This use case demonstrates how Silent Push's WHOIS Search and WHOIS History features can uncover clusters of malicious domains associated with the Lumma Stealer malware campaign.
Scenario
You identify a suspicious domain linked to Lumma Stealer: elephancouped[.]fun.
Step-by-Step Investigation
Initial Enrichment:
Perform a domain Lookup in Silent Push.
In the PADNS tab: Domain resolves via ASN 13335 (Cloudflare).
In the Whois tab, the registrant is identified as Klim Puzharskiy.
Pivot with WHOIS Search:
Navigate to WHOIS Data > WHOIS Search.
Build a query: Field = name, Operator = equals, Value = Klim Puzharskiy.
Run the search → Returns 51 linked domains with common traits:
TLD: .fun
Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
Similar registration timeframe
Examine Historical Changes with WHOIS History:
Navigate to WHOIS Data > WHOIS History.
Enter domain: elephancouped[.]fun
Set time window: Collected After 2024-09-01, Collected Before 2025-04-01.
Key findings:
WHOIS record creation: 2025-02-21
Registrant email: bukkenudrkow201@inbox.eu
Location: Ivanovo, Zip 153041
Latest SOA points to Cloudflare nameservers
Advanced Fingerprinting (Optional):
Use the Advanced Query Builder for broader hunting:
datasource = "whois" AND created > "2025-02-21 09:36:40" AND registrar = "PDR Ltd. d/b/a PublicDomainRegistry.com" AND nameserver = "*.ns.cloudflare.com" AND domain = "*.fun" AND email = "*@inbox.eu"
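The fingerprint above, applied offline to WHOIS records you already hold (for example an export from the search results), as an added example that is not Silent Push code. It assumes a simple dict-per-record shape, reads the query's "*" as shell-style globbing, and uses constructed sample records: only the first reuses values from this use case, the nameserver hostnames and the negative records are made up.

```python
from datetime import datetime
from fnmatch import fnmatch

# Fingerprint taken from the use case's Advanced Query Builder expression.
FINGERPRINT = {
    "created_after": datetime(2025, 2, 21, 9, 36, 40),
    "registrar": "PDR Ltd. d/b/a PublicDomainRegistry.com",
    "nameserver": "*.ns.cloudflare.com",
    "domain": "*.fun",
    "email": "*@inbox.eu",
}

def matches_fingerprint(record, fp=FINGERPRINT):
    """True when a WHOIS record satisfies every AND clause of the fingerprint.
    '*' clauses use shell-style globbing (fnmatch) on lower-cased values,
    an assumed reading of the query's wildcard syntax; 'created' is strict."""
    created = datetime.strptime(record["created"], "%Y-%m-%d %H:%M:%S")
    if created <= fp["created_after"]:
        return False
    if record["registrar"] != fp["registrar"]:
        return False
    if not any(fnmatch(ns.lower(), fp["nameserver"]) for ns in record["nameservers"]):
        return False
    if not fnmatch(record["domain"].lower(), fp["domain"]):
        return False
    return fnmatch(record["email"].lower(), fp["email"])

def hunt(records, fp=FINGERPRINT):
    """Sorted list of domains in `records` that match the fingerprint."""
    return sorted(r["domain"] for r in records if matches_fingerprint(r, fp))

# Constructed sample records, not Silent Push output. The first reuses the
# use case's domain/email/registrar; the rest are made-up negatives that
# each fail exactly one clause (creation time, TLD, email).
PDR = "PDR Ltd. d/b/a PublicDomainRegistry.com"
CF = ["ada.ns.cloudflare.com", "bob.ns.cloudflare.com"]  # constructed hostnames
SAMPLE_RECORDS = [
    {"domain": "elephancouped.fun", "created": "2025-02-21 12:00:00",
     "registrar": PDR, "nameservers": CF, "email": "bukkenudrkow201@inbox.eu"},
    {"domain": "too-early.fun", "created": "2025-01-15 08:00:00",
     "registrar": PDR, "nameservers": CF, "email": "someone@inbox.eu"},
    {"domain": "wrong-tld.top", "created": "2025-03-01 08:00:00",
     "registrar": PDR, "nameservers": CF, "email": "someone@inbox.eu"},
    {"domain": "wrong-mail.fun", "created": "2025-03-01 08:00:00",
     "registrar": PDR, "nameservers": CF, "email": "someone@example.net"},
]

if __name__ == "__main__":
    print(hunt(SAMPLE_RECORDS))  # → ['elephancouped.fun']
```

Matching domains are candidates for blocking or monitoring; the strict "created >" cutoff means a record created exactly at the cutoff second is excluded, as in the query.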
Outcome
By pivoting on registrant name and combining with historical WHOIS data, you uncover a cluster of 51+ domains likely controlled by the same threat actor. These can be blocked proactively or monitored for further activity.
Benefits: WHOIS pivots reveal campaign infrastructure despite DNS obfuscation, enabling early detection and disruption of Lumma Stealer distribution.