{ "type": "Domain", "indicator": "copper-replace.sbs", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/copper-replace.sbs", "alexa": "http://www.alexa.com/siteinfo/copper-replace.sbs", "indicator": "copper-replace.sbs", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4008058730, "indicator": "copper-replace.sbs", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "682e5bb94e2f4e75be640cb5", "name": "Lumma Stealer is Out... of business!", "description": "A coordinated action led by Microsoft's Digital Crimes Unit, with participation from Bitsight and other partners, has successfully dismantled the operational capabilities of Lumma Stealer (LummaC2), a prominent information stealer operating since late 2022. The operation involved seizing over 1,000 domains and shutting down more than 90 Telegram channels and Steam profiles associated with the malware's infrastructure. LummaC2, which gained popularity after the takedown of Redline and Meta stealers, targeted Windows systems to extract sensitive data from various applications. The malware employed a complex, multi-tiered command and control infrastructure, using multiple domains, Steam profiles, and Telegram channels for resilience. This disruptive action is expected to significantly impact the threat landscape and hinder criminal activities in the malware scene.", "modified": "2025-05-22T07:11:18.344000", "created": "2025-05-21T23:03:21.624000", "tags": [ "lummac", "infrastructure takedown", "information stealer", "lummac2", "redline", "multi-tiered c2", "malware-as-a-service", "data theft" ], "references": [ "https://www.bitsight.com/blog/lumma-stealer-is-out-of-business" ], "public": 1, "adversary": "Lumma Stealer", "targeted_countries": [], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 60, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 1129, "hostname": 3 }, "indicator_count": 1132, "is_author": false, "is_subscribing": null, "subscriber_count": 377806, "modified_text": "333 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "682830722f6d8b9b8f6dadf4", "name": "Lumma", "description": "", "modified": "2026-02-12T22:08:40.802000", "created": "2025-05-17T06:45:06.586000", "tags": [ "Lumma" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 42, "FileHash-SHA1": 42, "FileHash-SHA256": 160, "domain": 322, "hostname": 18 }, "indicator_count": 584, "is_author": false, "is_subscribing": null, "subscriber_count": 177, "modified_text": "66 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "672f6ed2b564f00b7c5cb13f", "name": "Threatfox Recent Additions", "description": "", "modified": "2025-06-13T19:00:02.811000", "created": "2024-11-09T14:16:50.032000", "tags": [], "references": [ "", "https://threatfox.abuse.ch/export/csv/recent/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 96, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ameermane", "id": "77501", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 47587, "URL": 18714, "FileHash-SHA256": 36311, "FileHash-MD5": 1630, "FileHash-SHA1": 418, "hostname": 18190 }, "indicator_count": 122850, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "311 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68340f42d5f7a341e8ad88e7", "name": "Lumma Stealer Shutdown: Global Takedown Disrupts Prolific Cybercrime Tool", "description": "A coordinated international operation led by Microsoft\u2019s Digital Crimes Unit (DCU), the U.S. Department of Justice (DOJ), Europol, and partners has dismantled the infrastructure of Lumma Stealer, a notorious Malware-as-a-Service (MaaS) platform linked to over 10 million infections and 1.7 million confirmed attacks globally. The action, announced in May 2025, resulted in the seizure of 2,300 malicious domains, sinkholing of traffic to Microsoft-controlled servers, and the suspension of Lumma\u2019s Telegram-based affiliate marketplace, crippling its ability to steal sensitive data like passwords, cryptocurrency wallets, and MFA tokens 311.