Mapping latest Lumma infrastructure
ID: d70ee8af-25d7-549e-b781-9076c1c67ae8
STIX ID: report--d70ee8af-25d7-549e-b781-9076c1c67ae8
Feed Name: IntelInsights (Substack)
The report documents an infrastructure hunt into the Lumma infostealer, starting from a reported C2 domain (nonsazv.qpon) and pivoting via URLScan and Validin to cluster hundreds of related C2 domains (notably *.qpon, .top, .xyz, .ru) and IPs, many running nginx/1.24.0 (Ubuntu) and hosted by Aeza (AS210644), ROUTE95 GREEN FLOID LLC (AS8254), Routerhosting, and Proton66. Using certificate fingerprint pivots, the analysis reinforces that Lumma operators rely on concentrated bulletproof hosting infrastructure despite aggressive domain rotation, and it provides a linked IoC list for detection.