DNS Spotlight: Rockstar2FA Shuts Down, FlowerStorm Starts Up

It’s not unusual for threat actors to take over fellow criminals’ infrastructure after it has been abandoned. Think ZeuS, whose original operator allegedly sold it to another actor who eventually turned it into SpyEye.1

Rockstar2FA appears to have followed a similar path: soon after its operators went quiet, FlowerStorm, a phishing-as-a-service platform that shares many of the same features and functionality, took its place.2

The WhoisXML API research team expanded a list of 190 FlowerStorm indicators of compromise (IoCs)3 to uncover other connected artifacts and found:

  • 192 email-connected domains
  • Three additional IP addresses
  • 100 IP-connected domains
  • 1,053 string-connected domains
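The four bullet categories above correspond to three pivots an analyst runs from a seed IoC list: shared registrant email (email-connected), shared hosting address (IP-connected, which also surfaces the additional IP addresses), and shared naming pattern (string-connected). The script below is an added example of those pivots run against constructed WHOIS, passive-DNS and domain-corpus records; it is not WhoisXML API's pipeline, and none of the domains, emails or addresses are real FlowerStorm data (reserved .test names and documentation IP ranges only). It also shows the two checks a practitioner wants on such a pivot: privacy-redacted registrant records are never used as a link, and addresses that host many unrelated tenants are skipped so shared hosting does not pull in noise.

```python
"""Pivoting from seed IoCs to email-, IP- and string-connected domains.

Added example, not WhoisXML API's pipeline and not FlowerStorm data: every
record below is constructed for illustration.
"""
from collections import defaultdict

# Constructed seed IoCs (stand-ins for a published CSV of domains and IPs).
SEED_DOMAINS = {"bloom-login.test", "petal-secure.test", "bloom-verify.test"}
SEED_IPS = {"198.51.100.10"}

# Constructed WHOIS records: domain -> registrant email. Redacted records carry
# a placeholder and must never be used as a pivot, or every privacy-protected
# domain at the registrar becomes a "match".
WHOIS = {
    "bloom-login.test": "grower@mail.test",
    "petal-secure.test": "REDACTED FOR PRIVACY",
    "bloom-verify.test": "grower@mail.test",
    "seedbank-auth.test": "grower@mail.test",   # shares the seed registrant email
    "garden-news.test": "editor@mail.test",     # unrelated registrant
    "shop-flowers.test": "REDACTED FOR PRIVACY",
    "rose-signin.test": "REDACTED FOR PRIVACY",
}
PRIVACY_PLACEHOLDERS = {"REDACTED FOR PRIVACY", ""}

# Constructed passive DNS: domain -> IPv4 addresses it resolved to.
# 192.0.2.1 plays a shared-hosting address with many unrelated tenants.
PDNS = {
    "bloom-login.test": ["198.51.100.10", "198.51.100.11"],
    "petal-secure.test": ["198.51.100.11", "192.0.2.1"],
    "bloom-verify.test": ["203.0.113.5"],
    "seedbank-auth.test": ["198.51.100.11"],
    "tulip-portal.test": ["203.0.113.5"],
    "rose-signin.test": ["203.0.113.5"],
    "garden-news.test": ["192.0.2.1"],
    "shop-flowers.test": ["192.0.2.1"],
    "cdn-tenant-1.test": ["192.0.2.1"],
    "cdn-tenant-2.test": ["192.0.2.1"],
    "cdn-tenant-3.test": ["192.0.2.1"],
}

# Constructed domain corpus (e.g. recent registrations) for the string pivot.
CORPUS = [
    "bloom-login.test", "bloomcheck.test", "my-petal-auth.test",
    "secure-login.test", "garden-news.test", "bloomberg-finance.test",
]

# Brand-like strings taken from the seeds. Generic tokens such as "login" or
# "secure" are deliberately left out: they would match half the internet.
PIVOT_STRINGS = ("bloom", "petal")


def email_connected(seeds, whois):
    """Domains registered with a registrant email seen on a seed domain."""
    emails = set()
    for d in seeds:
        email = whois.get(d, "")
        if email not in PRIVACY_PLACEHOLDERS:   # redacted records are not a link
            emails.add(email)
    return {d for d, e in whois.items() if e in emails} - seeds


def ip_connected(seeds, seed_ips, pdns, max_tenants=5):
    """Return (additional_ips, connected_domains).

    additional_ips: addresses the seed domains resolve to that were not in
    the seed list. connected_domains: other domains on any seed or additional
    address, skipping addresses with more than max_tenants domains (shared
    hosting, CDN), where co-location says nothing about the operator.
    """
    resolved = set()
    for d in seeds:
        resolved.update(pdns.get(d, []))
    additional_ips = resolved - seed_ips
    hosted = defaultdict(set)                   # reverse-IP index: ip -> domains
    for d, addrs in pdns.items():
        for a in addrs:
            hosted[a].add(d)
    connected = set()
    for ip in resolved | seed_ips:
        tenants = hosted.get(ip, set())
        if len(tenants) > max_tenants:
            continue
        connected |= tenants
    return additional_ips, connected - seeds


def string_connected(seeds, corpus, strings):
    """Domains whose registrable label contains a pivot string.

    Substring hits are leads, not verdicts: the unrelated "bloomberg" domain
    in the constructed corpus is returned too and needs analyst triage.
    """
    hits = set()
    for d in corpus:
        label = d.rsplit(".", 1)[0]
        if any(s in label for s in strings):
            hits.add(d)
    return hits - seeds


def expand(seeds=SEED_DOMAINS, seed_ips=SEED_IPS):
    """Run all three pivots and return sorted results per category."""
    by_email = email_connected(seeds, WHOIS)
    extra_ips, by_ip = ip_connected(seeds, seed_ips, PDNS)
    by_string = string_connected(seeds, CORPUS, PIVOT_STRINGS)
    return {
        "email_connected": sorted(by_email),
        "additional_ips": sorted(extra_ips),
        "ip_connected": sorted(by_ip),
        "string_connected": sorted(by_string),
    }


if __name__ == "__main__":
    for category, items in expand().items():
        print(f"{len(items):>3} {category}: {', '.join(items)}")
```

Run as-is it prints one line per category with the count and the artifacts found, the same shape as the bullet list above; swap the constructed dictionaries for real WHOIS, passive-DNS and registration feeds to use it on a live seed list. The tenant threshold and the pivot strings are the two knobs that decide how much noise the expansion carries.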

Download a sample of the threat research materials now or contact sales to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

  • [1] https://www.threatdown.com/blog/the-life-and-death-of-the-zeus-trojan/
  • [2] https://news.sophos.com/en-us/2024/12/19/phishing-platform-rockstar-2fa-trips-and-flowerstorm-picks-up-the-pieces/
  • [3] https://github.com/sophoslabs/IoCs/blob/master/FlowerStormPaaS.csv