The detection identifies potential Lumma Stealer activity through known IOCs, indicating an adversary may be exfiltrating data or establishing persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced threats before significant data loss occurs.
IOC Summary

Malware Family: Lumma Stealer
Total IOCs: 5
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | castrkq.cyou | botnet_cc | 2026-06-01 | 75% |
| domain | frozetk.cyou | botnet_cc | 2026-06-01 | 75% |
| domain | genusim.cyou | botnet_cc | 2026-06-01 | 75% |
| domain | seasoem.cyou | botnet_cc | 2026-06-01 | 75% |
| domain | razefti.cyou | botnet_cc | 2026-06-01 | 75% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Lumma Stealer
let malicious_domains = dynamic(["castrkq.cyou", "frozetk.cyou", "genusim.cyou", "seasoem.cyou", "razefti.cyou"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
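The same hunt carried out offline over a handful of DNS records, as an added example that is not part of the original page or its Sentinel query. The five domains are the IOCs from the table above; the log lines are constructed sample data in a simplified DnsEvents-like CSV layout (TimeGenerated, Computer, Name, QueryType), and the `hunt` and `matches_ioc` functions are hypothetical names chosen here. The point it adds beyond the KQL is the matching rule: a query name is a hit only when it equals an IOC domain or is a subdomain of it, so `notcastrkq.cyou` is not flagged while `cdn.frozetk.cyou` and a trailing-dot, upper-cased `GENUSIM.CYOU.` are.

```python
"""Offline check of DNS query logs against the Lumma Stealer domain IOCs.

Added example, not the page's own code. The IOC list comes from the page;
the DNS log below is constructed sample data.
"""
from typing import Dict, Iterable, List, Optional

# Domain IOCs listed on the page (ThreatFox - Lumma Stealer).
MALICIOUS_DOMAINS = {
    "castrkq.cyou",
    "frozetk.cyou",
    "genusim.cyou",
    "seasoem.cyou",
    "razefti.cyou",
}

# Constructed sample records: TimeGenerated,Computer,Name,QueryType
SAMPLE_DNS_LOG = """\
2026-06-01T08:12:03Z,WS-0142,castrkq.cyou,A
2026-06-01T08:12:04Z,WS-0142,cdn.frozetk.cyou,A
2026-06-01T08:13:10Z,WS-0201,notcastrkq.cyou,A
2026-06-01T08:14:22Z,WS-0201,www.example.com,A
2026-06-01T08:15:00Z,SRV-DB01,GENUSIM.CYOU.,AAAA
"""


def normalize(name: str) -> str:
    """Lower-case the name and strip the trailing dot some resolvers log on FQDNs."""
    return name.strip().lower().rstrip(".")


def matches_ioc(name: str, iocs: Iterable[str] = MALICIOUS_DOMAINS) -> Optional[str]:
    """Return the matching IOC when `name` is that domain or one of its subdomains.

    Comparing against '.' + domain as a suffix (rather than a plain substring
    check) keeps look-alike names such as 'notcastrkq.cyou' from matching.
    """
    n = normalize(name)
    for ioc in iocs:
        if n == ioc or n.endswith("." + ioc):
            return ioc
    return None


def hunt(log_text: str) -> List[Dict[str, str]]:
    """Scan CSV DNS records and return the matching ones, newest first."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, computer, name, qtype = line.split(",")
        ioc = matches_ioc(name)
        if ioc is not None:
            hits.append(
                {
                    "TimeGenerated": ts,
                    "Computer": computer,
                    "Name": name,
                    "QueryType": qtype,
                    "IOC": ioc,
                }
            )
    # Mirror the KQL's `order by TimeGenerated desc` (ISO timestamps sort lexically).
    hits.sort(key=lambda h: h["TimeGenerated"], reverse=True)
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_DNS_LOG):
        print(hit)
```

Running the block prints the three matching records; the `notcastrkq.cyou` and `www.example.com` lines are skipped. In Sentinel, check that the `has_any` term match in the query above gives the same subdomain-inclusive, look-alike-exclusive behaviour on your data before relying on it.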
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job using schtasks.exe
Description: A legitimate scheduled task using schtasks.exe to run a maintenance script or system cleanup tool.
Filter/Exclusion: Exclude processes where the command line includes schtasks.exe and the script path is a known enterprise maintenance tool (e.g., C:\Windows\System32\schedtasks.exe or C:\Windows\System32\cleanmgr.exe).

Scenario: Admin using taskmgr.exe to monitor processes
Description: A system administrator is using Task Manager (taskmgr.exe) to investigate suspicious processes or system behavior.
Filter/Exclusion: Exclude processes where the executable is taskmgr.exe and the user is a known admin account (e.g., Administrator, Domain Admins).

Scenario: Legitimate use of PowerShell.exe for system diagnostics
Description: A system administrator is running PowerShell scripts to gather system diagnostics or perform routine maintenance.
Filter/Exclusion: Exclude PowerShell scripts that are executed from known enterprise diagnostic tools (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe with scripts from C:\Windows\System32\ or C:\Program Files\).

Scenario: Software update using msiexec.exe
Description: A legitimate software update is being installed using msiexec.exe, which is commonly used for Windows Installer packages.
Filter/Exclusion: Exclude processes where the command line includes msiexec.exe and the package path is a known enterprise software update location (e.g., C:\Windows\Temp\ or C:\Program Files\).

Scenario: Legitimate use of certutil.exe for certificate management