The ThreatFox: Lumar IOCs rule detects potential adversary activity linked to the Lumar threat group, which is associated with malicious campaigns targeting cloud environments. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises that could lead to data exfiltration or lateral movement.
IOC Summary

Malware Family: Lumar
Total IOCs: 6
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | dudadelira.monster | payload_delivery | 2026-05-17 | 100% |
| domain | opaqueshellsoftsmoke.click | payload_delivery | 2026-05-17 | 100% |
| domain | kyjpwnw.monster | payload_delivery | 2026-05-17 | 100% |
| domain | quietbinglowdrift.monster | payload_delivery | 2026-05-17 | 100% |
| domain | livespacenext.monster | payload_delivery | 2026-05-17 | 100% |
| domain | educationcaster.monster | payload_delivery | 2026-05-17 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Lumar
let malicious_domains = dynamic(["dudadelira.monster", "opaqueshellsoftsmoke.click", "kyjpwnw.monster", "quietbinglowdrift.monster", "livespacenext.monster", "educationcaster.monster"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
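To test the matching rule before deploying it, and to keep the `let malicious_domains` line in sync with the IOC table, the following Python script reproduces the intent of the KQL hunt offline. It is an added example, not part of the ThreatFox rule or of Sentinel; the DNS records it runs over are constructed samples, and the `hunt`, `matched_ioc` and `kql_let_statement` helpers are assumptions of this example rather than any Sentinel API.

```python
"""Offline check of DNS query names against the Lumar domain IOCs above.

Added example, not part of the ThreatFox rule page: it reproduces the intent
of the KQL hunt in Python so the matching rule can be tested against sample
records, and it generates the `let malicious_domains = dynamic([...])` line
from the IOC list so the query stays in sync with the table.
"""
import json

# Domain IOCs copied from the IOC table on this page.
LUMAR_DOMAINS = [
    "dudadelira.monster",
    "opaqueshellsoftsmoke.click",
    "kyjpwnw.monster",
    "quietbinglowdrift.monster",
    "livespacenext.monster",
    "educationcaster.monster",
]

# Constructed sample records shaped like Sentinel DnsEvents rows (not real telemetry).
SAMPLE_DNS_EVENTS = [
    {"TimeGenerated": "2026-05-18T08:01:02Z", "Computer": "ws-017",
     "Name": "dudadelira.monster", "IPAddresses": "203.0.113.10", "QueryType": "A"},
    {"TimeGenerated": "2026-05-18T08:01:05Z", "Computer": "ws-017",
     "Name": "cdn.livespacenext.monster", "IPAddresses": "203.0.113.11", "QueryType": "A"},
    {"TimeGenerated": "2026-05-18T08:02:10Z", "Computer": "ws-022",
     "Name": "login.microsoftonline.com", "IPAddresses": "", "QueryType": "A"},
    {"TimeGenerated": "2026-05-18T08:03:44Z", "Computer": "ws-031",
     "Name": "notkyjpwnw.monster", "IPAddresses": "", "QueryType": "A"},
    {"TimeGenerated": "2026-05-18T08:04:00Z", "Computer": "ws-031",
     "Name": "EducationCaster.Monster.", "IPAddresses": "", "QueryType": "AAAA"},
]


def normalize_name(name):
    """Lower-case a query name and drop the trailing root dot some resolvers emit."""
    return name.strip().rstrip(".").lower()


def matched_ioc(name, iocs):
    """Return the IOC domain that `name` equals or is a subdomain of, else None.

    Matching on label boundaries ("." + ioc) avoids substring hits such as
    notkyjpwnw.monster, which a plain `contains` check would wrongly flag.
    """
    qname = normalize_name(name)
    for ioc in iocs:
        ioc = normalize_name(ioc)
        if qname == ioc or qname.endswith("." + ioc):
            return ioc
    return None


def hunt(events, iocs):
    """Mirror the KQL pipeline: filter on IOC match, project fields, order desc."""
    hits = []
    for ev in events:
        ioc = matched_ioc(ev["Name"], iocs)
        if ioc is None:
            continue
        hits.append({
            "TimeGenerated": ev["TimeGenerated"],
            "Computer": ev["Computer"],
            "Name": ev["Name"],
            "IPAddresses": ev.get("IPAddresses", ""),
            "QueryType": ev.get("QueryType", ""),
            "ioc": ioc,
        })
    # ISO-8601 UTC timestamps of equal length sort correctly as strings.
    hits.sort(key=lambda h: h["TimeGenerated"], reverse=True)
    return hits


def kql_let_statement(iocs, name="malicious_domains"):
    """Build the `let` line used at the top of the Sentinel query from the IOC list."""
    return f"let {name} = dynamic({json.dumps(list(iocs))});"


if __name__ == "__main__":
    print(kql_let_statement(LUMAR_DOMAINS))
    for hit in hunt(SAMPLE_DNS_EVENTS, LUMAR_DOMAINS):
        print(f"{hit['TimeGenerated']} {hit['Computer']:8} {hit['Name']:30} -> {hit['ioc']}")
```

Running the script flags three of the five sample queries: the exact IOC, a subdomain of an IOC, and a mixed-case name with a trailing root dot; `notkyjpwnw.monster` is correctly left alone. In KQL, `has_any` matches whole terms rather than substrings, so the query on this page behaves the same way for that case, but it is worth confirming against your own DnsEvents data, and once the IOC list grows past a handful of domains it is easier to maintain as a Sentinel Watchlist than as a `dynamic([...])` literal inside the query.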
Scenario: Scheduled Lumar Backup Job
Description: A legitimate scheduled task runs a backup of the Lumar application, which may generate IOCs related to the tool.
Filter/Exclusion: Exclude events where the process name is lumar-backup.exe or where the command line includes --backup.

Scenario: Admin Access via Lumar Console
Description: An administrator accesses the Lumar console to configure settings or monitor activity, which may trigger IOCs related to user interaction.
Filter/Exclusion: Exclude events where the user is a domain admin and the process is lumar-console.exe with a known admin session ID.

Scenario: Lumar Integration with SIEM Tools
Description: Lumar is integrated with a SIEM tool like Splunk or ELK, and the integration process may generate IOCs related to data ingestion.
Filter/Exclusion: Exclude events where the source IP is the internal SIEM server and the process is lumar-siem-ingest.exe.

Scenario: Lumar Log Rotation Task
Description: A log rotation task is executed by the Lumar service to manage log files, which may generate IOCs related to file operations.
Filter/Exclusion: Exclude events where the file path contains lumar_logs and the operation is a log rotation (e.g., rotate, backup, compress).

Scenario: Lumar Update or Patch Deployment
Description: A system administrator deploys an update or patch to the Lumar application, which may trigger IOCs related to file modifications or execution.
Filter/Exclusion: Exclude events where the process is lumar-updater.exe and the file path matches known update packages (e.g., lumar-update-*.exe).