{
	"id": "7b5169d1-4270-4b1c-9265-64763ab6f2ff",
	"created_at": "2026-04-06T00:11:21.683576Z",
	"updated_at": "2026-04-10T13:12:20.998184Z",
	"deleted_at": null,
	"sha1_hash": "63d348acfd75b3e2086e8db793223a977344bd9b",
	"title": "Threat Actors Deploy LummaC2 Malware to Exfiltrate Sensitive Data from Organizations | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 559624,
	"plain_text": "Threat Actors Deploy LummaC2 Malware to Exfiltrate Sensitive\r\nData from Organizations | CISA\r\nPublished: 2025-05-21 · Archived: 2026-04-05 13:47:59 UTC\r\nSummary\r\nThe Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are\r\nreleasing this joint advisory to disseminate known tactics, techniques, and procedures (TTPs) and indicators of\r\ncompromise (IOCs) associated with threat actors deploying the LummaC2 information stealer (infostealer)\r\nmalware. LummaC2 malware is able to infiltrate victim computer networks and exfiltrate sensitive information,\r\nthreatening vulnerable individuals’ and organizations’ computer networks across multiple U.S. critical\r\ninfrastructure sectors. According to FBI information and trusted third-party reporting, this activity has been\r\nobserved as recently as May 2025. The IOCs included in this advisory were associated with LummaC2 malware\r\ninfections from November 2023 through May 2025.\r\nThe FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this\r\nadvisory to reduce the likelihood and impact of LummaC2 malware.\r\nTechnical Details\r\nNote: This advisory uses the MITRE ATT\u0026CK® Matrix for Enterprise framework, version 17. See the MITRE\r\nATT\u0026CK Tactics and Techniques section of this advisory for threat actor activity mapped to MITRE ATT\u0026CK\r\ntactics and techniques.\r\nOverview\r\nLummaC2 malware first appeared for sale on multiple Russian-language cybercriminal forums in 2022.\r\nThreat actors frequently use spearphishing hyperlinks and attachments to deploy LummaC2 malware payloads\r\n[T1566.001, T1566.002]. Additionally, threat actors rely on unsuspecting users to execute the payload by\r\nclicking a fake Completely Automated Public Turing Test to tell Computers and Humans Apart (CAPTCHA). 
The\r\nCAPTCHA contains instructions for users to then open the Windows Run window (Windows Button + R) and\r\npaste clipboard contents (“CTRL + V”). After users press “enter,” a subsequent Base64-encoded PowerShell\r\nprocess is executed.\r\nTo obfuscate their operations, threat actors have embedded and distributed LummaC2 malware within spoofed or\r\nfake popular software (e.g., multimedia player or utility software) [T1036]. The malware’s obfuscation methods\r\nallow LummaC2 actors to bypass standard cybersecurity measures, such as Endpoint Detection and Response\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa25-141b\r\nPage 1 of 14\n\n(EDR) solutions or antivirus programs, designed to flag common phishing attempts or drive-by downloads\r\n[T1027].\r\nOnce a victim’s computer system is infected, the malware can exfiltrate sensitive user information, including\r\npersonally identifiable information, financial credentials, cryptocurrency wallets, browser extensions, and\r\nmultifactor authentication (MFA) details without immediate detection [TA0010, T1119]. Private sector\r\nstatistics indicate there were more than 21,000 market listings selling LummaC2 logs on multiple cybercriminal\r\nforums from April through June of 2024, a 71.7 percent increase from April through June of 2023.\r\nFile Execution\r\nUpon execution, the LummaC2.exe file will enter its main routine, which includes four sub-routines (see Figure\r\n1).\r\nFigure 1. LummaC2 Main Routine\r\nThe first routine decrypts strings for a message box that is displayed to the user (see Figure 2).\r\nFigure 2. Message Box\r\nIf the user selects No, the malware will exit. If the user selects Yes, the malware will move on to its next\r\nroutine, which decrypts its callback Command and Control (C2) domains [T1140]. 
