📖 Overview
A domain has been identified hosting infrastructure associated with the Lumma information stealer malware family (tracked as win.lumma). At the time of reporting the domain resolves to an active IP and serves TLS certificates issued by Let's Encrypt. The reporter assesses attribution confidence at 100%.
📌 Key Details
| Field | Information |
|---|---|
| Type | Domain |
| Indicator | holdonz[.]pics |
| Threat Type | Botnet C2 |
| Malware | win.lumma |
| Confidence | 100% |
| Date | 30 Sep 2025 – 14:04:52 UTC |
| Tags | c2, domain, Lumma, stealer |
| Reporter | DonPasci |
| Reference | None |
🔎 URLScan Result
- Verdict Score: 0
- Page Title: holdonz.pics
- Screenshot: View Screenshot
- Result: Full Scan Report

📡 Domain & Certificate Info
- DNS A Record: 164[.]90[.]129[.]126
- Recent Certificates (three CT entries with the same issuer and validity window; CT logs usually record a precertificate and its final certificate separately, so these likely reflect fewer than three distinct issuances):
  - C=US, O=Let's Encrypt, CN=R12 (Valid: 2025-09-22 → 2025-12-21)
  - C=US, O=Let's Encrypt, CN=R12 (Valid: 2025-09-22 → 2025-12-21)
  - C=US, O=Let's Encrypt, CN=R12 (Valid: 2025-09-22 → 2025-12-21)
📡 Related Intelligence
- Certificate Transparency: crt.sh Report
- VirusTotal Report: VirusTotal Domain Report
- URLScan Domain Overview: urlscan.io Domain Page
- DNS Analytics: dnslytics.com Report
🛡️ Defensive Guidance
- Block holdonz[.]pics (including any subdomain) and its associated IP (164[.]90[.]129[.]126) at DNS (for example via a response policy zone), web proxy, firewall and endpoint levels; a block rule alone is not enough, so also alert on attempts, because a host that tried to reach the C2 is likely already infected.
- Monitor for connections to the domain or IP, in particular outbound HTTP POSTs with unusually large request bodies from Windows endpoints, which is the traffic shape of stealer exfiltration.
- Hunt retrospectively in DNS and proxy logs from before the block was applied; on a match, treat the endpoint as compromised, collect browser credentials, cookies and session tokens as likely stolen, and rotate and invalidate them.
- Add Lumma-related domains to detection watchlists. Certificate transparency logs record certificate issuance, not domain registration, so use them to spot newly certified names that match the watchlist, and pair them with newly-registered-domain feeds to catch registrations before a certificate is issued.
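The guidance above can be turned into something runnable. The following is an added example, not code from the original report or from the reporter: it renders the IOCs as BIND response-policy-zone records for the DNS block, hunts for the domain, its subdomains and the IP in DNS/proxy logs, and screens certificate transparency entries against the same watchlist. The log lines and CT entries are constructed for the example; the CT entry shape (a `name_value` field holding newline-separated names) is modelled on crt.sh's JSON output and is an assumption, as is the key=value log format.

```python
"""Added example (not from the original report): RPZ block records, a log hunt
and a CT watchlist check built from the IOCs in this report.
All log lines and CT entries are constructed for the example."""
import re
from dataclasses import dataclass

# IOCs from this report, in live (re-fanged) form for matching.
IOC_DOMAINS = {"holdonz.pics"}
IOC_IPS = {"164.90.129.126"}


def refang(value: str) -> str:
    """Turn a defanged indicator such as 'holdonz[.]pics' back into its live form."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def matches_domain(name: str) -> bool:
    """True for the IOC domain itself or any subdomain of it (not look-alike names)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in IOC_DOMAINS)


def rpz_zone(domains=IOC_DOMAINS, ips=IOC_IPS) -> str:
    """Render BIND RPZ records: 'CNAME .' returns NXDOMAIN for the domain and its
    subdomains; the rpz-ip trigger also blocks answers that resolve to the C2 IP."""
    lines = [
        "$TTL 300",
        "@ IN SOA localhost. root.localhost. 1 3600 900 604800 300",
        "@ IN NS localhost.",
    ]
    for d in sorted(domains):
        lines += [f"{d} CNAME .", f"*.{d} CNAME ."]
    for ip in sorted(ips):
        # rpz-ip trigger format: <prefix-length>.<octets reversed>.rpz-ip
        lines.append(f"32.{'.'.join(reversed(ip.split('.')))}.rpz-ip CNAME .")
    return "\n".join(lines)


@dataclass
class Hit:
    line_no: int
    reason: str
    line: str


DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def hunt(log_lines) -> list:
    """Scan DNS/proxy log lines; report the first IOC match per line (domain, then IP)."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        domain = next((d for d in DOMAIN_RE.findall(line) if matches_domain(d)), None)
        if domain:
            hits.append(Hit(n, f"domain:{domain.lower()}", line))
            continue
        ip = next((ip for ip in IP_RE.findall(line) if ip in IOC_IPS), None)
        if ip:
            hits.append(Hit(n, f"ip:{ip}", line))
    return hits


def ct_watch(entries) -> list:
    """Flag CT entries whose names hit the watchlist. Entry shape is an assumption
    modelled on crt.sh JSON: 'name_value' holds newline-separated names."""
    flagged = []
    for e in entries:
        names = [n.lower().lstrip("*.") for n in e["name_value"].split("\n")]
        if any(matches_domain(n) for n in names):
            flagged.append((e["not_before"], e["issuer_name"], names))
    return flagged


# Constructed sample telemetry (not real logs) in a simple key=value style.
SAMPLE_LOGS = [
    "2025-09-30T14:05:11Z dns client=10.0.4.21 q=holdonz.pics type=A rcode=NOERROR",
    "2025-09-30T14:05:12Z proxy src=10.0.4.21 dst=164.90.129.126:443 host=holdonz.pics method=POST bytes_out=48211",
    "2025-09-30T14:06:02Z dns client=10.0.7.9 q=www.example.com type=A rcode=NOERROR",
    "2025-09-30T14:07:40Z proxy src=10.0.7.9 dst=164.90.129.126:443 host=- method=CONNECT bytes_out=512",
    "2025-09-30T14:08:15Z dns client=10.0.4.21 q=cdn.holdonz.pics type=A rcode=NXDOMAIN",
]
# Constructed CT rows shaped like crt.sh JSON output (values are illustrative).
SAMPLE_CT = [
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R12", "not_before": "2025-09-22T00:00:00",
     "name_value": "holdonz.pics\nwww.holdonz.pics"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R12", "not_before": "2025-09-23T00:00:00",
     "name_value": "shop.example.org"},
]

if __name__ == "__main__":
    print(rpz_zone())
    for h in hunt(SAMPLE_LOGS):
        print(f"HIT line {h.line_no} [{h.reason}] {h.line}")
    for when, issuer, names in ct_watch(SAMPLE_CT):
        print(f"CT WATCH {when} {issuer} {names}")
```

Two design points: `matches_domain` anchors on a label boundary so a look-alike such as `notholdonz.pics` is not matched, and the hunt reports the CONNECT to the C2 IP with no Host header as an IP hit, which is the case a domain-only block list misses.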
⚠️ This IOC underscores the persistent use of cheap, quickly registered domains on low-cost TLDs such as .pics to support Lumma stealer operations, fronted by free Let's Encrypt certificates. A valid certificate only proves the operator controlled the name at issuance; it is not a signal of legitimacy, and the padlock should carry no weight in triage.