{
  "name": "Part 2: Tracking LummaC2 Infrastructure",
  "slug": "part-2-tracking-lummac2-infrastructure",
  "description": "An investigation into domains associated with the LummaC2 infostealer malware campaign revealed a broader network of nearly 500 domains whose risk scores rate them as highly malicious. These domains share similar registration patterns, including registrant names that appear Eastern European and contact addresses at the inbox[.]eu email domain. The domains predominantly advertise technical education courses, but are likely lures for malware delivery. Four domains were identified as LummaC2 login panels. The campaign's infrastructure uses specific TLDs, naming conventions, and a Hong Kong address linked to OFAC-sanctioned entities. Security teams are advised to monitor for similar domain patterns, scrutinize suspicious training sites, and educate users about the risks. The related observables also include shared service domains such as reg[.]ru, gmo[.]jp and inbox[.]eu, which appear to be registrar or email-provider context for the registration pattern rather than campaign-owned infrastructure; review them before loading the list into a blocklist.",
  "published": "2025-06-19T20:30:37+00:00",
  "created_at": "2025-06-19T20:30:37+00:00",
  "modified_at": "2025-06-23T21:00:47+00:00",
  "created_at_opencti": "2025-06-19T20:30:37+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-06-19",
    "acreed",
    "domain infrastructure",
    "eastern european names",
    "infostealer",
    "lummac2",
    "malicious domains",
    "technical education lure"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "91.199.160.3"
      },
      {
        "id": "",
        "name": "www.vadakov.com"
      },
      {
        "id": "",
        "name": "www.thrixvingtogether.tech"
      },
      {
        "id": "",
        "name": "www.simxplepleasus.tech"
      },
      {
        "id": "",
        "name": "www.purposefulxliving.tech"
      },
      {
        "id": "",
        "name": "www.playfulexnergy.tech"
      },
      {
        "id": "",
        "name": "www.nxatureinspired.tech"
      },
      {
        "id": "",
        "name": "www.mindfulcreatixvity.tech"
      },
      {
        "id": "",
        "name": "www.heartfeltmoxments.tech"
      },
      {
        "id": "",
        "name": "www.ebbodf.live"
      },
      {
        "id": "",
        "name": "mail.exmaxi.com"
      },
      {
        "id": "",
        "name": "mail.firstclass-partners.com"
      },
      {
        "id": "",
        "name": "dc-mx.d7f6d0467f48.technnexuses.com"
      },
      {
        "id": "",
        "name": "dc-mx.e2515edc9e29.designwithue5.online"
      },
      {
        "id": "",
        "name": "dc-mx.b580fe2c5cf3.cyclespheres.pro"
      },
      {
        "id": "",
        "name": "dc-mx.6769ee1db737.nextgenersschool.com"
      },
      {
        "id": "",
        "name": "dc-mx.83e0616853d8.itrecruitingcourse.pro"
      },
      {
        "id": "",
        "name": "dc-mx.5d82b9573de1.skillzmakeup.pro"
      },
      {
        "id": "",
        "name": "dc-mx.49d08d4cf459.sparkerslides.online"
      },
      {
        "id": "",
        "name": "dc-mx.3a598edcf235.3dpaintexpert.pro"
      },
      {
        "id": "",
        "name": "dc-mx.39e18e96dbf8.cloudmicromasters.com"
      },
      {
        "id": "",
        "name": "dc-mx.376f4860ba60.ssistraininghub.com"
      },
      {
        "id": "",
        "name": "dc-mx.2a2493284601.softwaretester.pro"
      },
      {
        "id": "",
        "name": "dc-mx.369a9a289e36.guidefitlife.pro"
      },
      {
        "id": "",
        "name": "dc-mx.26c63ad05712.learnfibersoptics.online"
      },
      {
        "id": "",
        "name": "dc-mx.1cf47e80d1f2.aivisualstudio.pro"
      },
      {
        "id": "",