A list of observed domains is\r\nincluded in the Indicators of Compromise section.\r\nAfter each domain is decoded, the implant will attempt a POST request [T1071.001] (see Figure 3).\r\nFigure 3. POST Request\r\nIf the POST request is successful, a pointer to the decoded domain string is saved in a global variable for later use\r\nin the main C2 routine used to retrieve JSON-formatted commands (see Figure 4).\r\nFigure 4. Code Saving Successful Callback Request\r\nOnce a valid C2 domain is contacted and saved, the malware moves on to the next routine, which queries the\r\nuser’s name and computer name utilizing the Application Programming Interfaces (APIs) GetUserNameW and\r\nGetComputerNameW respectively [T1012]. The returned data is then hashed and compared against a hard-coded\r\nhash value (see Figure 5).\r\nFigure 5. User and Computer Name Check\r\nThe hashing routine was not identified as a standard algorithm; however, it is a simple routine that converts a\r\nUnicode string to a 32-bit hexadecimal value.\r\nIf the username hash is equal to the value 0x56CF7626, then the computer name is queried. If the computer name\r\nqueried is seven characters long, then the name is hashed and checked against the hard-coded value of\r\n0xB09406C7. If both values match, a final subroutine will be called with a static value of the computer name hash\r\nas an argument. If this routine is reached, the process will terminate. This is most likely a failsafe to prevent the\r\nmalware from running on the attacker’s system, as its algorithms are one-way only and will not reveal information\r\non the details of the attacker’s own hostname and username.\r\nIf the username and hostname check function returns zero (does not match the hard-coded values), the malware\r\nwill enter its main callback routine. 
The LummaC2 malware will contact the saved hostname from the previous\r\ncheck and send the following POST request (see Figure 6).\r\nFigure 6. Second POST Request\r\nThe data returned from the C2 server is encrypted. Once decoded, the C2 data is in a JSON format and is parsed\r\nby the LummaC2 malware. The malware uses the JSON configuration to build its browser extension and target lists\r\nfrom the ex key, which contains an array of objects (see Figure 7).\r\nFigure 7. Parsing of ex JSON Value\r\nThe c key contains an array of objects, which gives the implant its C2 instructions (see Figure 8).\r\nFigure 8. Parsing of c JSON Value\r\nC2 Instructions\r\nEach array object that contains the JSON key t will be evaluated as a command opcode, resulting in the\r\nC2 instructions in the subsections below.\r\n1. Opcode 0 – Steal Data Generic\r\nThis command allows five fields to be defined when stealing data, offering the most flexibility. The Opcode 0\r\ncommand option allows LummaC2 affiliates to add their custom information gathering details (see Table 1).\r\nTable 1. Opcode 0 Options\r\nKey Value\r\np Path to steal from\r\nm File extensions to read\r\nz Output directory to store stolen data\r\nd Depth of recursion\r\nfs Maximum file size\r\n2. Opcode 1 – Steal Browser Data\r\nThis command only allows for two options: a path and the name of the output directory. This command, based on\r\nsample configuration downloads, is used for browser data theft for everything except Mozilla [T1217] (see\r\nTable 2).\r\nTable 2. Opcode 1 Options\r\nKey Value\r\np Path to steal from\r\nz Name of Browser – Output\r\n3. Opcode 2 – Steal Browser Data (Mozilla)\r\nThis command is identical to Opcode 1; however, this option seems to be utilized solely for Mozilla browser\r\ndata (see Table 3).\r\nTable 3. 
