{ "type": "Domain", "indicator": "streamingsplays.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/streamingsplays.com", "alexa": "http://www.alexa.com/siteinfo/streamingsplays.com", "indicator": "streamingsplays.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4008057904, "indicator": "streamingsplays.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 14, "pulses": [ { "id": "680680f666b6192de781c7f1", "name": "How Lumma Stealer sneaks into organizations", "description": "Lumma Stealer, a sophisticated information-stealing malware, has gained prominence in cybercriminal circles since 2022. It employs various distribution methods, with fake CAPTCHA pages being a notable vector. These pages mimic legitimate services and trick users into executing malicious commands. The malware uses complex infection chains involving PowerShell scripts, JavaScript, and AutoIt components to evade detection. Once installed, Lumma Stealer targets a wide range of sensitive data, including cryptocurrency wallets, browser credentials, and financial information. The malware's stealthy execution and anti-analysis techniques make it a significant threat to both individuals and organizations.", "modified": "2025-04-21T22:28:22.241000", "created": "2025-04-21T17:31:34.991000", "tags": [ "lumma stealer", "anti-analysis", "powershell", "fake captcha", "information stealer", "cryptocurrency theft", "autoit", "obfuscation" ], "references": [ "https://securelist.com/lumma-fake-captcha-attacks-analysis/116274" ], "public": 1, "adversary": "Lumma", "targeted_countries": [ "Mongolia", "Russian Federation" ], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null } ], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" } ], "industries": [ "Finance", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 44, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 2, "domain": 12, "hostname": 1 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 386445, "modified_text": "403 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "680c1a2539b381ea9fbe7054", "name": "InQuest - 25-04-2025", "description": "", "modified": "2025-05-25T23:00:17.763000", "created": "2025-04-25T23:26:29.483000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 42, "URL": 236, "FileHash-SHA1": 24, "FileHash-SHA256": 814, "domain": 54, "FileHash-MD5": 26 }, "indicator_count": 1196, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "369 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "680ac7dd8edc8c55be961a6d", "name": "InQuest - 24-04-2025", "description": "", "modified": "2025-05-24T23:00:39.177000", "created": "2025-04-24T23:23:09.843000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 879, "FileHash-MD5": 33, "hostname": 67, "URL": 426, "domain": 113, "FileHash-SHA1": 24 }, "indicator_count": 1542, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "370 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6818f46dd65fe9f5628b6deb", "name": "Lumma Stealer Rising MaaS Threat with Sophisticated Delivery and Evasion Tactics", "description": "", "modified": "2025-05-05T17:25:01.415000", "created": "2025-05-05T17:25:01.415000", "tags": [ "ctia type", "date", "april", "time", "update", "siem", "keep anti", "virus endpoint", "detection", "check", "test" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 8 }, "indicator_count": 9, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "390 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6814bb1dc645da1b5d4e1228", "name": "Lumma Stealer Rising MaaS Threat with Sophisticated Delivery and Evasion Tactics", "description": "", "modified": "2025-05-02T12:34:36.004000", "created": "2025-05-02T12:31:25.355000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 7, "hostname": 5, "FileHash-MD5": 2, "FileHash-SHA1": 2 }, "indicator_count": 17, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "393 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68144719ce06e61f72f4b24d", "name": "Lumma Stealer \u2013 Tracking distribution channels", "description": "", "modified": "2025-05-02T04:16:25.940000", "created": "2025-05-02T04:16:25.940000", "tags": [ "captcha", "cryptocurrencies", "incident response", "infostealers", "lumma", "malvertizing", "malware", "malware descriptions", "malware technologies", "phishing", "telegram", "trojan", "trojan-stealer", "lumma stealer", "nsis installer", "autoit", "iocs", "run dialog", "amsi", "below", "nsis", "mcafee", "stealer", "\u2019m", "downloads" ], "references": [ "https://securelist.com/lumma-fake-captcha-attacks-analysis/116274/" ], "public": 1, "adversary": "", "targeted_countries": [ "Italy", "Mongolia", "Russian Federation" ], "malware_families": [ { "id": "CAPTCHA", "display_name": "CAPTCHA", "target": null }, { "id": "\u2019m", "display_name": "\u2019m", "target": null }, { "id": "Downloads", "display_name": "Downloads", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Government", "Maritime", "Logistics" ], "TLP": "white", "cloned_from": "68130b0a09b695605a0065a0", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4, "domain": 19, "hostname": 6 }, "indicator_count": 29, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "393 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68130b0a09b695605a0065a0", "name": "Lumma Stealer \u2013 Tracking distribution channels", "description": "", "modified": "2025-05-01T05:47:54.846000", "created": "2025-05-01T05:47:54.846000", "tags": [ "captcha", "cryptocurrencies", "incident response", "infostealers", "lumma", "malvertizing", "malware", "malware descriptions", "malware technologies", "phishing", "telegram", "trojan", "trojan-stealer", "lumma stealer", "nsis installer", "autoit", "iocs", "run dialog", "amsi", "below", "nsis", "mcafee", "stealer", "\u2019m", "downloads" ], "references": [ "https://securelist.com/lumma-fake-captcha-attacks-analysis/116274/" ], "public": 1, "adversary": "", "targeted_countries": [ "Italy", "Mongolia", "Russian Federation" ], "malware_families": [ { "id": "CAPTCHA", "display_name": "CAPTCHA", "target": null }, { "id": "\u2019m", "display_name": "\u2019m", "target": null }, { "id": "Downloads", "display_name": "Downloads", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Government", "Maritime", "Logistics" ], "TLP": "white", "cloned_from": "6807a23302e3a26f9b32c891", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4, "domain": 19, "hostname": 6 }, "indicator_count": 29, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "394 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68085933d995e64eaee31209", "name": "How Lumma Stealer sneaks into organizations", "description": "", "modified": "2025-04-23T03:06:27.966000", "created": "2025-04-23T03:06:27.966000", "tags": [ "lumma stealer", "anti-analysis", "powershell", "fake captcha", "information stealer", "cryptocurrency theft", "autoit", "obfuscation" ], "references": [ "https://securelist.com/lumma-fake-captcha-attacks-analysis/116274" ], "public": 1, "adversary": "Lumma", "targeted_countries": [ "Mongolia", "Russian Federation" ], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null } ], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" } ], "industries": [ "Finance", "Government" ], "TLP": "white", "cloned_from": "680680f666b6192de781c7f1", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2, "domain": 12, "hostname": 1 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "402 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6807a23302e3a26f9b32c891", "name": "How Lumma Stealer sneaks into organizations | Securelist", "description": "Security company Kaspersky has discovered a sophisticated and sophisticated information stealer, known as Lumma, that is being used by cybercriminals to steal data from people around the world and sell it on dark web marketplaces.", "modified": "2025-04-22T14:05:39.893000", "created": "2025-04-22T14:05:39.893000", "tags": [ "captcha", "cryptocurrencies", "incident response", "infostealers", "lumma", "malvertizing", "malware", "malware descriptions", "malware technologies", "phishing", "telegram", "trojan", "trojan-stealer", "lumma stealer", "nsis installer", "autoit", "iocs", "run dialog", "amsi", "below", "nsis", "mcafee", "stealer", "\u2019m", "downloads" ], "references": [ "https://securelist.com/lumma-fake-captcha-attacks-analysis/116274/" ], "public": 1, "adversary": "", "targeted_countries": [ "Italy", "Mongolia", "Russian Federation" ], "malware_families": [ { "id": "CAPTCHA", "display_name": "CAPTCHA", "target": null }, { "id": "\u2019m", "display_name": "\u2019m", "target": null }, { "id": "Downloads", "display_name": "Downloads", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Government", "Maritime", "Logistics" ], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4, "domain": 19, "hostname": 6 }, "indicator_count": 29, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "403 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67617edafa11fa408b73322c", "name": "ACTIVIDAD MALICIOSA | Relacionada con Lumma Stealer 17-12-2024", "description": "Lumma Stealer es un tipo de software malicioso dise\u00f1ado para robar informaci\u00f3n confidencial de los dispositivos infectados. Este