Milum

Malware

⚠️ Overview

Milum is a modular information-stealing malware first documented publicly by Trend Micro in October 2022 under the name "Milum Stealer." It is categorized as a commodity infostealer that targets credentials, browser data, cryptocurrency wallets and system information. Public reporting associates it with the Lumma Stealer (also tracked as LummaC2) malware-as-a-service family, which is sold and operated by Russian-speaking actors; note that LummaC2 is the name of that malware, not of a threat actor. Other analysts treat Milum as a separate lineage. In either case it is typically distributed through malvertising and fake software download sites.

🔧 Technical Capabilities

Milum is distributed rather than self-propagating: it arrives bundled in fake installers for popular software such as Microsoft Teams, Zoom and Adobe Reader. Execution is multi-stage: an initial PowerShell or .NET loader retrieves the stealer payload from a command-and-control (C2) server over HTTPS, so the stealer itself is not on disk until the loader has run. Persistence is achieved through registry Run keys or scheduled tasks. Evasion consists of anti-debugging checks, virtual-machine and sandbox detection, and string obfuscation with a static XOR key (obfuscation rather than encryption in the cryptographic sense, since the key ships inside the binary and can be recovered). The stealer collects data from browsers (Chrome, Firefox, Edge), email clients, FTP clients and cryptocurrency wallet browser extensions, captures screenshots, and reads saved passwords from Windows Credential Manager, then exfiltrates the results via HTTP POST requests to the C2.
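As an added example (not code from the original page or from any Milum sample), the following Python shows how an analyst recovers strings hidden behind the kind of static single-byte XOR described above: every candidate key is tried and the one whose output looks most like a NUL-separated string table wins. The blob, the key 0x5A, and the URL and paths inside it are constructed for this example.

```python
"""Added example, not code from the page or from any real sample:
brute-forcing a single-byte XOR key over an obfuscated string table.

Commodity stealers commonly hide C2 URLs, registry paths and browser
profile locations behind XOR with a small static key. The blob below is
CONSTRUCTED for this example by XOR-ing a made-up string table with 0x5A.
"""
import string

# Bytes a decoded string table may contain: printable ASCII plus NUL,
# which these tables use as the string terminator.
_TEXT_BYTES = frozenset(string.printable.encode("ascii")) | {0}


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of *data* with the single-byte *key*."""
    return bytes(b ^ key for b in data)


def text_score(candidate: bytes) -> float:
    """Fraction of bytes that look like string-table content (0.0 to 1.0)."""
    if not candidate:
        return 0.0
    return sum(b in _TEXT_BYTES for b in candidate) / len(candidate)


def recover_single_byte_xor(blob: bytes) -> tuple[int, list[str]]:
    """Try all 256 keys and keep the one whose output looks most like text.

    Returns (key, strings): the decoded blob split on NUL terminators,
    with empty entries dropped. With a realistic table (mixed case, digits,
    ':' '/' '\\' and NULs) only the true key yields 100% text bytes.
    """
    best_key = max(range(256), key=lambda k: text_score(xor_bytes(blob, k)))
    decoded = xor_bytes(blob, best_key)
    strings = [s.decode("ascii", errors="replace")
               for s in decoded.split(b"\x00") if s]
    return best_key, strings


# --- constructed sample -----------------------------------------------------
# Hypothetical string table: a C2 path, a Run-key path and a Chromium
# credential database name. The host name and values are invented.
_PLAIN_TABLE = (
    b"https://c2.example.invalid/gate.php\x00"
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    b"Login Data\x00"
)
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = xor_bytes(_PLAIN_TABLE, SAMPLE_KEY)

if __name__ == "__main__":
    key, strings = recover_single_byte_xor(SAMPLE_BLOB)
    print(f"recovered key: 0x{key:02x}")
    for s in strings:
        print("  ", s)
```

Against a real sample the blob would be carved from the binary's data section; the same scoring works because a wrong key turns NUL terminators and punctuation into control bytes, which is why the scorer counts those rather than letters alone.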

📜 History & Notable Incidents

Milum was first observed in mid-2022, with a significant campaign in December 2022 that lured users through fake download pages for "cracked" software. No high-profile victims have been publicly named and no CVE is attributed to Milum itself; where exploitation appears at all it is in the droppers, which have reused exploits for other products' vulnerabilities (for example CVE-2021-40444, the Microsoft MSHTML remote code execution flaw). No law enforcement action specifically targeting Milum has been reported, although takedowns of related stealer infrastructure, such as Lumma Stealer's C2 servers, have occurred periodically.

🔍 Detection Indicators

Hashes: the only SHA-256 given in the source material (5a3f8b2c1d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f, attributed to a VirusTotal sample from June 2023) is 62 hexadecimal characters long and follows a sequential pattern; a SHA-256 digest is exactly 64, so this value is not a usable indicator and should be treated as a placeholder until a verified hash is obtained. Behavioral indicators: the malware writes executables to %TEMP% under names that imitate Windows or vendor components, such as "svchost.exe" or "vcredist_x86.exe" (the legitimate svchost.exe lives in %SystemRoot%\System32, so that name appearing in %TEMP% is itself a signal). Network indicators: HTTP POST requests sent over TLS on port 443 directly to IP addresses rather than hostnames, with a User-Agent copied from a real browser ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.91 Safari/537.36"); this User-Agent is identical to legitimate Chrome 106 traffic and is only meaningful in combination with the bare-IP destination and a non-browser process originating the connection. Registry persistence: values under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with names such as "WindowsUpdate". Mutexes: "MilumMutex" and "LummaMutex".
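As an added example (not part of the original page), the Python below turns two of the indicators above into checks a defender would actually run: an IOC hygiene test that rejects a malformed hash before it reaches a blocklist, and a rule that flags Run-key writes whose value name imitates a Windows component or whose target lives in a user-writable directory. The Sysmon-style Event ID 13 records are constructed; the SID, user name and paths are invented.

```python
"""Added example, not code from the page: IOC hygiene plus a Run-key
persistence rule over constructed Sysmon Event ID 13 (RegistryEvent,
value set) records. No data here comes from a real infection.
"""
import re
from typing import Dict, List, Tuple

_HEX_SHA256 = re.compile(r"[0-9a-fA-F]{64}")


def is_valid_sha256(candidate: str) -> bool:
    """True only for a 64-character hex string (a 32-byte digest)."""
    return _HEX_SHA256.fullmatch(candidate.strip()) is not None


# Autorun locations that commodity stealers and their loaders write to.
RUN_KEYS = (
    r"\Software\Microsoft\Windows\CurrentVersion\Run",
    r"\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)
# Value names that imitate Windows or vendor components ("WindowsUpdate"
# is the one the page reports; the others are the %TEMP% file names).
MASQUERADE_NAMES = {"windowsupdate", "svchost", "vcredist_x86"}
# Directories a legitimate installer does not use for an autorun binary.
USER_WRITABLE = re.compile(
    r"\\appdata\\local\\temp\\|\\temp\\|\\downloads\\|\\users\\public\\", re.I)
# Script hosts and LOLBins frequently used to relaunch a loader.
SCRIPT_HOSTS = re.compile(r"powershell|wscript|cscript|mshta|rundll32", re.I)


def suspicious_run_key(event: Dict[str, str]) -> List[str]:
    """Return the reasons an Event ID 13 record looks like stealer persistence.

    An empty list means no match. *event* carries the Sysmon fields
    TargetObject (full key path including the value name) and Details
    (the data written).
    """
    target = event.get("TargetObject", "")
    details = event.get("Details", "")
    key_path, _, value_name = target.rpartition("\\")
    if not any(key_path.lower().endswith(k.lower()) for k in RUN_KEYS):
        return []
    reasons = []
    if value_name.lower() in MASQUERADE_NAMES:
        reasons.append(f"value name '{value_name}' imitates a Windows component")
    if USER_WRITABLE.search(details):
        reasons.append("autorun target lives in a user-writable directory")
    if SCRIPT_HOSTS.search(details):
        reasons.append("autorun target is a script host or LOLBin")
    return reasons


def scan_events(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Run the rule over a batch; return (index, reasons) for each hit."""
    hits = []
    for i, ev in enumerate(events):
        if ev.get("EventID") != "13":
            continue
        reasons = suspicious_run_key(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


# --- constructed events (invented SID, user and paths) ----------------------
_SID = r"HKU\S-1-5-21-1111-2222-3333-1001"
SAMPLE_EVENTS = [
    {   # masquerading value name plus a payload dropped in %TEMP%: should match
        "EventID": "13",
        "TargetObject": _SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate",
        "Details": r"C:\Users\alice\AppData\Local\Temp\vcredist_x86.exe",
    },
    {   # ordinary vendor autorun under Program Files: must not match
        "EventID": "13",
        "TargetObject": _SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
        "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background",
    },
    {   # %TEMP% path but not an autorun key: must not match
        "EventID": "13",
        "TargetObject": _SID + r"\Software\Contoso\Settings\LastRun",
        "Details": r"C:\Users\alice\AppData\Local\Temp\cache.bin",
    },
]

if __name__ == "__main__":
    page_hash = "5a3f8b2c1d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f"
    print("page hash usable:", is_valid_sha256(page_hash))
    for idx, reasons in scan_events(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(reasons))
```

The Run-key rule deliberately returns reasons rather than a boolean so the alert carries its own justification; in a SIEM the same logic maps onto Sysmon fields without change, and the hash check belongs in whatever script loads indicators into the blocklist.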

☠️ Risk & Impact

Milum's primary impact is credential theft and cryptocurrency wallet compromise, leading to financial loss for individuals and organizations. The affected population is mainly consumers and small-to-medium businesses that install software from unofficial download sites. Exfiltrated browser passwords and session cookies enable account takeover (a replayed session cookie skips the login step, and with it password and MFA prompts) and seed further phishing campaigns, while stolen wallet data can be drained within minutes of infection.

🛡️ Mitigation

Recommended defensive measures include blocking known C2 addresses from threat intelligence feeds (for example indicators shared through a MISP instance or a commercial feed; MISP is an open-source platform, not a Trend Micro product), enabling Microsoft Defender real-time protection with cloud-delivered protection, and deploying YARA rules that match the XOR-obfuscated string tables and the registry persistence patterns. Organizations should enforce application allow-listing (AppLocker or Windows Defender Application Control) so that executables in %TEMP% and other user-writable directories cannot run, and constrain PowerShell for non-administrative users. Note that the PowerShell execution policy is not a security boundary and is bypassed with -ExecutionPolicy Bypass; the effective controls are WDAC or AppLocker enforcing Constrained Language Mode, together with script block logging so loader activity is recorded.

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.