This detection identifies potential Lumma Stealer (LummaC2) activity through known command-and-control IOCs. A DNS resolution of one of the listed domains, or a click on the listed URL, indicates that a host may be infected with the infostealer and exfiltrating harvested browser credentials, session cookies and tokens, and cryptocurrency wallet data to attacker infrastructure. SOC teams should hunt for this behavior in Azure Sentinel so that the host can be isolated and the stolen credentials reset before they are reused for further compromise.
IOC Summary
Malware Family: Lumma Stealer
Total IOCs: 13
IOC Types: domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://tangmwp.club/blank | botnet_cc | 2026-05-27 | 75% |
| domain | wilheah.cyou | botnet_cc | 2026-05-27 | 100% |
| domain | diplokb.cyou | botnet_cc | 2026-05-27 | 100% |
| domain | consuus.cyou | botnet_cc | 2026-05-27 | 100% |
| domain | idealvs.cyou | botnet_cc | 2026-05-27 | 100% |
| domain | answebi.cyou | botnet_cc | 2026-05-27 | 100% |
| domain | clamsal.cyou | botnet_cc | 2026-05-27 | 100% |
| domain | pholith.cyou | botnet_cc | 2026-05-27 | 100% |
| domain | maenade.cyou | botnet_cc | 2026-05-27 | 100% |
| domain | mistjlep.cyou | botnet_cc | 2026-05-27 | 100% |
| domain | wifflvy.cyou | botnet_cc | 2026-05-27 | 100% |
| domain | hustjonr.cyou | botnet_cc | 2026-05-27 | 100% |
| domain | cudbweeo.cyou | botnet_cc | 2026-05-27 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Lumma Stealer
// Note: has_any is term-based, so a subdomain of a C2 domain (and any other name containing
// the same adjacent terms) also matches. Review hits rather than treating them as exact matches.
let malicious_domains = dynamic(["wilheah.cyou", "diplokb.cyou", "consuus.cyou", "idealvs.cyou", "answebi.cyou", "clamsal.cyou", "pholith.cyou", "maenade.cyou", "mistjlep.cyou", "wifflvy.cyou", "hustjonr.cyou", "cudbweeo.cyou"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - Lumma Stealer
// Note: the IOC table lists this URL defanged (hxxps); it is refanged here so it compares
// with live telemetry. has_any also matches the URL when tracking parameters are appended.
// UrlClickEvents only records clicks that pass through Defender for Office 365 Safe Links,
// so a user who reaches the URL another way will not appear here; pair with DNS or proxy data.
let malicious_urls = dynamic(["https://tangmwp.club/blank"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled (Windows DNS server event collection) |
| UrlClickEvents | Ensure this data connector is enabled (Microsoft 365 Defender connector; populated by Defender for Office 365 Safe Links click data) |
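The matching logic of the two hunts above, applied offline to constructed records shaped like DnsEvents and UrlClickEvents rows, as an added example that is not code from the original page or from ThreatFox. It refangs the defanged URL from the IOC table, matches a queried name only when it equals or is a subdomain of a C2 domain (stricter than the term-based `has_any`, which would also flag a lookalike such as wilheah.cyou.lookalike.net), matches the clicked URL on host and path so that appended tracking parameters still hit, and applies a sandbox-host allowlist as an exclusion ANDed with the IOC match, which is the only correct shape for such an exclusion. The sandbox host name, the account names and every record are constructed for the example; only the IOC values come from the table above.

```python
"""Offline replica of the Lumma Stealer DNS / URL hunts above (added example, not original code).

All records, host names and account names below are constructed for the example.
"""
from __future__ import annotations

import re
from typing import Optional
from urllib.parse import urlparse

# IOC values copied from the ThreatFox table above. The URL is kept defanged as published.
IOC_DOMAINS = {
    "wilheah.cyou", "diplokb.cyou", "consuus.cyou", "idealvs.cyou", "answebi.cyou",
    "clamsal.cyou", "pholith.cyou", "maenade.cyou", "mistjlep.cyou", "wifflvy.cyou",
    "hustjonr.cyou", "cudbweeo.cyou",
}
IOC_URLS_DEFANGED = {"hxxps://tangmwp.club/blank"}

# Hypothetical analysis hosts whose detonations are expected to resolve C2 domains.
SANDBOX_HOSTS = frozenset({"sbx-win11-01"})


def refang(value: str) -> str:
    """Reverse the usual hxxp / [.] defanging so an IOC can be compared with live telemetry."""
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":")


def domain_matches(name: str, iocs: set[str]) -> Optional[str]:
    """Return the IOC that `name` equals or is a subdomain of, else None.

    Label-aware on purpose: 'notwilheah.cyou' and 'wilheah.cyou.lookalike.net' do not match,
    whereas the term-based KQL has_any would flag the second one.
    """
    name = name.lower().rstrip(".")
    for ioc in iocs:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


def url_matches(url: str, iocs_defanged: set[str]) -> Optional[str]:
    """Match a clicked URL on host and path only, so '?id=7'-style tracking parameters still hit."""
    clicked = urlparse(url.lower())
    for ioc in iocs_defanged:
        ref = urlparse(refang(ioc).lower())
        if (clicked.hostname, clicked.path.rstrip("/")) == (ref.hostname, ref.path.rstrip("/")):
            return ioc
    return None


# Constructed sample rows in the shape of the Sentinel tables used by the hunts.
DNS_EVENTS = [
    {"TimeGenerated": "2026-05-28T09:12:03Z", "Computer": "ws-finance-07", "Name": "wilheah.cyou"},
    {"TimeGenerated": "2026-05-28T09:12:04Z", "Computer": "ws-finance-07", "Name": "api.idealvs.cyou"},
    {"TimeGenerated": "2026-05-28T09:15:00Z", "Computer": "ws-hr-02", "Name": "wilheah.cyou.lookalike.net"},
    {"TimeGenerated": "2026-05-28T10:00:00Z", "Computer": "sbx-win11-01", "Name": "clamsal.cyou"},
    {"TimeGenerated": "2026-05-28T10:01:00Z", "Computer": "ws-dev-11", "Name": "login.microsoftonline.com"},
]
URL_CLICKS = [
    {"Timestamp": "2026-05-28T08:40:00Z", "AccountUpn": "alice@contoso.com",
     "Url": "https://tangmwp.club/blank?id=7", "IsClickedThrough": True},
    {"Timestamp": "2026-05-28T08:41:00Z", "AccountUpn": "bob@contoso.com",
     "Url": "https://tangmwp.club/", "IsClickedThrough": False},
]


def hunt_dns(events, exclude_hosts=frozenset()):
    """Replica of the DnsEvents hunt: one (Computer, Name, matched IOC) tuple per hit.

    The host exclusion is ANDed with the IOC match; OR-ing negated conditions instead
    would suppress nearly every real hit.
    """
    hits = []
    for e in events:
        ioc = domain_matches(e["Name"], IOC_DOMAINS)
        if ioc is not None and e["Computer"] not in exclude_hosts:
            hits.append((e["Computer"], e["Name"], ioc))
    return hits


def hunt_url_clicks(events):
    """Replica of the UrlClickEvents hunt: one (AccountUpn, Url, IsClickedThrough) tuple per hit."""
    return [
        (e["AccountUpn"], e["Url"], e["IsClickedThrough"])
        for e in events
        if url_matches(e["Url"], IOC_URLS_DEFANGED) is not None
    ]


def kql_dynamic_list(values) -> str:
    """Render IOC values as the KQL dynamic([...]) literal used in the hunt queries above."""
    return "dynamic([" + ", ".join(f'"{v}"' for v in sorted(values)) + "])"


if __name__ == "__main__":
    for hit in hunt_dns(DNS_EVENTS, SANDBOX_HOSTS):
        print("DNS hit:", hit)
    for hit in hunt_url_clicks(URL_CLICKS):
        print("URL hit:", hit)
    print("let malicious_urls =", kql_dynamic_list(refang(u) for u in IOC_URLS_DEFANGED) + ";")
```

Running it reports the two workstation hits (the sandbox detonation and the lookalike domain are dropped) and the one click-through on the C2 URL; `kql_dynamic_list` regenerates the `dynamic([...])` literal so the query list and the IOC table cannot drift apart when the feed is refreshed.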
False Positive Scenarios

Scenario: Malware Analysis on a Sandbox Host
Description: An analyst or automated sandbox detonates a Lumma Stealer sample (for example a file named LummaStealer.exe) as part of a security audit or malware analysis. The sample resolves its C2 domains, and those lookups land in DnsEvents exactly as they would from an infected workstation.
Filter/Exclusion: Exclude only the named analysis hosts, and only in the DNS query, for example `| where Computer !in~ ("sbx-win11-01")` (hypothetical host name). The original exclusion `process.name != "LummaStealer.exe" OR process.parent.name == "Windows Explorer" OR process.user == "admin"` does not work here: DnsEvents carries no process fields, and a disjunction of negated conditions like this is true for almost every row, so applied as an exclusion it would suppress nearly all genuine hits.

Scenario: Scheduled Job for Credential Harvesting (Legitimate)
Description: A scheduled task runs PowerShell (for example Invoke-Command) to collect credentials or secrets for legitimate system maintenance. This is process telemetry; it cannot match the DNS and URL queries above, which test only DnsEvents.Name and UrlClickEvents.Url.
Filter/Exclusion: None for this hunt. If the hunt is later extended to process telemetry, scope any exclusion to the specific host, script path and service account rather than to powershell.exe in general. `process.name != "powershell.exe" OR process.command_line not contains "Invoke-Command" OR process.user == "admin"` matches every row except non-admin Invoke-Command launches and cannot serve as an allowlist.

Scenario: Admin Task Involving File Copying
Description: An administrator copies files with Robocopy or xcopy during a backup or migration, and some file names resemble malicious payloads. File names and copy tools do not appear in DNS or URL-click telemetry, so this scenario cannot produce a hit in the queries above.
Filter/Exclusion: None for this hunt. Note that `process.name != "robocopy.exe" OR process.name != "xcopy.exe"` is always true (a process has one name), so it would not be a meaningful filter in any query.

Scenario: Malicious Website Access for Testing
Description: A security researcher or a phishing-simulation platform deliberately visits the listed URL or resolves one of the C2 domains to validate the detection or a Safe Links block, producing a genuine UrlClickEvents or DnsEvents record.
Filter/Exclusion: Exclude the designated research accounts or hosts by identity, for example `| where AccountUpn !in~ ("research-lab@contoso.com")` (hypothetical account), and only after confirming the click was intentional. Do not exclude on the request method or on the URL containing "test": `destination.domain != "test-phishing-site.com" OR http_request.method != "GET" OR http_request.url contains "test"` matches almost every request and would hide real clicks.

Scenario: Exploit Kit Legitimate Use for Vulnerability Testing
Description: A red team or penetration tester uses an exploitation framework (for example Metasploit) or public exploit code (for example from Exploit-DB) to test for known vulnerabilities in a controlled environment. Such tooling does not normally contact live Lumma C2 domains, so a hit during an authorized engagement should be confirmed against the engagement's scope and infrastructure list before it is excluded.
*Filter/Ex