malware se infiltra en los sistemas y extrae datos personales, como nombres de usuario, contrase\u00f1as, informaci\u00f3n bancaria y detalles de tarjetas de cr\u00e9dito. LummaStealer puede afectar varias cuentas, incluidas redes sociales, correos electr\u00f3nicos y monederos de criptomonedas. Los delincuentes pueden usar la informaci\u00f3n robada para chantaje, suplantaci\u00f3n de identidad, y realizar transacciones fraudulentas, lo que puede causar serios problemas de privacidad y p\u00e9rdidas econ\u00f3micas significativas para las v\u00edctimas.", "modified": "2025-01-16T13:03:38.406000", "created": "2024-12-17T13:38:34.760000", "tags": [ "access", "discovery", "ta0001 initial", "t1003 data", "local system", "t1033 system", "t1057 process", "t1082 system", "t1087 account" ], "references": [ "https://darfe.es/ciberwiki/index.php?title=Lumma", "https://www.virustotal.com/graph/embed/gec57b97e0f194fd38738be6392abba6f180fe9d93be24891af76fb2c7bec3638?theme=dark", "https://www.virustotal.com/gui/collection/bf70caf191025dfa3e68e8bc63882880ae2ca60f72ece512aaee246b487c5ad6" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "esoporteingenieria2020", "id": "121604", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 26, "FileHash-SHA1": 25, "FileHash-SHA256": 27, "URL": 301, "domain": 665, "hostname": 8 }, "indicator_count": 1052, "is_author": false, "is_subscribing": null, "subscriber_count": 267, "modified_text": "499 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "674c9f48cd2a512e28ef6523", "name": "ACTIVIDAD MALICIOSA | Relacionada con LummaStealer 01-12-2024", "description": "Lumma Stealer es un tipo de software malicioso dise\u00f1ado para robar informaci\u00f3n confidencial de los dispositivos infectados. Este malware se infiltra en los sistemas y extrae datos personales, como nombres de usuario, contrase\u00f1as, informaci\u00f3n bancaria y detalles de tarjetas de cr\u00e9dito. LummaStealer puede afectar varias cuentas, incluidas redes sociales, correos electr\u00f3nicos y monederos de criptomonedas. Los delincuentes pueden usar la informaci\u00f3n robada para chantaje, suplantaci\u00f3n de identidad, y realizar transacciones fraudulentas, lo que puede causar serios problemas de privacidad y p\u00e9rdidas econ\u00f3micas significativas para las v\u00edctimas.", "modified": "2024-12-31T17:05:00.863000", "created": "2024-12-01T17:39:20.573000", "tags": [ "http", "access", "discovery", "uexfvbqog9i67m", "mmirygls1g", "vt51x7b9cwn7e4x", "v2fnqdfylkobc", "tcticas", "ta0001 initial", "t1003 data" ], "references": [ "https://www.virustotal.com/graph/embed/g31920c46027f42a085f0a4040c4609fcccba0ba580b3451893964f393d84ac65?theme=dark", "https://www.virustotal.com/gui/collection/9419ada66b99877877ab2cbbe22a5e2de65cd18153db39736cb4fe1d06cc1129", "https://darfe.es/ciberwiki/index.php?title=Lumma" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "esoporteingenieria2020", "id": "121604", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1161, "FileHash-SHA1": 1159, "FileHash-SHA256": 1167, "URL": 255, "domain": 665, "hostname": 8 }, "indicator_count": 4415, "is_author": false, "is_subscribing": null, "subscriber_count": 266, "modified_text": "515 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67605e1014eb611bf6c3ea80", "name": "\u201cDeceptionAds\u201d \u2014 Fake Captcha Driving Infostealer Infections and a Glimpse to the Dark Side of Internet Advertising", "description": "Guardio Labs reported on a large-scale fake captcha campaign distributing Lumma Stealer that circumvents general security measures like Safe Browsing. The campaign relies entirely on a single ad network for propagation (malvertising), Monetag, a subsidiary of ProepllerAds previously tracked by Infoblox under the name \u201cVane Viper.\u201d These ads, leveraging BeMob for tracking, receive over 1 million daily \u201cimpressions,\u201d potentially causing thousands of daily infections of Lumma Stealer\u00a0through a network of\u00a03,000+\u00a0sites using Monetag scripts. The research dissects this campaign and provides insights into the malvertising industry\u2019s infrastructure, tactics, and key players.", "modified": "2024-12-16T17:06:24.698000", "created": "2024-12-16T17:06:24.698000", "tags": [ "Malvertising", "Lumma Stealer", "BeMob Ad Tracking" ], "references": [ "https://labs.guard.io/deceptionads-fake-captcha-driving-infostealer-infections-and-a-glimpse-to-the-dark-side-of-0c516f4dc0b6" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "eric.ford", "id": "42510", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_42510/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 