📖 Overview
A domain indicator has been identified as command-and-control (C2) infrastructure for Lumma Stealer. The domain serves a Russian-language login portal (page title "Вход", i.e. "Login"), consistent with a stealer C2 panel, and is attributed to active Lumma C2 operations with 100% confidence by the reporter.
📌 Key Details
| Field | Information |
|---|---|
| Type | Domain |
| Indicator | larpfxs[.]top |
| Threat Type | Botnet C2 |
| Malware | win.lumma |
| Confidence | 100% |
| Date | 31 Aug 2025 – 20:26:53 UTC |
| Tags | c2, domain, Lumma, stealer |
| Reporter | DonPasci |
🔎 URLScan Result
Page Title: Вход (Russian for "Login")
Screenshot: https://urlscan.io/screenshots/0198fd5b-0763-7058-8bf4-5a8a755b9cfe.png
Result: https://urlscan.io/result/0198fd5b-0763-7058-8bf4-5a8a755b9cfe/

📡 Related Intelligence
WHOIS Record: https://who.is/whois/larpfxs.top
VirusTotal Report: https://www.virustotal.com/gui/domain/larpfxs.top
🛡️ Defensive Guidance
- Block larpfxs[.]top (and its subdomains) at DNS, proxy, and endpoint layers.
- Monitor for Lumma Stealer callbacks and credential exfiltration attempts.
- Hunt for stealer payloads and persistence mechanisms in endpoint telemetry.
- Review DNS and proxy logs for outbound requests to this domain; match on the exact label and its subdomains rather than on a substring, so look-alike names do not produce false positives or false negatives.
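The following script is an added example, not part of the original report or of any vendor tooling, showing how the guidance above can be applied: it refangs the published indicator, matches hostnames label-by-label (so `notlarpfxs.top` and `larpfxs.top.example.com` are not hits while `cdn.larpfxs.top` is), sweeps BIND-style DNS query logs and Squid-style proxy access logs for the domain, and emits RPZ records for the DNS block. The log lines, client IPs and timestamps are constructed for illustration only; the regexes assume those two log formats and will need adjusting for other resolvers or proxies.

```python
"""Hunt DNS/proxy logs for the Lumma C2 domain from this report and build block entries.

Added example (not from the original report). Log formats assumed:
BIND query log and Squid native access log. Sample lines below are constructed.
"""
import re
from typing import List, Optional, Tuple

# Indicator exactly as published (defanged); refanged before matching.
IOC_DEFANGED = "larpfxs[.]top"


def refang(indicator: str) -> str:
    """Turn a defanged indicator (larpfxs[.]top, hxxps://...) into its live form."""
    live = (indicator.replace("[.]", ".")
                     .replace("(.)", ".")
                     .replace("hxxp://", "http://")
                     .replace("hxxps://", "https://"))
    return live.lower().rstrip(".")


IOC = refang(IOC_DEFANGED)  # "larpfxs.top"


def matches_ioc(hostname: str, ioc: str = IOC) -> bool:
    """True for the indicator itself or any subdomain of it (label-aware, not substring)."""
    host = hostname.lower().rstrip(".")
    return host == ioc or host.endswith("." + ioc)


def rpz_records(ioc: str = IOC) -> List[str]:
    """RPZ zone records that NXDOMAIN the domain and all of its subdomains."""
    return [f"{ioc} CNAME .", f"*.{ioc} CNAME ."]


# BIND query log: "client [@0x...] <ip>#<port> ...: query: <qname> IN <type> ..."
_DNS_RE = re.compile(r"client (?:@0x[0-9a-f]+ )?(?P<client>[\d.]+)#\d+.*?query: (?P<qname>\S+) IN")
# Squid native log: "<ts> <elapsed> <client> <action/code> <size> <method> <url> ..."
_PROXY_RE = re.compile(r"^(?P<ts>\S+)\s+\d+\s+(?P<client>[\d.]+)\s+\S+\s+\d+\s+\S+\s+(?P<url>\S+)")
# Host part of either a full URL or a CONNECT target such as "host:443".
_HOST_RE = re.compile(r"^(?:[a-z][a-z0-9+.-]*://)?([^/:]+)", re.I)


def extract_host(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (source, client_ip, hostname) for a recognised log line, else None."""
    m = _DNS_RE.search(line)
    if m:
        return ("dns", m.group("client"), m.group("qname"))
    m = _PROXY_RE.match(line)
    if m:
        h = _HOST_RE.match(m.group("url"))
        if h:
            return ("proxy", m.group("client"), h.group(1))
    return None


def hunt(lines: List[str], ioc: str = IOC) -> List[Tuple[str, str, str]]:
    """All (source, client_ip, hostname) records that resolve to or contact the IOC."""
    hits = []
    for line in lines:
        parsed = extract_host(line)
        if parsed and matches_ioc(parsed[2], ioc):
            hits.append(parsed)
    return hits


# Constructed sample telemetry (not real logs). Expected hits: lines 1, 4 and 5.
SAMPLE_LOGS = [
    "12-Sep-2025 10:01:02.123 client @0x7f3c2c0 10.0.0.5#53211 (larpfxs.top): query: larpfxs.top IN A + (10.0.0.1)",
    "12-Sep-2025 10:01:03.456 client @0x7f3c2c0 10.0.0.7#53212 (www.example.com): query: www.example.com IN A + (10.0.0.1)",
    "12-Sep-2025 10:01:04.789 client @0x7f3c2c0 10.0.0.9#53213 (notlarpfxs.top): query: notlarpfxs.top IN A + (10.0.0.1)",
    "1757671265.001    145 10.0.0.5 TCP_TUNNEL/200 3982 CONNECT larpfxs.top:443 - HIER_DIRECT/203.0.113.10 -",
    "1757671266.002     88 10.0.0.12 TCP_MISS/200 1203 GET http://cdn.larpfxs.top/upd.bin - HIER_DIRECT/203.0.113.10 application/octet-stream",
    "1757671267.003     90 10.0.0.13 TCP_MISS/200 1203 GET http://larpfxs.top.example.com/ - HIER_DIRECT/198.51.100.5 text/html",
    "kernel: audit: type=1300 msg=audit(1757671268.004:99): unrelated line that no parser recognises",
]

if __name__ == "__main__":
    for src, client, host in hunt(SAMPLE_LOGS):
        print(f"[{src}] {client} -> {host}")
    print("\n".join(rpz_records()))
```

Run it against real exports by replacing `SAMPLE_LOGS` with the lines read from your resolver or proxy; the client IPs in the hits are the hosts to triage for a Lumma infection, and the RPZ records can be dropped into a response-policy zone on BIND or any resolver that supports RPZ.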