\n\nLumma, developed by Russian threat actor \"Shamel,\" operated under a subscription model ($250\u2013$20,000) and was distributed via phishing campaigns, malvertising, and trojanized software. Its evasion tactics\u2014such as abuse of legitimate cloud services, encrypted C2 communications, and geofenced payloads\u2014made it a preferred tool for ransomware affiliates and credential harvesters.", "modified": "2025-05-26T06:50:42.505000", "created": "2025-05-26T06:50:42.505000", "tags": [ "lummac2", "bitsight", "windows", "steam profile", "lummac2 iocs", "lumma stealer", "malware", "redline", "meta", "bitsight trace", "telegram", "steam", "service", "lumma" ], "references": [ "https://www.bitsight.com/blog/lumma-stealer-is-out-of-business", "https://raw.githubusercontent.com/bitsight-research/threat_research/refs/heads/main/lumma/lumma_iocs.csv" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Bitsight", "display_name": "Bitsight", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1135, "hostname": 3, "URL": 97 }, "indicator_count": 1235, "is_author": false, "is_subscribing": null, "subscriber_count": 171, "modified_text": "329 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67617edafa11fa408b73322c", "name": "ACTIVIDAD MALICIOSA | Relacionada con Lumma Stealer 17-12-2024", "description": "Lumma Stealer es un tipo de software malicioso dise\u00f1ado para robar informaci\u00f3n confidencial de los dispositivos infectados. Este malware se infiltra en los sistemas y extrae datos personales, como nombres de usuario, contrase\u00f1as, informaci\u00f3n bancaria y detalles de tarjetas de cr\u00e9dito. LummaStealer puede afectar varias cuentas, incluidas redes sociales, correos electr\u00f3nicos y monederos de criptomonedas. Los delincuentes pueden usar la informaci\u00f3n robada para chantaje, suplantaci\u00f3n de identidad, y realizar transacciones fraudulentas, lo que puede causar serios problemas de privacidad y p\u00e9rdidas econ\u00f3micas significativas para las v\u00edctimas.", "modified": "2025-01-16T13:03:38.406000", "created": "2024-12-17T13:38:34.760000", "tags": [ "access", "discovery", "ta0001 initial", "t1003 data", "local system", "t1033 system", "t1057 process", "t1082 system", "t1087 account" ], "references": [ "https://darfe.es/ciberwiki/index.php?title=Lumma", "https://www.virustotal.com/graph/embed/gec57b97e0f194fd38738be6392abba6f180fe9d93be24891af76fb2c7bec3638?theme=dark", "https://www.virustotal.com/gui/collection/bf70caf191025dfa3e68e8bc63882880ae2ca60f72ece512aaee246b487c5ad6" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "esoporteingenieria2020", "id": "121604", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 26, "FileHash-SHA1": 25, "FileHash-SHA256": 27, "URL": 301, "domain": 665, "hostname": 8 }, "indicator_count": 1052, "is_author": false, "is_subscribing": null, "subscriber_count": 267, "modified_text": "459 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "674c9f48cd2a512e28ef6523", "name": "ACTIVIDAD MALICIOSA | Relacionada con LummaStealer 01-12-2024", "description": "Lumma Stealer es un tipo de software malicioso dise\u00f1ado para robar informaci\u00f3n confidencial de los dispositivos infectados. Este malware se infiltra en los sistemas y extrae datos personales, como nombres de usuario, contrase\u00f1as, informaci\u00f3n bancaria y detalles de tarjetas de cr\u00e9dito. LummaStealer puede afectar varias cuentas, incluidas redes sociales, correos electr\u00f3nicos y monederos de criptomonedas. Los delincuentes pueden usar la informaci\u00f3n robada para chantaje, suplantaci\u00f3n de identidad, y realizar transacciones fraudulentas, lo que puede causar serios problemas de privacidad y p\u00e9rdidas econ\u00f3micas significativas para las v\u00edctimas.", "modified": "2024-12-31T17:05:00.863000", "created": "2024-12-01T17:39:20.573000", "tags": [ "http", "access", "discovery", "uexfvbqog9i67m", "mmirygls1g", "vt51x7b9cwn7e4x", "v2fnqdfylkobc", "tcticas", "ta0001 initial", "t1003 data" ], "references": [ "https://www.virustotal.com/graph/embed/g31920c46027f42a085f0a4040c4609fcccba0ba580b3451893964f393d84ac65?theme=dark", "https://www.virustotal.com/gui/collection/9419ada66b99877877ab2cbbe22a5e2de65cd18153db39736cb4fe1d06cc1129", "https://darfe.es/ciberwiki/index.php?title=Lumma" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "esoporteingenieria2020", "id": "121604", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1161, "FileHash-SHA1": 1159, "FileHash-SHA256": 1167, "URL": 255, "domain": 665, "hostname": 8 }, "indicator_count": 4415, "is_author": false, "is_subscribing": null, "subscriber_count": 266, "modified_text": "475 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "", "https://threatfox.abuse.ch/export/csv/recent/", "https://www.virustotal.com/graph/embed/g31920c46027f42a085f0a4040c4609fcccba0ba580b3451893964f393d84ac65?theme=dark", "https://www.bitsight.com/blog/lumma-stealer-is-out-of-business", "https://darfe.es/ciberwiki/index.php?title=Lumma", "https://www.virustotal.com/gui/collection/9419ada66b99877877ab2cbbe22a5e2de65cd18153db39736cb4fe1d06cc1129", "https://www.virustotal.com/gui/collection/bf70caf191025dfa3e68e8bc63882880ae2ca60f72ece512aaee246b487c5ad6", "https://www.virustotal.com/graph/embed/gec57b97e0f194fd38738be6392abba6f180fe9d93be24891af76fb2c7bec3638?theme=dark", "https://raw.githubusercontent.com/bitsight-research/threat_research/refs/heads/main/lumma/lumma_iocs.csv" ], "related": { "alienvault": { "adversary": [ "Lumma Stealer" ], "malware_families": [ "Lumma stealer" ], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Bitsight", "Lumma stealer", "Lumma" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "682e5bb94e2f4e75be640cb5", "name": "Lumma Stealer is Out... of business!", "description": "A coordinated action led by Microsoft's Digital Crimes Unit, with participation from Bitsight and other partners, has successfully dismantled the operational capabilities of Lumma Stealer (LummaC2), a prominent information stealer operating since late 2022. The operation involved seizing over 1,000 domains and shutting down more than 90 Telegram channels and Steam profiles associated with the malware's infrastructure. LummaC2, which gained popularity after the takedown of Redline and Meta stealers, targeted Windows systems to extract sensitive data from various applications. The malware employed a complex, multi-tiered command and control infrastructure, using multiple domains, Steam profiles, and Telegram channels for resilience. This disruptive action is expected to significantly impact the threat landscape and hinder criminal activities in the malware scene.", "modified": "2025-05-22T07:11:18.344000", "created": "2025-05-21T23:03:21.624000", "tags": [ "lummac", "infrastructure takedown", "information stealer", "lummac2", "redline", "multi-tiered c2", "malware-as-a-service", "data theft" ], "references": [ "https://www.bitsight.com/blog/lumma-stealer-is-out-of-business" ], "public": 1, "adversary": "Lumma Stealer", "targeted_countries": [], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 60, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 1129, "hostname": 3 }, "indicator_count": 1132, "is_author": false, "is_subscribing": null, "subscriber_count": 377806, "modified_text": "333 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "682830722f6d8b9b8f6dadf4", "name": "Lumma", "description": "", "modified": "2026-02-12T22:08:40.802000", "created": "2025-05-17T06:45:06.586000", "tags": [ "Lumma" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 42, "FileHash-SHA1": 42, "FileHash-SHA256": 160, "domain": 322, "hostname": 18 }, "indicator_count": 584, "is_author": false, "is_subscribing": null, "subscriber_count": 177, "modified_text": "66 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "672f6ed2b564f00b7c5cb13f", "name": "Threatfox Recent Additions", "description": "", "modified": "2025-06-13T19:00:02.811000", "created": "2024-11-09T14:16:50.032000", "tags": [], "references": [ "", "https://threatfox.abuse.ch/export/csv/recent/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 96, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ameermane", "id": "77501", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 47587, "URL": 18714, "FileHash-SHA256": 36311, "FileHash-MD5": 1630, "FileHash-SHA1": 418, "hostname": 18190 }, "indicator_count": 122850, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "311 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68340f42d5f7a341e8ad88e7", "name": "Lumma Stealer Shutdown: Global Takedown Disrupts Prolific Cybercrime Tool", "description": "A coordinated international operation led by Microsoft\u2019s Digital Crimes Unit (DCU), the U.S. Department of Justice (DOJ), Europol, and partners has dismantled the infrastructure of Lumma Stealer, a notorious Malware-as-a-Service (MaaS) platform linked to over 10 million infections and 1.7 million confirmed attacks globally. The action, announced in May 2025, resulted in the seizure of 2,300 malicious domains, sinkholing of traffic to Microsoft-controlled servers, and the suspension of Lumma\u2019s Telegram-based affiliate marketplace, crippling its ability to steal sensitive data like passwords, cryptocurrency wallets, and MFA tokens 311.