92, "URL": 94, "FileHash-MD5": 1, "hostname": 4 }, "indicator_count": 191, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "530 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "676049d097dee16008d10a76", "name": "\u201cDeceptionAds\u201d \u2014 Fake Captcha Driving Infostealer Infections and a Glimpse to the Dark Side of Internet Advertising", "description": "Research by Guardio Labs sheds light on the dark side of the internet advertising industry, revealing how malvertising on steroids is thriving and how web users are vulnerable to the threat of cyber-thieves.", "modified": "2024-12-16T15:40:00.031000", "created": "2024-12-16T15:40:00.031000", "tags": [ "monetag", "bemob", "infoblox", "facebook", "guardio labs", "powershell", "system", "javascript", "js snippet", "service", "download", "example", "rest", "captcha lumma", "monetag tds" ], "references": [ "https://labs.guard.io/deceptionads-fake-captcha-driving-infostealer-infections-and-a-glimpse-to-the-dark-side-of-0c516f4dc0b6" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Captcha Lumma", "display_name": "Captcha Lumma", "target": null }, { "id": "Monetag TDS", "display_name": "Monetag TDS", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 92, "URL": 94, "FileHash-MD5": 1, "hostname": 4 }, "indicator_count": 191, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "530 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6747ae5423483853dd03a506", "name": "ClickFix Baddys via RussianPanda's Workflow", "description": "https://malasada.tech/clickfix-baddys-via-russianpandas-workflow/", "modified": "2024-11-27T23:42:12.555000", "created": "2024-11-27T23:42:12.555000", "tags": [ "ClickFix" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "malasada.tech", "id": "277538", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 147, "hostname": 8 }, "indicator_count": 155, "is_author": false, "is_subscribing": null, "subscriber_count": 28, "modified_text": "548 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://securelist.com/lumma-fake-captcha-attacks-analysis/116274", "https://www.virustotal.com/gui/collection/bf70caf191025dfa3e68e8bc63882880ae2ca60f72ece512aaee246b487c5ad6", "https://securelist.com/lumma-fake-captcha-attacks-analysis/116274/", "https://www.virustotal.com/graph/embed/g31920c46027f42a085f0a4040c4609fcccba0ba580b3451893964f393d84ac65?theme=dark", "https://darfe.es/ciberwiki/index.php?title=Lumma", "https://www.virustotal.com/graph/embed/gec57b97e0f194fd38738be6392abba6f180fe9d93be24891af76fb2c7bec3638?theme=dark", "https://labs.guard.io/deceptionads-fake-captcha-driving-infostealer-infections-and-a-glimpse-to-the-dark-side-of-0c516f4dc0b6", "https://labs.inquest.net/iocdb", "https://www.virustotal.com/gui/collection/9419ada66b99877877ab2cbbe22a5e2de65cd18153db39736cb4fe1d06cc1129" ], "related": { "alienvault": { "adversary": [ "Lumma" ], "malware_families": [ "Lumma stealer" ], "industries": [ "Finance", "Government" ] }, "other": { "adversary": [ "Lumma" ], "malware_families": [ "Downloads", "Monetag tds", "\u2019m", "Captcha lumma", "Lumma", "Lumma stealer", "Captcha" ], "industries": [ "Maritime", "Logistics", "Finance", "Government" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 14, "pulses": [ { "id": "680680f666b6192de781c7f1", "name": "How Lumma Stealer sneaks into organizations", "description": "Lumma Stealer, a sophisticated information-stealing malware, has gained prominence in cybercriminal circles since 2022. It employs various distribution methods, with fake CAPTCHA pages being a notable vector. These pages mimic legitimate services and trick users into executing malicious commands. The malware uses complex infection chains involving PowerShell scripts, JavaScript, and AutoIt components to evade detection. Once installed, Lumma Stealer targets a wide range of sensitive data, including cryptocurrency wallets, browser credentials, and financial information. The malware's stealthy execution and anti-analysis techniques make it a significant threat to both individuals and organizations.", "modified": "2025-04-21T22:28:22.241000", "created": "2025-04-21T17:31:34.991000", "tags": [ "lumma stealer", "anti-analysis", "powershell", "fake captcha", "information stealer", "cryptocurrency theft", "autoit", "obfuscation" ], "references": [ "https://securelist.com/lumma-fake-captcha-attacks-analysis/116274" ], "public": 1, "adversary": "Lumma", "targeted_countries": [ "Mongolia", "Russian Federation" ], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null } ], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" } ], "industries": [ "Finance", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 44, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 2, "domain": 12, "hostname": 1 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 386445, "modified_text": "403 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "680c1a2539b381ea9fbe7054", "name": "InQuest - 25-04-2025", "description": "", "modified": "2025-05-25T23:00:17.763000", "created": "2025-04-25T23:26:29.483000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 42, "URL": 236, "FileHash-SHA1": 24, "FileHash-SHA256": 814, "domain": 54, "FileHash-MD5": 26 }, "indicator_count": 1196, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "369 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "680ac7dd8edc8c55be961a6d", "name": "InQuest - 24-04-2025", "description": "", "modified": "2025-05-24T23:00:39.177000", "created": "2025-04-24T23:23:09.843000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 879, "FileHash-MD5": 33, "hostname": 67, "URL": 426, "domain": 113, "FileHash-SHA1": 24 }, "indicator_count": 1542, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "370 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6818f46dd65fe9f5628b6deb", "name": "Lumma Stealer Rising MaaS Threat with Sophisticated Delivery and Evasion Tactics", "description": "", "modified": "2025-05-05T17:25:01.415000", "created": "2025-05-05T17:25:01.415000", "tags": [ "ctia type", "date", "april", "time", "update", "siem", "keep anti", "virus endpoint", "detection", "check", "test" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 8 }, "indicator_count": 9, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "390 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6814bb1dc645da1b5d4e1228", "name": "Lumma Stealer Rising MaaS Threat with Sophisticated Delivery and Evasion Tactics", "description": "", "modified": "2025-05-02T12:34:36.004000", "created": "2025-05-02T12:31:25.355000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 7, "hostname": 5, "FileHash-MD5": 2, "FileHash-SHA1": 2 }, "indicator_count": 17, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "393 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68144719ce06e61f72f4b24d", "name": "Lumma Stealer \u2013 Tracking distribution channels", "description": "", "modified": "2025-05-02T04:16:25.940000", "created": "2025-05-02T04:16:25.940000", "tags": [ "captcha", "cryptocurrencies", "incident response", "infostealers", "lumma", "malvertizing", "malware", "malware descriptions", "malware technologies", "phishing", "telegram", "trojan", "trojan-stealer", "lumma stealer", "nsis installer", "autoit", "iocs", "run dialog", "amsi", "below", "nsis", "mcafee", "stealer", "\u2019m", "downloads" ], "references": [ "https://securelist.com/lumma-fake-captcha-attacks-analysis/116274/" ], "public": 1, "adversary": "", "targeted_countries": [ "Italy", "Mongolia", "Russian Federation" ], "malware_families": [ { "id": "CAPTCHA", "display_name": "CAPTCHA", "target": null }, { "id": "\u2019m", "display_name": "\u2019m", "target": null }, { "id": "Downloads", "display_name": "Downloads", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Government", "Maritime", "Logistics" ], "TLP": "white", "cloned_from": "68130b0a09b695605a0065a0", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4, "domain": 19, "hostname": 6 }, "indicator_count": 29, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "393 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68130b0a09b695605a0065a0", "name": "Lumma Stealer \u2013 Tracking distribution channels", "description": "", "modified": "2025-05-01T05:47:54.846000", "created": "2025-05-01T05:47:54.846000", "tags": [ "captcha", "cryptocurrencies", "incident response", "infostealers", "lumma", "malvertizing", "malware", "malware descriptions", "malware technologies", "phishing", "telegram", "trojan", "trojan-stealer", "lumma stealer", "nsis installer", "autoit", "iocs", "run dialog", "amsi", "below", "nsis", "mcafee", "stealer", "\u2019m", "downloads" ], "references": [ "https://securelist.com/lumma-fake-captcha-attacks-analysis/116274/" ], "public": 1, "adversary": "", "targeted_countries": [ "Italy", "Mongolia", "Russian Federation" ], "malware_families": [ { "id": "CAPTCHA", "display_name": "CAPTCHA", "target": null }, { "id": "\u2019m", "display_name": "\u2019m", "target": null }, { "id": "Downloads", "display_name": "Downloads", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Government", "Maritime", "Logistics" ], "TLP": "white", "cloned_from": "6807a23302e3a26f9b32c891", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4, "domain": 