Prospering Lumma
ID: 6ffc8e16-bfff-53e1-a731-c8de10079aa1
STIX ID: report--6ffc8e16-bfff-53e1-a731-c8de10079aa1
Feed Name: IntelInsights (Substack)
The investigation tracks an active Lumma infostealer campaign tied to AS200593 (Prospero), enumerating hosting IPs, domains, and distribution paths (notably /1337 and /update) that deliver payloads such as TORRENTOLD-1.exe and TPB-1.exe via Apache hosts and Cloudflare. Using urlscan, Validin, and other pivots, the author maps additional infrastructure across 91.202.233.0/24 and 91.215.85.0/24, shares specific URLs and IPs, notes crawler-blocking behavior, and links an external IoC list for defenders.