Opcode 2 Options\r\nKey Value\r\np Path to steal from\r\nz Name of Browser – Output\r\n4. Opcode 3 – Download a File\r\nThis command contains three options: a URL, file extension, and execution type. The configuration can specify a\r\nremote file with u to download and create the extension specified in the ft key [T1105] (see Table 4).\r\nTable 4. Opcode 3 Options\r\nKey Value\r\nu URL for Download\r\nft File Extension\r\ne Execution Type\r\nThe e value can take two values: 0 or 1. This specifies how to execute the downloaded file, either with the\r\nLoadLibrary API or via the command line with rundll32.exe [T1106] (see Table 5).\r\nTable 5. Execution Types\r\nKey Value\r\ne=0 Execute with LoadLibraryW()\r\ne=1 Execute with rundll32.exe\r\n5. Take Screenshot\r\nIf the configuration JSON file has a key of “se” and its value is “true,” the malware will take a screenshot in\r\nBMP format and upload it to the C2 server.\r\n6. Delete Self\r\nIf the configuration JSON file has a key of “ad” and its value is “true,” the malware will enter a routine to\r\ndelete itself.\r\nThe command shown in Figure 9 will be decoded and executed for self-deletion.\r\nFigure 9. Self-Deletion Command Line\r\nFigure 10 depicts the above command line during execution.\r\nFigure 10. Decoded Command Line in Memory\r\nHost Modifications\r\nWithout any C2 interactions, the LummaC2 malware does not create any files on the infected drive. It simply runs\r\nin memory, gathers system information, and exfiltrates it to the C2 server [T1082]. 
The commands returned\r\nfrom the C2 server could indicate that it drops additional files and/or saves data to files on the local hard drive.\r\nThis is variable, as these commands come from the C2 server and are mutable.\r\nDecrypted Strings\r\nBelow is a list of hard-coded decrypted strings located in the binary (see Figure 11).\r\nFigure 11. Decoded Strings\r\nIndicators of Compromise\r\nSee Table 6 and Table 7 for LummaC2 IOCs obtained by the FBI and trusted third parties.\r\nDisclaimer: The authoring agencies recommend organizations investigate and vet these indicators of compromise\r\nprior to taking action, such as blocking.\r\nTable 6. LummaC2 Executable Hashes\r\nExecutables Type\r\n4AFDC05708B8B39C82E60ABE3ACE55DB (LummaC2.exe from November 2023) MD5\r\nE05DF8EE759E2C955ACC8D8A47A08F42 (LummaC2.exe from November 2023) MD5\r\nC7610AE28655D6C1BCE88B5D09624FEF MD5\r\n1239288A5876C09D9F0A67BCFD645735168A7C80 (LummaC2.exe from November 2023) SHA1\r\nB66DA4280C6D72ADCC68330F6BD793DF56A853CB (LummaC2.exe from November 2023) SHA1\r\n3B267FA5E1D1B18411C22E97B367258986E871E5 TLSH\r\n19CC41A0A056E503CC2137E19E952814FBDF14F8D83F799AEA9B96ABFF11EFBB (November 2023) SHA256\r\n2F31D00FEEFE181F2D8B69033B382462FF19C35367753E6906ED80F815A7924F (LummaC2.exe from November 2023) SHA256\r\n4D74F8E12FF69318BE5EB383B4E56178817E84E83D3607213160276A7328AB5D SHA256\r\n325daeb781f3416a383343820064c8e98f2e31753cd71d76a886fe0dbb4fe59a SHA256\r\n76e4962b8ccd2e6fd6972d9c3264ccb6738ddb16066588dfcb223222aaa88f3c SHA256\r\n7a35008a1a1ae3d093703c3a34a21993409af42eb61161aad1b6ae4afa8bbb70 SHA256\r\na9e9d7770ff948bb65c0db24431f75dd934a803181afa22b6b014fac9a162dab SHA256\r\nb287c0bc239b434b90eef01bcbd00ff48192b7cbeb540e568b8cdcdc26f90959 
