
Exposing Lumma Stealer’s Second-Stage Infrastructure and C2 Servers with ASN and JA4X Pivoting

ID: da8991d4-8a15-5307-9c0f-8554d075d530

STIX ID: report--da8991d4-8a15-5307-9c0f-8554d075d530

Feed Name: Hunt.io Blog

Threat Score
70/100

Date Published: 2026-03-12

Date Updated: 2026-04-28

...
...

This report details infrastructure-level hunting that uncovered a coordinated cluster of 17 Lumma Stealer second-stage servers spanning AS56971 and AS215607. The servers return the same nginx/1.24.0 (Ubuntu) Server header, present Let's Encrypt certificates that share one JA4X fingerprint, use .cc domains with tech-themed or typosquatted names, and communicate over port 443. The report provides IP and domain IOCs, the SQL search queries used to discover the hosts, and mitigation recommendations for monitoring and blocking similar infrastructure.
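The pivot the summary describes, as an added example that is not the report's own code or its SQL queries: start from one confirmed host, build a profile from its pivot keys (JA4X fingerprint, Server header, TLD, port, ASN), and sweep a set of scan records for siblings. A host in an unseen ASN that matches every other pivot is treated as a new hosting block and its ASN is folded into the profile, which is how a single seed in AS56971 reaches hosts in AS215607. The scan records, IP addresses, hostnames, JA4X values and the table schema in the SQL helper are constructed placeholders; only the pivot keys come from the summary.

```python
"""Pivot from one known Lumma second-stage host to its sibling servers.

Added example, not the report's own code or queries. All records, IPs,
hostnames and JA4X strings below are constructed placeholders; the pivot
keys (ASN, nginx banner, shared JA4X, .cc TLD, port 443) are the ones the
report summary names.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class HostRecord:
    ip: str
    asn: str
    domain: str
    port: int
    server_header: str  # HTTP Server response header as seen by the scanner
    ja4x: str           # JA4X fingerprint of the presented X.509 certificate


@dataclass
class ClusterProfile:
    ja4x: str           # hard gate: the shared certificate fingerprint
    server_header: str
    tld: str
    port: int
    asns: set = field(default_factory=set)


def tld_of(domain: str) -> str:
    return domain.rsplit(".", 1)[-1].lower()


def profile_from_seed(seed: HostRecord) -> ClusterProfile:
    """Turn one confirmed host into the attribute set to pivot on."""
    return ClusterProfile(seed.ja4x, seed.server_header, tld_of(seed.domain),
                          seed.port, {seed.asn})


def matched_keys(profile: ClusterProfile, rec: HostRecord) -> set:
    """Pivot keys a record shares with the profile; empty when JA4X differs.

    JA4X alone is weak (every certificate issued from the same CA template
    shares it), so it only gates; the other keys supply the confidence.
    """
    if rec.ja4x != profile.ja4x:
        return set()
    keys = {"ja4x"}
    if rec.server_header == profile.server_header:
        keys.add("server_header")
    if tld_of(rec.domain) == profile.tld:
        keys.add("tld")
    if rec.port == profile.port:
        keys.add("port")
    if rec.asn in profile.asns:
        keys.add("asn")
    return keys


def find_cluster(profile: ClusterProfile, records, min_keys: int = 4) -> list:
    """Return records sharing JA4X plus at least min_keys pivots in total.

    A host outside the known ASNs that still matches banner, TLD and port is
    taken as a new hosting block: its ASN is added to the profile and the
    sweep repeats, so hosts in that ASN that miss one soft key get picked up.
    """
    cluster = {}
    while True:
        new_asns = set()
        for rec in records:
            keys = matched_keys(profile, rec)
            if len(keys) < min_keys:
                continue
            cluster[rec.ip] = rec
            if rec.asn not in profile.asns and \
                    keys >= {"ja4x", "server_header", "tld", "port"}:
                new_asns.add(rec.asn)
        if not new_asns:
            return sorted(cluster.values(), key=lambda r: (r.asn, r.ip))
        profile.asns |= new_asns


def group_by_asn(cluster) -> dict:
    out = defaultdict(list)
    for rec in cluster:
        out[rec.asn].append(rec.ip)
    return dict(out)


def profile_to_sql(profile: ClusterProfile, table: str = "scan_results"):
    """Equivalent parameterised WHERE clause for a hypothetical scan table
    (column names are assumptions, not the report's dataset schema)."""
    asn_slots = ", ".join(["%s"] * len(profile.asns))
    sql = (f"SELECT ip, asn, domain FROM {table} WHERE ja4x = %s "
           f"AND server_header = %s AND port = %s AND domain LIKE %s "
           f"AND asn IN ({asn_slots})")
    params = [profile.ja4x, profile.server_header, profile.port,
              f"%.{profile.tld}", *sorted(profile.asns)]
    return sql, params


# Constructed sample scan records (documentation-range IPs, placeholder JA4X).
SEED_JA4X = "a1b2c3d4e5f6_0f1e2d3c4b5a_1234567890ab"
OTHER_JA4X = "ffffffffffff_eeeeeeeeeeee_dddddddddddd"
NGINX = "nginx/1.24.0 (Ubuntu)"
SAMPLE_RECORDS = [
    HostRecord("203.0.113.10", "AS56971", "cloud-update.cc", 443, NGINX, SEED_JA4X),      # seed
    HostRecord("203.0.113.11", "AS56971", "devops-sync.cc", 443, NGINX, SEED_JA4X),
    HostRecord("198.51.100.7", "AS215607", "git-mirror.cc", 443, NGINX, SEED_JA4X),        # new ASN
    HostRecord("198.51.100.8", "AS215607", "node-registry.net", 443, NGINX, SEED_JA4X),    # non-.cc
    HostRecord("192.0.2.5", "AS64500", "tech-portal.cc", 443, NGINX, OTHER_JA4X),          # other cert
    HostRecord("192.0.2.6", "AS56971", "old-box.cc", 8443, "Apache/2.4.57", SEED_JA4X),    # wrong banner
]

if __name__ == "__main__":
    prof = profile_from_seed(SAMPLE_RECORDS[0])
    for asn, ips in group_by_asn(find_cluster(prof, SAMPLE_RECORDS)).items():
        print(asn, ips)
```

On the constructed data the sweep admits node-registry.net only on the second pass, after git-mirror.cc pulled AS215607 into the profile; the host with a different JA4X is never considered, and the same-ASN box with an Apache banner on 8443 stays out. The min_keys threshold is the knob to tune against your own false-positive rate.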
