As the League of Legends (LoL) World Championship draws global attention, cybercriminals are exploiting the event through a malvertising campaign designed to target gamers across Europe. Bitdefender Labs has identified this malicious operation that uses misleading social media ads to spread “Lumma Stealer,” a potent data-stealing malware.
Campaign overview
The campaign deceives fans by offering an installer for League of Legends. This fake promotion, coming at the height of the LoL World Championship, aims to lure gamers into downloading malware disguised as the game itself. The official PC version of League of Legends is already free, but the timing and context of the World Championship make the campaign appear as an exclusive esports event promotion.
Victims are led to a webpage that mimics an older version of the League of Legends download page. The site uses “typosquatting”—a tactic where the fake domain closely resembles the official site, making it harder for users to detect. Once the unsuspecting user clicks the download link, they are redirected to a Bitbucket repository containing a malicious archive file.
According to Bitdefender, the downloaded archive file contains an executable and a legitimate Windows DLL file, user32.dll. The executable serves as a dropper for “Lumma Stealer,” a form of malware that is part of the growing Malware-as-a-Service (MaaS) underground economy. Lumma Stealer has the capability to extract an extensive range of sensitive information, such as:
- Passwords
- Credit card information
- Cryptocurrency wallet data
- Browser session cookies
What makes Lumma Stealer particularly dangerous is its stealthy behavior. Once installed, the malware injects itself into a legitimate Windows process named bitlockertogo.exe, allowing it to evade basic antivirus detection and operate undetected on the victim's device.
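A hunting heuristic for the behavior described above, as an added example that is not from Bitdefender's report: it flags process-creation events where bitlockertogo.exe runs from outside a system directory or is started by an unexpected parent. The event field names, the sample events, the expected-parent list, and the assumption that the dropper itself launches the process it injects into are all constructed for illustration.

```python
import ntpath

# Constructed process-creation events (Sysmon Event ID 1 style fields);
# hosts, users and paths are illustrative and do not come from the report.
EVENTS = [
    {"host": "pc-01", "image": r"C:\Windows\System32\BitLockerToGo.exe",
     "parent_image": r"C:\Users\alice\Downloads\lol_setup\Installer.exe"},
    {"host": "pc-02", "image": r"C:\Windows\System32\BitLockerToGo.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"host": "pc-03", "image": r"C:\Users\bob\AppData\Local\Temp\bitlockertogo.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"host": "pc-04", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Users\carol\Downloads\readme_viewer.exe"},
]

TARGET = "bitlockertogo.exe"
# Assumption: the only parent that normally starts this binary on the fleet.
EXPECTED_PARENTS = {r"c:\windows\explorer.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def review(event):
    """Return the reasons an event deserves triage (empty list = no finding)."""
    image = ntpath.normpath(event["image"]).lower()
    parent = ntpath.normpath(event["parent_image"]).lower()
    if ntpath.basename(image) != TARGET:
        return []  # only the process named in the report is in scope
    reasons = []
    if ntpath.dirname(image) not in SYSTEM_DIRS:
        reasons.append("binary outside system directory")
    if parent not in EXPECTED_PARENTS:
        reasons.append("unexpected parent: " + parent)
    return reasons


def hunt(events):
    """Map each host with at least one finding to its list of reasons."""
    return {e["host"]: r for e in events if (r := review(e))}


if __name__ == "__main__":
    for host, reasons in hunt(EVENTS).items():
        print(host, "->", "; ".join(reasons))
```

Tune `EXPECTED_PARENTS` against a baseline of your own environment before alerting on it, since legitimate launch paths vary between fleets.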
Impact on the League of Legends community
The malvertising campaign, which has victimized over 4,000 people so far, focuses on a demographic of male adults who are typical League of Legends players. Once Lumma Stealer infiltrates a system, the stolen data can be leveraged in multiple ways. For example, compromised social media accounts can spread further malware or be used in scams. Sensitive information can be sold on underground forums, enabling identity theft and phishing attacks.
Defense recommendations against malvertising campaigns in general include:
- Before clicking on any ads or links, double-check for any typos or inconsistencies in the URL to avoid typosquatting traps.
- Always get your games and software directly from legitimate sources, such as official websites or trusted platforms like Steam.
- Be wary of social media ads and use ad-blockers to hide promoted search results.
- Use an up-to-date antivirus solution which can detect and block malicious files and phishing attempts.