        "name": "dc-mx.0c6f2797c12d.etlwithssis.pro"
      },
      {
        "id": "",
        "name": "suspended-domain.com"
      },
      {
        "id": "",
        "name": "reg.ru"
      },
      {
        "id": "",
        "name": "gmo.jp"
      },
      {
        "id": "",
        "name": "inbox.eu"
      },
      {
        "id": "",
        "name": "yuriy-andropov.com"
      },
      {
        "id": "",
        "name": "zestmedo.top"
      },
      {
        "id": "",
        "name": "yieldihnwz.run"
      },
      {
        "id": "",
        "name": "yoga-maraphones.online"
      },
      {
        "id": "",
        "name": "yeomanryi.run"
      },
      {
        "id": "",
        "name": "xyraxl.run"
      },
      {
        "id": "",
        "name": "xylophmtcv.live"
      },
      {
        "id": "",
        "name": "wzrx.live"
      },
      {
        "id": "",
        "name": "wxadventures.world"
      },
      {
        "id": "",
        "name": "wrlbzpw.live"
      },
      {
        "id": "",
        "name": "writintrvh.top"
      },
      {
        "id": "",
        "name": "worldtxix.top"
      },
      {
        "id": "",
        "name": "workpiocmx.live"
      },
      {
        "id": "",
        "name": "withlaravel.pro"
      },
      {
        "id": "",
        "name": "witf.live"
      },
      {
        "id": "",
        "name": "wildxflowerdream.life"
      },
      {
        "id": "",
        "name": "whitewnmxu.live"
      },
      {
        "id": "",
        "name": "whiplahwyz.live"
      },
      {
        "id": "",
        "name": "wesleychapelpresurewashing.com"
      },
      {
        "id": "",
        "name": "watslixbne.run"
      },
      {
        "id": "",
        "name": "wepwwd.live"
      },
      {
        "id": "",
        "name": "webfrontendeveloper.online"
      },
      {
        "id": "",
        "name": "wanrderfun.world"
      },
      {
        "id": "",
        "name": "walterlywz.live"
      },
      {
        "id": "",
        "name": "wailluwl.run"
      },
      {
        "id": "",
        "name": "voyagely.shop"
      },
      {
        "id": "",
        "name": "voluptlith.run"
      },
      {
        "id": "",
        "name": "viretualmatrix.today"
      },
      {
        "id": "",
        "name": "verification-security.com"
      },
      {
        "id": "",
        "name": "velvetbound.run"
      },
      {
        "id": "",
        "name": "vadakov.com"
      },
      {
        "id": "",
        "name": "usefulutivli.top"
      },
      {
        "id": "",
        "name": "urbanwan.shop"
      },
      {
        "id": "",
        "name": "urbaninsi.top"
      },
      {
        "id": "",
        "name": "untufqb.live"
      },
      {
        "id": "",
        "name": "untqroo.run"
      },
      {
        "id": "",
        "name": "unrealdevelopercourse.com"
      },
      {
        "id": "",
        "name": "unitydevgames.pro"
      },
      {
        "id": "",
        "name": "undexxet.live"
      },
      {
        "id": "",
        "name": "twirlevbgp.live"
      },
      {
        "id": "",
        "name": "tryjxp.run"
      },
      {
        "id": "",
        "name": "trrnbrawl.run"
      },
      {
        "id": "",
        "name": "trainywholed.top"
      },
      {
        "id": "",
        "name": "traininghubssis.online"
      },
      {
        "id": "",
        "name": "tqravelsy.top"
      },
      {
        "id": "",
        "name": "townwand.top"
      },
      {
        "id": "",
        "name": "touxpf.live"
      },
      {
        "id": "",
        "name": "totheskpeh.run"
      },
      {
        "id": "",
        "name": "toughecane.run"
      },
      {
        "id": "",
        "name": "togaresi.live"
      },
      {
        "id": "",
