Behind the Curtain: How Lumma Affiliates Operate

Insikt Group analyzed a sprawling Lumma infostealer affiliate ecosystem, finding that affiliates use multiple malware-as-a-service (MaaS) families (Lumma, Vidar, Stealc, Meduza) and a wide range of operational enablers, such as proxy/VPN services, anti-detect browsers, crypting/exploit services, and underground forums, to run parallel scams and monetize stolen data. The report includes new tooling (cracked EMAIL SOFTWARE 1.4.0.9, DONUSSEF) and IoCs (a Lumma sample hash, Ngioweb IPs, C2 panels), and recommends that defenders monitor for exfiltration, deploy YARA/Sigma/Snort detections, and track underground forums.

Key Points

  • Insikt Group uncovered previously unreported tools used by Lumma affiliates, including a cracked email credential validator (“EMAIL SOFTWARE 1.4.0.9 cracked by Maksim”) and a phishing page generator (“DONUSSEF”).
  • Lumma affiliates frequently operate multiple schemes and use multiple infostealers simultaneously (Lumma plus Vidar, Stealc, Meduza Stealer) to increase success and resilience to takedowns.
  • Affiliates rely extensively on privacy-enhancing services (proxies, VPNs, anti-detect browsers), exploit/crypting services (hector[.]su), and virtual phone/SMS services for OTP bypass and account creation.
  • Underground forums and carding shops (e.g., Russian Market, BriansClub, LolzTeam) provide marketplaces, technical support, and monetization channels, making affiliates deeply embedded in the cybercriminal ecosystem.
  • Insikt Group linked specific affiliates (e.g., blackowl23, suffergrime, worldmix10k) to campaigns, hosting providers, and botnet-linked IPs, and documented a real-estate rental scam leveraging stolen WG-Gesucht credentials.
  • Operational infrastructure includes both legitimate and clearly malicious services: proxy domains (piaproxy[.]com, ghostsocks[.]net), hosting (AnonRDP, Bulletproof Hosting, HostCay), and malware-scanning alternatives (KleenScan) favored by criminals.
  • Defensive recommendations: monitor for exfiltration, deploy detection rules (YARA/Sigma/Snort), restrict/allow-list downloads, train staff on malvertising and ClickFix signs, and continuously monitor underground forums and leaked logs.

MITRE Techniques

  • [T1583.001] Domains – Affiliates acquire and use domains (e.g., techmindzs[.]live, earthsymphzony[.]today) for C2 and phishing infrastructure: “…Lumma supplies core C2 infrastructure through its MaaS offering…”
  • [T1583.003] Virtual Private Server – Use of VPS/bulletproof hosting (AnonRDP, Bulletproof Hosting, HostCay) to host phishing pages, payloads, and resilient infrastructure: “…AnonRDP is a self-proclaimed bulletproof hosting provider specializing in anonymous VPS and RDP services…”
  • [T1583.004] Server – Deployment of separate hosting providers and legitimate file hosts (MEGA, temp[.]sh, imgbb) to serve payloads and phishing content: “…Lumma affiliates have also been observed leveraging numerous legitimate hosting providers and services, including the file hosting platform MEGA…”
  • [T1650] Acquire Access – Purchasing or leveraging services and forums to obtain access and resources (carding shops, forum escrow, initial access brokers) to monetize and expand operations: “…forum marketplaces connect Lumma affiliates to initial access brokers and financial fraud services…”
  • [T1588.002] Tool – Obtaining capabilities via third-party tooling (EMAIL SOFTWARE 1.4.0.9 cracked, DONUSSEF phishing generator, Hector crypting/exploit service) to validate credentials, build phishing pages, and create FUD payloads: “…@cryptexxx’s crypting service and exploit builder…outsources the difficult aspects of stealth and delivery.”
  • [T1586.002] Email Accounts – Compromising and using email accounts and credential lists for scams and validation (combo lists, validated WG-Gesucht credentials used in the rental scam): “…the affiliate possesses a large number of compromised WG-Gesucht credentials…likely stolen through the affiliate’s Lumma infections.”
  • [T1090.002] External Proxy – Use of external and residential proxy services (PIA Proxy, GhostSocks, ASocks, FACELESS) to mask origin and bypass cookie-based protections: “…Lumma began collaborating with the GhostSocks team…enabling affiliates to create SOCKS5 proxies from infected bots…improving their ability to bypass access controls such as Google’s cookie-based protections.”

Indicators of Compromise

  • [IP Addresses] Ngioweb botnet-linked IPs used by affiliate blackowl23 – 38[.]91[.]107[.]2, 162[.]210[.]192[.]136, and 15 other Ngioweb IPs listed in Appendix B.
  • [File Hash] Lumma sample – b8e02f2bc0ffb42e8cf28e37a26d8d825f639079bf6d948f8debab6440ee5630 (reported Lumma sample hash).
  • [Domain / URL] Meduza Stealer panel – hxxp://195[.]133[.]18[.]15/auth/login (panel used by an affiliate for Meduza Stealer).
  • [Domain / URL] Stealc panel – hxxp://94[.]232[.]249[.]208/6a6fe9d70500fe64/main.php (Stealc management panel observed linked to an affiliate).
  • [Email Addresses] Emails used in rental scam – immo-total[@]outlook[.]com, mwimport[@]outlook[.]de (addresses tied to blackowl23 rental fraud activity).

Read more: https://www.recordedfuture.com/research/behind-the-curtain-how-lumma-affiliates-operate