The ThreatFox: Lumma Stealer IOCs rule detects potential indicators of a data-exfiltration malware that steals credentials and sensitive data through phishing or compromised websites. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises before significant data loss occurs.
IOC Summary
Malware Family: Lumma Stealer
Total IOCs: 2
IOC Types: url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://brorgma.cyou | botnet_cc | 2026-04-22 | 75% |
| url | hxxps://mastojh.cyou | botnet_cc | 2026-04-22 | 75% |
```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - Lumma Stealer
let malicious_urls = dynamic(["https://brorgma.cyou", "https://mastojh.cyou"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| UrlClickEvents | Ensure this data connector is enabled |
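As an added example (not part of this rule page or the ThreatFox feed), the script below applies the same hunt to exported UrlClickEvents rows in Python: it refangs the two published IOCs, matches on hostname rather than on the literal URL string (so plain-http, ports, paths and subdomains are still caught), and applies the phishing-simulation exclusion from the false-positive scenarios listed below. The `testphish.com` allowlist and the sample rows are constructed for the demonstration.

```python
from urllib.parse import urlsplit

# ThreatFox IOCs exactly as published on this page (defanged hxxps:// form).
THREATFOX_IOCS = ["hxxps://brorgma.cyou", "hxxps://mastojh.cyou"]

# Assumed allowlist for the phishing-simulation false-positive scenario (constructed value).
SIMULATION_DOMAINS = {"testphish.com"}


def refang(ioc: str) -> str:
    """Convert a defanged ThreatFox URL (hxxp, [.], [:]) back into a parseable URL."""
    return ioc.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def ioc_hosts(iocs: list[str]) -> set[str]:
    """Lowercase hostname of each IOC; host matching is robust to scheme, port and path."""
    return {urlsplit(refang(i)).hostname.lower() for i in iocs}


def url_host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def host_in(host: str, domains: set[str]) -> bool:
    """True when host equals one of the domains or is a subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in domains)


def hunt(events: list[dict], iocs=THREATFOX_IOCS, allow=SIMULATION_DOMAINS) -> list[dict]:
    """Return IOC-matching click events, newest first, minus sanctioned simulation clicks."""
    hosts = ioc_hosts(iocs)
    hits = [ev for ev in events
            if not host_in(url_host(ev["Url"]), allow) and host_in(url_host(ev["Url"]), hosts)]
    return sorted(hits, key=lambda ev: ev["Timestamp"], reverse=True)


# Constructed sample rows mirroring the UrlClickEvents columns the KQL hunt projects.
SAMPLE_EVENTS = [
    {"Timestamp": "2026-04-22T09:14:03Z", "AccountUpn": "user1@example.com",
     "Url": "https://brorgma.cyou/login?id=7", "ActionType": "ClickAllowed", "IsClickedThrough": True},
    {"Timestamp": "2026-04-22T11:02:45Z", "AccountUpn": "user2@example.com",
     "Url": "http://cdn.mastojh.cyou:8443/x", "ActionType": "ClickBlocked", "IsClickedThrough": False},
    {"Timestamp": "2026-04-22T12:30:00Z", "AccountUpn": "user3@example.com",
     "Url": "https://notbrorgma.cyou/", "ActionType": "ClickAllowed", "IsClickedThrough": True},
    {"Timestamp": "2026-04-22T13:05:10Z", "AccountUpn": "user4@example.com",
     "Url": "https://testphish.com/brorgma.cyou", "ActionType": "ClickAllowed", "IsClickedThrough": True},
]

if __name__ == "__main__":
    for ev in hunt(SAMPLE_EVENTS):
        print(ev["Timestamp"], ev["AccountUpn"], ev["Url"], ev["ActionType"])
```

The lookalike `notbrorgma.cyou` row is not reported, while the `cdn.mastojh.cyou:8443` variant is, which an exact match on the published URL string would miss.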
Scenario: Legitimate Software Update via Scheduled Job
Description: A scheduled job runs a legitimate software update script (e.g., chocolatey or scoop) that downloads a file from a known domain associated with ThreatFox.
Filter/Exclusion: (process.name != "chocolatey.exe" AND process.name != "scoop.exe") OR network.destination != "known-safe-domain.com"
Scenario: Admin Task Using PowerShell for Configuration Management
Description: An admin uses PowerShell (e.g., PowerShell.exe) to execute a script that connects to a remote server for configuration management, which may trigger the rule due to outbound traffic.
Filter/Exclusion: process.name != "PowerShell.exe" OR network.destination != "internal-configuration-server.com"
Scenario: Phishing Email Simulation with Malicious URL
Description: A security team conducts a phishing simulation where a legitimate-looking URL (e.g., from testphish.com) is used to test user awareness, which may be flagged as a Lumma Stealer IOC.
Filter/Exclusion: network.destination != "testphish.com" OR email.source != "[email protected]"
Scenario: Remote Desktop Protocol (RDP) Session with Legitimate File Transfer
Description: An RDP session is used to transfer a file (e.g., using pscp or scp) to a remote server, which may be flagged due to the file transfer behavior.
Filter/Exclusion: (process.name != "pscp.exe" AND process.name != "scp.exe") OR network.destination != "internal-secure-server.com"
Scenario: Legitimate Log Collection via Syslog Server
Description: A syslog server (e.g., rsyslog or syslog-ng) is configured to send logs