        "name": "timexcellence.pro"
      },
      {
        "id": "",
        "name": "timemassters.online"
      },
      {
        "id": "",
        "name": "throwiurqe.run"
      },
      {
        "id": "",
        "name": "througdlmw.live"
      },
      {
        "id": "",
        "name": "thrixvingtogether.tech"
      },
      {
        "id": "",
        "name": "textstoapps.online"
      },
      {
        "id": "",
        "name": "thebme.run"
      },
      {
        "id": "",
        "name": "theriduwlb.live"
      },
      {
        "id": "",
        "name": "tenodl.run"
      },
      {
        "id": "",
        "name": "tennisincl.com"
      },
      {
        "id": "",
        "name": "tejguv.run"
      },
      {
        "id": "",
        "name": "technnexuses.com"
      },
      {
        "id": "",
        "name": "teasedctne.live"
      },
      {
        "id": "",
        "name": "tavernmusitc.run"
      },
      {
        "id": "",
        "name": "tandefck.run"
      },
      {
        "id": "",
        "name": "tamikmi.live"
      },
      {
        "id": "",
        "name": "tacticaltr.top"
      },
      {
        "id": "",
        "name": "sytomwarn.run"
      },
      {
        "id": "",
        "name": "synerccijy.run"
      },
      {
        "id": "",
        "name": "sympatglcu.run"
      },
      {
        "id": "",
        "name": "swoenship.run"
      },
      {
        "id": "",
        "name": "sustfagtech.life"
      },
      {
        "id": "",
        "name": "sustainharvests.top"
      },
      {
        "id": "",
        "name": "surchasuba.run"
      },
      {
        "id": "",
        "name": "supervuql.live"
      },
      {
        "id": "",
        "name": "suiteqzpa.live"
      },
      {
        "id": "",
        "name": "stuffeworke.live"
      },
      {
        "id": "",
        "name": "stresspsychology.online"
      },
      {
        "id": "",
        "name": "stomedpolker.bet"
      },
      {
        "id": "",
        "name": "stockyslam.top"
      },
      {
        "id": "",
        "name": "stickyomisz.world"
      },
      {
        "id": "",
        "name": "steveruelo.run"
      },
      {
        "id": "",
        "name": "stepamev.live"
      },
      {
        "id": "",
        "name": "starolyf.top"
      },
      {
        "id": "",
        "name": "stemleuxim.run"
      },
      {
        "id": "",
        "name": "starlabh.top"
      },
      {
        "id": "",
        "name": "stackwithgo.com"
      },
      {
        "id": "",
        "name": "ssistraininghub.com"
      },
      {
        "id": "",
        "name": "ssisquickstart.pro"
      },
      {
        "id": "",
        "name": "sptcqb.run"
      },
      {
        "id": "",
        "name": "springmicrohub.com"
      },
      {
        "id": "",
        "name": "sparkerslides.online"
      },
      {
        "id": "",
        "name": "sparerzubo.live"
      },
      {
        "id": "",
        "name": "spreadkeor.live"
      },
      {
        "id": "",
        "name": "sorcererse.live"
      },
      {
        "id": "",
        "name": "solarwind.live"
      },
      {
        "id": "",
        "name": "solidsotuehr.space"
      },
      {
        "id": "",
        "name": "softwaretester.pro"
      },
      {
        "id": "",
        "name": "softsphere.pro"
      },
      {
        "id": "",
        "name": "soilandseed.icu"
      },
      {
        "id": "",
        "name": "socialinyn.run"
      },
      {
        "id": "",
        "name": "snugglzyfg.run"
      },
      {
        "id": "",
        "name": "smmwritingcourse.pro"
      },
      {
        "id": "",
        "name": "slqvjx.run"
      },
      {
        "id": "",
        "name": "skyhighj.top"
      },
      {
        "id": "",
        "name": "skadinoureddin.com"
