This detection identifies potential Lumma (an information stealer sold as malware-as-a-service) distribution through URLs that URLhaus has tagged as Lumma payload download locations. A DNS lookup for, or a web request to, one of these hosts indicates that a system resolved or fetched from a known Lumma distribution point, which is the first stage of an infection. SOC teams should proactively hunt for this activity in Azure Sentinel to identify and contain early-stage infections before the stealer harvests credentials and session data.
IOC Summary
Threat: Lumma
Total URLs: 6
Active URLs: 6

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://153.80.242.239/b1/enix.r | online | malware_download | 2026-05-27 |
| hxxp://nitrogateway.digital/xawk.r | online | malware_download | 2026-05-27 |
| hxxp://153.80.242.239/vzuk.ocx | online | malware_download | 2026-05-27 |
| hxxp://nitrogateway.digital/vzuk.ocx | online | malware_download | 2026-05-27 |
| hxxp://nitrogateway.digital/b1/enix.r | online | malware_download | 2026-05-27 |
| hxxp://153.80.242.239/xawk.r | online | malware_download | 2026-05-27 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: Lumma
// The IP indicator never appears in the queried Name, so it is matched
// against the resolved addresses in IPAddresses instead.
let malicious_domains = dynamic(["nitrogateway.digital"]);
let malicious_ips = dynamic(["153.80.242.239"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains or the listed IP
// Threat: Lumma
let malicious_domains = dynamic(["nitrogateway.digital"]);
let malicious_ips = dynamic(["153.80.242.239"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
    or RequestURL has_any (malicious_ips) or DestinationIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
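The two hunting queries above, re-implemented offline in Python as an added example that is not part of the original page. It splits the IOC Summary rows into domain and IP indicators (an IP indicator never appears as a DNS query name, only as a resolved or destination address), runs them over constructed DnsEvents- and CommonSecurityLog-style records, and applies the source-host exclusions that an analyst sandbox or an authorized scanner needs. Everything other than the two listed indicators (the log records, computer names, other hostnames and RFC 5737 addresses) is constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# The six URLhaus rows from the IOC Summary, still defanged (hxxp://).
IOC_URLS = [
    "hxxp://153.80.242.239/b1/enix.r",
    "hxxp://nitrogateway.digital/xawk.r",
    "hxxp://153.80.242.239/vzuk.ocx",
    "hxxp://nitrogateway.digital/vzuk.ocx",
    "hxxp://nitrogateway.digital/b1/enix.r",
    "hxxp://153.80.242.239/xawk.r",
]


def refang(url: str) -> str:
    """Undo the usual defanging so urlsplit can parse the host."""
    return url.replace("hxxps://", "https://").replace("hxxp://", "http://").replace("[.]", ".")


def split_indicators(urls):
    """Return (domains, ips): IPs must be matched against resolved or
    destination addresses, never against a DNS query Name."""
    domains, ips = set(), set()
    for url in urls:
        host = urlsplit(refang(url)).hostname
        if not host:
            continue
        try:
            ipaddress.ip_address(host)
            ips.add(host)
        except ValueError:
            domains.add(host.lower())
    return domains, ips


DOMAINS, IPS = split_indicators(IOC_URLS)


def hostname_matches(name, domains):
    """Exact or subdomain match. Stricter than the KQL has_any term match:
    'x.nitrogateway.digital' matches, 'nitrogateway.digital.example.com' does not."""
    name = (name or "").lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def hunt_dns(records, domains=DOMAINS, ips=IPS, excluded_computers=frozenset()):
    """DnsEvents equivalent: match the queried Name or any resolved address
    in the comma-separated IPAddresses field, skipping excluded computers."""
    hits = []
    for rec in records:
        if rec["Computer"] in excluded_computers:
            continue
        resolved = {a.strip() for a in rec["IPAddresses"].split(",") if a.strip()}
        if hostname_matches(rec["Name"], domains) or resolved & ips:
            hits.append(rec)
    return hits


def hunt_proxy(records, domains=DOMAINS, ips=IPS, excluded_sources=frozenset()):
    """CommonSecurityLog equivalent: match the RequestURL host, the
    DestinationHostName or the DestinationIP, skipping excluded source IPs."""
    hits = []
    for rec in records:
        if rec["SourceIP"] in excluded_sources:
            continue
        url_host = urlsplit(rec["RequestURL"]).hostname or ""
        if (hostname_matches(url_host, domains) or hostname_matches(rec["DestinationHostName"], domains)
                or url_host in ips or rec["DestinationIP"] in ips):
            hits.append(rec)
    return hits


# Constructed sample telemetry (not real log data).
DNS_EVENTS = [
    {"Computer": "WS-0412", "Name": "nitrogateway.digital", "IPAddresses": "153.80.242.239"},
    {"Computer": "WS-0413", "Name": "update.example.com", "IPAddresses": "203.0.113.10"},
    # Different name that resolves to the listed IP: a Name-only check misses this.
    {"Computer": "WS-0414", "Name": "cdn.example.net", "IPAddresses": "198.51.100.7, 153.80.242.239"},
    # Analyst sandbox validating the IOC: excluded by Computer, not by URL.
    {"Computer": "SANDBOX-01", "Name": "nitrogateway.digital", "IPAddresses": "153.80.242.239"},
    # Lookalike suffix: must not match.
    {"Computer": "WS-0415", "Name": "nitrogateway.digital.example.com", "IPAddresses": "203.0.113.11"},
]

PROXY_LOGS = [
    {"SourceIP": "10.1.2.3", "RequestURL": "http://153.80.242.239/vzuk.ocx",
     "DestinationHostName": "", "DestinationIP": "153.80.242.239", "DeviceAction": "allow"},
    # Threat-feed download from the vendor: the listed host is never contacted.
    {"SourceIP": "10.1.2.4", "RequestURL": "https://urlhaus.abuse.ch/downloads/csv_recent/",
     "DestinationHostName": "urlhaus.abuse.ch", "DestinationIP": "203.0.113.20", "DeviceAction": "allow"},
    # Authorized scanner reaching the listed IP: excluded by SourceIP.
    {"SourceIP": "10.9.9.9", "RequestURL": "http://153.80.242.239/",
     "DestinationHostName": "", "DestinationIP": "153.80.242.239", "DeviceAction": "allow"},
]

if __name__ == "__main__":
    for hit in hunt_dns(DNS_EVENTS, excluded_computers={"SANDBOX-01"}):
        print("DNS  ", hit["Computer"], hit["Name"], hit["IPAddresses"])
    for hit in hunt_proxy(PROXY_LOGS, excluded_sources={"10.9.9.9"}):
        print("PROXY", hit["SourceIP"], hit["RequestURL"], hit["DeviceAction"])
```

Running it reports WS-0412 and WS-0414 from the DNS records and 10.1.2.3 from the proxy records. WS-0414 is the case worth noting: its query name is not on the list, but the answer is the listed IP, which is why the DnsEvents query checks IPAddresses as well as Name.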
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A security analyst or system administrator deliberately fetches one of the listed URLs with curl or wget from an analysis sandbox to validate the indicator or retrieve the sample.
Filter/Exclusion: Exclude by source rather than by URL: filter on the sandbox's Computer in DnsEvents or its SourceIP in CommonSecurityLog. DNS and proxy logs do not record which client tool issued a request, so "requests made by curl or wget" is not an attribute these queries can filter on.
Scenario: A scheduled job downloads a threat feed from a security vendor (e.g., URLhaus or VirusShare) and the feed's own URL has been mis-tagged as Lumma in the database.
Filter/Exclusion: Exclude requests whose DestinationHostName is a known feed domain such as urlhaus.abuse.ch or virusshare.com, or maintain an allowlist of trusted security sources. Note that the indicators in the IOC Summary are the listed domain and IP themselves, so a feed download only matches the queries above if the feed host itself has been listed.
Scenario: A developer's integration test in a CI/CD pipeline (Jenkins, GitLab CI) references a listed host as a mock API endpoint.
Filter/Exclusion: Exclude by the build agents' source addresses or hostnames, or by a known test environment. Avoid path-based exclusions such as /api/test/ or /mock/: the adversary chooses the path, so a path pattern is trivially used to evade the detection.
Scenario: An IT team is running an authorized network audit with Nmap or Masscan, and the scan reaches the listed IP address.
Filter/Exclusion: Exclude the authorized scanner hosts by source address (ClientIP in DnsEvents, SourceIP in CommonSecurityLog). Strings such as nmap.org or masscan.net identify the tools' websites, not the scanner's traffic, and should not be used as an exclusion.
Scenario: A user is accessing a legitimate enterprise portal that has been incorrectly flagged by the URLhaus database, and the portal’s URL is now appearing in the detection as a Lumma URL.
Filter/Exclusion: Exclude URLs that match internal enterprise