---
title: "Track Lumma Stealer Infrastructure Using WHOIS Pivots"
slug: "track-lumma-stealer-infrastructure-using-whois-pivots"
updated: 2026-01-16T16:45:27Z
published: 2026-01-16T16:45:27Z
---

# Track Lumma Stealer Infrastructure Using WHOIS Pivots

This use case demonstrates how Silent Push's WHOIS Search and WHOIS History features can uncover clusters of malicious domains associated with the Lumma Stealer malware campaign.

## Scenario

You identify a suspicious domain linked to Lumma Stealer: `elephancouped[.]fun`.

## Step-by-Step Investigation

1. **Initial Enrichment**:
  - Perform a domain Lookup in Silent Push.
  - In the PADNS tab: Domain resolves via ASN 13335 (Cloudflare).
  - In the Whois tab, the registrant is identified as **Klim Puzharskiy**.
2. **Pivot with WHOIS Search**:
  - Navigate to **WHOIS Data > WHOIS Search**.
  - Build a query: Field = `name`, Operator = `equals`, Value = `Klim Puzharskiy`.
  - Run the search → Returns **51 linked domains** with common traits:
    - TLD: `.fun`
    - Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
    - Similar registration timeframe
3. **Examine Historical Changes with WHOIS History**:
  - Navigate to **WHOIS Data > WHOIS History**.
  - Enter domain: `elephancouped[.]fun`
  - Set time window: Collected After `2024-09-01`, Collected Before `2025-04-01`.
  - Key findings:
    - WHOIS record creation: 2025-02-21
    - Registrant email: `bukkenudrkow201@inbox.eu`
    - Location: Ivanovo, Zip 153041
    - Latest SOA points to Cloudflare nameservers
4. **Advanced Fingerprinting (Optional)**:
  - Use the Advanced Query Builder for broader hunting:

  ```plaintext
  datasource = "whois" AND created > "2025-02-21 09:36:40" AND registrar = "PDR Ltd. d/b/a PublicDomainRegistry.com" AND nameserver = "*.ns.cloudflare.com" AND domain = "*.fun" AND email = "*@inbox.eu"
  ```
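As an added illustration (not part of the Silent Push documentation and not its API), the following Python script applies steps 2 and 4 of the walkthrough to raw WHOIS text: it parses the `Key: Value` layout that WHOIS servers return on TCP port 43, pivots on the registrant name, and then applies the Advanced Query Builder fingerprint as a local filter. The seed domain, registrar, registrant name and email come from this page; the other three domains, the nameserver hostnames and the second email address are constructed placeholders, and `fnmatch` globbing stands in for the query builder's wildcard semantics, which is an assumption.

```python
"""Reproduce the WHOIS pivots from the walkthrough over constructed sample records."""
from __future__ import annotations

import fnmatch
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample output in the "Key: Value" layout that port-43 WHOIS servers return.
# elephancouped.fun and its registrant details are the values from the walkthrough; the
# other three domains, the nameserver hostnames and the second email are placeholders.
SAMPLE_WHOIS = [
    """\
Domain Name: ELEPHANCOUPED.FUN
Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
Creation Date: 2025-02-21T09:36:40Z
Registrant Name: Klim Puzharskiy
Registrant Email: bukkenudrkow201@inbox.eu
Registrant City: Ivanovo
Name Server: ALICE.NS.CLOUDFLARE.COM
Name Server: BOB.NS.CLOUDFLARE.COM
>>> Last update of WHOIS database: 2025-03-10T00:00:00Z <<<
""",
    """\
Domain Name: CONSTRUCTED-SIBLING-A.FUN
Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
Creation Date: 2025-02-22T11:00:00Z
Registrant Name: Klim Puzharskiy
Registrant Email: bukkenudrkow201@inbox.eu
Name Server: ALICE.NS.CLOUDFLARE.COM
""",
    """\
Domain Name: CONSTRUCTED-SIBLING-B.FUN
Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
Creation Date: 2025-03-01T08:15:00Z
Registrant Name: REDACTED FOR PRIVACY
Registrant Email: other-constructed@inbox.eu
Name Server: CAROL.NS.CLOUDFLARE.COM
""",
    """\
Domain Name: UNRELATED-EXAMPLE.COM
Registrar: Example Registrar, Inc.
Creation Date: 2025-03-05T00:00:00Z
Registrant Name: Jane Doe
Registrant Email: jane@example.com
Name Server: NS1.EXAMPLE.NET
""",
]


@dataclass
class WhoisRecord:
    domain: str = ""
    registrar: str = ""
    created: datetime | None = None
    registrant_name: str = ""
    email: str = ""
    nameservers: list[str] = field(default_factory=list)


def parse_whois(text: str) -> WhoisRecord:
    """Parse 'Key: Value' WHOIS lines; repeated 'Name Server' keys are collected."""
    rec = WhoisRecord()
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep or line.lstrip().startswith(("%", "#", ">>>")):
            continue  # skip blank lines, server comments and the ">>> Last update" trailer
        key, value = key.strip().lower(), value.strip()
        if key == "domain name":
            rec.domain = value.lower()
        elif key == "registrar":
            rec.registrar = value
        elif key == "creation date":
            rec.created = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
        elif key == "registrant name":
            rec.registrant_name = value
        elif key == "registrant email":
            rec.email = value.lower()
        elif key == "name server" and value:
            rec.nameservers.append(value.lower())
    return rec


def pivot_on_registrant(records: list[WhoisRecord], name: str) -> list[str]:
    """Step 2: every domain whose registrant name equals the pivot value."""
    return sorted(r.domain for r in records if r.registrant_name.casefold() == name.casefold())


# Step 4 query from the walkthrough, expressed as Python values (globs via fnmatch).
FINGERPRINT = {
    "created_after": datetime(2025, 2, 21, 9, 36, 40),
    "registrar": "PDR Ltd. d/b/a PublicDomainRegistry.com",
    "nameserver": "*.ns.cloudflare.com",
    "domain": "*.fun",
    "email": "*@inbox.eu",
}


def matches_fingerprint(rec: WhoisRecord, fp: dict = FINGERPRINT) -> bool:
    """AND together every fingerprint condition, like the query builder does."""
    return (
        rec.created is not None
        and rec.created > fp["created_after"]
        and rec.registrar == fp["registrar"]
        and any(fnmatch.fnmatchcase(ns, fp["nameserver"]) for ns in rec.nameservers)
        and fnmatch.fnmatchcase(rec.domain, fp["domain"])
        and fnmatch.fnmatchcase(rec.email, fp["email"])
    )


def hunt(records: list[WhoisRecord], fp: dict = FINGERPRINT) -> list[str]:
    """Domains that satisfy the whole fingerprint, sorted for stable output."""
    return sorted(r.domain for r in records if matches_fingerprint(r, fp))


RECORDS = [parse_whois(text) for text in SAMPLE_WHOIS]

if __name__ == "__main__":
    print("registrant pivot:", pivot_on_registrant(RECORDS, "Klim Puzharskiy"))
    print("fingerprint hits:", hunt(RECORDS))
```

Two things the run makes visible: the registrant pivot misses the sibling whose name is redacted, while the fingerprint still catches it on registrar, TLD, nameserver and mail provider; and because the page's query uses a strict `created >` against the seed's own creation timestamp, the seed domain itself falls outside the fingerprint window, which is the intended behaviour when hunting for registrations that came after it.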

## Outcome

By pivoting on registrant name and combining with historical WHOIS data, you uncover a cluster of 51+ domains likely controlled by the same threat actor. These can be blocked proactively or monitored for further activity.

**Benefits**: WHOIS pivots reveal campaign infrastructure despite DNS obfuscation, enabling early detection and disruption of Lumma Stealer distribution.

## Glossary

- **WHOIS Search**: A tool that queries the WHOIS protocol on TCP port 43 to retrieve domain registration details, enabling analysis of ownership, registrar, and other metadata for threat intelligence.
- **WHOIS History**: A feature that tracks historical changes in a domain's WHOIS records, such as ownership, registrar, or nameserver updates, to identify patterns of malicious behavior or infrastructure reuse.
- **PADNS (passive DNS)**: A feature leveraging passive DNS data to investigate and correlate related threats, such as associated IPs, domains, or other indicators.
- **ASN**: Autonomous System Number, a unique numeric identifier assigned to an Autonomous System (AS) for managing IP address routing within and between networks on the internet.
- **WHOIS Data**: Publicly available data collected during domain registration or DNS updates, used to analyze domain ownership and history.