SHA256\r\nca47c8710c4ffb4908a42bd986b14cddcca39e30bb0b11ed5ca16fe8922a468b SHA256\r\nTable 7. LummaC2 DLL Binaries\r\nDLL Binaries Type\r\niphlpapi.dll IP Helper API\r\nwinhttp.dll Windows HTTP Services\r\nThe following are domains observed deploying LummaC2 malware.\r\nDisclaimer: The domains below are historical in nature and may not currently be malicious.\r\nPinkipinevazzey[.]pw\r\nFragnantbui[.]shop\r\nMedicinebuckerrysa[.]pw\r\nMusicallyageop[.]pw\r\nstogeneratmns[.]shop\r\nwallkedsleeoi[.]shop\r\nTirechinecarpet[.]pw\r\nreinforcenh[.]shop\r\nreliabledmwqj[.]shop\r\nMusclefarelongea[.]pw\r\nForbidstow[.]site\r\ngutterydhowi[.]shop\r\nFanlumpactiras[.]pw\r\nComputeryrati[.]site\r\nContemteny[.]site\r\nOwnerbuffersuperw[.]pw\r\nSeallysl[.]site\r\nDilemmadu[.]site\r\nFreckletropsao[.]pw\r\nOpposezmny[.]site\r\nFaulteyotk[.]site\r\nHemispheredodnkkl[.]pw\r\nGoalyfeastz[.]site\r\nAuthorizev[.]site\r\nghostreedmnu[.]shop\r\nServicedny[.]site\r\nblast-hubs[.]com\r\noffensivedzvju[.]shop\r\nfriendseforever[.]help\r\nblastikcn[.]com\r\nvozmeatillu[.]shop\r\nshiningrstars[.]help\r\npenetratebatt[.]pw\r\ndrawzhotdog[.]shop\r\nmercharena[.]biz\r\npasteflawwed[.]world\r\ngeneralmills[.]pro\r\ncitywand[.]live\r\nhoyoverse[.]blog\r\nnestlecompany[.]pro\r\nesccapewz[.]run\r\ndsfljsdfjewf[.]info\r\nnaturewsounds[.]help\r\ntravewlio[.]shop\r\ndecreaserid[.]world\r\nstormlegue[.]com\r\ntouvrlane[.]bet\r\ngovernoagoal[.]pw\r\npaleboreei[.]biz\r\ncalmingtefxtures[.]run\r\nforesctwhispers[.]top\r\ntracnquilforest[.]life\r\nsighbtseeing[.]shop\r\nadvennture[.]top\r\ncollapimga[.]fun\r\nholidamyup[.]today\r\npepperiop[.]digital\r\nseizedsentec[.]online\r\ntriplooqp[.]world\r\neasyfwdr[.]digital\r\nstrawpeasaen[.]fun\r\nxayfarer[.]live\r\njrxsafer[.]top\r\nquietswtreams[.]life\r\noreheatq[.]live\r\nplantainklj[.]run\r\nstarrynsightsky[.]icu\r\ncastmaxw[.]run\r\npuerrogfh[.]live\r\nearthsymphzony[.]today\r\nweldorae[.]digital\r\nquavabvc[.]top\r\ncitydisco[.]bet\r\nsteelixr[.]live\r\nfurthert[.]run\r\nfeatureccus[.]shop\r\nsmeltingt[.]run\r\ntargett[.]top\r\nmrodularmall[.]top\r\nferromny[.]digital\r\nywmedici[.]top\r\njowinjoinery[.]icu\r\nrodformi[.]run\r\nlegenassedk[.]top\r\nhtardwarehu[.]icu\r\nmetalsyo[.]digital\r\nironloxp[.]live\r\ncjlaspcorne[.]icu\r\nnavstarx[.]shop\r\nbugildbett[.]top\r\nlatchclan[.]shop\r\nspacedbv[.]world\r\nstarcloc[.]bet\r\nrambutanvcx[.]run\r\ngalxnetb[.]today\r\npomelohgj[.]top\r\nscenarisacri[.]top\r\njawdedmirror[.]run\r\nchangeaie[.]top\r\nlonfgshadow[.]live\r\nliftally[.]top\r\nnighetwhisper[.]top\r\nsalaccgfa[.]top\r\nzestmodp[.]top\r\nowlflright[.]digital\r\nclarmodq[.]top\r\npiratetwrath[.]run\r\nhemispherexz[.]top\r\nquilltayle[.]live\r\nequatorf[.]run\r\nlatitudert[.]live\r\nlongitudde[.]digital\r\nclimatologfy[.]top\r\nstarofliught[.]top\r\nMITRE ATT\u0026CK Tactics and Techniques\r\nSee Table 8 through Table 13 for all referenced threat actor tactics and techniques in this advisory. For assistance\r\nwith mapping malicious cyber activity to the MITRE ATT\u0026CK framework, see CISA and MITRE ATT\u0026CK’s\r\nBest Practices for MITRE ATT\u0026CK Mapping and CISA’s Decider Tool.\r\nTable 8. Initial Access\r\nTechnique Title | ID | Use\r\nPhishing | T1566 | Threat actors delivered LummaC2 malware through phishing emails.\r\nPhishing: Spearphishing Attachment | T1566.001 | Threat actors used spearphishing attachments to deploy LummaC2 malware payloads.\r\nPhishing: Spearphishing Link | T1566.002 | Threat actors used spearphishing hyperlinks to deploy LummaC2 malware payloads.\r\nTable 9. 
