Infection repeatedly adds scheduled tasks and increases traffic to the same C2 domain
Lumma Stealer infections have shown a pattern of repeatedly adding scheduled tasks that increase traffic to the same C2 domain. The infection retrieves information from a Pastebin link for follow-up activities, using .cc domains for C2 traffic. The infected host generates multiple scheduled tasks with the same trigger and action, leading to increased HTTPS requests and C2 traffic over time.
In recent weeks, Lumma Stealer infections have followed a specific pattern in follow-up activity. This pattern adds scheduled tasks for the same action, which increases traffic to the same C2 domain. This diary documents an example from one of these infections on January 14, 2026.
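One way a defender can surface this pattern on a host, as an added example that is not part of the diary: export the Task Scheduler definitions (for instance with `schtasks /query /xml`) and group tasks whose triggers and action are identical, since a benign install rarely registers the same command more than once. The task names, file paths and arguments below are constructed, not indicators from the infection.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Namespace used by Task Scheduler XML definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def task_signature(task_xml: str) -> tuple:
    """Reduce one task definition to (trigger kinds, command, arguments).

    Case and surrounding whitespace are normalised so that re-registrations
    that differ only cosmetically still collapse into one group.
    """
    root = ET.fromstring(task_xml)
    trig_el = root.find("t:Triggers", NS)
    triggers = tuple(sorted(t.tag.split("}")[1] for t in trig_el)) if trig_el is not None else ()
    exec_el = root.find("t:Actions/t:Exec", NS)
    if exec_el is None:
        return triggers, "", ""
    command = (exec_el.findtext("t:Command", "", NS) or "").strip().lower()
    args = (exec_el.findtext("t:Arguments", "", NS) or "").strip().lower()
    return triggers, command, args


def find_duplicate_tasks(tasks: dict) -> dict:
    """Map each (trigger, command, args) signature seen more than once to its task names."""
    groups = defaultdict(list)
    for name, xml in tasks.items():
        groups[task_signature(xml)].append(name)
    return {sig: sorted(names) for sig, names in groups.items() if len(names) > 1}


def _task(cmd: str, args: str, trigger: str) -> str:
    # Minimal constructed task XML in the shape schtasks /query /xml produces.
    return (f'<Task xmlns="{NS["t"]}"><Triggers><{trigger}/></Triggers><Actions><Exec>'
            f'<Command>{cmd}</Command><Arguments>{args}</Arguments></Exec></Actions></Task>')


# Constructed sample: three tasks re-registered for the same action plus one unrelated task.
SAMPLE_TASKS = {
    "Updater_1": _task(r"C:\Users\Public\client.exe", "-s", "LogonTrigger"),
    "Updater_2": _task(r"C:\Users\Public\client.exe", "-s", "LogonTrigger"),
    "Updater_3": _task(r"C:\Users\Public\CLIENT.EXE", "-s ", "LogonTrigger"),
    "Vendor Update": _task(r"C:\Program Files\Vendor\updater.exe", "", "CalendarTrigger"),
}

if __name__ == "__main__":
    for sig, names in find_duplicate_tasks(SAMPLE_TASKS).items():
        print(f"{len(names)} tasks share trigger={sig[0]} command={sig[1]!r}: {names}")
```

Each extra task with the same trigger fires one more copy of the payload per trigger event, which is the mechanism behind the growing HTTPS request count the diary describes.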