📖 Overview
A URL-based indicator has been identified linking to a Telegram channel leveraged as command-and-control infrastructure for Lumma Stealer. Telegram continues to be abused by threat actors for data exfiltration and C2 management due to its encryption and ease of access. Confidence is assessed at 75%.
📌 Key Details
| Field | Information |
|---|---|
| Type | URL |
| Indicator | t[.]me/bdfgjdf5 |
| Threat Type | Botnet C2 |
| Malware | win.lumma |
| Confidence | 75% |
| Date | 05 Sep 2025 – 18:01:22 UTC |
| Tags | Lumma |
| Reporter | abuse_ch |
🔎 URLScan Result
Page Title: Telegram: View @sguajfjsjf
Screenshot: https://urlscan.io/screenshots/01991b03-c03c-72cf-b3b0-c358fd3c55e7.png
Result: https://urlscan.io/result/01991b03-c03c-72cf-b3b0-c358fd3c55e7/
📡 Related Intelligence
VirusTotal Report: https://www.virustotal.com/gui/url/5912bb62f0a6f9513b5cafbdae34bb88e07feae5d036321b5b39c63a8d85009b
Reference: https://bazaar.abuse.ch/sample/f57829fccab2aa91f23ab2a8779fc7aa93bf5eabd1010bb3479580989f6bce45/
🛡️ Defensive Guidance
- Monitor for Lumma Stealer beaconing patterns over Telegram channels.
- Hunt for credential exfiltration attempts and Telegram API usage in logs.
- Review telemetry for traffic to other suspicious Telegram channels.
⚠️ Confidence is moderate (75%), requiring additional corroboration before operational blocking in all environments.
![IOC Alert: Suspicious Crypto Wallet Domain Used for Payload Delivery – ashigaruwallet[.]rs](/content/images/size/w1304/format/webp/2025/09/IOC_Alert-2.png)
![IOC Alert: NetSupport Manager RAT Payload Delivery – wood-simple[.]com/drip.sym](/content/images/size/w1304/format/webp/2025/09/IOC_Alert.png)
