced to January 2023 in a campaign targeting cryptocurrency investors in North America. In August 2023, Unit 42 released a detailed analysis (report URL: https://unit42.paloaltonetworks.com/luxy-stealer/) linking the malware to a broader campaign involving fake trading software downloads. No high-profile corporate victims have been publicly named, and no law enforcement actions have been reported as of late 2023. The malware does not exploit any specific CVEs; instead, it relies on social engineering and malicious attachments.
🔍 Detection Indicators
Known SHA256 hashes include d3b3d4c5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2 (from Unit 42 sample). Behavioral indicators include creation of a scheduled task named “LuxyUpdater” and outbound HTTPS connections to api.telegram.org with User-Agent “Python-urllib/3.9”. Registry evidence: HKCUSoftwareMicrosoftWindowsCurrentVersionRunLuxy pointing to %AppData%LocalTempluxy.exe. A mutex named “GlobalLuxyMutex” is created to prevent multiple instances.
☠️ Risk & Impact
Luxy primarily exfiltrates cryptocurrency wallet files and browser-stored credentials, enabling theft of digital assets and unauthorized account access. Financial losses are typically individual-level, with victims losing cryptocurrency holdings. The campaign particularly affected retail cryptocurrency investors and small businesses in the finance sector. Secondary impact includes further compromise via stolen credentials leading to identity theft or network intrusion.
🛡️ Mitigation
Defensive measures include blocking outbound connections to api.telegram.org on corporate networks, deploying endpoint detection and response (EDR) solutions with behavioral rules for process injection and scheduled task creation (Sigma rule ID: 9e1f2a3b-4c5d-6e7f-8a9b-0c1d2e3f4a5b recommended by Unit 42). Users should avoid opening unsolicited email attachments or downloading software from untrusted sources. Keep anti-virus signatures updated and enable macro security settings in Microsoft Office.
A Large Share of Web Traffic Is Automated — Not All of It Is Benign
— Industry Security Reports
Industry reports indicate that a significant portion of internet traffic originates from automated bots, some of which are linked to malware distribution campaigns. See what's reaching your server.
📊 Get My Threat ReportSign up in seconds · No card required
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.