Pretty stoked! I’ve been trying to see if I could find an unreported Lumma C2 domain since about August. At some point in August, I noticed ET Labs (https://x.com/ET_Labs) had been adding a BAJILLION Lumma Stealer domains. One of the things I’ve been trying to focus on over the past few months is figuring out how the pros find and monitor things. I’ve been trying out a lot of different monitoring queries. Up until now, all of them only returned C2 domains that were already reported by the Proofpoint Emerging Threats team.

This is just kind of a short one. When I get the time I’ll post another discussing the queries I’ve been using to monitor some Lumma activity.

Alohaz!

THE CONTENT, VIEWS, AND OPINIONS EXPRESSED IN THIS DOCUMENT ARE MY OWN AND DO NOT REFLECT THOSE OF MY EMPLOYER OR ANY AFFILIATED ORGANIZATIONS. ALL RESEARCH, ANALYSIS, AND WRITING ARE CONDUCTED ON MY PERSONAL TIME AND USING MY OWN PERSONALLY-ACQUIRED RESOURCES. ANY REFERENCES, TOOLS, OR SOFTWARE MENTIONED HERE ARE LIKEWISE USED INDEPENDENTLY AND ARE NOT ASSOCIATED WITH, ENDORSED, OR FUNDED BY MY EMPLOYER.

IOC:

joymagnutwy[.]cyou