Practice Brief
Operation Luminous Stag: Decoding the Certificate Trail
A surge of Lumma Stealer infections has hit cryptocurrency communities. The malware’s latest variant, LummaC2, exfiltrates wallet seeds and browser cookies to a hidden command-and-control (C2) server. Your team intercepts a sample revealing that the C2 domain:

- References two concepts: one tied to the malware’s Latin-derived name (“light”) and another to a forest creature symbolizing stealth.
- Was registered via Cloudflare (AS13335) and first active on January 22, 2025.
- Uses a TLS certificate logged 24 hours pre-attack across multiple Certificate Transparency (CT) providers, with a Sectigo (formerly Comodo) entry showing a 1-second timestamp anomaly.

The attackers likely rotated certificates rapidly to evade detection.

Your mission: find the critical Sectigo CT log entry tied to this domain to uncover linked infrastructure.
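As an added example (not part of the brief), the following Python script shows the correlation a hunter would run over CT log records for the domain: it groups entries by certificate fingerprint, compares each Sectigo-log timestamp against the other operators' timestamps for the same certificate to surface the 1-second anomaly, and measures how far ahead of the first-active date the earliest entry appeared. The records, fingerprints, and the domain `c2-domain.example` are constructed placeholders, since the brief does not give the real values; the record layout is a simplified one assumed here rather than the crt.sh or RFC 6962 format, and "Sectigo entry" is read as a record from a Sectigo-operated log (such as Sabre).

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Placeholder: the brief does not name the real C2 domain.
C2_DOMAIN = "c2-domain.example"
# "first active on January 22, 2025" (from the brief)
FIRST_ACTIVE = datetime(2025, 1, 22, tzinfo=timezone.utc)
# Sectigo operates its own CT logs (e.g. "Sabre"); a "Sectigo entry" is
# taken here to mean the record from a Sectigo-operated log.
SUSPECT_OPERATOR = "Sectigo"

# Constructed sample records in a simplified shape (assumed, not crt.sh's).
# One certificate, identified by its SHA-256 fingerprint, normally appears in
# several logs with timestamps that agree to within milliseconds.
SAMPLE_CT_RECORDS = [
    {"domain": C2_DOMAIN, "fingerprint": "sha256:A1", "operator": "Google",
     "log": "Argon2025", "timestamp": "2025-01-21T00:00:00.000Z"},
    {"domain": C2_DOMAIN, "fingerprint": "sha256:A1", "operator": "Cloudflare",
     "log": "Nimbus2025", "timestamp": "2025-01-21T00:00:00.200Z"},
    {"domain": C2_DOMAIN, "fingerprint": "sha256:A1", "operator": "Sectigo",
     "log": "Sabre", "timestamp": "2025-01-21T00:00:01.100Z"},  # 1 s late
    {"domain": C2_DOMAIN, "fingerprint": "sha256:B2", "operator": "Google",
     "log": "Argon2025", "timestamp": "2025-01-21T06:00:00.000Z"},
    {"domain": C2_DOMAIN, "fingerprint": "sha256:B2", "operator": "Cloudflare",
     "log": "Nimbus2025", "timestamp": "2025-01-21T06:00:00.050Z"},
    {"domain": C2_DOMAIN, "fingerprint": "sha256:B2", "operator": "Sectigo",
     "log": "Sabre", "timestamp": "2025-01-21T06:00:00.080Z"},  # rotated cert
    {"domain": "benign.example", "fingerprint": "sha256:C3", "operator": "Sectigo",
     "log": "Sabre", "timestamp": "2025-01-20T12:00:00.000Z"},
]


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def entries_for_domain(records, domain):
    """Group a domain's CT records by certificate fingerprint."""
    grouped = defaultdict(list)
    for rec in records:
        if rec["domain"].lower() == domain.lower():
            grouped[rec["fingerprint"]].append(rec)
    return dict(grouped)


def find_timestamp_anomalies(records, domain, operator=SUSPECT_OPERATOR,
                             tolerance=timedelta(milliseconds=500)):
    """Flag entries from `operator` whose timestamp deviates from the median
    of the other logs' timestamps for the same certificate by > tolerance."""
    findings = []
    for fingerprint, entries in entries_for_domain(records, domain).items():
        others = [parse_ts(e["timestamp"]).timestamp()
                  for e in entries if e["operator"] != operator]
        if not others:
            continue  # nothing to compare the suspect operator against
        reference = statistics.median(others)
        for e in entries:
            if e["operator"] != operator:
                continue
            deviation = parse_ts(e["timestamp"]).timestamp() - reference
            if abs(deviation) > tolerance.total_seconds():
                findings.append({
                    "fingerprint": fingerprint,
                    "log": f'{e["operator"]} {e["log"]}',
                    "timestamp": e["timestamp"],
                    "deviation_seconds": round(deviation, 3),
                })
    return findings


def lead_time_before_activity(records, domain, first_active=FIRST_ACTIVE):
    """Hours between the earliest CT entry for the domain and its first
    observed activity (None if the domain has no entries); a short lead
    time is the pre-staging signal the brief describes."""
    stamps = [parse_ts(r["timestamp"]) for r in records
              if r["domain"].lower() == domain.lower()]
    if not stamps:
        return None
    return (first_active - min(stamps)).total_seconds() / 3600


if __name__ == "__main__":
    for finding in find_timestamp_anomalies(SAMPLE_CT_RECORDS, C2_DOMAIN):
        print("anomalous entry:", finding)
    hours = lead_time_before_activity(SAMPLE_CT_RECORDS, C2_DOMAIN)
    print(f"earliest CT entry {hours:.1f} h before first activity")
```

Against the constructed data the script flags only the Sectigo Sabre entry for `sha256:A1` (1.0 s behind the other logs) and reports a 24-hour lead time; the rotated certificate `sha256:B2` stays quiet because its Sectigo timestamp agrees with the others. The tolerance is deliberately generous (500 ms) so ordinary inter-log jitter is not reported.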