Threat Actors Deploy LummaC2 Malware to Exfiltrate Sensitive Data from Organizations

    Date: 05/23/2025

    Severity: Critical

    Summary

    LummaC2 is an information-stealing malware (infostealer) that the CISA advisory referenced below reports targeting U.S. critical infrastructure sectors, with activity observed from November 2023 through May 2025. It is delivered primarily through spearphishing emails and fake CAPTCHA pages that instruct the user to copy and run a PowerShell command, and it is also distributed embedded in spoofed copies of legitimate software. First advertised on Russian-speaking cybercrime forums in 2022, LummaC2 relies on code obfuscation to evade antivirus and EDR detection before harvesting and exfiltrating sensitive data from the infected host.

    Indicators of Compromise (IOC) List 

    Domains/URLs (lowercased; DNS names are case-insensitive):

    pinkipinevazzey.pw
    fragnantbui.shop
    medicinebuckerrysa.pw
    musicallyageop.pw
    stogeneratmns.shop
    wallkedsleeoi.shop
    tirechinecarpet.pw
    reinforcenh.shop
    reliabledmwqj.shop
    musclefarelongea.pw
    forbidstow.site
    gutterydhowi.shop
    fanlumpactiras.pw
    computeryrati.site
    contemteny.site
    ownerbuffersuperw.pw
    seallysl.site
    dilemmadu.site
    freckletropsao.pw
    opposezmny.site
    faulteyotk.site
    hemispheredodnkkl.pw
    goalyfeastz.site
    authorizev.site
    ghostreedmnu.shop
    servicedny.site
    blast-hubs.com
    offensivedzvju.shop
    friendseforever.help
    blastikcn.com
    vozmeatillu.shop
    shiningrstars.help
    penetratebatt.pw
    drawzhotdog.shop
    mercharena.biz
    pasteflawwed.world
    generalmills.pro
    citywand.live
    hoyoverse.blog
    nestlecompany.pro
    esccapewz.run
    dsfljsdfjewf.info
    naturewsounds.help
    travewlio.shop
    decreaserid.world
    stormlegue.com
    touvrlane.bet
    governoagoal.pw
    paleboreei.biz
    calmingtefxtures.run
    foresctwhispers.top
    tracnquilforest.life
    sighbtseeing.shop
    advennture.top
    collapimga.fun
    holidamyup.today
    pepperiop.digital
    seizedsentec.online
    triplooqp.world
    easyfwdr.digital
    strawpeasaen.fun
    xayfarer.live
    jrxsafer.top
    quietswtreams.life
    oreheatq.live
    plantainklj.run
    starrynsightsky.icu
    castmaxw.run
    puerrogfh.live
    earthsymphzony.today
    weldorae.digital
    quavabvc.top
    citydisco.bet
    steelixr.live
    furthert.run
    featureccus.shop
    smeltingt.run
    targett.top
    mrodularmall.top
    ferromny.digital
    ywmedici.top
    jowinjoinery.icu
    rodformi.run
    legenassedk.top
    htardwarehu.icu
    metalsyo.digital
    ironloxp.live
    cjlaspcorne.icu
    navstarx.shop
    bugildbett.top
    latchclan.shop
    spacedbv.world
    starcloc.bet
    rambutanvcx.run
    galxnetb.today
    pomelohgj.top
    scenarisacri.top
    jawdedmirror.run
    changeaie.top
    lonfgshadow.live
    liftally.top
    nighetwhisper.top
    salaccgfa.top
    zestmodp.top
    owlflright.digital
    clarmodq.top
    piratetwrath.run
    hemispherexz.top
    quilltayle.live
    equatorf.run
    latitudert.live
    longitudde.digital
    climatologfy.top
    starofliught.top

    Hashes (lowercase hex, grouped by algorithm):

    MD5:
    4afdc05708b8b39c82e60abe3ace55db
    e05df8ee759e2c955acc8d8a47a08f42
    c7610ae28655d6c1bce88b5d09624fef

    SHA1:
    1239288a5876c09d9f0a67bcfd645735168a7c80
    b66da4280c6d72adcc68330f6bd793df56a853cb
    3b267fa5e1d1b18411c22e97b367258986e871e5

    SHA256:
    19cc41a0a056e503cc2137e19e952814fbdf14f8d83f799aea9b96abff11efbb
    2f31d00feefe181f2d8b69033b382462ff19c35367753e6906ed80f815a7924f
    4d74f8e12ff69318be5eb383b4e56178817e84e83d3607213160276a7328ab5d
    325daeb781f3416a383343820064c8e98f2e31753cd71d76a886fe0dbb4fe59a
    76e4962b8ccd2e6fd6972d9c3264ccb6738ddb16066588dfcb223222aaa88f3c
    7a35008a1a1ae3d093703c3a34a21993409af42eb61161aad1b6ae4afa8bbb70
    a9e9d7770ff948bb65c0db24431f75dd934a803181afa22b6b014fac9a162dab
    b287c0bc239b434b90eef01bcbd00ff48192b7cbeb540e568b8cdcdc26f90959
    ca47c8710c4ffb4908a42bd986b14cddcca39e30bb0b11ed5ca16fe8922a468b

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    The indicators in the queries below are written in lowercase (domains) and lowercase hex (hashes). If the platform stores the domainname, url, siteurl or hash fields in a different case, normalize the field or the query before matching; otherwise mixed-case indicators silently fail to match.

    Domains/URLs 1: 

    domainname like "vozmeatillu.shop" or url like "vozmeatillu.shop" or siteurl like "vozmeatillu.shop" or domainname like "citywand.live" or url like "citywand.live" or siteurl like "citywand.live" or domainname like "hoyoverse.blog" or url like "hoyoverse.blog" or siteurl like "hoyoverse.blog" or domainname like "clarmodq.top" or url like "clarmodq.top" or siteurl like "clarmodq.top" or domainname like "offensivedzvju.shop" or url like "offensivedzvju.shop" or siteurl like "offensivedzvju.shop" or domainname like "rodformi.run" or url like "rodformi.run" or siteurl like "rodformi.run" or domainname like "reinforcenh.shop" or url like "reinforcenh.shop" or siteurl like "reinforcenh.shop" or domainname like "starcloc.bet" or url like "starcloc.bet" or siteurl like "starcloc.bet" or domainname like "citydisco.bet" or url like "citydisco.bet" or siteurl like "citydisco.bet" or domainname like "musicallyageop.pw" or url like "musicallyageop.pw" or siteurl like "musicallyageop.pw" or domainname like "strawpeasaen.fun" or url like "strawpeasaen.fun" or siteurl like "strawpeasaen.fun" or domainname like "liftally.top" or url like "liftally.top" or siteurl like "liftally.top" or domainname like "latitudert.live" or url like "latitudert.live" or siteurl like "latitudert.live" or domainname like "targett.top" or url like "targett.top" or siteurl like "targett.top" or domainname like "galxnetb.today" or url like "galxnetb.today" or siteurl like "galxnetb.today" or domainname like "faulteyotk.site" or url like "faulteyotk.site" or siteurl like "faulteyotk.site" or domainname like "starrynsightsky.icu" or url like "starrynsightsky.icu" or siteurl like "starrynsightsky.icu" or domainname like "cjlaspcorne.icu" or url like "cjlaspcorne.icu" or siteurl like "cjlaspcorne.icu" or domainname like "oreheatq.live" or url like "oreheatq.live" or siteurl like "oreheatq.live" or domainname like "changeaie.top" or url like "changeaie.top" or siteurl like "changeaie.top" or domainname like "piratetwrath.run" or url like "piratetwrath.run" or siteurl like "piratetwrath.run" or domainname like "generalmills.pro" or url like "generalmills.pro" or siteurl like "generalmills.pro" or domainname like "navstarx.shop" or url like "navstarx.shop" or siteurl like "navstarx.shop" or domainname like "naturewsounds.help" or url like "naturewsounds.help" or siteurl like "naturewsounds.help" or domainname like "reliabledmwqj.shop" or url like "reliabledmwqj.shop" or siteurl like "reliabledmwqj.shop" or domainname like "quavabvc.top" or url like "quavabvc.top" or siteurl like "quavabvc.top" or domainname like "mrodularmall.top" or url like "mrodularmall.top" or siteurl like "mrodularmall.top" or domainname like "calmingtefxtures.run" or url like "calmingtefxtures.run" or siteurl like "calmingtefxtures.run" or domainname like "paleboreei.biz" or url like "paleboreei.biz" or siteurl like "paleboreei.biz" or domainname like "opposezmny.site" or url like "opposezmny.site" or siteurl like "opposezmny.site" or domainname like "lonfgshadow.live" or url like "lonfgshadow.live" or siteurl like "lonfgshadow.live" or domainname like "servicedny.site" or url like "servicedny.site" or siteurl like "servicedny.site" or domainname like "triplooqp.world" or url like "triplooqp.world" or siteurl like "triplooqp.world" or domainname like "musclefarelongea.pw" or url like "musclefarelongea.pw" or siteurl like "musclefarelongea.pw" or domainname like "ironloxp.live" or url like "ironloxp.live" or siteurl like "ironloxp.live" or domainname like "earthsymphzony.today" or url like "earthsymphzony.today" or siteurl like "earthsymphzony.today" or domainname like "seallysl.site" or url like "seallysl.site" or siteurl like "seallysl.site" or domainname like "advennture.top" or url like "advennture.top" or siteurl like "advennture.top"

    Domains/URLs 2: 

    domainname like "smeltingt.run" or url like "smeltingt.run" or siteurl like "smeltingt.run" or domainname like "stogeneratmns.shop" or url like "stogeneratmns.shop" or siteurl like "stogeneratmns.shop" or domainname like "xayfarer.live" or url like "xayfarer.live" or siteurl like "xayfarer.live" or domainname like "featureccus.shop" or url like "featureccus.shop" or siteurl like "featureccus.shop" or domainname like "pomelohgj.top" or url like "pomelohgj.top" or siteurl like "pomelohgj.top" or domainname like "hemispheredodnkkl.pw" or url like "hemispheredodnkkl.pw" or siteurl like "hemispheredodnkkl.pw" or domainname like "governoagoal.pw" or url like "governoagoal.pw" or siteurl like "governoagoal.pw" or domainname like "sighbtseeing.shop" or url like "sighbtseeing.shop" or siteurl like "sighbtseeing.shop" or domainname like "jowinjoinery.icu" or url like "jowinjoinery.icu" or siteurl like "jowinjoinery.icu" or domainname like "contemteny.site" or url like "contemteny.site" or siteurl like "contemteny.site" or domainname like "bugildbett.top" or url like "bugildbett.top" or siteurl like "bugildbett.top" or domainname like "freckletropsao.pw" or url like "freckletropsao.pw" or siteurl like "freckletropsao.pw" or domainname like "ownerbuffersuperw.pw" or url like "ownerbuffersuperw.pw" or siteurl like "ownerbuffersuperw.pw" or domainname like "blast-hubs.com" or url like "blast-hubs.com" or siteurl like "blast-hubs.com" or domainname like "rambutanvcx.run" or url like "rambutanvcx.run" or siteurl like "rambutanvcx.run" or domainname like "plantainklj.run" or url like "plantainklj.run" or siteurl like "plantainklj.run" or domainname like "ywmedici.top" or url like "ywmedici.top" or siteurl like "ywmedici.top" or domainname like "shiningrstars.help" or url like "shiningrstars.help" or siteurl like "shiningrstars.help" or domainname like "quietswtreams.life" or url like "quietswtreams.life" or siteurl like "quietswtreams.life" or domainname like "climatologfy.top" or url like "climatologfy.top" or siteurl like "climatologfy.top" or domainname like "dsfljsdfjewf.info" or url like "dsfljsdfjewf.info" or siteurl like "dsfljsdfjewf.info" or domainname like "medicinebuckerrysa.pw" or url like "medicinebuckerrysa.pw" or siteurl like "medicinebuckerrysa.pw" or domainname like "ghostreedmnu.shop" or url like "ghostreedmnu.shop" or siteurl like "ghostreedmnu.shop" or domainname like "wallkedsleeoi.shop" or url like "wallkedsleeoi.shop" or siteurl like "wallkedsleeoi.shop" or domainname like "computeryrati.site" or url like "computeryrati.site" or siteurl like "computeryrati.site" or domainname like "penetratebatt.pw" or url like "penetratebatt.pw" or siteurl like "penetratebatt.pw" or domainname like "travewlio.shop" or url like "travewlio.shop" or siteurl like "travewlio.shop" or domainname like "collapimga.fun" or url like "collapimga.fun" or siteurl like "collapimga.fun" or domainname like "jawdedmirror.run" or url like "jawdedmirror.run" or siteurl like "jawdedmirror.run" or domainname like "pasteflawwed.world" or url like "pasteflawwed.world" or siteurl like "pasteflawwed.world" or domainname like "decreaserid.world" or url like "decreaserid.world" or siteurl like "decreaserid.world" or domainname like "zestmodp.top" or url like "zestmodp.top" or siteurl like "zestmodp.top" or domainname like "drawzhotdog.shop" or url like "drawzhotdog.shop" or siteurl like "drawzhotdog.shop" or domainname like "forbidstow.site" or url like "forbidstow.site" or siteurl like "forbidstow.site" or domainname like "holidamyup.today" or url like "holidamyup.today" or siteurl like "holidamyup.today" or domainname like "legenassedk.top" or url like "legenassedk.top" or siteurl like "legenassedk.top" or domainname like "foresctwhispers.top" or url like "foresctwhispers.top" or siteurl like "foresctwhispers.top" or domainname like "equatorf.run" or url like "equatorf.run" or siteurl like "equatorf.run"

    Domains/URLs 3 (also covers easyfwdr.digital, weldorae.digital, owlflright.digital and longitudde.digital from the IOC list, which the other two queries do not include): 

    domainname like "pinkipinevazzey.pw" or url like "pinkipinevazzey.pw" or siteurl like "pinkipinevazzey.pw" or domainname like "fragnantbui.shop" or url like "fragnantbui.shop" or siteurl like "fragnantbui.shop" or domainname like "tirechinecarpet.pw" or url like "tirechinecarpet.pw" or siteurl like "tirechinecarpet.pw" or domainname like "gutterydhowi.shop" or url like "gutterydhowi.shop" or siteurl like "gutterydhowi.shop" or domainname like "fanlumpactiras.pw" or url like "fanlumpactiras.pw" or siteurl like "fanlumpactiras.pw" or domainname like "dilemmadu.site" or url like "dilemmadu.site" or siteurl like "dilemmadu.site" or domainname like "goalyfeastz.site" or url like "goalyfeastz.site" or siteurl like "goalyfeastz.site" or domainname like "authorizev.site" or url like "authorizev.site" or siteurl like "authorizev.site" or domainname like "friendseforever.help" or url like "friendseforever.help" or siteurl like "friendseforever.help" or domainname like "blastikcn.com" or url like "blastikcn.com" or siteurl like "blastikcn.com" or domainname like "mercharena.biz" or url like "mercharena.biz" or siteurl like "mercharena.biz" or domainname like "nestlecompany.pro" or url like "nestlecompany.pro" or siteurl like "nestlecompany.pro" or domainname like "esccapewz.run" or url like "esccapewz.run" or siteurl like "esccapewz.run" or domainname like "stormlegue.com" or url like "stormlegue.com" or siteurl like "stormlegue.com" or domainname like "touvrlane.bet" or url like "touvrlane.bet" or siteurl like "touvrlane.bet" or domainname like "tracnquilforest.life" or url like "tracnquilforest.life" or siteurl like "tracnquilforest.life" or domainname like "pepperiop.digital" or url like "pepperiop.digital" or siteurl like "pepperiop.digital" or domainname like "seizedsentec.online" or url like "seizedsentec.online" or siteurl like "seizedsentec.online" or domainname like "jrxsafer.top" or url like "jrxsafer.top" or siteurl like "jrxsafer.top" or domainname like "castmaxw.run" or url like "castmaxw.run" or siteurl like "castmaxw.run" or domainname like "puerrogfh.live" or url like "puerrogfh.live" or siteurl like "puerrogfh.live" or domainname like "steelixr.live" or url like "steelixr.live" or siteurl like "steelixr.live" or domainname like "furthert.run" or url like "furthert.run" or siteurl like "furthert.run" or domainname like "ferromny.digital" or url like "ferromny.digital" or siteurl like "ferromny.digital" or domainname like "htardwarehu.icu" or url like "htardwarehu.icu" or siteurl like "htardwarehu.icu" or domainname like "metalsyo.digital" or url like "metalsyo.digital" or siteurl like "metalsyo.digital" or domainname like "latchclan.shop" or url like "latchclan.shop" or siteurl like "latchclan.shop" or domainname like "spacedbv.world" or url like "spacedbv.world" or siteurl like "spacedbv.world" or domainname like "scenarisacri.top" or url like "scenarisacri.top" or siteurl like "scenarisacri.top" or domainname like "nighetwhisper.top" or url like "nighetwhisper.top" or siteurl like "nighetwhisper.top" or domainname like "salaccgfa.top" or url like "salaccgfa.top" or siteurl like "salaccgfa.top" or domainname like "hemispherexz.top" or url like "hemispherexz.top" or siteurl like "hemispherexz.top" or domainname like "quilltayle.live" or url like "quilltayle.live" or siteurl like "quilltayle.live" or domainname like "starofliught.top" or url like "starofliught.top" or siteurl like "starofliught.top" or domainname like "easyfwdr.digital" or url like "easyfwdr.digital" or siteurl like "easyfwdr.digital" or domainname like "weldorae.digital" or url like "weldorae.digital" or siteurl like "weldorae.digital" or domainname like "owlflright.digital" or url like "owlflright.digital" or siteurl like "owlflright.digital" or domainname like "longitudde.digital" or url like "longitudde.digital" or siteurl like "longitudde.digital"

    Hash 1 (MD5):

    md5hash IN ("4afdc05708b8b39c82e60abe3ace55db","e05df8ee759e2c955acc8d8a47a08f42","c7610ae28655d6c1bce88b5d09624fef")

    Hash 2 (SHA1):

    sha1hash IN ("1239288a5876c09d9f0a67bcfd645735168a7c80","b66da4280c6d72adcc68330f6bd793df56a853cb","3b267fa5e1d1b18411c22e97b367258986e871e5")

    Hash 3 (SHA256):

    sha256hash IN ("ca47c8710c4ffb4908a42bd986b14cddcca39e30bb0b11ed5ca16fe8922a468b","a9e9d7770ff948bb65c0db24431f75dd934a803181afa22b6b014fac9a162dab","7a35008a1a1ae3d093703c3a34a21993409af42eb61161aad1b6ae4afa8bbb70","b287c0bc239b434b90eef01bcbd00ff48192b7cbeb540e568b8cdcdc26f90959","19cc41a0a056e503cc2137e19e952814fbdf14f8d83f799aea9b96abff11efbb","2f31d00feefe181f2d8b69033b382462ff19c35367753e6906ed80f815a7924f","4d74f8e12ff69318be5eb383b4e56178817e84e83d3607213160276a7328ab5d","325daeb781f3416a383343820064c8e98f2e31753cd71d76a886fe0dbb4fe59a","76e4962b8ccd2e6fd6972d9c3264ccb6738ddb16066588dfcb223222aaa88f3c")
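    For environments without the Gurucul TDIR query language, the same indicator sweep can be run offline against exported logs. The Python below is an added example written for this page; it is not code from the page, from Gurucul, or from the CISA advisory. It assumes a key=value proxy log format, and the log lines, source addresses and EDR hash values are constructed for illustration; only a subset of the page's domain and hash indicators is embedded, and the full lists above can be pasted into the two sets. It goes beyond the queries above in two ways: it normalizes case and strips URL scheme, path and port before comparing, and it matches subdomains of a listed domain label by label rather than by substring, so cdn.vozmeatillu.shop is caught while notvozmeatillu.shop is not.

```python
"""Offline IOC sweep for the LummaC2 domain and hash indicators on this page.

Added example; not code from the Gurucul page or the CISA advisory. The log
lines, source IPs, field names and EDR hash values below are constructed.
"""
import re
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Subset of the domain IOCs listed above (paste the full list here for a real
# sweep). Stored lowercase because DNS names are case-insensitive.
LUMMA_DOMAINS: Set[str] = {
    "pinkipinevazzey.pw", "vozmeatillu.shop", "blast-hubs.com",
    "generalmills.pro", "easyfwdr.digital", "starofliught.top",
}

# Subset of the hash IOCs listed above, lowercased so that matching does not
# depend on how a given EDR or SIEM renders hex.
LUMMA_HASHES: Set[str] = {
    "4afdc05708b8b39c82e60abe3ace55db",                                  # MD5
    "1239288a5876c09d9f0a67bcfd645735168a7c80",                          # SHA1
    "ca47c8710c4ffb4908a42bd986b14cddcca39e30bb0b11ed5ca16fe8922a468b",  # SHA256
}

HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX = re.compile(r"^[0-9a-f]+$")


def normalize_host(value: str) -> str:
    """Reduce a URL, host:port or bare host to a lowercase hostname.

    "https://CDN.example.com/x", "cdn.example.com:443" and "CDN.example.com."
    all become "cdn.example.com".
    """
    value = value.strip().lower()
    if "://" in value:
        value = urlsplit(value).hostname or ""
    else:
        value = value.split("/", 1)[0].rsplit(":", 1)[0]
    return value.rstrip(".")


def match_domain(host: str, iocs: Set[str]) -> Optional[str]:
    """Return the IOC that `host` equals or is a subdomain of, else None.

    Label-wise matching avoids the substring false positive that a plain
    `like "%vozmeatillu.shop%"` produces on notvozmeatillu.shop, and it still
    catches cdn.vozmeatillu.shop, which an exact compare misses. The bare
    TLD is never tested, so "shop" alone can never match.
    """
    labels = normalize_host(host).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def match_hash(value: str) -> Optional[Tuple[str, str]]:
    """Return (algorithm, lowercase hash) if `value` is a listed IOC, else None."""
    h = value.strip().lower()
    algo = HASH_ALGOS.get(len(h))
    if algo and _HEX.match(h) and h in LUMMA_HASHES:
        return algo, h
    return None


# Constructed proxy log lines; the key=value layout is an assumption.
SAMPLE_PROXY_LOG = [
    "2025-05-20T10:12:01Z src=10.1.2.3 url=https://CDN.vozmeatillu.shop/api/ action=allowed",
    "2025-05-20T10:13:44Z src=10.1.2.7 url=https://www.generalmills.com/ action=allowed",
    "2025-05-20T10:15:02Z src=10.1.2.9 dst_host=Pinkipinevazzey.pw:443 action=blocked",
    "2025-05-20T10:16:30Z src=10.1.2.4 url=https://notvozmeatillu.shop/x action=allowed",
]
_DEST = re.compile(r"(?:url|dst_host)=(\S+)")
_SRC = re.compile(r"src=(\S+)")


def sweep_proxy_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (source IP, matched IOC) for each line whose destination is listed."""
    hits = []
    for line in lines:
        dest = _DEST.search(line)
        if not dest:
            continue
        ioc = match_domain(dest.group(1), LUMMA_DOMAINS)
        if ioc:
            src = _SRC.search(line)
            hits.append((src.group(1) if src else "?", ioc))
    return hits


# Constructed EDR file-hash values: one rendered uppercase, one benign (MD5 of
# empty input) that must not match.
SAMPLE_EDR_HASHES = [
    "CA47C8710C4FFB4908A42BD986B14CDDCCA39E30BB0B11ED5CA16FE8922A468B",
    "4afdc05708b8b39c82e60abe3ace55db",
    "d41d8cd98f00b204e9800998ecf8427e",
]


def sweep_hashes(values: List[str]) -> List[Tuple[str, str]]:
    """Return (algorithm, hash) for every value that is a listed IOC hash."""
    return [m for m in (match_hash(v) for v in values) if m]


if __name__ == "__main__":
    for src, ioc in sweep_proxy_log(SAMPLE_PROXY_LOG):
        print(f"domain hit: {src} -> {ioc}")
    for algo, h in sweep_hashes(SAMPLE_EDR_HASHES):
        print(f"hash hit: {algo} {h}")
```

    The second sample line (www.generalmills.com) is deliberately a legitimate brand that the generalmills.pro indicator imitates; it must not match, and the label-wise compare ensures it does not.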

    Reference:

    https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-141b


    Tags: Malware, CISA, LummaC2 Stealer, Lumma Stealer, United States, Spear Phishing, Critical Infrastructure
