Lumma Stealer, sold under a malware-as-a-service (MaaS) model, has been used in numerous attacks across multiple countries since 2022. A recent analysis by Netskope Threat Labs uncovered a new campaign that distributes the malware through fake CAPTCHAs and identified 34 indicators of compromise (IoCs). Follow-up DNS and WHOIS investigation expanded that IoC list significantly.
Affected: Argentina, Colombia, U.S., Philippines; various sectors
Key points:
- Lumma Stealer utilizes a malware-as-a-service (MaaS) model.
- Various campaigns have targeted victims in multiple countries since 2022.
- Recent research identified a campaign using fake CAPTCHAs for distribution.
- Netskope found 34 initial IoCs, which included 27 domains and 7 subdomains.
- Further analysis by WhoisXML detected 25 IP addresses linked to the campaign, with 23 deemed malicious.
- 228 string-connected domains were analyzed, with 18 flagged as malicious.
- 477 string-connected subdomains revealed two with previous involvement in malicious activities.
- Domains registered with Namecheap were mostly based in Iceland.
- Most identified domains were created between 2024 and 2025.
- 12 of the domains resolved to 25 unique IP addresses upon analysis.
MITRE Techniques:
- Credential Dumping (T1003): The Lumma Stealer collects stored credentials from web browsers and applications.
- Data Encrypted for Impact (T1486): The malware encodes data for its delivery, increasing difficulty in detection.
- Command and Control (C2) (T1071): Utilizes communication protocols to transmit stolen information to the attackers.
- Exploitation of Remote Services (T1210): Makes use of public web services for deployment and execution.
- Spear Phishing Attachment (T1566.001): Fake CAPTCHAs used to lure victims into downloading the malware.
Indicators of Compromise:
- [Domain] royaltyfree[.]pics
- [Domain] bestinthemarket[.]com
- [Domain] dokedok[.]shop
- [Domain] gustavu[.]shop
- [Domain] luxeorbit[.]shop
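A defender would want to sweep DNS query logs for the listed domains and, since the campaign also used subdomains, for anything beneath them. The following is an added example (not code from the article, Netskope or WhoisXML) that refangs the defanged indicators above and matches them against constructed dnsmasq-style query lines; the log format is an assumption.

```python
import re

# Defanged domain IoCs as listed on the page.
DEFANGED_IOCS = [
    "royaltyfree[.]pics",
    "bestinthemarket[.]com",
    "dokedok[.]shop",
    "gustavu[.]shop",
    "luxeorbit[.]shop",
]

# Assumed dnsmasq-style query line: "... query[A] <name> from <client>".
QUERY_RE = re.compile(r"query\[(?P<rtype>[A-Z]+)\] (?P<qname>\S+) from (?P<client>\S+)")


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxp://...') back into a matchable domain."""
    d = indicator.strip().lower()
    d = d.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    d = re.sub(r"^hxxps?://", "", d)
    return d.rstrip(".")


def domain_matches(qname: str, ioc: str) -> bool:
    """True if qname equals the IoC or is a subdomain of it; 'notexample.com' must not match 'example.com'."""
    q = qname.lower().rstrip(".")
    return q == ioc or q.endswith("." + ioc)


def scan_dns_log(lines, iocs=DEFANGED_IOCS):
    """Return (client, queried name, matched IoC) for every query that hits an indicator."""
    refanged = [refang(i) for i in iocs]
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # replies and other non-query lines are skipped
        for ioc in refanged:
            if domain_matches(m.group("qname"), ioc):
                hits.append((m.group("client"), m.group("qname"), ioc))
                break
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "Jan 10 10:00:01 dnsmasq[1]: query[A] www.example.com from 10.0.0.5",
    "Jan 10 10:00:02 dnsmasq[1]: query[A] cdn.luxeorbit.shop from 10.0.0.7",
    "Jan 10 10:00:03 dnsmasq[1]: query[A] notroyaltyfree.pics from 10.0.0.8",
    "Jan 10 10:00:04 dnsmasq[1]: query[AAAA] dokedok.shop. from 10.0.0.9",
    "Jan 10 10:00:05 dnsmasq[1]: reply www.example.com is 93.184.216.34",
]
```

Running `scan_dns_log(SAMPLE_LOG)` flags only the subdomain query from 10.0.0.7 and the trailing-dot query from 10.0.0.9; the look-alike `notroyaltyfree.pics` is correctly ignored.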
Full Story: https://circleid.com/posts/illuminating-lumma-stealer-dns-facts-and-findings