Lumma Stealer is currently one of the most popular malware families. Campaigns involving this info stealer have a notable presence in DNS. We’ve been tracking a threat actor that deploys a large number of domains to advertise file share links dropping Lumma Stealer. These campaigns are interesting because the actor uses a traffic distribution system (TDS), cloaking, and web tracking technology (e.g. Matomo, Bablosoft) to hide and protect the malicious content. Here are recent examples of the TDS and landing page domains.
An attack that we investigated today showed a new Lumma Stealer payload and a C2 domain that is only a day old.
:::Lumma Stealer executable SHA256::: df148680db17e221e6c4e8aed89b4d3623f4a8ad86a3a4d43c64d6b1768c5406
:::Text sites containing Lumma Stealer configuration details:::
hXXps://rentry[.]co/feouewe5/raw
hXXps://pastebin[.]com/raw/uh1GCpxx
:::Newly created Lumma Stealer C2:::
hXXps://urbjanjungle[.]tech/api
#malware #lummastealer #c2 #tds #tracker #cloaking #dns #mastodon #threatintel #cybercrime #threatintelligence #cybersecurity #infosec #infoblox #infobloxthreatintel