Lumma Stealer, Coming and Going

    Date: 05/15/2025

    Severity: High

    Summary

    Lumma Stealer, active since mid-2022, is a Russian-origin infostealer sold as Malware-as-a-Service through Telegram. It harvests credentials, browser session tokens, cryptocurrency wallets and other personal data from infected Windows devices. Delivery relies on social engineering: the more elaborate chains use fake CAPTCHA pages and trojanized software downloads, while simpler ones lure the victim to a malicious site and get them to open the downloaded file from Windows Explorer. The indicators and queries below are drawn from the Sophos analysis listed under Reference.

    Indicators of Compromise (IOC) List 

    Domains \ URLs :

    https://fixedzip.oss-ap-southeast-5.aliyuncs.com/new-artist.txt

    snail-r1ced.cyou

    https://FUGTGU76v1.b-cdn.net/nxt/ilt.txt

    https://FUGTGU76v1.b-cdn.net/iltst.zip

    https://fixedzip.oss-ap-southeast-5.aliyuncs.com/pioneer.txt

    https://fixedzip.oss-ap-southeast-5.aliyuncs.com/pioneer.zip

    https://fixedzip.oss-ap-southeast-5.aliyuncs.com/artist.zip

    https://evolytix.com/wp-includes/fonts/CewtlSPn.txt

    https://www.googleadservices.com/pagead/aclk?sa=L&ai=DChcSEwi9isbdsrCKAxV1LXsHHZq8M0wYABAAGgJ0bQ&ae=2&aspm=1&co=1&ase=5&gclid=EAIaIQobChMIvYrG3bKwigMVdS17Bx2avDNMEAAYASAAEgKomfD_BwE&ohost=www.google.com&cid=CAASJuRosMAh_pmnrKgHnRyE4Lfiv_5QusyXIVc1HY8a6Eo87L0RZ4Qh&sig=AOD64_3NyGNBHFXQ9B_h3-F3Fyp0oe4HrQ&q&adurl&ved=2ahUKEwj95L3dsrCKAxU_zDgGHdUBKfsQ0Qx6BAgOEAE&nis=7&dct=1&suid=30426012769&ri=26

    https://usermanualplatform.com/?gad_source=5&gclid=EAIaIQobChMIq7Dp5rKwigMVXaRmAh3uXySREAAYASAAEgLFUPD_BwE

    https://usermahnualplatform-14.site/MNL14/instruction_695-18014-012_rev.php

    https://klipdexypoi.shop/wassap.mp4

    peelyitemsn.click

    sordid-snaked.cyou

    immureprech.biz

    deafeninggeh.biz

    effecterectz.xyz

    diffuculttan.xyz

    debonairnukk.xyz

    wrathful-jammy.cyou

    awake-weaves.cyou

    IP Address : 

    104.21.84.251

    104.21.84.25

    156.59.126.78

    141.193.213.10

    Hash (SHA-1) :

    337424610694e00ebac66d36dd20e535c7a92164

    e298cd6c5fe7b9b05a28480fd215ddcbd7aaa48a

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains \ URLs :

    Bare domains are matched against domainname, url and siteurl; full URLs are matched against url and siteurl only, since a domain field never holds a scheme or path. Hostnames are case-insensitive and proxy and DNS logs normally record them in lower case, so the b-cdn.net indicators are written in lower case here. The googleadservices.com entry and the gclid-tagged usermanualplatform.com entry record the malvertising click path; their query parameters are unique per click, so they are unlikely to recur verbatim and serve retrospective hunting, while the bare domains and the hashes are the durable indicators.

    domainname like "snail-r1ced.cyou" or url like "snail-r1ced.cyou" or siteurl like "snail-r1ced.cyou" or
    domainname like "peelyitemsn.click" or url like "peelyitemsn.click" or siteurl like "peelyitemsn.click" or
    domainname like "sordid-snaked.cyou" or url like "sordid-snaked.cyou" or siteurl like "sordid-snaked.cyou" or
    domainname like "immureprech.biz" or url like "immureprech.biz" or siteurl like "immureprech.biz" or
    domainname like "deafeninggeh.biz" or url like "deafeninggeh.biz" or siteurl like "deafeninggeh.biz" or
    domainname like "effecterectz.xyz" or url like "effecterectz.xyz" or siteurl like "effecterectz.xyz" or
    domainname like "diffuculttan.xyz" or url like "diffuculttan.xyz" or siteurl like "diffuculttan.xyz" or
    domainname like "debonairnukk.xyz" or url like "debonairnukk.xyz" or siteurl like "debonairnukk.xyz" or
    domainname like "wrathful-jammy.cyou" or url like "wrathful-jammy.cyou" or siteurl like "wrathful-jammy.cyou" or
    domainname like "awake-weaves.cyou" or url like "awake-weaves.cyou" or siteurl like "awake-weaves.cyou" or
    url like "https://fixedzip.oss-ap-southeast-5.aliyuncs.com/new-artist.txt" or siteurl like "https://fixedzip.oss-ap-southeast-5.aliyuncs.com/new-artist.txt" or
    url like "https://fixedzip.oss-ap-southeast-5.aliyuncs.com/artist.zip" or siteurl like "https://fixedzip.oss-ap-southeast-5.aliyuncs.com/artist.zip" or
    url like "https://fixedzip.oss-ap-southeast-5.aliyuncs.com/pioneer.txt" or siteurl like "https://fixedzip.oss-ap-southeast-5.aliyuncs.com/pioneer.txt" or
    url like "https://fixedzip.oss-ap-southeast-5.aliyuncs.com/pioneer.zip" or siteurl like "https://fixedzip.oss-ap-southeast-5.aliyuncs.com/pioneer.zip" or
    url like "https://fugtgu76v1.b-cdn.net/nxt/ilt.txt" or siteurl like "https://fugtgu76v1.b-cdn.net/nxt/ilt.txt" or
    url like "https://fugtgu76v1.b-cdn.net/iltst.zip" or siteurl like "https://fugtgu76v1.b-cdn.net/iltst.zip" or
    url like "https://evolytix.com/wp-includes/fonts/CewtlSPn.txt" or siteurl like "https://evolytix.com/wp-includes/fonts/CewtlSPn.txt" or
    url like "https://usermahnualplatform-14.site/MNL14/instruction_695-18014-012_rev.php" or siteurl like "https://usermahnualplatform-14.site/MNL14/instruction_695-18014-012_rev.php" or
    url like "https://klipdexypoi.shop/wassap.mp4" or siteurl like "https://klipdexypoi.shop/wassap.mp4" or
    url like "https://usermanualplatform.com/?gad_source=5&gclid=EAIaIQobChMIq7Dp5rKwigMVXaRmAh3uXySREAAYASAAEgLFUPD_BwE" or siteurl like "https://usermanualplatform.com/?gad_source=5&gclid=EAIaIQobChMIq7Dp5rKwigMVXaRmAh3uXySREAAYASAAEgLFUPD_BwE" or
    url like "https://www.googleadservices.com/pagead/aclk?sa=L&ai=DChcSEwi9isbdsrCKAxV1LXsHHZq8M0wYABAAGgJ0bQ&ae=2&aspm=1&co=1&ase=5&gclid=EAIaIQobChMIvYrG3bKwigMVdS17Bx2avDNMEAAYASAAEgKomfD_BwE&ohost=www.google.com&cid=CAASJuRosMAh_pmnrKgHnRyE4Lfiv_5QusyXIVc1HY8a6Eo87L0RZ4Qh&sig=AOD64_3NyGNBHFXQ9B_h3-F3Fyp0oe4HrQ&q&adurl&ved=2ahUKEwj95L3dsrCKAxU_zDgGHdUBKfsQ0Qx6BAgOEAE&nis=7&dct=1&suid=30426012769&ri=26" or siteurl like "https://www.googleadservices.com/pagead/aclk?sa=L&ai=DChcSEwi9isbdsrCKAxV1LXsHHZq8M0wYABAAGgJ0bQ&ae=2&aspm=1&co=1&ase=5&gclid=EAIaIQobChMIvYrG3bKwigMVdS17Bx2avDNMEAAYASAAEgKomfD_BwE&ohost=www.google.com&cid=CAASJuRosMAh_pmnrKgHnRyE4Lfiv_5QusyXIVc1HY8a6Eo87L0RZ4Qh&sig=AOD64_3NyGNBHFXQ9B_h3-F3Fyp0oe4HrQ&q&adurl&ved=2ahUKEwj95L3dsrCKAxU_zDgGHdUBKfsQ0Qx6BAgOEAE&nis=7&dct=1&suid=30426012769&ri=26"

    IP Address :

    104.21.84.251 and 104.21.84.25 sit in 104.16.0.0/12, Cloudflare anycast space shared by a large number of unrelated sites, so a hit on an address alone is a pivot point rather than a verdict; correlate it with the domain or hash indicators before acting on it.

    dstipaddress IN ("104.21.84.251","104.21.84.25","156.59.126.78","141.193.213.10") or srcipaddress IN ("104.21.84.251","104.21.84.25","156.59.126.78","141.193.213.10")

    Hash (SHA-1) :

    sha1hash IN ("e298cd6c5fe7b9b05a28480fd215ddcbd7aaa48a","337424610694e00ebac66d36dd20e535c7a92164")
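    The queries above match each indicator as a literal against log fields. The script below, added here as an example (it is not Gurucul's TDIR logic and not code from the Sophos write-up), applies the same indicators to constructed sample events with the normalization a practitioner needs: hostnames compared case-insensitively and including subdomains, full-URL indicators matched on host plus path rather than on the host alone, the per-click Google Ads URL kept out of the host set, and hashes lower-cased before comparison. The indicator values are the ones on this page; the events, internal addresses, file paths and the non-indicator addresses (RFC 5737 documentation ranges) are constructed.

```python
"""Scan sample proxy and file events for the Lumma Stealer IOCs on this page.

Added example; not code from Gurucul, Sophos or the Lumma operators.
Indicator values come from the page; the sample events are constructed.
"""
from urllib.parse import urlsplit

# Hostnames from the IOC list that are specific to the campaign. Hosts of the
# full-URL indicators are included where the hostname itself is campaign
# specific (a named OSS bucket, a named b-cdn pull zone, the lure sites).
# gclid is a per-click Google Ads parameter, so for the usermanualplatform.com
# indicator the host is the durable part.
IOC_HOSTS = {
    "snail-r1ced.cyou", "peelyitemsn.click", "sordid-snaked.cyou",
    "immureprech.biz", "deafeninggeh.biz", "effecterectz.xyz",
    "diffuculttan.xyz", "debonairnukk.xyz", "wrathful-jammy.cyou",
    "awake-weaves.cyou", "usermahnualplatform-14.site", "klipdexypoi.shop",
    "fixedzip.oss-ap-southeast-5.aliyuncs.com", "fugtgu76v1.b-cdn.net",
    "usermanualplatform.com",
}
# Full-URL indicators where the host alone is not a useful signal: match on
# host + path. The googleadservices.com click URL is deliberately absent: its
# host is Google's ad redirector and its parameters are unique per click.
IOC_URL_PATHS = {
    ("evolytix.com", "/wp-includes/fonts/CewtlSPn.txt"),
}
IOC_IPS = {"104.21.84.251", "104.21.84.25", "156.59.126.78", "141.193.213.10"}
IOC_SHA1 = {
    "337424610694e00ebac66d36dd20e535c7a92164",
    "e298cd6c5fe7b9b05a28480fd215ddcbd7aaa48a",
}


def normalize_host(host):
    """Hostnames are case-insensitive: lower-case and drop a trailing dot."""
    return (host or "").rstrip(".").lower()


def host_hit(host):
    """Return the IOC host that `host` equals or is a subdomain of, else None."""
    h = normalize_host(host)
    for ioc in IOC_HOSTS:
        if h == ioc or h.endswith("." + ioc):
            return ioc
    return None


def url_hits(url):
    """Indicators triggered by one URL: a host match and/or a host+path match."""
    hits = []
    parts = urlsplit(url)
    host = normalize_host(parts.hostname)
    ioc = host_hit(host)
    if ioc:
        hits.append("host:" + ioc)
    if (host, parts.path) in IOC_URL_PATHS:
        hits.append("url:" + host + parts.path)
    return hits


def event_hits(event):
    """All IOC matches for one event (a dict with optional url/dst/sha1 keys)."""
    hits = []
    if "url" in event:
        hits.extend(url_hits(event["url"]))
    if event.get("dst") in IOC_IPS:
        hits.append("ip:" + event["dst"])
    sha1 = event.get("sha1", "").lower()          # hashes may be logged upper-case
    if sha1 in IOC_SHA1:
        hits.append("sha1:" + sha1)
    return hits


def scan(events):
    """Return {event index: [hits]} for every event with at least one hit."""
    return {i: h for i, e in enumerate(events) if (h := event_hits(e))}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2025-05-12T09:14:02Z", "src": "10.0.0.5", "dst": "104.21.84.251",
     "url": "https://SNAIL-R1CED.cyou/api"},                        # host case differs from the IOC
    {"ts": "2025-05-12T09:14:09Z", "src": "10.0.0.7", "dst": "203.0.113.10",
     "url": "https://www.googleadservices.com/pagead/aclk?sa=L&gclid=unrelated"},  # ordinary ad click
    {"ts": "2025-05-12T09:15:30Z", "src": "10.0.0.9", "dst": "198.51.100.8",
     "url": "https://evolytix.com/wp-includes/fonts/CewtlSPn.txt"},  # staged payload path
    {"ts": "2025-05-12T09:15:31Z", "src": "10.0.0.9", "dst": "198.51.100.8",
     "url": "https://evolytix.com/"},                                 # same host, other path
    {"ts": "2025-05-12T09:16:00Z", "src": "10.0.0.5", "dst": "203.0.113.22",
     "url": "https://api.sordid-snaked.cyou/c2"},                     # subdomain of an IOC domain
    {"ts": "2025-05-12T09:16:45Z", "host": "WS-0005",
     "file": "C:\\Users\\a\\Downloads\\pioneer.zip",
     "sha1": "E298CD6C5FE7B9B05A28480FD215DDCBD7AAA48A"},            # upper-case hash
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        ev = SAMPLE_EVENTS[idx]
        print(idx, ev.get("src", ev.get("host")), hits)
```

    Events 0, 2, 4 and 5 fire; the ad click (event 1) and the root of evolytix.com (event 3) do not, which is the behaviour a host-only or substring match would get wrong in one direction or the other.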

    Reference:    

    https://news.sophos.com/en-us/2025/05/09/lumma-stealer-coming-and-going/


    Tags

    Malware, Lumma Stealer, Russia, Infostealer, MaaS
