
On May 21, 2025, the FBI and CISA released a joint Cybersecurity Advisory (CSA), designated AA25-141B, warning about the rise in attacks leveraging LummaC2. The activity is attributed to a threat group referred to internally as Sticky Werewolf; this cyber espionage campaign has used LummaC2 malware since at least April 2023 to target Russian and Belarusian government agencies, science centers, and aviation manufacturers. While their exact origin is unconfirmed, some researchers suggest pro-Ukrainian alignment based on geopolitical targeting patterns. This threat has been actively observed across multiple U.S. critical infrastructure sectors from November 2023 through May 2025.
LummaC2 is capable of extracting a wide range of sensitive data, including credentials, MFA tokens, browser extensions, and cryptocurrency wallets. This malware is typically delivered through phishing techniques and further spread using masqueraded or spoofed applications.
For more information, read the full CISA advisory here.
Understanding the LummaC2 Threat
LummaC2 first emerged in 2022 in Russian-speaking cybercriminal forums and has evolved into a widely distributed infostealer sold via underground markets. Threat actors deploy LummaC2 primarily through:
- Spearphishing attachments and links [T1566.001, T1566.002]
- Fake CAPTCHA workflows prompting users to copy/paste PowerShell commands
- Spoofed versions of legitimate software (e.g., multimedia utilities) [T1036]
- Obfuscation techniques to bypass AV and EDR defenses [T1027]
Once executed, LummaC2 operates largely in-memory, exfiltrating system and browser data to attacker-controlled infrastructure via POST requests [T1071.001], without dropping persistent files.
Industry Context: LummaC2 and Scattered Spider
In addition to the findings from CISA and FBI, Microsoft recently published evidence linking the LummaC2 stealer to high-profile attacks conducted by the Scattered Spider threat group. LummaC2 has become a favored tool among financially motivated attackers due to its modular design, ease of deployment, and ability to evade endpoint detection. Scattered Spider actors reportedly used LummaC2 to steal credentials and sensitive session tokens during intrusions against major enterprises. This underscores LummaC2’s dual utility across both espionage and cybercrime campaigns — further reinforcing the need for organizations to test and strengthen their defenses against it.
Key Tactics, Techniques, & Procedures (TTPs)
Initial Access
- Spearphishing emails with malicious attachments or URLs [T1566]
- Fake CAPTCHA workflow prompting victims to launch PowerShell via clipboard trick [T1566.001, T1566.002]
- Emphasis on social engineering over traditional malware droppers.
Discovery
- WinAPI-based system probing using GetUserNameW and GetComputerNameW [T1012]
- Customizes behavior based on system environment
Credential Access & Data Collection
Automated theft of:
- Browser credentials and saved passwords
- MFA tokens
- Cryptocurrency wallets
- Browser extensions
- Personally identifiable information (PII) [T1119, T1217]
Command and Control (C2)
- Covert HTTP POST-based communication with attacker infrastructure [T1071.001]
- Parses JSON instructions received from the C2 infrastructure
Exfiltration
- Sends stolen data over encrypted HTTP POST requests [TA0010]
- Operates in memory to avoid persistent signatures or artifacts
Indicators of Compromise (IoCs)
Executable Hashes (LummaC2.exe)
Multiple MD5, SHA-1, and SHA-256 hashes are included for known variants dating back to November 2023. For example:
- 4AFDC05708B8B39C82E60ABE3ACE55DB (MD5)
- 1239288A5876C09D9F0A67BCFD645735168A7C80 (SHA1)
Malicious Domains
Over 80 domains used in LummaC2 campaigns are listed, including:
- pinkipinevazzey[.]pw, generalmills[.]pro, blast-hubs[.]com, triplooqp[.]world, and many others spanning .shop, .site, .world, .icu, and .digital TLDs.
For the full list of IOCs, download the STIX XML or STIX JSON files.
SafeBreach Coverage & Playbook Attack Updates
The SafeBreach Labs team has reviewed the full set of tactics and IOCs associated with the LummaC2 campaign (CISA Alert AA25-141B) and has both existing and newly added simulation coverage available for customers to test and validate their security posture.
Existing Behavioral Coverage
SafeBreach already simulates a wide array of attack behaviors that align with LummaC2’s tactics, including credential theft, obfuscation, C2 activity, and data exfiltration. Notable simulations include:
- 105 – Covert data asset exfiltration using HTTP/S (URI)
- 110 – Covert data asset exfiltration using HTTPS POST
- 165 – Obfuscation of a malicious executable inside an Encrypted file over HTTP/S
- 1693 – Collect Windows system data using CMD
- 2266 – Collect Google Chrome Bookmarks
- 6996 – Steal Web Session Cookie (Windows)
- 8004 – Capture Screen using PowerShell
- 8362 – Dynamic API resolution
- 8968 – EDR evasion by calling NtCreateFile syscall directly
- 10618 – Collect credentials from Chrome password manager
- 10619 – Collect credentials from Edge password manager
- 10620 – Collect credentials from Opera password manager
These playbook entries simulate the malware’s real-world behaviors, including browser data theft, in-memory reconnaissance, and stealthy API-based system querying.
New IOC-Based SafeBreach Simulations
The Labs team added new simulation coverage aligned with LummaC2’s specific file variants and loader activity, including:
- 10803–10808: LummaC2 Wingo Loader – write, transfer, and email distribution over HTTP/S
- 10809–10813: LummaC2 Rugmi Infostealer – write to disk, transfer, and compressed delivery
These simulate loader execution paths and C2 delivery techniques, and are tagged in the playbook by IOC and threat family.
What You Should Do Now
SafeBreach customers can now validate their security controls against these TTPs in multiple ways.
Method 1
You can go to the “SafeBreach Scenarios” page and choose CISA Alert AA25-141B.

Method 2
From the Attack Playbook, select and filter attacks related to CISA Alert AA25-141B. Additionally, you can refer to the list above as well to ensure a comprehensive level of coverage.

Method 3
From the Known Attack Series report, select the US CERT Alert AA25-141B report and select Run Simulations, which will run all attack methods.

Additional Advisory Steps
To ensure your organization is protected against the LummaC2 and Sticky Werewolf attacks detailed in CISA Alert AA25-141B, we recommend the following steps:
Run the SafeBreach Platform Simulations
- Navigate to the SafeBreach Platform.
- Filter by alert code AA25-141B.
- Execute playbooks simulating credential theft, browser exploitation, and C2 callback behavior.
Mitigation Strategies
- Implement phishing-resistant MFA and endpoint monitoring.
- Use allowlisting to prevent unauthorized remote software execution.
- Patch vulnerabilities in applications used to masquerade LummaC2 payloads.
- Monitor API usage and command-line behaviors.
Proactive Threat Monitoring
- Block or alert on LummaC2-related domains and hashes.
- Investigate endpoints with suspicious PowerShell usage or C2 POST requests.
- Review logs for evidence of in-memory execution or unauthorized exfiltration attempts.
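The monitoring steps above (block or alert on LummaC2 domains and hashes, and look for C2 HTTP POST requests as described in the C2 and Exfiltration sections) can be turned into a simple log sweep. The following Python is an added example, not SafeBreach or CISA code: the proxy log format and its lines are constructed, and the only indicators it uses are the four domains and two hashes quoted on this page.

```python
import re

# Indicators taken from this page's advisory summary, in defanged form;
# the hash set holds the two example hashes quoted above.
DEFANGED_DOMAINS = ["pinkipinevazzey[.]pw", "generalmills[.]pro",
                    "blast-hubs[.]com", "triplooqp[.]world"]
IOC_HASHES = {"4AFDC05708B8B39C82E60ABE3ACE55DB",
              "1239288A5876C09D9F0A67BCFD645735168A7C80"}

# Constructed proxy log lines (hypothetical format:
# timestamp client method host path status bytes_sent).
SAMPLE_PROXY_LOG = """\
2025-05-22T10:01:05Z 10.0.0.15 GET www.example.com /index.html 200 512
2025-05-22T10:01:09Z 10.0.0.15 POST cdn.pinkipinevazzey.pw /api 200 40960
2025-05-22T10:02:11Z 10.0.0.22 GET GeneralMills.pro /c 404 0
2025-05-22T10:02:30Z 10.0.0.31 POST updates.example.com /submit 200 2048
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) "
                     r"(?P<host>\S+) (?P<path>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$")

def refang(indicator):
    """Turn a defanged indicator (pinkipinevazzey[.]pw) into a matchable host."""
    return indicator.strip().lower().replace("[.]", ".")

def host_matches(host, ioc_domains):
    """Exact or subdomain match, so cdn.<ioc-domain> is caught as well."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ioc_domains)

def hash_is_known(digest):
    """Case-insensitive lookup of an MD5/SHA-1/SHA-256 hex digest."""
    return digest.strip().upper() in IOC_HASHES

def scan_proxy_log(log_text, defanged_domains=DEFANGED_DOMAINS):
    """One alert per request to a LummaC2 domain; POSTs rank higher because
    the advisory describes exfiltration over HTTP POST requests."""
    domains = {refang(d) for d in defanged_domains}
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the sweep
        rec = m.groupdict()
        if host_matches(rec["host"], domains):
            alerts.append({"src": rec["src"], "host": rec["host"],
                           "method": rec["method"], "bytes": int(rec["bytes"]),
                           "severity": "high" if rec["method"] == "POST" else "medium"})
    return alerts
```

Feed it the refanged domain list from the STIX download instead of the four sample domains to cover the full advisory set.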
Stay Ahead with SafeBreach
For a complete view of your security gaps against LummaC2 and Sticky Werewolf attacks, sign into SafeBreach and run the latest simulations mapped to CISA Alert AA25-141B. In addition to testing your defenses against credential harvesting and lateral movement behaviors, you can go a step further with SafeBreach Propagate.
Propagate enables you to assess how attackers could pivot across your environment post-compromise—mapping high-risk attack paths, visualizing lateral movement, and prioritizing remediation efforts based on exposure to your most critical assets. Find out more about Propagate here.