This detection identifies potential Lumma Stealer activity through known IOCs associated with this information-stealer family. Lumma Stealer (LummaC2) is a malware-as-a-service infostealer that harvests browser credentials, session cookies and cryptocurrency wallet data, not ransomware; a match on one of the C2 domains below therefore indicates a host that has resolved known command-and-control infrastructure and is likely already exfiltrating stolen data. SOC teams should proactively hunt for this behavior in Microsoft Sentinel (formerly Azure Sentinel) to detect and contain the infection before the stolen credentials are used for further compromise.
IOC Summary
Malware Family: Lumma Stealer
Total IOCs: 16
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | boletukk.cyou | botnet_cc | 2026-05-06 | 100% |
| domain | trotskxt.cyou | botnet_cc | 2026-05-06 | 100% |
| domain | springvc.cyou | botnet_cc | 2026-05-06 | 100% |
| domain | psychozc.cyou | botnet_cc | 2026-05-06 | 100% |
| domain | pricelou.cyou | botnet_cc | 2026-05-06 | 100% |
| domain | strainug.cyou | botnet_cc | 2026-05-06 | 100% |
| domain | americoq.cyou | botnet_cc | 2026-05-06 | 100% |
| domain | lyingapy.cyou | botnet_cc | 2026-05-06 | 100% |
| domain | bactergy.cyou | botnet_cc | 2026-05-06 | 100% |
| domain | perfecpl.cyou | botnet_cc | 2026-05-06 | 100% |
| domain | granddsd.cyou | botnet_cc | 2026-05-06 | 100% |
| domain | lovesozp.cyou | botnet_cc | 2026-05-06 | 100% |
| domain | oncolonb.cyou | botnet_cc | 2026-05-06 | 100% |
| domain | amphibgz.cyou | botnet_cc | 2026-05-06 | 100% |
| domain | mushxhb.best | botnet_cc | 2026-05-06 | 100% |
| domain | genugsq.best | botnet_cc | 2026-05-06 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Lumma Stealer (threat type botnet_cc, i.e. C2 infrastructure)
let malicious_domains = dynamic(["boletukk.cyou", "trotskxt.cyou", "springvc.cyou", "psychozc.cyou", "pricelou.cyou", "strainug.cyou", "americoq.cyou", "lyingapy.cyou", "bactergy.cyou", "perfecpl.cyou", "granddsd.cyou", "lovesozp.cyou", "oncolonb.cyou", "amphibgz.cyou", "mushxhb.best", "genugsq.best"]);
DnsEvents
// has_any is case-insensitive term matching, so subdomains such as cdn.boletukk.cyou are also caught
| where Name has_any (malicious_domains)
// In DnsEvents, Computer is the DNS server that logged the query; ClientIP is the host that asked
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
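The same IOC match, run offline over constructed DnsEvents-style records so the behaviour of the hunt can be checked before it is deployed. This is an added example, not code from the original page or from ThreatFox; the records, hostnames and resolved addresses are made up for the test. It is deliberately stricter than the KQL above: `has_any` is term-based and will also flag a name that merely contains the IOC's labels in sequence (for example `boletukk.cyou.example.com`), whereas the label-suffix match here only fires on the IOC domain itself or a subdomain of it.

```python
"""Offline replay of the Lumma Stealer DNS hunt against constructed sample records."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# The 16 ThreatFox-listed Lumma Stealer C2 domains from the IOC table above.
LUMMA_C2_DOMAINS = frozenset({
    "boletukk.cyou", "trotskxt.cyou", "springvc.cyou", "psychozc.cyou",
    "pricelou.cyou", "strainug.cyou", "americoq.cyou", "lyingapy.cyou",
    "bactergy.cyou", "perfecpl.cyou", "granddsd.cyou", "lovesozp.cyou",
    "oncolonb.cyou", "amphibgz.cyou", "mushxhb.best", "genugsq.best",
})


@dataclass(frozen=True)
class DnsEvent:
    """Subset of the DnsEvents columns the KQL projection uses."""
    time_generated: str   # ISO-8601 timestamp, sortable as a string
    computer: str         # DNS server that logged the query
    name: str             # queried name exactly as logged
    ip_addresses: str     # resolved answers, empty if none
    query_type: str


def normalize_name(name: str) -> str:
    """Lower-case and strip a trailing dot so 'MUSHXHB.BEST.' compares equal to the IOC."""
    return name.strip().lower().rstrip(".")


def matches_ioc(name: str, iocs=LUMMA_C2_DOMAINS) -> Optional[str]:
    """Return the IOC domain that `name` equals or is a subdomain of, else None.

    Matching walks label suffixes (cdn.genugsq.best -> genugsq.best -> best), so a
    substring near-miss such as notboletukk.cyou, or a name that only contains the
    IOC as a prefix (boletukk.cyou.example.com), does not match.
    """
    labels = normalize_name(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def hunt(events: Iterable[DnsEvent], iocs=LUMMA_C2_DOMAINS) -> List[dict]:
    """Equivalent of the KQL query: filter on IOC match, project, order by time desc."""
    hits = []
    for ev in events:
        ioc = matches_ioc(ev.name, iocs)
        if ioc is not None:
            hits.append({
                "TimeGenerated": ev.time_generated,
                "Computer": ev.computer,
                "Name": ev.name,
                "IPAddresses": ev.ip_addresses,
                "QueryType": ev.query_type,
                "MatchedIOC": ioc,
            })
    return sorted(hits, key=lambda h: h["TimeGenerated"], reverse=True)


# Constructed sample records (hostnames, timestamps and addresses are invented for the test).
SAMPLE_EVENTS = [
    DnsEvent("2026-05-06T10:00:00Z", "SRV-DNS01", "boletukk.cyou", "203.0.113.10", "A"),
    DnsEvent("2026-05-06T10:05:00Z", "SRV-DNS01", "www.microsoft.com", "198.51.100.1", "A"),
    DnsEvent("2026-05-06T10:07:30Z", "SRV-DNS02", "MUSHXHB.BEST.", "", "A"),
    DnsEvent("2026-05-06T10:09:00Z", "SRV-DNS02", "cdn.genugsq.best", "198.51.100.7", "AAAA"),
    DnsEvent("2026-05-06T10:11:00Z", "SRV-DNS01", "notboletukk.cyou", "", "A"),
    DnsEvent("2026-05-06T10:12:00Z", "SRV-DNS01", "boletukk.cyou.example.com", "", "A"),
]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["TimeGenerated"], hit["Computer"], hit["Name"], "->", hit["MatchedIOC"])
```

Of the six constructed records, three are hits: the exact C2 domain, the upper-cased name with a trailing dot, and the subdomain of `genugsq.best`; the benign Microsoft lookup, the `notboletukk.cyou` near-miss and the prefix-only name are left alone. If you want the KQL to behave the same way, replace `has_any` with an explicit equality-or-suffix test on `tolower(Name)`.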
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled. DnsEvents is populated by the DNS Analytics solution (Windows DNS server logs collected through the Log Analytics agent); if your DNS telemetry is ingested from another source, run the same domain list through the ASIM DNS parser (`_Im_Dns`) instead and adjust the column names. |
False Positive Scenarios
Scenario: Legitimate Scheduled Job for Log Collection
Description: A system administrator schedules a PowerShell script using schtasks.exe to collect logs from remote servers. This script may use a legitimate tool like Invoke-Command or Get-EventLog, which could be flagged because of its similarity to malicious activity.
Filter/Exclusion: Exclude the specific scheduled task by its known command-line arguments and the script's full path (and hash where possible) rather than everything under a trusted directory such as C:\Windows\System32\; a directory-wide exclusion would also hide an attacker who drops a script there.
Scenario: Admin Task Using PowerShell for System Monitoring
Description: A system administrator uses PowerShell to monitor system performance, possibly using Get-Process or Get-Service, which could be mistaken for malicious reconnaissance.
Filter/Exclusion: Exclude the specific monitoring scripts by full path and hash or code signature rather than every PowerShell process run by an administrative account; an attacker who has obtained admin rights would otherwise be excluded too. Note that C:\Windows\System32\WindowsPowerShell\v1.0\ is the location of the PowerShell interpreter itself, not of the scripts it runs, so it is not a useful exclusion key.
Scenario: Legitimate Software Installation via MSI
Description: A legitimate application is installed using an MSI package, which may include registry modifications or file creation that resemble malicious behavior.
Filter/Exclusion: Exclude processes related to msiexec.exe and files signed by trusted publishers, such as Microsoft or enterprise-approved software vendors.
Scenario: Regular File System Cleanup Task
Description: A scheduled task runs a script to clean up temporary files or logs, which may involve file deletion or modification that could trigger the rule.
Filter/Exclusion: Exclude processes initiated by Task Scheduler (e.g., schtasks.exe) and files located in temporary directories like C:\Windows\Temp or C:\Users\*\AppData\Local\Temp.
Scenario: Network Monitoring Tool Using Netsh or PowerShell
Description: A network monitoring tool uses netsh or PowerShell to