The Lumma Stealer, known for using the malware-as-a-service (MaaS) model, has figured in various campaigns targeting victims in countries like Argentina, Colombia, the U.S., the Philippines, and others since 2022.

Netskope Threat Labs analyzed a new campaign using fake CAPTCHAs to deliver the stealer and published their findings in “Lumma Stealer: Fake CAPTCHAs and New Techniques to Evade Detection.” They identified 34 indicators of compromise (IoCs) in the process comprising 27 domains and seven subdomains.

The WhoisXML API research team expanded the list of IoCs Netskope identified and uncovered:

• 25 IP addresses, 23 of which turned out to be malicious
• 228 string-connected domains, 18 of which have already been tagged as malicious
• 477 string-connected subdomains, two of which turned out to have already figured in malicious campaigns

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Facts about the Lumma IoCs

We kicked off our in-depth analysis by querying the 27 domains tagged as IoCs on Bulk WHOIS API. The results showed that:

• They were created between 2024 and 2025. Specifically, one domain was created in 2024 while the remaining 26 were created in 2025.

  

• They were all registered with Namecheap.

• A majority of them, 22 to be exact, were registered in Iceland while the remaining five did not have registrant country information in their current WHOIS records.

  

Next, we queried the 27 domains identified as IoCs on DNS Chronicle API and discovered that only 26 recorded historical IP resolutions. Altogether, the 26 domains had 342 IP resolutions to date. The domain royaltyfree[.]pics had the oldest initial IP resolution date—10 October 2019. Take a look at the DNS histories of five other domains below.

Lumma IoC List Expansion Findings

To uncover possibly connected artifacts, we began by querying the 27 domains tagged as IoCs on WHOIS History API. The results revealed that six of them had 17 email addresses in their historical WHOIS records after duplicates were filtered out. A closer look at the 17 email addresses after duplicates were filtered out showed that four were public email addresses.

Next, we queried the four public email addresses on Reverse WHOIS API in hopes of uncovering email-connected domains. Unfortunately, none of them appeared in the current WHOIS records of other domains.

After that, we queried the 27 domains identified as IoCs on DNS Lookup API and found that 12 of them resolved to 25 IP addresses after duplicates were filtered out.

This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.