Dark Web Informer - Cyber Threat Intelligence

IOC Alert: Lumma Stealer API Endpoint Identified

📖 Overview

An API endpoint has been flagged that is associated with the Lumma information stealer malware family. The infrastructure is fronted by Cloudflare and currently requires human verification to proceed, but is believed to function as a command-and-control (C2) channel for Lumma. Confidence is assessed at 75%.


📌 Key Details

Field        Information
Type         URL
Indicator    https://agentgrabber[.]com/api
Threat Type  Botnet C2
Malware      win.lumma
Confidence   75%
Date         01 Oct 2025 – 17:31:21 UTC
Tags         c2, Lumma, stealer
Reporter     ninjacatcher
Reference    None

🔎 URLScan Result

(URLScan screenshot not reproduced in this text copy)

🛡️ Defensive Guidance

  • Block agentgrabber[.]com and its API endpoint at DNS, proxy, and firewall layers.
  • Monitor for HTTP(S) traffic directed at this domain, particularly API request patterns indicative of C2 activity.
  • Hunt for compromised endpoints communicating with the Lumma stealer C2 framework.
  • Consider adding detection rules for outbound requests to /api paths on suspicious domains tied to Lumma operations.
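The monitoring and detection-rule bullets above, as an added example that is not part of the original alert: a small Python hunt over outbound proxy log lines that refangs the published indicator and flags requests to agentgrabber[.]com (or any of its subdomains) at or under /api. The log line format and the sample lines are constructed for illustration; only the indicator itself comes from the alert.

```python
import re
from urllib.parse import urlparse

# Indicator exactly as published in the alert (defanged). The log format
# and the sample lines further down are constructed for this added example.
DEFANGED_IOCS = ["https://agentgrabber[.]com/api"]

def refang(ioc: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into a matchable URL."""
    return ioc.replace("[.]", ".").replace("hxxps://", "https://").replace("hxxp://", "http://")

def ioc_matches(url: str, ioc_url: str) -> bool:
    """True when url is on the IOC host (or a subdomain) and at/under its path."""
    u, i = urlparse(url), urlparse(ioc_url)
    host, ioc_host = (u.hostname or "").lower(), (i.hostname or "").lower()
    same_host = host == ioc_host or host.endswith("." + ioc_host)
    path, ioc_path = u.path or "/", i.path.rstrip("/") or "/"
    under_path = path == ioc_path or path.startswith(ioc_path + "/")
    return same_host and under_path

# Constructed proxy log format: "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")

def scan_proxy_log(lines, defanged_iocs=DEFANGED_IOCS):
    """Return (client_ip, url) for every request that hits an indicator."""
    iocs = [refang(x) for x in defanged_iocs]
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        _ts, client, _method, url, _status = m.groups()
        if any(ioc_matches(url, ioc) for ioc in iocs):
            hits.append((client, url))
    return hits

# Constructed sample lines: the first two are hits (exact host, subdomain);
# the root path, an unrelated host with /api, and a malformed line are not.
SAMPLE_LOG = [
    "2025-10-01T17:40:02Z 10.0.5.23 POST https://agentgrabber.com/api 403",
    "2025-10-01T17:40:09Z 10.0.5.23 GET https://cdn.agentgrabber.com/api/check 200",
    "2025-10-01T17:41:00Z 10.0.7.8 GET https://agentgrabber.com/ 200",
    "2025-10-01T17:41:30Z 10.0.7.8 GET https://example.com/api 200",
    "garbage line",
]

if __name__ == "__main__":
    for client, url in scan_proxy_log(SAMPLE_LOG):
        print(f"IOC hit: {client} -> {url}")
```

Matching on the host suffix with a leading dot keeps look-alike domains such as a hypothetical notagentgrabber.com from matching, and the path check requires a path boundary so /apix is not confused with /api.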

⚠️ This IOC highlights the continued evolution of Lumma stealer infrastructure, which frequently leverages Cloudflare or other protective services to obscure malicious endpoints from analysis.
