Privacy Ninja

Lampion Malware Returns in Phishing Attacks Abusing WeTransfer

The Lampion malware is being distributed in greater volumes lately, with threat actors abusing WeTransfer as part of their phishing campaigns.

WeTransfer is a legitimate file-sharing service that can be used free of charge, so it’s a no-cost way to bypass security software that may not raise alerts about the URLs used in emails.

In a new campaign observed by email security firm Cofense, Lampion operators are sending phishing emails from compromised company accounts urging users to download a “Proof of Payment” document from WeTransfer.


Spam mail with link to a WeTransfer download (Cofense)

The file the targets receive is a ZIP archive containing a VBS (Visual Basic Script) file that the victim needs to launch for the attack to begin.

Contents of the malicious ZIP file (Cofense)
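A mail gateway or analyst can decide whether an archive like this deserves a closer look without extracting anything. The following Python example is added here and is not code from the article or from Cofense: it reads a ZIP in memory, lists members whose extension Windows would hand to the script host, and reports whether any entry is password-protected (the flag the later stage of this chain relies on). The sample archive is constructed for the example and contains only an inert one-line script; the extension list beyond .vbs is this example's assumption, not something the article states.

```python
import io
import os
import zipfile

# Extensions that Windows hands to the script host or shell when double-clicked.
# The article's lure used .vbs; the rest of this list is an assumption of this example.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".ps1", ".bat", ".cmd", ".lnk"}


def triage_zip(data: bytes) -> dict:
    """Inspect a ZIP archive in memory without extracting any member.

    Returns the member names, the script-like members, whether any member is
    encrypted (password-protected) and whether a nested archive is present.
    No passwords are tried; the goal is to route the file to a sandbox or an
    analyst before a user opens it.
    """
    findings = {"members": [], "scripts": [], "encrypted": False, "nested_zip": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            findings["members"].append(name)
            ext = os.path.splitext(name.lower())[1]
            if ext in SCRIPT_EXTENSIONS:
                findings["scripts"].append(name)
            if ext == ".zip":
                findings["nested_zip"] = True
            # Bit 0 of the general-purpose flag marks an encrypted entry.
            if info.flag_bits & 0x1:
                findings["encrypted"] = True
    findings["suspicious"] = bool(findings["scripts"]) or findings["encrypted"]
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample shaped like the lure: a single .vbs inside a ZIP (harmless content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Proof of Payment.vbs", 'WScript.Echo "sample"\n')  # inert placeholder
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_sample_zip()))
```

A `suspicious` result is a triage signal, not a verdict: legitimate archives do carry scripts, so the intended use is to quarantine or detonate rather than to block outright.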

Upon execution, the script initiates a WScript process that creates four VBS files with random naming. The first one is empty, the second has minimal functionality, and the third’s only purpose is to launch the fourth script.

Cofense analysts comment that this extra step is unclear, but modular execution approaches are typically preferred for their versatility, allowing easy file swaps.

The fourth script launches a new WScript process that connects to two hardcoded URLs to fetch two DLL files hiding inside password-protected ZIPs. The URLs point to Amazon AWS instances.

URLs hosting the DLL payloads (Cofense)

The password for the ZIP files is hardcoded in the script, so the archives are extracted without requiring user interaction. The contained DLL payloads are loaded into memory, allowing Lampion to be stealthily executed on compromised systems.
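The stage described above leaves a recognisable footprint in process telemetry: wscript.exe launching further wscript.exe processes, each running a randomly named script. The Python example below is added here and is not code from the article or from Cofense; it walks constructed process-creation events (field names and the Temp-folder paths are assumptions of this example) and reports every chain in which a script host spawned another script host, together with any temp-directory .vbs paths seen on those command lines.

```python
import re

# Constructed process-creation events in the shape an EDR or Sysmon feed gives
# after normalisation. Field names, PIDs and paths are assumptions of this example.
SAMPLE_EVENTS = [
    {"pid": 4000, "ppid": 900,  "image": "C:\\Windows\\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 4100, "ppid": 4000, "image": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": 'wscript.exe "C:\\Users\\u\\Downloads\\Proof of Payment.vbs"'},
    {"pid": 4200, "ppid": 4100, "image": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": "wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\q8xk2d.vbs"},
    {"pid": 4300, "ppid": 4200, "image": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": "wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\m1pz7a.vbs"},
    # A lone script host started by the shell: benign-looking, should not be flagged.
    {"pid": 5000, "ppid": 4000, "image": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": "wscript.exe C:\\Scripts\\logon.vbs"},
]

TEMP_VBS = re.compile(r'\S*\\temp\\\S+\.vbs', re.IGNORECASE)


def _is_wscript(event: dict) -> bool:
    return event["image"].lower().endswith("\\wscript.exe")


def find_wscript_chains(events: list, min_length: int = 2) -> list:
    """Return root-to-leaf PID chains in which wscript.exe spawned wscript.exe.

    Only leaves (script hosts with no script-host child) start a walk, so each
    chain is reported once. Chains shorter than min_length are ignored.
    """
    by_pid = {e["pid"]: e for e in events}
    has_wscript_child = set()
    for e in events:
        parent = by_pid.get(e["ppid"])
        if _is_wscript(e) and parent is not None and _is_wscript(parent):
            has_wscript_child.add(parent["pid"])

    chains = []
    for e in events:
        if not _is_wscript(e) or e["pid"] in has_wscript_child:
            continue
        chain = [e]
        while True:
            parent = by_pid.get(chain[-1]["ppid"])
            if parent is None or not _is_wscript(parent):
                break
            chain.append(parent)
        if len(chain) >= min_length:
            chains.append([p["pid"] for p in reversed(chain)])
    return chains


def chain_report(events: list) -> list:
    """Attach the temp-directory .vbs paths seen on each flagged chain's command lines."""
    by_pid = {e["pid"]: e for e in events}
    report = []
    for pids in find_wscript_chains(events):
        temp_scripts = []
        for pid in pids:
            temp_scripts.extend(TEMP_VBS.findall(by_pid[pid]["cmdline"]))
        report.append({"pids": pids, "temp_scripts": temp_scripts})
    return report


if __name__ == "__main__":
    for entry in chain_report(SAMPLE_EVENTS):
        print(entry)
```

In a real deployment the same walk runs over the process tree your EDR already keeps; the value of the rule is that it keys on the relationship between processes rather than on the random file names, which change from sample to sample.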

From there, Lampion begins stealing data from the computer, targeting bank accounts by fetching injections from the C2 and overlaying its own login forms on banking login pages. Credentials that users enter into these fake forms are captured and sent to the attacker.


Lampion revitalized

The Lampion trojan has been around since at least 2019, focusing mainly on Spanish-speaking targets and using compromised servers to host its malicious ZIPs.

In 2021, Lampion was seen abusing cloud services for hosting the malware for the first time, including Google Drive and pCloud.

More recently, in March 2022, Cyware reported an uptick in the trojan’s distribution, identifying a hostname link to Bazaar and LockBit operations.

Cyware also reported that Lampion’s authors were actively trying to make their malware harder to analyze by adding more obfuscation layers and junk code.

Cofense’s latest report indicates that Lampion is an active and stealthy threat, and users should be cautious with unsolicited emails asking them to download files, even from legitimate cloud services.