19, "hostname": 6 }, "indicator_count": 29, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "394 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68085933d995e64eaee31209", "name": "How Lumma Stealer sneaks into organizations", "description": "", "modified": "2025-04-23T03:06:27.966000", "created": "2025-04-23T03:06:27.966000", "tags": [ "lumma stealer", "anti-analysis", "powershell", "fake captcha", "information stealer", "cryptocurrency theft", "autoit", "obfuscation" ], "references": [ "https://securelist.com/lumma-fake-captcha-attacks-analysis/116274" ], "public": 1, "adversary": "Lumma", "targeted_countries": [ "Mongolia", "Russian Federation" ], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null } ], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" } ], "industries": [ "Finance", "Government" ], "TLP": "white", "cloned_from": "680680f666b6192de781c7f1", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2, "domain": 12, "hostname": 1 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "402 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6807a23302e3a26f9b32c891", "name": "How Lumma Stealer sneaks into organizations | Securelist", "description": "Security company Kaspersky has discovered a sophisticated and sophisticated information stealer, known as Lumma, that is being used by cybercriminals to steal data from people around the world and sell it on dark web marketplaces.", "modified": "2025-04-22T14:05:39.893000", "created": "2025-04-22T14:05:39.893000", "tags": [ "captcha", "cryptocurrencies", "incident response", "infostealers", "lumma", "malvertizing", "malware", "malware descriptions", "malware technologies", "phishing", "telegram", "trojan", "trojan-stealer", "lumma stealer", "nsis installer", "autoit", "iocs", "run dialog", "amsi", "below", "nsis", "mcafee", "stealer", "\u2019m", "downloads" ], "references": [ "https://securelist.com/lumma-fake-captcha-attacks-analysis/116274/" ], "public": 1, "adversary": "", "targeted_countries": [ "Italy", "Mongolia", "Russian Federation" ], "malware_families": [ { "id": "CAPTCHA", "display_name": "CAPTCHA", "target": null }, { "id": "\u2019m", "display_name": "\u2019m", "target": null }, { "id": "Downloads", "display_name": "Downloads", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Government", "Maritime", "Logistics" ], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4, "domain": 19, "hostname": 6 }, "indicator_count": 29, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "403 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67617edafa11fa408b73322c", "name": "ACTIVIDAD MALICIOSA | Relacionada con Lumma Stealer 17-12-2024", "description": "Lumma Stealer es un tipo de software malicioso dise\u00f1ado para robar informaci\u00f3n confidencial de los dispositivos infectados. Este malware se infiltra en los sistemas y extrae datos personales, como nombres de usuario, contrase\u00f1as, informaci\u00f3n bancaria y detalles de tarjetas de cr\u00e9dito. LummaStealer puede afectar varias cuentas, incluidas redes sociales, correos electr\u00f3nicos y monederos de criptomonedas. Los delincuentes pueden usar la informaci\u00f3n robada para chantaje, suplantaci\u00f3n de identidad, y realizar transacciones fraudulentas, lo que puede causar serios problemas de privacidad y p\u00e9rdidas econ\u00f3micas significativas para las v\u00edctimas.", "modified": "2025-01-16T13:03:38.406000", "created": "2024-12-17T13:38:34.760000", "tags": [ "access", "discovery", "ta0001 initial", "t1003 data", "local system", "t1033 system", "t1057 process", "t1082 system", "t1087 account" ], "references": [ "https://darfe.es/ciberwiki/index.php?title=Lumma", "https://www.virustotal.com/graph/embed/gec57b97e0f194fd38738be6392abba6f180fe9d93be24891af76fb2c7bec3638?theme=dark", "https://www.virustotal.com/gui/collection/bf70caf191025dfa3e68e8bc63882880ae2ca60f72ece512aaee246b487c5ad6" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "esoporteingenieria2020", "id": "121604", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 26, "FileHash-SHA1": 25, "FileHash-SHA256": 27, "URL": 301, "domain": 665, "hostname": 8 }, "indicator_count": 1052, "is_author": false, "is_subscribing": null, "subscriber_count": 267, "modified_text": "499 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "streamingsplays.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "streamingsplays.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780170441.2115154 }