
Tracking LummaC2 Infrastructure with Cats

Severity: Medium
Published: Fri May 30 2025 (05/30/2025, 00:47:54 UTC)
Source: AlienVault OTX General

Description

The US Department of Justice and Microsoft disrupted the LummaC2 infostealing malware through domain seizures, taking down over 2,300 associated domains. The FBI and CISA released an advisory detailing LummaC2's tactics and indicators of compromise, including 114 domains. Analysis of these domains revealed common registration patterns, such as the use of Eastern European names and specific mail server hostnames. Notably, several domains featured an 'About Cats' landing page; 58 additional domains share this characteristic and carry high risk scores. These domains are suspected of distributing LummaC2 and other malware strains. Despite the takedown efforts, 41 of these domains remain active, highlighting the need for continued vigilance against LummaC2 infrastructure.

AI-Powered Analysis

Last updated: 07/01/2025, 19:26:07 UTC

Technical Analysis

LummaC2 is an infostealing malware family whose infrastructure was recently targeted by coordinated law enforcement and private sector actions, notably by the US Department of Justice and Microsoft. These efforts resulted in the seizure of over 2,300 domains associated with LummaC2 operations. The FBI and CISA released advisories detailing the malware's tactics, techniques, and procedures (TTPs), including a list of 114 domains linked to the threat. Analysis of these domains uncovered distinct registration patterns, such as the use of Eastern European personal names and specific mail server hostnames, which serve as indicators for tracking and attribution. A unique characteristic identified was the presence of 'About Cats' landing pages on several domains, with 58 additional domains sharing this trait and exhibiting high risk scores. These cat-themed domains are suspected to be involved in distributing LummaC2 and potentially other malware strains. Despite the takedown efforts, 41 domains remain active, underscoring the resilience and adaptability of the threat actors behind LummaC2. The malware employs multiple techniques mapped to MITRE ATT&CK entries such as domain fronting (T1102.001), use of web services (T1071.001), and infrastructure manipulation (T1583.001, T1589), indicating a sophisticated command and control (C2) infrastructure. The ongoing presence of active domains and the use of deceptive domain registration and hosting strategies highlight the need for continuous monitoring and threat intelligence sharing to mitigate LummaC2's impact.

Potential Impact

For European organizations, LummaC2 poses a significant risk primarily through its infostealing capabilities, which can lead to the compromise of sensitive data including credentials, intellectual property, and personal information. The malware's ability to maintain persistent C2 infrastructure via numerous domains complicates detection and remediation efforts. Organizations in Europe may face data breaches, financial losses, and reputational damage if infected. The use of domains with Eastern European registration patterns and cat-themed landing pages may facilitate targeted phishing or watering-hole attacks against European entities, especially those with business or operational ties to Eastern Europe. Additionally, the persistence of active malicious domains despite takedown efforts suggests that European organizations must remain vigilant against evolving infrastructure and tactics. The malware's distribution methods and infrastructure also increase the risk of secondary infections and lateral movement within networks, potentially impacting critical sectors such as finance, government, and technology. The medium severity rating reflects the malware's moderate ease of detection and disruption but acknowledges the ongoing threat posed by remaining active infrastructure.

Mitigation Recommendations

European organizations should implement targeted domain monitoring and blocking strategies focusing on domains exhibiting the identified registration patterns, including those with cat-themed landing pages. Integrating threat intelligence feeds that include the FBI and CISA advisories and the known domain lists into security information and event management (SIEM) systems will enhance detection capabilities. Network defenders should employ DNS filtering and web proxy controls to restrict access to suspicious domains, especially those linked to LummaC2 infrastructure. Endpoint detection and response (EDR) solutions should be tuned to detect infostealing behaviors and anomalous network communications consistent with LummaC2's TTPs. Organizations should conduct regular phishing awareness training emphasizing the recognition of deceptive domain names and unusual website content. Collaborating with national Computer Security Incident Response Teams (CSIRTs) and sharing indicators of compromise (IOCs) will improve collective defense. Finally, organizations should maintain robust patch management and credential hygiene practices to reduce the attack surface and limit the malware's ability to propagate.


Technical Details

Author: AlienVault
TLP: white
References: https://www.domaintools.com/resources/blog/tracking-lummac2-infrastructure-with-cats
Adversary: LummaC2
Pulse Id: 6839003a3028827e1ebbfb1a
Threat Score: null

Indicators of Compromise

Hash


Ip

176.65.142.154
213.209.143.24

Url

https://tieredaccess.com/contact/41e19500-be48-4754-ae7a-a74e0428b04e

Domain


Threat ID: 68396fa3182aa0cae2a6d760

Added to database: 5/30/2025, 8:43:15 AM

Last enriched: 7/1/2025, 7:26:07 PM

Last updated: 7/31/2025, 11:08:25 PM