Defense Evasion\r\nTechnique Title | ID | Use\r\nObfuscated Files or Information | T1027 | Threat actors obfuscated the malware to bypass standard cybersecurity measures designed to flag common phishing attempts or drive-by downloads.\r\nMasquerading | T1036 | Threat actors delivered LummaC2 malware via spoofed software.\r\nDeobfuscate/Decode Files or Information | T1140 | Threat actors used LummaC2 malware to decrypt its callback C2 domains.\r\nTable 10. Discovery\r\nTechnique Title | ID | Use\r\nQuery Registry | T1012 | Threat actors used LummaC2 malware to query the user’s name and computer name utilizing the APIs GetUserNameW and GetComputerNameW.\r\nBrowser Information Discovery | T1217 | Threat actors used LummaC2 malware to steal browser data.\r\nTable 11. Collection\r\nTechnique Title | ID | Use\r\nAutomated Collection | T1119 | LummaC2 malware has automated collection of various information including cryptocurrency wallet details.\r\nTable 12. Command and Control\r\nTechnique Title | ID | Use\r\nApplication Layer Protocol: Web Protocols | T1071.001 | Threat actors used LummaC2 malware to attempt POST requests.\r\nIngress Tool Transfer | T1105 | Threat actors used LummaC2 malware to transfer a remote file to compromised systems.\r\nTable 13. Exfiltration\r\nTechnique Title | ID | Use\r\nExfiltration | TA0010 | Threat actors used LummaC2 malware to exfiltrate sensitive user information, including traditional credentials, cryptocurrency wallets, browser extensions, and MFA details without immediate detection.\r\nNative API | T1106 | Threat actors used LummaC2 malware to download files with native OS APIs.\r\nMitigations\r\nThe FBI and CISA recommend organizations implement the mitigations below to reduce the risk of compromise\r\nby LummaC2 malware. 
These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs)\r\ndeveloped by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a\r\nminimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and\r\nNIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and\r\nimpactful threats, tactics, techniques, and procedures. Visit CISA’s CPGs webpage for more information on the\r\nCPGs, including additional recommended baseline protections. These mitigations apply to all critical\r\ninfrastructure organizations.\r\nSeparate User and Privileged Accounts: Allow only necessary users and applications access to the\r\nregistry [CPG 2.E].\r\nMonitor and detect suspicious behavior during exploitation [CPG 3.A].\r\nMonitor and detect suspicious behavior, creation and termination events, and unusual and\r\nunexpected processes running.\r\nMonitor API calls that may attempt to retrieve system information.\r\nAnalyze behavior patterns from process activities to identify anomalies.\r\nFor more information, visit CISA’s guidance on: Enhanced Visibility and Hardening Guidance for\r\nCommunications Infrastructure.\r\nImplement application controls to manage and control execution of software, including allowlisting\r\nremote access programs. Application controls should prevent installation and execution of portable\r\nversions of unauthorized remote access and other software. A properly configured application allowlisting\r\nsolution will block any unlisted application execution. 