\n\nLumma, developed by Russian threat actor \"Shamel,\" operated under a subscription model ($250\u2013$20,000) and was distributed via phishing campaigns, malvertising, and trojanized software. Its evasion tactics\u2014such as abuse of legitimate cloud services, encrypted C2 communications, and geofenced payloads\u2014made it a preferred tool for ransomware affiliates and credential harvesters.", "modified": "2025-05-26T06:50:42.505000", "created": "2025-05-26T06:50:42.505000", "tags": [ "lummac2", "bitsight", "windows", "steam profile", "lummac2 iocs", "lumma stealer", "malware", "redline", "meta", "bitsight trace", "telegram", "steam", "service", "lumma" ], "references": [ "https://www.bitsight.com/blog/lumma-stealer-is-out-of-business", "https://raw.githubusercontent.com/bitsight-research/threat_research/refs/heads/main/lumma/lumma_iocs.csv" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Bitsight", "display_name": "Bitsight", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1135, "hostname": 3, "URL": 97 }, "indicator_count": 1235, "is_author": false, "is_subscribing": null, "subscriber_count": 171, "modified_text": "329 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67617edafa11fa408b73322c", "name": "ACTIVIDAD MALICIOSA | Relacionada con Lumma Stealer 17-12-2024", "description": "Lumma Stealer es un tipo de software malicioso dise\u00f1ado para robar informaci\u00f3n confidencial de los dispositivos infectados. Este malware se infiltra en los sistemas y extrae datos personales, como nombres de usuario, contrase\u00f1as, informaci\u00f3n bancaria y detalles de tarjetas de cr\u00e9dito. LummaStealer puede afectar varias cuentas, incluidas redes sociales, correos electr\u00f3nicos y monederos de criptomonedas. Los delincuentes pueden usar la informaci\u00f3n robada para chantaje, suplantaci\u00f3n de identidad, y realizar transacciones fraudulentas, lo que puede causar serios problemas de privacidad y p\u00e9rdidas econ\u00f3micas significativas para las v\u00edctimas.", "modified": "2025-01-16T13:03:38.406000", "created": "2024-12-17T13:38:34.760000", "tags": [ "access", "discovery", "ta0001 initial", "t1003 data", "local system", "t1033 system", "t1057 process", "t1082 system", "t1087 account" ], "references": [ "https://darfe.es/ciberwiki/index.php?title=Lumma", "https://www.virustotal.com/graph/embed/gec57b97e0f194fd38738be6392abba6f180fe9d93be24891af76fb2c7bec3638?theme=dark", "https://www.virustotal.com/gui/collection/bf70caf191025dfa3e68e8bc63882880ae2ca60f72ece512aaee246b487c5ad6" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "esoporteingenieria2020", "id": "121604", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 26, "FileHash-SHA1": 25, "FileHash-SHA256": 27, "URL": 301, "domain": 665, "hostname": 8 }, "indicator_count": 1052, "is_author": false, "is_subscribing": null, "subscriber_count": 267, "modified_text": "459 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "674c9f48cd2a512e28ef6523", "name": "ACTIVIDAD MALICIOSA | Relacionada con LummaStealer 01-12-2024", "description": "Lumma Stealer es un tipo de software malicioso dise\u00f1ado para robar informaci\u00f3n confidencial de los dispositivos infectados. Este malware se infiltra en los sistemas y extrae datos personales, como nombres de usuario, contrase\u00f1as, informaci\u00f3n bancaria y detalles de tarjetas de cr\u00e9dito. LummaStealer puede afectar varias cuentas, incluidas redes sociales, correos electr\u00f3nicos y monederos de criptomonedas. Los delincuentes pueden usar la informaci\u00f3n robada para chantaje, suplantaci\u00f3n de identidad, y realizar transacciones fraudulentas, lo que puede causar serios problemas de privacidad y p\u00e9rdidas econ\u00f3micas significativas para las v\u00edctimas.", "modified": "2024-12-31T17:05:00.863000", "created": "2024-12-01T17:39:20.573000", "tags": [ "http", "access", "discovery", "uexfvbqog9i67m", "mmirygls1g", "vt51x7b9cwn7e4x", "v2fnqdfylkobc", "tcticas", "ta0001 initial", "t1003 data" ], "references": [ "https://www.virustotal.com/graph/embed/g31920c46027f42a085f0a4040c4609fcccba0ba580b3451893964f393d84ac65?theme=dark", "https://www.virustotal.com/gui/collection/9419ada66b99877877ab2cbbe22a5e2de65cd18153db39736cb4fe1d06cc1129", "https://darfe.es/ciberwiki/index.php?title=Lumma" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "esoporteingenieria2020", "id": "121604", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1161, "FileHash-SHA1": 1159, "FileHash-SHA256": 1167, "URL": 255, "domain": 665, "hostname": 8 }, "indicator_count": 4415, "is_author": false, "is_subscribing": null, "subscriber_count": 266, "modified_text": "475 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "copper-replace.sbs", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "copper-replace.sbs", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776719790.0998228 }