On further investigation, it appears the ByBit heist was conducted by the DPRK threat actor group known as TraderTraitor, also known as Jade Sleet and Slow Pisces—whereas the crypto interview scam is being led by a DPRK threat actor group known as Contagious Interview, also known as Famous Chollima. Due to both groups targeting ByBit, our team was able to pivot from one campaign into the other, and eventually acquire infrastructure from the Contagious Interview group.
After publishing, our team continued to review the files we had acquired and eventually discovered a file containing brands that Lazarus appears to be impersonating. We’re exposing those brands publicly to help warn those companies and anyone applying for jobs with those brands. They include:
Stripe, Coinbase, Binance, Block, Ripple, Robinhood, Tether, Circle, Kraken, Gemini, Polygon, Chainalysis, KuCoin, eToro, Bitstamp, Bitfinex, Gate[.]io, Pantera Capital, Galaxy, Bitwise Asset Management, Bitwise Investments, BingX, Gauntlet, XY Labs, YouHodler, MatChain, Bemo, Barrowwise, Bondex, Halliday, Holidu, Hyphen Connect, and Windranger.
*Note: Full details will soon be available to our enterprise users in an upcoming report.
The North Korean state-sponsored cyber threat, Lazarus Group, has been attributed to the Reconnaissance General Bureau and has been active since at least 2009. North Korean group definitions have significant overlap, and some reports simply include all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters (or subgroups), such as APT37, Andariel (APT45), APT38, or Kimsuky (APT43) individually.
Following news of Lazarus Group successfully compromising “ByBit” with the largest crypto theft in history, our team redoubled its efforts to hunt for any new infrastructure being utilized, quickly discovering much more than is publicly available.
ZachXBT was the first to flag the crypto heist, with credible details connecting it to Lazarus Group. Arkham crypto intelligence put out a bounty on the morning of February 21, 2025, asking for any researchers to confirm who was behind the ByBit attack. Just hours later, ZachXBT submitted details, and Arkham confirmed, “His analysis, based on on-chain transactions, wallet movements, and historical Lazarus tactics, techniques, and procedures (TTPs), provided early warning signs linking the attack to North Korean cyber operations and reinforcing existing intelligence assessments.”

Silent Push analysts immediately began combing through everything our team had seen associated with Lazarus Group and any Democratic People’s Republic of Korea (DPRK) threat actors over the last few months that could have been associated with the ByBit campaign, looking for new leads. On December 28, 2024, X/Twitter user Tayvano issued a warning about “nasty malware,” which aligned with past DPRK attacks of complex hiring lures focused on targeting crypto users.

The late December thread included a screenshot that embedded a hostname “api.nvidia-release[.]org,” and our threat research team was able to use this to pivot into new infrastructure. More details can be found below.*
Through the X/Twitter post, we discovered that Tayvano also created a GitHub repository to share in relation to additional research details. We created several queries based on the information from Tayvano’s GitHub and discovered the campaign is still ongoing.
*Note: Our threat analysts have noticed malicious actors routinely change their infrastructure and tactics based on the details included in our public blog posts, so we have omitted many of the key details needed to circumvent detection from this post as well as the true extent of our discoveries for operational security reasons. Enterprise customers have access to IOFA™ feeds that enable easy blocking of all associated Lazarus APT infrastructure and will soon have access to an in-depth report containing all of our research and the methodologies we have observed by this actor.
Our team decided to take a holistic look at any fresh infrastructure referencing ByBit, hoping to find new pivots that could be associated with the DPRK theft.
Silent Push Threat Analysts soon discovered that Lazarus had registered the domain “bybit-assessment[.]com” at 22:21:57 on February 20, 2025—mere hours before the $1.4 billion crypto heist.
Looking at this domain’s WHOIS records in our WHOIS Scanner revealed the email address “trevorgreer9312@gmail[.]com,” which was used to register the domain.

This email address, trevorgreer9312@gmail[.]com, appears in the WHOIS data for the “bybit-assessment[.]com” domain, and the same name, “Trevor Greer,” has been noted as a Lazarus persona with a unique GitHub account used in previous attacks, based on the public research included in Tayvano’s GitHub repo, “BlueNoroff Research.”*
*Note: BlueNoroff is the public name of a Lazarus APT subgroup. Our enterprise customers have access to several IOFA™ feeds that cover this particular subgroup.

Details from Tayvano’s “BlueNoroff Research” folder also mention Trevor Greer, trevorgreer9312@gmail[.]com, github[.]com/trevor9312, 104.223.97[.]2 (an Astrill VPN IP), and 91.239.130[.]102 (also Astrill).
Silent Push Threat analysts successfully infiltrated the Lazarus infrastructure associated with this campaign, gathering key intelligence vital to our ongoing investigation. For obvious reasons, we can share very little about this effort and what we found publicly, however we regularly collaborate with law enforcement partners to analyze acquired data, identify those responsible, and mitigate further threats as part of a broader initiative to track, disrupt, and hold malicious actors accountable. What we can share publicly is available below.
During our investigation, interesting details arose from within the files associated with this APT’s infrastructure. Lazarus extensively tests its own configurations, particularly in relation to phishing data. Our analysis reveals that this group repeatedly refined its methods for collecting and transmitting stolen credentials prior to assumed use, suggesting a focus on optimizing the infrastructure and configurations.
The first testing records were found on December 7, 2024; the first IP address on line 46 is from the person submitting the form on 38.170.181[.]10, and the second, 199.188.200[.]35, is the hosted server receiving the data.
We have not detected any ByBit victims within the log files yet, nor have we seen the ByBit domain being weaponized. However, the registration of this domain so soon before the attack understandably grabbed our attention, and pivots from this intelligence treasure trove helped us find additional infrastructure that wasn’t yet locked down, providing an opportunity to analyze their internal files. This analysis is ongoing, but our team felt it prudent to share what we could as soon as possible.

![Example of Josep@gmail[.]com email address](https://www.silentpush.com/wp-content/uploads/lax-7.png)
Josep@gmail[.]com was matched across more than a dozen lines, which shows the threat actor actively using this email address for testing. We do not believe this email address to be legitimate, given the “test” keyword frequently used in combination with it.
Interestingly, Silent Push Threat Analysts also identified the threat actor wrote “Lazaro” for a test, only a few characters off of the APT group’s name, “Lazarus.”
![Example of the Josep@gmail[.]com email used for testing](https://www.silentpush.com/wp-content/uploads/laz-6-1.png)
As part of this analysis, our team discovered 27 unique Astrill VPN IP addresses in the logs linked to test records created by Lazarus members while configuring their setup, further confirming they heavily favor this VPN. We are sharing these at the end of our post alongside our sample IOFA™ in an effort to help the community proactively respond to this threat. Our enterprise users can expect a TLP: Amber report with full details on our findings later this week, and our public readers can look forward to another Astrill VPN-focused post coming soon.
Our team has connected the IP address 91.222.173[.]30 to Lazarus, which itself connects to several malicious domains.
From February 21st until today, the Lazarus domain bybit-assessment[.]com was mapped with DNS A records to 91.222.173[.]30. The domain also had TXT records referencing this same IP address.
Our analysts parsed all the domains that were mapped to this IP address, or that referenced it in their TXT records, and found a small group of potential false positives. However, we have also confirmed that this IP is associated with yet more crypto scams and interview scams, and we are currently working to associate these domains with Lazarus Group. We’re including many of the domains from these pivots at the end of this blog and encourage organizations to be extremely cautious if interacting with any of them.
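The A-record and TXT-record pivot described above, written out as an added example (this is not Silent Push code or data): every domain that resolves to the pivot IP, or embeds it in a TXT record, is collected, then ranked so the likely false positives sink to the bottom. Only bybit-assessment[.]com and 91.222.173[.]30 come from the post; the other records are constructed placeholders.

```python
"""DNS pivot of the kind described above: find every domain tied to a pivot IP
through an A record or a TXT record that embeds the IP, then rank them.
Records are constructed sample data; only bybit-assessment[.]com and
91.222.173[.]30 come from the post, the other names are invented placeholders."""
import re
from collections import defaultdict

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(indicator: str) -> str:
    """Convert the post's defanged notation (91.222.173[.]30) to a usable string."""
    return indicator.replace("[.]", ".")


def defang(indicator: str) -> str:
    """Defang for safe display, matching the post's [.] convention."""
    return indicator.replace(".", "[.]")


# Constructed passive-DNS style records: (rrname, rrtype, rdata).
SAMPLE_RECORDS = [
    ("bybit-assessment.com", "A", "91.222.173.30"),
    ("bybit-assessment.com", "TXT", "v=spf1 ip4:91.222.173.30 -all"),
    ("placeholder-hiring-assessment.com", "A", "91.222.173.30"),
    ("placeholder-wallet-verify.net", "TXT", "node=91.222.173.30"),
    ("placeholder-wallet-verify.net", "A", "198.51.100.9"),
    ("placeholder-shared-blog.org", "A", "91.222.173.30"),
    ("unrelated-site.example", "A", "203.0.113.7"),
]


def pivot_on_ip(records, pivot_ip):
    """Return {domain: {"A", "TXT", ...}} for every domain whose A record
    resolves to pivot_ip or whose TXT rdata contains it as a whole IPv4."""
    ip = refang(pivot_ip)
    hits = defaultdict(set)
    for rrname, rrtype, rdata in records:
        if rrtype == "A" and rdata == ip:
            hits[rrname].add("A")
        elif rrtype == "TXT" and ip in IPV4_RE.findall(rdata):
            hits[rrname].add("TXT")
    return dict(hits)


# Lure themes the post describes (employment and crypto scams); heuristic only.
LURE_TERMS = ("assessment", "interview", "hiring", "job", "wallet", "verify", "bybit")


def rank_pivots(hits):
    """Order pivot results so analysts review the strongest candidates first.
    Multiple evidence types and lure terms in the name raise the score; a lone
    A record on an IP that also hosts unrelated domains is where the post's
    'potential false positives' tend to sit. Returns [(defanged_domain, score)]."""
    scored = []
    for domain, evidence in hits.items():
        score = len(evidence) + sum(term in domain for term in LURE_TERMS)
        scored.append((score, domain))
    return [(defang(d), s) for s, d in sorted(scored, key=lambda t: (-t[0], t[1]))]


if __name__ == "__main__":
    for domain, score in rank_pivots(pivot_on_ip(SAMPLE_RECORDS, "91.222.173[.]30")):
        print(f"{score:2d}  {domain}")
```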
Many of the domains seen in this Lazarus research appear to be part of “employment scams”, which are common among North Korean threat actors. The previously discussed domain “api.nvidia-release[.]org”, seen in the Tayvano thread, was also acquired from one of these malicious employment campaigns.
Victims are typically approached via LinkedIn, where they are socially engineered into participating in fake job interviews.
These interviews serve as an entry point for targeted malware deployment, credential harvesting, and further compromise of financial and corporate assets. Here are a few screenshots of the job scams from the malicious Lazarus domain “Blockchainjobhub[.]com” as well as some additional details:



Newer fake interview camera/picture-taking request ploy:

The next screen informs the viewer that their camera and microphone are having problems, stating that their setup access is currently being blocked. The viewer is directed to update their camera drivers with a malicious .sh file (a bash script).
One of the malicious payloads seen in this campaign from the original Twitter thread was also analyzed by DMPdump in their piece “North Korea-nexus Golang Backdoor/Stealer from Contagious Interview campaign.” This malware teardown is a must-read for technical experts.

Silent Push Threat Analysts recommend organizations use our Enterprise edition to receive the latest Indicators of Future Attack™ (IOFA™) in real-time and enrich them in their security solutions to detect, prevent, and respond to future cyberattacks. Our proprietary analytics and persistent manual reviews match patterns against known malicious examples to ensure our IOFA™ feeds do not contain false positives.
We are continuously searching to uncover emerging threats from APTs, financial crimes, malvertising, and more. Please do not hesitate to reach out if you or your organization are interested in cooperating on research.
Register for a Free Silent Push Community Edition Account
Silent Push Community Edition offers free access to our threat-hunting and cyber defense platform. It features a range of advanced offensive and defensive lookups, web content queries, and enriched data types, including both the Silent Push Web Scanner and Live Scan.
Silent Push is sharing a sample list of 20 of the IOFA™ we have associated with active Lazarus APT infrastructure related to this campaign to support ongoing efforts within the community. Our enterprise users have access to an IOFA™ feed currently containing many times this number, with more being added in real time as our investigation continues.
Unique Astrill VPN IPs included in Lazarus Group infrastructure logs include:
Security teams strive to be on the offensive by identifying emerging threats before they surface and have a chance to do damage. Such threat detection strategies are used across the board in multiple industries, including finance, government and healthcare.
Unfortunately, using a standard approach to threat intelligence and threat hunting often puts them on the defensive, as they’re forced to sift through outdated intelligence that eats into their response time.
Given that only 2% of global threat infrastructure is being tracked in cybersecurity at any given time, organizations simply don’t have the ability to obtain a complete view of any given threat landscape, and are forced to reactively mitigate attacks that originate from the hidden 98%.
In this blog, we’ll explain how to plan an offensive strategy with a complete view of attacker infrastructure to protect your organization, and describe how Silent Push facilitates fast, accurate proactive threat detection using Indicators of Future Attack™ (IOFA™).
Proactive threat detection locates and stops carefully orchestrated cyber attacks before they cause damage.
In boxing, there’s an old saying – “hit and don’t get hit”. A fighter who has the ability to be on the offensive minimizes the number of hits their opponent can land, causing them to become preoccupied with defending themselves rather than attacking.
A proactive security team doesn’t sit back and wait for the punches to come to them. They understand their attack surface, they know how they’re going to be targeted – and by whom – and they take the fight to the threat actor by shutting down digital assaults before they’re launched with industry-leading Indicators of Future Attack™ (IOFA™).

Reactive security teams fight behind their gloves, and hope for the best by dealing with incidents at the perimeter, rather than going out on the attack and proactively locating threat infrastructure. Sooner or later, one of those punches will get through, and that’s when the knockout blow comes in the form of a breach.
They rely on stale lists of post-breach IOCs that only serve to inform defenders about where an attack has come from, rather than where it’s going to be.
Reactive teams formulate a defense as a REACTION to an attack that has occurred elsewhere. They aren’t able to ascertain where an adversary is going to strike before the attack, and they are in the dark about the infrastructure being set up.
If your teams aren’t proactively tracking and monitoring both emerging and active threat infrastructure, the knockout blow is just around the corner, your potential exposure to an attack increases, and with it the chances of a costly breach.
Preemptive threat intelligence allows you to proactively identify threat infrastructure as it’s being set up, and before an adversary launches an attack.
It’s the only reliable way to outsmart adversaries and take control back.
Security teams need to do away with a reactive, IOC-led approach to threat intelligence and focus on the underlying tactics and strategies used by threat actors, an approach that tracks the deployment of infrastructure rather than simply dealing with the individual domains and IPs used in a previous attack.
Silent Push is the first and only threat intelligence solution to deliver IOFA™ and create a unique digital fingerprint of adversary behavior that allows teams to adopt a fully proactive stance by eliminating incoming attacks before they’re launched.
Our feeds and intelligence streams aren’t made up of retrospective, reactive indicators of previous threat activity. IOFA™ provide your teams with a glimpse into the future, so that you can anticipate and react to emerging threats way before they reach your organization.
We are the only solution to understand the full attack landscape, and provide this to SOC and IR teams in a way that’s immediately actionable, and doesn’t take up precious time and resources to further investigate and validate before it’s useable.
Click here to get access to an exclusive report that outlines 4 key cyber threat trends to keep ahead of in 2025, and learn about:
Find out how your organization can use Preemptive Threat Intelligence to outsmart adversaries and stop attacks before they’re launched.
Contact us here for more information.
Silent Push Threat Analysts recently expanded on our previous research on “Lumma Stealer” infostealer malware from January of last year. Among the new discoveries, our team found Lumma Stealer logs are being shared for free on Leaky[.]pro, a relatively new hacking forum.
Difficult to detect and prevent, Lumma Stealer malware is spread through various platforms such as video-sharing sites, file-sharing services, and directly through malicious websites. Lumma Stealer infections typically act as enablers for more extensive attacks, including the deployment of ransomware and espionage operations, where attackers gather intelligence or steal intellectual property.
Our team discovered that Lumma Stealer C2 domain clusters are frequently registered in quick succession and, in many cases, appear to be handled via an automated process. These clusters and infrastructure expansion techniques share certain characteristics that our threat analysts have combined to fingerprint Lumma Stealer infrastructure.
The ever-evolving nature of Lumma Stealer campaigns, which often lead to widespread infections, outlines the need for robust, industry-wide cybersecurity measures to mitigate the potential damage they can cause. Frequent targets include YouTube, the content delivery network (CDN) Cloudflare, and the file-sharing platform/cloud storage company MediaFire. These companies cannot fight this threat alone, however, so Silent Push Threat Analysts are sharing our latest research to help defenders mitigate and prevent the spread of Lumma Stealer infections.
Register now for our free Community Edition to use all the tools and queries mentioned in this blog.
Lumma Stealer was first seen on Russian-language criminal forums in 2022. It continues to be sold under the “Malware-as-a-Service” business model, with different pricing tiers for threat actor operations of varying sizes. From 2023 onward, the number of compromises linked to Lumma Stealer has risen dramatically, particularly those including the resale of stolen credentials to other criminals.
“Infostealer” malware, like Lumma Stealer, refers to malware designed primarily to collect sensitive information (login credentials, browser history, credit card details, and other personal data) from infected systems. Lumma Stealer goes even further, targeting web browser information (cookies, history, extensions, and saved passwords), chat logs, details about installed programs, stored financial information, and even cryptocurrency wallet data. Lumma also targets multiple versions of the Windows operating system.
Malware distribution mechanisms for Lumma Stealer vary greatly depending on the motivation of the specific operator deploying it. Cybercriminals use “stealer logs” (files generated by malware like Lumma Stealer with sensitive information from compromised systems) to exploit stolen data for all types of fraudulent activities, including identity theft. The most effective campaigns seen by our team thus far have also utilized “malvertising” (malicious advertisements) on popular search engines and “malspam” (malicious spam emails) containing harmful attachments.
Building on our initial research back in September of 2023, where we uncovered a trove of active Lumma C2 servers and admin panels as shared in our blog, “The Dead Russian Poets Society: Silent Push Uses Behavioral Fingerprinting, Content Scans, and a 128-year-old Russian Poem to Uncover 150+ New ACTIVE Lumma C2 Servers and Admin Panels,” our team published additional research in January 2024 on the discovery of Lumma Stealer C2 and control panels hosted on Cloudflare infrastructure.
In this latest report, our threat analysts observed that threat actors using Lumma Stealer appear to register clusters of roughly 10-20 domains at a time, some of which are used immediately and others that are left to age for up to two weeks. Knowing this, we can then search for and unearth the “aging” domains if even one of the active domains can be found.
Our team believes readers of this report should be aware of the increase in malware spread via YouTube. Malicious links and infected files are often disguised in videos, comments, or descriptions. Exercising caution and being skeptical of unverified sources when interacting with YouTube content, especially when prompted to download or click on links, can help protect against these growing threats.
Note: Our threat analysts have noticed malicious actors often change their infrastructure and tactics based on the details included in our public blog posts, so we have omitted many of the key details needed to circumvent detection from this post for operational security reasons. Enterprise customers have access to a fully detailed report on Lumma Stealer’s methods as well as IOFA™ feeds that enable easy blocking of all associated infrastructure.
Silent Push Threat Analysts discovered a user, “zhack,” on the popular hacking forum BreachForums, who was advertising and distributing Lumma Stealer logs.

![The site leaky[.]pro was advertised within the logs](https://www.silentpush.com/wp-content/uploads/lumma-s-leaky-pro-image-2.png)
The hacking forum leaky[.]pro was relatively new. The administrator made the first post on 12/29/2024 under the name “fijiwater.”
![Screenshot of Leaky[.]pro administrator "fijiwater"](https://www.silentpush.com/wp-content/uploads/lumma-s-fijiwater-image-3.png)
The screenshot below shows a user on the Leaky[.]pro forum advertising three billion records of “URL:LOG:PASS” that refer to stealer logs with specific website URLs tied to logins (LOG) and passwords (PASS) of stolen credentials.
![A leaky[.]pro forum user advertised 3,000,000,000 URL:LOG:PASS records](https://www.silentpush.com/wp-content/uploads/lumma-s-leaky-pro-urllogpass-image-4.png)
Silent Push Threat Analysts know that organizations and sites with large user bases are commonly victims of phishing and malware campaigns. Our team was able to create a proprietary fingerprint based on observation of these campaigns that detects a large number of phishing pages, including those located on a suspected bulletproof host.
Delving deeper into these suspicious booking pages our team quickly found they were delivering Lumma Stealer through a fake Cloudflare CAPTCHA, an example of which can be seen below.

After checking the box for “I’m not a robot,” this message popped up:

The presence of “I am not a robot – reCAPTCHA Verification ID: 8731” within the URL suggested that the malware may have attempted to deceive security systems or users by mimicking legitimate reCAPTCHA verification processes, making it appear as though the .HTA file was part of a standard web interaction.
This technique, also known as “ClickFix,” involves cybercriminals creating fake CAPTCHA pages, often mimicking Cloudflare’s verification system, to trick users into running malicious code. The malware can steal sensitive data, including login credentials, or install harmful software.
Silent Push Threat Analysts detected a Lumma Stealer sample being spread through the interactive online malware analysis sandbox, any[.]run. We then expanded our search within our platform and were able to pivot toward more malicious infrastructure spreading Lumma Stealer.
![We detected a Lumma Stealer sample in the any[.]run platform](https://www.silentpush.com/wp-content/uploads/lumma-s-any-run-image-7.png)
Using information derived from this sample, “roxplo1ts[.]ws:443/wave,” our team was able to create yet another proprietary fingerprint that led to more malicious infrastructure.

These domains revealed an interesting HTML title, “Roblox #1 Xeno Executor,” that can be readily searched upon with our Silent Push Web Scanner. This campaign appeared to be targeting children who play the Roblox game, which had roughly 164 million monthly active users in 2020. By focusing on the HTML title used here, we were able to combine additional technical details to create yet another effective fingerprint.
A YouTube search using the various pieces of information derived from our searches within the Silent Push Web Scanner revealed a disturbing number of YouTube videos spreading malware through MediaFire links. These videos also appeared to be from compromised accounts that were, themselves, victims.

In testing one of these examples, youtube[.]com/watch?v=d_D4kgSVDIk, our team noted a description that led potential victims to a download link hosted outside of YouTube, along with suspect hashtags included in the description. That link took victims to the external site “deckarenids[.]com/roblox-executor”.
![Description from the suspicious video: youtube[.]com/watch?v=d_D4kgSVDIk](https://www.silentpush.com/wp-content/uploads/lumma-s-youtube-roblox-description-image-10.png)
This follows the same pattern we have previously observed with Lumma Stealer; however, in this case, before downloading the suspicious file, the victim was required to watch a YouTube video. This strongly suggested that the threat actors were using this tactic to harvest views and manipulate the YouTube algorithm.
![A visitor to lootdest[.]org/s?4d456215 was required to watch a YouTube video to unlock the content](https://www.silentpush.com/wp-content/uploads/lumma-s-declaremods-roblox-image-11.png)
We determined the suspicious file, seen here on Virus Total, was not actually Lumma Stealer. This indicated other methods are also being utilized by these actors in order to spread their campaigns. Bearing this in mind, our team was able to produce additional unique fingerprints to hunt for similarly suspect sites that may spread either Lumma Stealer or other types of malware.
Given the large scale of activity, our team is monitoring these results carefully and continuously iterating upon our fingerprinting techniques in order to stay ahead of the threat actors regardless of the type of malware used.
In 2023, Silent Push wrote about threat actors using a Russian poem titled “The Curious Case of Sergei Yesenin’s Body Data” in our blog, “The Dead Russian Poets Society: Silent Push Uses Behavioral Fingerprinting, Content Scans, and a 128-Year-Old Russian Poem to Uncover 150+ New ACTIVE Lumma C2 Servers and Admin Panels.”
In our earlier research, we hypothesized that Lumma Stealer’s administrators amended their C2 infrastructure to point at the generic Russian poem based on some sort of personal preference. Further investigation showed that some domains shifted from the poetry page to a Lumma Stealer control panel. We thus used the content of the poetry page to scan our database for Lumma C2 domains and IP addresses displaying the same content.
What we observed is that, over the last few years, this threat actor group has changed the unique poem we had originally been tracking (and continue to track).

All domains identified using this Russian poem were then further analyzed, allowing us to create yet another unique fingerprint to identify Lumma Stealer infrastructure. The web page of one, “docu-signer[.]com”, began with the following information displayed on screen:
![Docu-signer[.]com web page](https://www.silentpush.com/wp-content/uploads/lumma-s-docu-signer-pdf-image-13.png)
In the next step, the visitors are instructed to download a malicious “PDF,” seen here in Virus Total.
![The page docu-signer[.]com downloads a malicious PDF](https://www.silentpush.com/wp-content/uploads/lumma-s-docu-signer-pdf-instrucutions-image-14.png)
This particular file is actually a Windows shortcut “LNK” file, and on further examination of the file and the associated email, our threat analysts determined it was malware that made use of SecTopRAT as a C2.
*Note: Our team is conducting an ongoing investigation to determine the connection between SecTopRAT C2 and Lumma Stealer and will share our findings as we determine more.

A well-known security researcher that goes by the name of Fox_threatintel on X (formerly Twitter) (https://x.com/banthisguy9349/status/1866434351614796165) tagged the Silent Push Threat Intelligence Team in a post pointing out suspicious clusters spreading MediaFire links with password protection on the .zip archives through Cloudflare hosted sites.
Examining the associated infrastructure revealed multiple methods by which our team was able to fingerprint it, leading to further clusters of infrastructure spreading Lumma Stealer.

Three additional clusters were found through the information contained in the Fox_Threatintel post. From those, we were able to create unique fingerprints to identify each as they continue to spread and evolve.

![New Lumma Stealer C2 login panel on mikhail-lermontov[.]com](https://www.silentpush.com/wp-content/uploads/lumma-s-new-login-panel-image-18.png)
Said results also displayed infrastructure details consistent with those we shared in our public blog on Lumma Stealer in 2023, which was nice confirmation of the effectiveness of our current methods.
![Older version of Lumma Stealer login panel on 213.252.244[.]62](https://www.silentpush.com/wp-content/uploads/lumma-s-old-login-russian-panel-image-19.png)
Pivoting on a confirmed Lumma domain within our WHOIS scanner revealed additional details our team was able to use across multiple results, many of which were marked as Lumma Stealer C2s in public sources. We noted similarities in the resulting domains’ names as well as reuse of top-level domains (TLDs) such as “.pro”, “.shop”, etc.
Below is an example of one of the new results, tinpanckakgou[.]shop (source: VirusTotal) that was marked as “malicious” by 19 different vendors. The domain had multiple communicating files containing Lumma Stealer. This provided additional confidence that the results of this cluster were related to Lumma Stealer.

Expanding upon that cluster revealed more than 60 results, all of which featured the same naming schema and a TLD of “.shop.” Additional discoveries were made at this stage, but they are too sensitive to refer to publicly without tipping off the threat actors. Suffice it to say that a significant number of the new results were linked to Lumma Stealer samples, though they showed fewer hits on VirusTotal.
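The cluster expansion described here, and the 10-20 domain registration bursts with up to two weeks of “aging” noted earlier in the post, as an added example (not Silent Push code): from one confirmed domain, pull in registrations that share registrar, TLD and naming schema inside the aging window, and flag which siblings have not yet gone active. The WHOIS rows are constructed; only tinpanckakgou[.]shop is from the post, and the registrar names and the ACTIVE_C2 set are placeholders.

```python
"""Registration-cluster expansion for Lumma-style C2 domains: from one confirmed
domain, find siblings registered within the two-week 'aging' window that share
registrar, TLD and naming schema, and flag which ones have not yet gone active.
WHOIS rows are constructed; only tinpanckakgou[.]shop is from the post."""
from datetime import datetime, timedelta
import re

# Constructed WHOIS-style records (registrar names are placeholders).
SAMPLE_WHOIS = [
    {"domain": "tinpanckakgou.shop", "registrar": "Registrar-A (placeholder)", "created": "2025-01-10T08:02:11"},
    {"domain": "kelvornasdiup.shop", "registrar": "Registrar-A (placeholder)", "created": "2025-01-10T08:03:40"},
    {"domain": "grumpotvexlia.shop", "registrar": "Registrar-A (placeholder)", "created": "2025-01-17T15:20:05"},
    {"domain": "best-flower-shop.shop", "registrar": "Registrar-A (placeholder)", "created": "2025-01-10T09:15:00"},
    {"domain": "zorbekanutilp.shop", "registrar": "Registrar-B (placeholder)", "created": "2025-01-11T10:00:00"},
    {"domain": "vintaquolpesk.shop", "registrar": "Registrar-A (placeholder)", "created": "2025-02-20T12:00:00"},
    {"domain": "plarnokviteus.pro", "registrar": "Registrar-A (placeholder)", "created": "2025-01-10T08:04:10"},
]

# Constructed: domains already observed serving a Lumma panel.
ACTIVE_C2 = {"tinpanckakgou.shop"}


def split_domain(domain):
    """Split 'label.tld' into (label, tld); only one-label TLDs in the sample."""
    label, _, tld = domain.partition(".")
    return label, tld


def naming_schema(label):
    """Coarse character-class signature for the registrable label."""
    if re.fullmatch(r"[a-z]+", label):
        return "alpha"
    if re.fullmatch(r"[a-z0-9-]+", label):
        return "alpha-digit-hyphen"
    return "other"


def same_schema(seed_label, label, slack=2):
    """Same character class and a label length within +/- slack of the seed."""
    return naming_schema(seed_label) == naming_schema(label) and abs(len(seed_label) - len(label)) <= slack


def expand_cluster(seed, records, window_days=14, active=ACTIVE_C2):
    """Return siblings of `seed` ordered by creation time, each tagged
    'active' (already seen weaponized) or 'aging' (registered, not yet used)."""
    seed_rec = next(r for r in records if r["domain"] == seed)
    seed_label, seed_tld = split_domain(seed)
    seed_time = datetime.fromisoformat(seed_rec["created"])
    window = timedelta(days=window_days)
    siblings = []
    for r in records:
        if r["domain"] == seed:
            continue
        label, tld = split_domain(r["domain"])
        if tld != seed_tld or r["registrar"] != seed_rec["registrar"]:
            continue
        if abs(datetime.fromisoformat(r["created"]) - seed_time) > window:
            continue
        if not same_schema(seed_label, label):
            continue
        siblings.append({
            "domain": r["domain"],
            "created": r["created"],
            "status": "active" if r["domain"] in active else "aging",
        })
    return sorted(siblings, key=lambda s: s["created"])


if __name__ == "__main__":
    for s in expand_cluster("tinpanckakgou.shop", SAMPLE_WHOIS):
        print(f'{s["created"]}  {s["status"]:6}  {s["domain"].replace(".", "[.]")}')
```

Tightening `window_days` or `slack` trades recall for precision; the defaults reflect the two-week aging behaviour the post describes.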

In many cases, we saw domains marked as “clean” elsewhere, which our research team was able to confirm internally as Lumma C2 domains.

It is evident from these results that VirusTotal and other antivirus vendors are often unable to promptly or proactively flag Lumma Stealer domains. This underscores the need for pre-emptive threat intelligence, which focuses on the discovery of infrastructure prior to activation for malicious use. With our data, one can effectively detect entire clusters of Lumma Stealer C2 domains the moment they are actively weaponized.
Silent Push shines in our capability to quickly identify and respond to emerging threats, providing clients with the enhanced level of security they expect in this era of rapidly scaling and emerging threats. Rest assured that our threat analyst team continues to work to stay ahead of attackers, and our IOFA™ feeds are continuously updated as new tactics, techniques, and procedures (TTPs) are observed.
As referenced before, key technical information has been omitted from this public blog for operational security.
We have published a TLP:Amber report for our Enterprise users that contains links to the specific queries, lookups, and scans we’ve used to identify and traverse Lumma Stealer infrastructure—including proprietary parameters that we’ve omitted from this blog for security reasons.
Silent Push will continue to report on our work tracking Lumma Stealer and share new findings with the community as our research progresses throughout 2025. If you or your organization have any leads related to this effort, particularly those being used by these threat actors, we would love to hear from you.
Silent Push believes all Lumma Stealer-related domains present some level of risk.
Our analysts construct Silent Push IOFA Feeds that provide a growing list of Indicator of Future Attack™ data focused on scams supported by this technique.
Silent Push Indicators of Future Attack™ (IOFA™) Feeds are available as part of an Enterprise subscription. Enterprise users can ingest IOFA™ Feed data into their security stack to inform their detection protocols or use it to pivot across attacker infrastructure using the Silent Push Console and Feed Analytics screen.
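Ingesting a domain feed into a detection pipeline mostly comes down to normalization and a correct suffix match, and that is where the common mistakes live. The added example below is not Silent Push code and does not read a real IOFA™ feed; the two feed entries and the resolver log lines are constructed. It matches DNS query names against the feed by registrable-domain suffix, so a subdomain of a listed domain is a hit, while a query name that merely contains a listed domain as a leading label is not.

```python
# Constructed indicator feed (not real IOFA data): registrable domains only.
FEED = ["kx7pq3.shop", "MR2TZ8.shop."]

# Constructed resolver log lines: "<timestamp> <client_ip> <qname> <qtype>".
DNS_LOG = """\
2025-02-21T09:14:02Z 10.0.4.21 www.example.com A
2025-02-21T09:14:05Z 10.0.4.21 api.kx7pq3.shop A
2025-02-21T09:14:09Z 10.0.7.8 MR2TZ8.SHOP. A
2025-02-21T09:14:11Z 10.0.7.8 kx7pq3.shop.example.com A
"""


def normalize(name: str) -> str:
    """Lower-case and drop the trailing root dot so feed and log names compare equal."""
    return name.strip().lower().rstrip(".")


def load_feed(entries) -> set:
    """Build the lookup set once; normalization at load time avoids per-query surprises."""
    return {normalize(e) for e in entries if e.strip()}


def matches(qname: str, feed: set):
    """Return the feed entry that qname equals or is a subdomain of, else None.
    Walks the label suffixes right-to-left, so 'api.kx7pq3.shop' matches
    'kx7pq3.shop' but 'kx7pq3.shop.example.com' does not."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in feed:
            return candidate
    return None


def scan_dns_log(log_text: str, feed: set) -> list:
    """Run every log line against the feed and collect structured hits."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        indicator = matches(qname, feed)
        if indicator:
            hits.append({"ts": ts, "client": client, "qtype": qtype,
                         "qname": normalize(qname), "indicator": indicator})
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(DNS_LOG, load_feed(FEED)):
        print(hit)
```

The two hits it produces are the subdomain query to `api.kx7pq3.shop` and the upper-cased, root-dotted `MR2TZ8.SHOP.` query; the last log line is intentionally not a hit, because treating “contains an indicator” as a match is a frequent source of noisy alerts when feeds are loaded into resolvers or SIEM rules.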
Silent Push Community Edition is a free threat-hunting and cyber defense platform featuring a range of advanced offensive and defensive lookups, web content queries, and enriched data types.
Below is a sample list of IOFA™ associated with Lumma Stealer. Our full list is available for enterprise users. Silent Push Enterprise clients have access to a domain feed containing all Lumma Stealer infrastructure, several IOFA™ Feeds for malware sites that distribute Lumma Stealer and other malware families, and an IOFA feed built to track malicious actors spreading Lumma Stealer based on WHOIS information.
We’ve previously looked at how Preemptive Threat Intelligence discovers and stops attacks before they’re launched, but how does a preemptive approach keep you one step ahead of adversaries as they evolve their strategies to evade detection?
In this blog, we’ll explore how Preemptive Threat Intelligence acts as an early warning system by using a threat actor’s own tactics against them, forming a comprehensive picture of how a threat campaign is prepped and launched, so that security teams can proactively defend themselves against known and hidden attacks using Indicators of Future Attack™ (IOFA™).
Preemptive Threat Intelligence allows security teams to locate and block the 98% of global threat infrastructure that has yet to be discovered and is lurking under the surface.
Most importantly, it helps you head off any future attacks by knowing where threat actors are going to strike, based on how they behave.

When a law enforcement agency needs to find and arrest a perpetrator, it gathers as much information as it can on the person to understand where they are and where they’re going to strike next.
We’ve all watched crime shows where the agency builds a file to capture whom a criminal associates with, what methods they use to commit a crime, what their motive is, and any other crimes they’re involved in. They also look for behaviors to document, such as the places they frequent, the company they keep, and even what brand of cigarettes they smoke.
All of this enables the good guys to be one step ahead of the bad guys, and lay a trap to put them behind bars.
At Silent Push, Preemptive Threat Intelligence works in a similar way, but in the digital world.
Instead of only relying on information that’s easily obtainable and available everywhere – such as a domain that’s already been involved in an attack – it’s essential to understand a threat actor’s motivation and modus operandi, and use their own methods as identifiers against them to anticipate and prevent any future attacks.
Silent Push achieves this through our unique digital behavioral fingerprinting process.
We go beyond stale lists of post-breach IOCs, and help security teams to proactively profile threat actor behavior in a way that makes it easy to understand how they set up their infrastructure before an attack, and where to expect the next digital assault.

Our digital behavioral fingerprint breaks down a domain, website or IP address into hundreds of searchable categories, and connects the dots between billions of datapoints across the Internet by giving security teams a comprehensive criminal profile of online threat activity, wherever it occurs and whoever is propagating it.
Behavioral fingerprints and IOFA™ are unique to Silent Push. No other threat intelligence provider has the same ability to scan, aggregate, and correlate global Internet data, and deliver it in a way that makes it immediately actionable, and easy to use, in the form of IOFA™.
Think of all the questions your team needs to answer as they track down malicious infrastructure targeting your organization…
What favicon is the brand impersonation site targeting your organization using, and what are all the other domains that have ever used that favicon? What domains are linked with the same nameserver? How has that threat actor moved between different hosting providers? Where are they now, where have they been before, and where are they likely to go next? How does that website interact with users, and what other sites behave in the same way?
All of this, and more, is available only within Silent Push.
Find out how your organization can use Preemptive Threat Intelligence to outsmart adversaries and stop attacks before they’re launched.
By renting IP addresses from reputable providers like Amazon Web Services and Microsoft Azure, threat actors such as the FUNNULL content delivery network (CDN) can seamlessly integrate illicit operations into mainstream infrastructure. This approach not only complicates detection but also challenges traditional security measures.
In this session, Silent Push Director of Threat Intelligence Kasey Best covers:
Who should watch:
Anyone seeking cutting-edge strategies to preemptively detect and mitigate threats.
Ready to dive deeper into the world of preemptive threat intelligence? Begin your journey with the Silent Push free Community Edition today.