Allowlisting is important because antivirus solutions\r\nmay fail to detect the execution of malicious portable executables when the files use any combination of\r\ncompression, encryption, or obfuscation.\r\nProtect against threat actor phishing campaigns by implementing CISA’s Phishing Guidance\r\nand phishing-resistant multifactor authentication [CPG 2.H].\r\nLog Collection: Regularly monitoring and reviewing registry changes and access logs can support\r\ndetection of LummaC2 malware [CPG 2.T].\r\nImplement authentication, authorization, and accounting (AAA) systems [M1018] to limit actions\r\nusers can perform and review logs of user actions to detect unauthorized use and abuse. Apply principles of\r\nleast privilege to user accounts and groups, allowing only the performance of authorized actions.\r\nAudit user accounts and revoke credentials for departing employees, removing those that are inactive\r\nor unnecessary on a routine basis [CPG 2.D]. Limit the ability for user accounts to create additional\r\naccounts.\r\nKeep systems up to date with regular updates, patches, hot fixes, and service packs that may minimize\r\nvulnerabilities. Learn more by visiting CISA’s webpage: Secure our World Update Software.\r\nSecure network devices to restrict command line access.\r\nLearn more about defending against the malicious use of remote access software by visiting\r\nCISA’s Guide to Securing Remote Access Software.\r\nUse segmentation to prevent access to sensitive systems and information, possibly with the use of\r\nDemilitarized Zone (DMZ) or virtual private cloud (VPC) instances to isolate systems [CPG 2.F].\r\nMonitor and detect API usage, looking for unusual or malicious behavior.\r\nValidate Security Controls\r\nIn addition to applying mitigations, the FBI and CISA recommend exercising, testing, and validating your\r\norganization’s security program against threat behaviors mapped to the MITRE ATT\u0026CK Matrix for Enterprise\r\nframework in this advisory. 
The FBI and CISA recommend testing your existing security controls inventory to\r\nassess performance against the ATT\u0026CK techniques described in this advisory.\r\nTo get started:\r\n1. Select an ATT\u0026CK technique described in this advisory (see Table 8 through Table 13).\r\n2. Align your security technologies against the technique.\r\n3. Test your technologies against the technique.\r\n4. Analyze your detection and prevention technologies’ performance.\r\n5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.\r\n6. Tune your security program, including people, processes, and technologies, based on the data generated by\r\nthis process.\r\nThe FBI and CISA recommend continually testing your security program, at scale, in a production environment to\r\nensure optimal performance against the MITRE ATT\u0026CK techniques identified in this advisory.\r\nReporting\r\nYour organization has no obligation to respond or provide information to the FBI in response to this joint advisory.\r\nIf, after reviewing the information provided, your organization decides to provide information to the FBI,\r\nreporting must be consistent with applicable state and federal laws.\r\nThe FBI is interested in any information that can be shared, to include the status and scope of infection, estimated\r\nloss, date of infection, date detected, initial attack vector, and host- and network-based indicators.\r\nTo report information, please contact the FBI’s Internet Crime Complaint Center (IC3), your local FBI field office,\r\nor CISA’s 24/7 Operations Center at report@cisa.gov or (888) 282-0870.\r\nDisclaimer\r\nThe information in this report is being provided “as is” for informational purposes only. 
The FBI and CISA do not\r\nendorse any commercial entity, product, company, or service, including any entities, products, or services linked\r\nwithin this document. Any reference to specific commercial entities, products, processes, or services by service\r\nmark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favor\r\nby the FBI and CISA.\r\nAcknowledgements\r\nReliaQuest contributed to this advisory.\r\nVersion History\r\nMay 21, 2025: Initial version.\r\nSource: https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-141b",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-141b"
	],
	"report_names": [
		"aa25-141b"
	],
	"threat_actors": [],
	"ts_created_at": 1775434281,
	"ts_updated_at": 1775826740,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/63d348acfd75b3e2086e8db793223a977344bd9b.pdf",
		"text": "https://archive.orkl.eu/63d348acfd75b3e2086e8db793223a977344bd9b.txt",
		"img": "https://archive.orkl.eu/63d348acfd75b3e2086e8db793223a977344bd9b.jpg"
	}
}