Tracking LummaC2 Infrastructure with Cats

Domain Seizures of LummaC2 Infostealing-Malware

Last week, the US Department of Justice (DOJ) announced the disruption of the LummaC2 infostealing-malware. This was achieved through sweeping domain seizures in coordination with Microsoft, which resulted in the takedown of over 2,300 domains associated with LummaC2 operations. 

The FBI and CISA also released a joint advisory detailing LummaC2’s known tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs), including 114 domains observed deploying the malware. These domains have several commonalities including registration patterns and landing pages that reveal additional connected infrastructure. Pivoting on those common patterns can help organizations proactively defend against potential future LummaC2 activity. 

Domain Registration Patterns

One of the registration patterns among the 114 domains is the usage of individual, Eastern European names for the Registrant Organization, Registrant, and Contact Name. Some of these names appear to reference prominent Russian figures such as athletes, mobsters, fashion designers, and actors.

Other domain registration patterns are highlighted below: 

Mail Server Hostnames:
  zoho[.]eu
  pinkipinevazzey[.]pw
  fanlumpactiras[.]pw

Whois Registrant Email Domains:
  inbox[.]eu

Server Types:
  Cloudflare
  GWS
  nginx/1.14.2
  nginx/1.18.0 (Ubuntu)

Top SSL Hashes:
  80b9e0f6a81ab78ee4e01152958e1322e6d7b6fa
  b1677d595e69263c9a8181ba9375b5cdd8cf6e34
  2eb2ec01b334bb74109a227fdd57da8398f035cc
  a9f2cf9a6ad5bb2b6cdd0429f124e8f581ada7e6
  1206f4fceeed9f9614f65245cb03916c399e6ec6

We also observed that four of the domains – blast-hubs[.]com, blastikcn[.]com, naturewsounds[.]help, and stormlegue[.]com – featured the same landing page. This page was titled, “About Cats,” and, as the name suggests, contained various bits of information about our feline friends.

The website title “About Cats” appears across 58 additional domains which have an average Risk Score of 98 out of 100. Nearly all of these domains feature the above landing page and appear in malware IOC databases such as ThreatFox for distributing LummaC2 and other strains. 41 of the 58 domains remain active at the time of writing and are listed below:

Domain Name             First Seen    Risk Score
belamai[.]shop          2024-12-11    100
cat-are-here[.]ru       2025-01-23    100
cozkeu[.]shop           2025-02-07    100
cyqfuy[.]shop           2025-02-07    100
fabzswingers[.]com      2025-03-06    100
fireflypath[.]shop      2024-11-23    100
forestchime[.]shop      2024-11-23    100
gentlestream[.]shop     2024-11-23    100
gewrye[.]shop           2025-02-07    100
happyjourney[.]shop     2024-11-16    100
jonagye[.]shop          2024-12-11    100
kerlalostel[.]org       2025-03-03    34
kittlez[.]ru            2025-01-23    100
leqezuu[.]shop          2024-12-11    100
lingagulidon[.]com      2025-02-11    100
lumdukekiy[.]shop       2024-12-03    100
lumfokim[.]shop         2024-12-02    100
lumjebyhiu[.]shop       2024-11-28    100
lumkecuq[.]shop         2024-12-02    100
lumlacumii[.]shop       2024-12-03    100
lumlideweo[.]shop       2024-12-03    100
lummomusuo[.]shop       2024-12-03    100
lumramavyy[.]shop       2024-12-03    100
lumsuxinya[.]shop       2024-12-03    100
lumtovusao[.]shop       2024-12-03    100
lumzacynuy[.]shop       2024-12-03    100
morningjoy[.]shop       2024-11-16    100
mysticjourney[.]shop    2024-11-23    100
nature-sounds[.]shop    2024-11-16    100
ocean-view[.]shop       2024-11-16    100
padxae[.]shop           2025-02-07    100
pannlumz[.]com          2024-11-05    100
rapabuo[.]shop          2024-12-11    100
river-stone[.]shop      2024-11-16    100
rubyfalls[.]shop        2024-11-23    100
rugtou[.]shop           2025-02-07    100
sereneoasis[.]shop      2024-11-23    100
sunny-beach[.]shop      2024-11-16    100
weponoe[.]shop          2024-12-11    100
winterchill[.]shop      2024-11-16    100
zincaa[.]shop           2025-02-07    100
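
One way to turn the registration and landing-page pivots above into a triage check over your own domain enrichment data, as an added example (not DomainTools' code). The record field names, the weights and the threshold are assumptions; zoho[.]eu and inbox[.]eu are public mail services, so on their own they are scored as weak signals that need corroboration.

```python
# Pivot values are the ones listed on this page, refanged for matching.
# Weights are an assumption of this example: shared providers score 1, others 2.
TITLE = "about cats"
MX_SUFFIXES = {"zoho.eu": 1, "pinkipinevazzey.pw": 2, "fanlumpactiras.pw": 2}
EMAIL_DOMAINS = {"inbox.eu": 1}
SSL_SHA1 = {
    "80b9e0f6a81ab78ee4e01152958e1322e6d7b6fa",
    "b1677d595e69263c9a8181ba9375b5cdd8cf6e34",
    "2eb2ec01b334bb74109a227fdd57da8398f035cc",
    "a9f2cf9a6ad5bb2b6cdd0429f124e8f581ada7e6",
    "1206f4fceeed9f9614f65245cb03916c399e6ec6",
}
REVIEW_THRESHOLD = 3  # assumption: one pivot alone never reaches review

def refang(value):
    """Normalise a possibly defanged host or hash for comparison."""
    return value.replace("[.]", ".").strip().lower().rstrip(".")

def suffix_weight(host, table):
    """Weight of the table entry that host equals or is a subdomain of."""
    host = refang(host)
    for suffix, weight in table.items():
        if host == suffix or host.endswith("." + suffix):
            return weight
    return 0

def score(record):
    """Return (score, matched_pivots) for one enrichment record."""
    hits = {}
    if record.get("title", "").strip().lower() == TITLE:
        hits["title"] = 2
    if refang(record.get("ssl_sha1", "")) in SSL_SHA1:
        hits["ssl_sha1"] = 2
    mx = max((suffix_weight(h, MX_SUFFIXES) for h in record.get("mx", [])), default=0)
    if mx:
        hits["mx"] = mx
    email_domain = record.get("registrant_email", "").rpartition("@")[2]
    if suffix_weight(email_domain, EMAIL_DOMAINS):
        hits["registrant_email"] = suffix_weight(email_domain, EMAIL_DOMAINS)
    return sum(hits.values()), sorted(hits)

def triage(records):
    """Domains whose combined pivots reach the review threshold."""
    return [r["domain"] for r in records if score(r)[0] >= REVIEW_THRESHOLD]

# Constructed sample records (not real data); field names are hypothetical.
SAMPLE = [
    {"domain": "cats.example", "title": "About Cats", "mx": ["mx.zoho[.]eu"], "registrant_email": "a@inbox.eu"},
    {"domain": "shop.example", "title": "Bike Shop", "mx": ["mx2.zoho.eu"], "registrant_email": "b@inbox.eu"},
    {"domain": "blog.example", "title": "About Cats", "mx": ["mail.blog.example"]},
]
```

Only cats.example reaches the review threshold here: a Zoho-hosted mailbox or a cat-themed page title by itself is common on benign sites, and it is the combination that matches the pattern described above.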

Remaining LummaC2 Domains

While the DOJ and Microsoft’s efforts against LummaC2 have significantly disrupted operations, it is important to be aware of other LummaC2 domains that are still active. The “About Cats” domains detailed above are 160 days old on average, but may continue to distribute the malware or facilitate other malicious activity. In addition to blocking these sites, we recommend getting your burning cat-related questions answered by more reputable sources.


IOCs on GitHub

https://github.com/DomainTools/SecuritySnacks/blob/main/2025/LummaC2-About-Cats.csv

https://github.com/DomainTools/SecuritySnacks/blob/main/2025/LummaC2-Domains.csv

If the community has any additional input, please let us know. 


Appendix

The below search hashes can be copied and pasted into Iris Investigate to view the results detailed above. 
