{ "type": "Domain", "indicator": "codebitw.live", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/codebitw.live", "alexa": "http://www.alexa.com/siteinfo/codebitw.live", "indicator": "codebitw.live", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4069943088, "indicator": "codebitw.live", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "682e5bb94e2f4e75be640cb5", "name": "Lumma Stealer is Out... of business!", "description": "A coordinated action led by Microsoft's Digital Crimes Unit, with participation from Bitsight and other partners, has successfully dismantled the operational capabilities of Lumma Stealer (LummaC2), a prominent information stealer operating since late 2022. The operation involved seizing over 1,000 domains and shutting down more than 90 Telegram channels and Steam profiles associated with the malware's infrastructure. LummaC2, which gained popularity after the takedown of Redline and Meta stealers, targeted Windows systems to extract sensitive data from various applications. The malware employed a complex, multi-tiered command and control infrastructure, using multiple domains, Steam profiles, and Telegram channels for resilience. This disruptive action is expected to significantly impact the threat landscape and hinder criminal activities in the malware scene.", "modified": "2025-05-22T07:11:18.344000", "created": "2025-05-21T23:03:21.624000", "tags": [ "lummac", "infrastructure takedown", "information stealer", "lummac2", "redline", "multi-tiered c2", "malware-as-a-service", "data theft" ], "references": [ "https://www.bitsight.com/blog/lumma-stealer-is-out-of-business" ], "public": 1, "adversary": "Lumma Stealer", "targeted_countries": [], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 60, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 1129, "hostname": 3 }, "indicator_count": 1132, "is_author": false, "is_subscribing": null, "subscriber_count": 376730, "modified_text": "327 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68340f42d5f7a341e8ad88e7", "name": "Lumma Stealer Shutdown: Global Takedown Disrupts Prolific Cybercrime Tool", "description": "A coordinated international operation led by Microsoft\u2019s Digital Crimes Unit (DCU), the U.S. Department of Justice (DOJ), Europol, and partners has dismantled the infrastructure of Lumma Stealer, a notorious Malware-as-a-Service (MaaS) platform linked to over 10 million infections and 1.7 million confirmed attacks globally. The action, announced in May 2025, resulted in the seizure of 2,300 malicious domains, sinkholing of traffic to Microsoft-controlled servers, and the suspension of Lumma\u2019s Telegram-based affiliate marketplace, crippling its ability to steal sensitive data like passwords, cryptocurrency wallets, and MFA tokens 311.\n\nLumma, developed by Russian threat actor \"Shamel,\" operated under a subscription model ($250\u2013$20,000) and was distributed via phishing campaigns, malvertising, and trojanized software. Its evasion tactics\u2014such as abuse of legitimate cloud services, encrypted C2 communications, and geofenced payloads\u2014made it a preferred tool for ransomware affiliates and credential harvesters.", "modified": "2025-05-26T06:50:42.505000", "created": "2025-05-26T06:50:42.505000", "tags": [ "lummac2", "bitsight", "windows", "steam profile", "lummac2 iocs", "lumma stealer", "malware", "redline", "meta", "bitsight trace", "telegram", "steam", "service", "lumma" ], "references": [ "https://www.bitsight.com/blog/lumma-stealer-is-out-of-business", "https://raw.githubusercontent.com/bitsight-research/threat_research/refs/heads/main/lumma/lumma_iocs.csv" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Bitsight", "display_name": "Bitsight", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1135, "hostname": 3, "URL": 97 }, "indicator_count": 1235, "is_author": false, "is_subscribing": null, "subscriber_count": 168, "modified_text": "323 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://raw.githubusercontent.com/bitsight-research/threat_research/refs/heads/main/lumma/lumma_iocs.csv", "https://www.bitsight.com/blog/lumma-stealer-is-out-of-business" ], "related": { "alienvault": { "adversary": [ "Lumma Stealer" ], "malware_families": [ "Lumma stealer" ], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Bitsight", "Lumma" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "682e5bb94e2f4e75be640cb5", "name": "Lumma Stealer is Out... of business!", "description": "A coordinated action led by Microsoft's Digital Crimes Unit, with participation from Bitsight and other partners, has successfully dismantled the operational capabilities of Lumma Stealer (LummaC2), a prominent information stealer operating since late 2022. The operation involved seizing over 1,000 domains and shutting down more than 90 Telegram channels and Steam profiles associated with the malware's infrastructure. LummaC2, which gained popularity after the takedown of Redline and Meta stealers, targeted Windows systems to extract sensitive data from various applications. The malware employed a complex, multi-tiered command and control infrastructure, using multiple domains, Steam profiles, and Telegram channels for resilience. This disruptive action is expected to significantly impact the threat landscape and hinder criminal activities in the malware scene.", "modified": "2025-05-22T07:11:18.344000", "created": "2025-05-21T23:03:21.624000", "tags": [ "lummac", "infrastructure takedown", "information stealer", "lummac2", "redline", "multi-tiered c2", "malware-as-a-service", "data theft" ], "references": [ "https://www.bitsight.com/blog/lumma-stealer-is-out-of-business" ], "public": 1, "adversary": "Lumma Stealer", "targeted_countries": [], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 60, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 1129, "hostname": 3 }, "indicator_count": 1132, "is_author": false, "is_subscribing": null, "subscriber_count": 376730, "modified_text": "327 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68340f42d5f7a341e8ad88e7", "name": "Lumma Stealer Shutdown: Global Takedown Disrupts Prolific Cybercrime Tool", "description": "A coordinated international operation led by Microsoft\u2019s Digital Crimes Unit (DCU), the U.S. Department of Justice (DOJ), Europol, and partners has dismantled the infrastructure of Lumma Stealer, a notorious Malware-as-a-Service (MaaS) platform linked to over 10 million infections and 1.7 million confirmed attacks globally. The action, announced in May 2025, resulted in the seizure of 2,300 malicious domains, sinkholing of traffic to Microsoft-controlled servers, and the suspension of Lumma\u2019s Telegram-based affiliate marketplace, crippling its ability to steal sensitive data like passwords, cryptocurrency wallets, and MFA tokens 311.\n\nLumma, developed by Russian threat actor \"Shamel,\" operated under a subscription model ($250\u2013$20,000) and was distributed via phishing campaigns, malvertising, and trojanized software. Its evasion tactics\u2014such as abuse of legitimate cloud services, encrypted C2 communications, and geofenced payloads\u2014made it a preferred tool for ransomware affiliates and credential harvesters.", "modified": "2025-05-26T06:50:42.505000", "created": "2025-05-26T06:50:42.505000", "tags": [ "lummac2", "bitsight", "windows", "steam profile", "lummac2 iocs", "lumma stealer", "malware", "redline", "meta", "bitsight trace", "telegram", "steam", "service", "lumma" ], "references": [ "https://www.bitsight.com/blog/lumma-stealer-is-out-of-business", "https://raw.githubusercontent.com/bitsight-research/threat_research/refs/heads/main/lumma/lumma_iocs.csv" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Bitsight", "display_name": "Bitsight", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1135, "hostname": 3, "URL": 97 }, "indicator_count": 1235, "is_author": false, "is_subscribing": null, "subscriber_count": 168, "modified_text": "323 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "codebitw.live", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "codebitw.live", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776228890.5893157 }