Part 2: Tracking LummaC2 Infrastructure
In a previous blog, we analyzed domains associated with the recently-disrupted LummaC2 infostealing malware (although there are now reports that a new infostealer known as Acreed has come to take its place). From 114 initial domains published by the FBI and CISA, we observed distinct registration patterns such as the use of Eastern European names that appeared to reference prominent Russian individuals.
A recurring detail stood out: many of these names were associated with registrant email addresses using the domain inbox[.]eu. This observation prompted a deeper investigation, which is the subject of this second part.
What we found was a much broader campaign consisting of nearly 500 domains that not only share similar registration traits but also promote the same service: technical education courses. Despite appearances, these domains are scored as highly malicious, raising eyebrows about their true intent and – given how we got here – their possible associations with LummaC2.
To read the complete article see: