The U.S. Department of Justice seized 114 domains connected to a major information-stealing campaign utilizing Lumma Stealer on 21 May 2025. The Cybersecurity and Infrastructure Security Agency (CISA) released the list of indicators of compromise (IoCs) on the same date.
In a bid to uncover more connected artifacts and other information, WhoisXML API analyzed the IoCs in great depth. Here is a summary of our findings.
A sample of the additional artifacts obtained from our analysis is available for download from our website.
We kicked off our investigation by looking more closely into the WHOIS records of the 114 domains identified as IoCs. A Bulk WHOIS API query for the 114 domains showed that only 106 had current WHOIS records. They were created between 2024 and 2025, making them relatively new when they were weaponized for attacks.

The 106 domains with current WHOIS records were split among six registrars led by PDR, which accounted for 56 domains. The five remaining registrars were MarkMonitor, Dynadot, Web Commerce Communications, Stichting Registrar of Last Resort Foundation, and Gandi.

While 28 of the 106 domains with current WHOIS records did not have registrant countries on record, the remaining 78 were registered in five countries topped by Russia, which accounted for 46 domains. The remaining registrant countries were the U.S., Malaysia, Sweden, and Germany.

Next, we searched for the 114 domains identified as IoCs on First Watch Malicious Domains Data Feed files and found 28 matches with corresponding discovery dates. A comparison with the date when the IoC list was released—19 May 2025—revealed that all 28 domains were listed on First Watch first. Specifically, they were listed on First Watch between 39 and 360 days prior to 19 May 2025, translating to an average of 97 days.

Next, we zoomed in on the IoC ferromny[.]digital. Its current WHOIS record showed that it was created on 24 March 2025, used the .digital TLD, and was administered by PDR. We downloaded the First Watch file for 24 March 2025 and uncovered eight additional domains that shared all of the aforementioned WHOIS details and were likely to turn malicious, but were not on the IoC list. The similarities suggest they could be part of the same attack infrastructure but were either not identified during the Lumma Stealer analysis or not yet fully weaponized. An example would be tv-serial[.]digital, which only one out of 94 VirusTotal engines currently detects as malicious.

It is also worth noting that all eight domains First Watch surfaced that were not part of the IoC list were already detected as malicious by an average of 12 VirusTotal engines.
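The two First Watch steps above, measuring how far ahead of the IoC release each match was listed and then pivoting on a seed IoC's WHOIS attributes to find sibling domains, are shown below as an added example. This is not WhoisXML API's code, and the CSV layout, domain names and dates are constructed for illustration; the real First Watch feed format is not described on this page.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean

# Constructed First Watch-style records (hypothetical layout). Each row carries
# the discovery date plus the WHOIS fields used for the pivot. Not real data.
FEED_CSV = """\
domain,discovered,created,registrar
ferromny.digital,2025-03-24,2025-03-24,PDR
tv-serial.digital,2025-03-24,2025-03-24,PDR
example-a.digital,2025-03-24,2025-03-24,PDR
example-b.digital,2025-03-24,2025-03-24,Dynadot
example-c.com,2025-03-24,2025-03-24,PDR
oldbad.net,2024-05-24,2024-05-20,PDR
"""

# Constructed IoC list in the defanged form used in the post, plus the release date.
IOC_LIST = {"ferromny[.]digital", "oldbad[.]net", "notinfeed[.]org"}
IOC_RELEASE = date(2025, 5, 19)


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'a[.]b' back into 'a.b' for matching."""
    return indicator.replace("[.]", ".")


@dataclass(frozen=True)
class FeedRecord:
    domain: str
    discovered: date
    created: date
    registrar: str

    @property
    def tld(self) -> str:
        return self.domain.rsplit(".", 1)[-1]


def parse_feed(text: str) -> list[FeedRecord]:
    """Parse the constructed CSV into records, skipping the header line."""
    records = []
    for line in text.strip().splitlines()[1:]:
        domain, discovered, created, registrar = line.split(",")
        records.append(FeedRecord(domain, date.fromisoformat(discovered),
                                  date.fromisoformat(created), registrar))
    return records


def lead_times(feed: list[FeedRecord], iocs: set[str], release: date) -> dict[str, int]:
    """Days between a feed listing and the IoC release, for IoCs present in the feed."""
    wanted = {refang(i) for i in iocs}
    return {r.domain: (release - r.discovered).days for r in feed if r.domain in wanted}


def summarize(lead: dict[str, int]) -> tuple[int, int, int]:
    """(min, max, rounded mean) of the lead times."""
    values = list(lead.values())
    return min(values), max(values), round(mean(values))


def pivot_siblings(feed: list[FeedRecord], seed_domain: str, iocs: set[str]) -> list[str]:
    """Feed domains sharing creation date, TLD and registrar with the seed, excluding known IoCs."""
    seed = next(r for r in feed if r.domain == seed_domain)
    known = {refang(i) for i in iocs}
    return sorted(r.domain for r in feed
                  if r.domain != seed.domain and r.domain not in known
                  and r.created == seed.created and r.tld == seed.tld
                  and r.registrar == seed.registrar)


if __name__ == "__main__":
    feed = parse_feed(FEED_CSV)
    lead = lead_times(feed, IOC_LIST, IOC_RELEASE)
    print("lead times (days):", lead, "min/max/avg:", summarize(lead))
    print("pivot candidates:", pivot_siblings(feed, "ferromny.digital", IOC_LIST))
```

Matching against a defanged list requires refanging first; forgetting that step silently yields zero matches, so the helper is applied on every comparison path. The pivot is deliberately strict (all three WHOIS attributes must agree); loosening it to two attributes widens the candidate set but brings in unrelated registrations from the same day.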

After gathering as much domain-connected intelligence as we could, we went on to uncover the DNS traces the 114 domains identified as IoCs left behind.
First off, we queried the 114 domain IoCs on DNS Lookup API and found that 33 of them had active domain-to-IP resolutions. We obtained five unique IP addresses, four of which have already been tagged as malicious based on Threat Intelligence API query results. An example would be 52[.]26[.]80[.]133, which was associated with malware distribution, generic threats, command and control (C&C), and attacks.
A Bulk IP Geolocation Lookup query for the five IP addresses showed that they were all geolocated in the U.S. and split among three ISPs—Amazon, Linode, and Microsoft.

Since none of the five IP addresses from DNS Lookup API were dedicated hosts, we could not use them to find IP-connected domains. We thus had to turn to DNS Chronicle API instead.
Our DNS Chronicle API query for the 114 domains identified as IoCs showed that 55 recorded 265 domain-to-IP resolutions starting on 22 February 2023.
This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.
Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.