Part 2: Tracking LummaC2 Infrastructure
Essential information
- Published: 19/06/2025 22:30
- Modified: 23/06/2025 23:00
- Tags: 2025-06-19, acreed, domain infrastructure, eastern european names, infostealer, lummac2, malicious domains, technical education lure
- Related entities: 200 observables, 1 intrusion set (APT), 7 techniques (MITRE), 2 malware, 28 others
Description
An investigation into domains associated with the LummaC2 infostealer campaign revealed a broader network of nearly 500 domains with high malicious-risk scores. These domains share registration patterns: registrant names of Eastern European origin and registrant e-mail addresses on the inbox[.]eu domain. Most of the sites advertise technical education courses, but they are likely lures for malware delivery. Four of the domains were identified as LummaC2 login panels. The campaign's infrastructure also relies on a small set of TLDs, recurring naming conventions, and a Hong Kong address linked to OFAC-sanctioned entities. Security teams are advised to monitor new registrations for the same patterns, scrutinise suspicious training sites, and educate users about the risks.
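The monitoring advice above can be turned into a small registration-triage routine. The following is an added example written for this page, not code from the report or its authors. It takes only three pivots from the report (a registrant e-mail on inbox[.]eu, a technical-education lure theme, and Eastern European registrant names); the TLD watch-list, keyword list, name tokens, weights and sample records are constructed placeholders, not indicators from the report, and should be replaced with the report's actual observables before use.

```python
"""Triage of newly registered domains against the registration pivots above.

Added example for this page, not code from the report or its authors. From the
report it takes three pivots: a registrant e-mail on inbox[.]eu, a
technical-education lure theme, and Eastern European registrant names.
Everything else (TLD watch-list, keyword list, name tokens, weights and the
sample records) is a constructed placeholder, not an indicator from the report.
"""
from dataclasses import dataclass
import re
import unicodedata

# Pivot taken from the report: registrant mailboxes on inbox[.]eu.
SUSPECT_REGISTRANT_EMAIL_DOMAINS = {"inbox.eu"}
# Assumed: the report does not list its TLDs or naming convention, so these are
# placeholders to be replaced with the observables from the report.
WATCH_TLDS = {"top", "xyz", "icu", "shop"}
LURE_KEYWORDS = {"course", "training", "academy", "bootcamp", "devops", "python", "cyber"}
# Constructed sample of name tokens; in practice seed this from registrant names
# already seen on confirmed LummaC2 panels rather than from a generic list.
NAME_TOKENS = {"ivan", "petrov", "oleksandr", "kovalenko", "dmitri", "volkov", "andrei", "popescu"}


@dataclass(frozen=True)
class Registration:
    domain: str              # may be defanged, e.g. "foo[.]top"
    registrant_name: str
    registrant_email: str
    registrant_country: str


def refang(value: str) -> str:
    """Turn 'example[.]eu' back into 'example.eu' so comparisons work."""
    return value.replace("[.]", ".").lower()


def name_tokens(name: str) -> set[str]:
    """ASCII-fold the registrant name (Petróv -> petrov) and split it into tokens."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return set(re.findall(r"[a-z]+", folded.lower()))


def score_registration(rec: Registration) -> tuple[int, list[str]]:
    """Return (score, reasons). Weights are assumed; the e-mail pivot is the strongest."""
    score, reasons = 0, []
    domain = refang(rec.domain)
    labels = domain.split(".")
    tld, sld = labels[-1], ".".join(labels[:-1])
    email_domain = refang(rec.registrant_email).rsplit("@", 1)[-1]

    if email_domain in SUSPECT_REGISTRANT_EMAIL_DOMAINS:
        score += 3
        reasons.append(f"registrant e-mail on {email_domain}")
    if tld in WATCH_TLDS:
        score += 1
        reasons.append(f"watch-listed TLD .{tld}")
    hits = sorted(k for k in LURE_KEYWORDS if k in sld)
    if hits:
        score += 2
        reasons.append("education-lure keywords: " + ", ".join(hits))
    names = name_tokens(rec.registrant_name) & NAME_TOKENS
    if names:
        score += 1
        reasons.append("registrant name tokens: " + ", ".join(sorted(names)))
    return score, reasons


def triage(records, threshold: int = 4) -> list[tuple[str, int, list[str]]]:
    """Keep only registrations at or above the threshold, highest score first."""
    scored = [(rec.domain, *score_registration(rec)) for rec in records]
    return sorted((s for s in scored if s[1] >= threshold), key=lambda s: -s[1])


# Constructed sample records (not observables from the report).
SAMPLE_RECORDS = [
    Registration("python-devops-academy[.]top", "Ivan Petróv", "ivan.petrov1987@inbox[.]eu", "HK"),
    Registration("bakery-recipes.com", "Jane Smith", "jane@example.com", "US"),
    Registration("cyber-training-hub.xyz", "Mark Lee", "mark@example.org", "GB"),
    Registration("kovalenko-portfolio[.]icu", "Oleksandr Kovalenko", "o.kovalenko@inbox[.]eu", "UA"),
]

if __name__ == "__main__":
    for domain, score, reasons in triage(SAMPLE_RECORDS):
        print(f"{domain}: {score} ({'; '.join(reasons)})")
```

Two practical caveats: since the 2018 WHOIS redactions most registrars no longer publish registrant name or e-mail, so the two strongest pivots only apply to historical WHOIS data or to the minority of registrars that still expose them; the TLD and lexical checks, by contrast, can run unchanged over certificate-transparency and passive-DNS feeds. Domains are kept defanged in the output so that triage results can be pasted into tickets without creating live links.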