The detection identifies potential Lumma Stealer activity through known IOCs, indicating an adversary may be exfiltrating data or establishing persistence. SOC teams should proactively hunt for this behavior to detect and mitigate advanced threats leveraging compromised Azure environments.
IOC Summary
Malware Family: Lumma Stealer
Total IOCs: 6
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | gstatic-node.io | botnet_cc | 2026-06-05 | 100% |
| domain | colomndead.xyz | botnet_cc | 2026-06-05 | 100% |
| domain | cloudsaled.xyz | botnet_cc | 2026-06-05 | 100% |
| domain | polandgames.xyz | botnet_cc | 2026-06-05 | 100% |
| domain | costexcise.xyz | botnet_cc | 2026-06-05 | 100% |
| domain | droppicches.xyz | botnet_cc | 2026-06-05 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Lumma Stealer
let malicious_domains = dynamic(["gstatic-node.io", "colomndead.xyz", "cloudsaled.xyz", "polandgames.xyz", "costexcise.xyz", "droppicches.xyz"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
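The KQL hunt above relies on `has_any` term matching. The following added example (not part of the page's detection content or ThreatFox's data) reproduces the same logic offline in Python with an explicit label-boundary suffix match, so that a subdomain of a C2 domain is caught while a look-alike that merely contains an IOC string is not. The `SAMPLE_DNS_EVENTS` rows, hostnames, timestamps and 192.0.2.0/24 addresses are constructed for the demonstration; only the six domains come from the IOC table.

```python
"""Suffix-match DNS query names against the Lumma Stealer C2 domain list."""
from typing import Optional

# IOC values copied from the page's table (ThreatFox, Lumma Stealer, botnet_cc).
MALICIOUS_DOMAINS = frozenset({
    "gstatic-node.io",
    "colomndead.xyz",
    "cloudsaled.xyz",
    "polandgames.xyz",
    "costexcise.xyz",
    "droppicches.xyz",
})

# Constructed sample rows shaped like Sentinel DnsEvents records; hostnames,
# IPs (192.0.2.0/24 documentation range) and timestamps are made up.
SAMPLE_DNS_EVENTS = [
    {"TimeGenerated": "2026-06-05T08:12:01Z", "Computer": "WS-0142",
     "Name": "www.gstatic.com", "IPAddresses": "192.0.2.10", "QueryType": "A"},
    {"TimeGenerated": "2026-06-05T08:12:07Z", "Computer": "WS-0142",
     "Name": "cdn.gstatic-node.io.", "IPAddresses": "192.0.2.20", "QueryType": "A"},
    {"TimeGenerated": "2026-06-05T09:40:33Z", "Computer": "SRV-DB01",
     "Name": "COLOMNDEAD.XYZ", "IPAddresses": "192.0.2.30", "QueryType": "A"},
    {"TimeGenerated": "2026-06-05T09:41:02Z", "Computer": "SRV-DB01",
     "Name": "notcolomndead.xyz", "IPAddresses": "192.0.2.40", "QueryType": "A"},
    {"TimeGenerated": "2026-06-05T10:05:19Z", "Computer": "WS-0377",
     "Name": "polandgames.xyz", "IPAddresses": "192.0.2.50", "QueryType": "AAAA"},
]


def normalize_name(name: str) -> str:
    """Lower-case and strip the trailing root dot so FQDN variants compare equal."""
    return name.strip().rstrip(".").lower()


def match_ioc(name: str, iocs=MALICIOUS_DOMAINS) -> Optional[str]:
    """Return the IOC domain that `name` equals or is a subdomain of, else None.

    Matching walks label boundaries, so 'cdn.gstatic-node.io' hits
    'gstatic-node.io' but the look-alike 'notcolomndead.xyz' does not hit
    'colomndead.xyz'.
    """
    labels = normalize_name(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def hunt(events, iocs=MALICIOUS_DOMAINS):
    """Mirror the page's KQL: keep rows whose Name matches an IOC, project the
    same columns plus the matched IOC for triage, order by TimeGenerated desc."""
    hits = []
    for ev in events:
        ioc = match_ioc(ev["Name"], iocs)
        if ioc is None:
            continue
        hits.append({
            "TimeGenerated": ev["TimeGenerated"],
            "Computer": ev["Computer"],
            "Name": ev["Name"],
            "IPAddresses": ev["IPAddresses"],
            "QueryType": ev["QueryType"],
            "MatchedIOC": ioc,
        })
    # ISO-8601 UTC strings in a single format sort correctly as text.
    hits.sort(key=lambda h: h["TimeGenerated"], reverse=True)
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_DNS_EVENTS):
        print(hit["TimeGenerated"], hit["Computer"], hit["Name"], "->", hit["MatchedIOC"])
```

Run as-is to see the three constructed hits, newest first; `www.gstatic.com` and `notcolomndead.xyz` are deliberately included to show that the legitimate Google domain and the look-alike both fall through. Carrying the `MatchedIOC` column into the result is the one addition over the KQL projection; it saves the analyst a manual lookup when triaging which C2 domain a host resolved.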
Scenario: Legitimate System Update via Windows Update
Description: A system update process may trigger the detection due to similar file names or hashes associated with known IOCs.
Filter/Exclusion: Check for ProcessName = "wuauclt.exe" or FileVersion = "Windows Update" in the event logs.
Scenario: Scheduled Job for Log Management (e.g., Splunk or ELK)
Description: A scheduled job that runs a script or tool for log collection may have a file name or hash that matches known Lumma Stealer IOCs.
Filter/Exclusion: Filter events where ProcessName = "splunkd.exe" or CommandLine contains "logstash".
Scenario: Admin Task for Software Deployment (e.g., SCCM or Chocolatey)
Description: A software deployment task using tools like SCCM or Chocolatey may involve files that match IOCs due to similar naming or hash collisions.
Filter/Exclusion: Exclude events where ProcessName = "ccmexec.exe" or CommandLine contains "choco install".
Scenario: Legitimate File Integrity Monitoring (e.g., Tripwire or OSSEC)
Description: A file integrity monitoring tool may generate alerts for changes to files that are also flagged by the Lumma Stealer IOC list.
Filter/Exclusion: Filter events where ProcessName = "tripwire", ProcessName = "ossec", or FileHash matches a known file-integrity tool binary.
Scenario: User-Initiated File Transfer (e.g., using WinSCP or FileZilla)
Description: A user transferring files using legitimate tools may inadvertently trigger the rule if the transferred file matches an IOC.
Filter/Exclusion: Exclude events where ProcessName = "winscp.exe" or ProcessName = "filezilla.exe".