      },
      {
        "id": "",
        "name": "skillzmakeup.pro"
      },
      {
        "id": "",
        "name": "sinkinyhuc.run"
      },
      {
        "id": "",
        "name": "simxplepleasus.tech"
      },
      {
        "id": "",
        "name": "silvlka.run"
      },
      {
        "id": "",
        "name": "sikiq.run"
      },
      {
        "id": "",
        "name": "silkyacvty.top"
      },
      {
        "id": "",
        "name": "shicg.run"
      },
      {
        "id": "",
        "name": "shelveftls.live"
      },
      {
        "id": "",
        "name": "shefdurho.live"
      },
      {
        "id": "",
        "name": "serviceforeveryone.pro"
      },
      {
        "id": "",
        "name": "senatusu.run"
      },
      {
        "id": "",
        "name": "saniscp.live"
      },
      {
        "id": "",
        "name": "secretrenr.live"
      },
      {
        "id": "",
        "name": "scientififange.top"
      },
      {
        "id": "",
        "name": "safecyberhub.com"
      },
      {
        "id": "",
        "name": "rshebattl.live"
      },
      {
        "id": "",
        "name": "royalheriw.run"
      },
      {
        "id": "",
        "name": "royalcourtq.live"
      },
      {
        "id": "",
        "name": "rogueevpvz.live"
      },
      {
        "id": "",
        "name": "rockwzva.live"
      },
      {
        "id": "",
        "name": "robotticsrealm.top"
      },
      {
        "id": "",
        "name": "roamrline.top"
      },
      {
        "id": "",
        "name": "riflesf.top"
      },
      {
        "id": "",
        "name": "roadtripde.top"
      },
      {
        "id": "",
        "name": "riemansodh.run"
      },
      {
        "id": "",
        "name": "retrofjslx.run"
      },
      {
        "id": "",
        "name": "reservydhv.run"
      },
      {
        "id": "",
        "name": "residufkkn.run"
      },
      {
        "id": "",
        "name": "reseagetwork.top"
      },
      {
        "id": "",
        "name": "repottenfuc.fun"
      },
      {
        "id": "",
        "name": "remaitooteh.space"
      },
      {
        "id": "",
        "name": "rekrra.run"
      },
      {
        "id": "",
        "name": "reflecrung.run"
      },
      {
        "id": "",
        "name": "refereghai.live"
      },
      {
        "id": "",
        "name": "reelsvideocourse.online"
      },
      {
        "id": "",
        "name": "ratedevea.top"
      },
      {
        "id": "",
        "name": "realistic-3d.pro"
      },
      {
        "id": "",
        "name": "rapmusmoon.run"
      },
      {
        "id": "",
        "name": "ransomffpa.run"
      },
      {
        "id": "",
        "name": "racueu.run"
      },
      {
        "id": "",
        "name": "quick-laravel.online"
      },
      {
        "id": "",
        "name": "questforq.run"
      },
      {
        "id": "",
        "name": "qnaturecud.top"
      },
      {
        "id": "",
        "name": "pythonexpertcourse.pro"
      },
      {
        "id": "",
        "name": "pyrogaobze.run"
      },
      {
        "id": "",
        "name": "pushbuweyc.live"
      },
      {
        "id": "",
        "name": "purposefulxliving.tech"
      },
      {
        "id": "",
        "name": "prosorsingcourse.pro"
      },
      {
        "id": "",
        "name": "przmyh.run"
      },
      {
        "id": "",
        "name": "profilingcoursesr.online"
      },
      {
        "id": "",
        "name": "proffesioncopywritter.pro"
      },
      {
        "id": "",
        "name": "profesaspl.run"
      },
      {
        "id": "",
        "name": "procesxcdp.live"
      },
      {
        "id": "",
        "name": "probosayry.run"
      },
      {
        "id": "",
        "name": "princieyaw.live"
      },
      {
        "id": "",
        "name": "priaflij.live"
      },
      {
        "id": "",
        "name": "praisepunishek.online"
      },
      {
        "id": "",
        "name": "porefuzhxv.live"
      },
      {
        "id": "",
        "name": "practicumarchetypes.online"
      },
      {
        "id": "",
        "name": "pontifkpsj.run"
      },
      {
        "id": "",
        "name": "plushpbillow.world"
      },
      {
        "id": "",
        "name": "playgodotgame.online"
      },
      {
        "id": "",
        "name": "playfulexnergy.tech"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:e052b027e75618d7",
        "name": "Acreed",
        "slug": "acreed"
      },
      {
        "id": "legacy:malware:37dce7f2f14d48d9",
        "name": "LummaC2",
        "slug": "lummac2"
      }
    ],
    "intrusion_sets": [
      {
        "id": "99c2c375-8d51-4496-86b8-8677c7c98760",
        "name": "LummaC2",
        "slug": "lummac2"
      }
    ],
    "attack_patterns": [
      {
        "id": "75702b35-b790-4504-a1e0-7829e76f22e9",
        "name": "T1585"
      },
      {
        "id": "21fd9920-9bc7-4ba5-8cdd-3022c0ef4e9d",
        "name": "T1584.001"
      },
      {
        "id": "88fd8eb3-cc2d-4ff0-92ff-d047dafc7855",
        "name": "T1592.002"
      },
      {
        "id": "d19f56ca-5ce8-4bd1-af90-7d83e394470c",
        "name": "T1583.001"
      },
      {
        "id": "6babd5aa-5112-4f14-a660-60d756a65d6d",
        "name": "T1586"
      },
      {
        "id": "e948db36-930d-4013-99ed-fdf14b65907e",
        "name": "T1589.002"
      },
      {
        "id": "52b92395-d3d3-4e05-976a-0fccccfce8d2",
        "name": "T1566.002"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "truycs.digital"
      },
      {
        "id": "",
        "name": "toupdu.digital"
      },
      {
        "id": "",
        "name": "swkkje.digital"
      },
      {
        "id": "",
        "name": "slybkmo.digital"
      },
      {
        "id": "",
        "name": "sltua.digital"
      },
      {
        "id": "",
        "name": "rustore.digital"
      },
      {
        "id": "",
        "name": "rnclhy.digital"
      },
      {
        "id": "",
        "name": "retfxv.digital"
      },
      {
        "id": "",
        "name": "reefkwgk.digital"
      },
      {
        "id": "",
        "name": "railikk.digital"
      },
      {
        "id": "",
        "name": "nemzvg.digital"
      },
      {
        "id": "",
        "name": "nanpal.digital"
      },
      {
        "id": "",
        "name": "mixoyxa.digital"
      },
      {
        "id": "",
        "name": "loppkq.digital"
      },
      {
        "id": "",
        "name": "imasar.digital"
      },
      {
        "id": "",
        "name": "hiapoc.digital"
      },
      {
        "id": "",
        "name": "grainzbfh.digital"
      },
      {
        "id": "",
        "name": "ghloa.digital"
      },
      {
        "id": "",
        "name": "genuslcxnf.digital"
      },
      {
        "id": "",
        "name": "forxbe.digital"
      },
      {
        "id": "",
        "name": "fiberbgqll.digital"
      },
      {
        "id": "",
        "name": "epstainable.digital"
      },
      {
        "id": "",
        "name": "eoelav.digital"
      },
      {
        "id": "",
        "name": "deerzha.digital"
      },
      {
        "id": "",
        "name": "dapsradar.finance"
      },
      {
        "id": "",
        "name": "ceohm.digital"
      },
      {
        "id": "",
        "name": "cdztf.digital"
      },
      {
        "id": "",
        "name": "bearinlqek.digital"
      }
    ]
  },
  "external_refs": [
    "https://www.domaintools.com/resources/blog/part-2-tracking-lummac2-infrastructure",
    "https://otx.alienvault.com/pulse/68548f8da071ef219ccb11ae"
  ]
}